hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Add AWS WAFv2 labels on web requests #19486

Closed mcab closed 2 years ago

mcab commented 3 years ago

Description

A label is metadata that a rule can add to matching web requests. Rules can also match against labels when they inspect web requests. Labels allow a matching rule to communicate results to the rules that are evaluated later in the same web ACL.

(from [1])

This would allow for strings to be attached during requests matching certain rules. Additionally, this would allow for a LabelMatchStatement to be applied to rules (see [2]).

This allows for:

New or Affected Resource(s)

New:

Affected:

Potential Terraform Configuration

Labels when used in aws_wafv2_rule_group

```hcl
# Assuming 111122223333 is the AWS account ID, mirroring [7].
resource "aws_wafv2_rule_group" "testRules" {
  [...]
  rule {
    name = "rule-1"
    statement {
      [...]
    }
    label {
      label_name = "testNS1:testNestedNS1:label1" # outputs awswaf:111122223333:rulegroup:testRules:testNS1:testNestedNS1:label1
      label_name = "testNS1:label2"               # outputs awswaf:111122223333:rulegroup:testRules:testNS1:label2
      label_name = "label3"                       # outputs awswaf:111122223333:rulegroup:testRules:label3
    }
    [...]
  }
  rule {
    name = "conditions-on-rule-1-A"
    action {
      count {}
    }
    statement {
      label_match_statement {
        scope = "LABEL"
        key   = "label3"
      }
    }
    [...]
  }
  rule {
    name = "conditions-on-rule-1-B"
    action {
      block {}
    }
    statement {
      label_match_statement {
        scope = "NAMESPACE"
        key   = "awswaf:111122223333:rulegroup:testRules:testNS1"
      }
    }
    [...]
  }
  [...]
}
```

Labels when used in aws_wafv2_web_acl

```hcl
# Assuming 111122223333 is the AWS account ID, mirroring [7].
resource "aws_wafv2_web_acl" "testAppWebACLA" {
  name = "testAppA"
  [...]
  default_action {
    allow {}
  }
  rule {
    name = "rule-2"
    [...]
    action {
      count {}
    }
    statement {
      [...]
    }
    label {
      label_name = "testNS2:testNestedNS2:label4" # outputs awswaf:111122223333:webacl:testApp:testNS2:testNestedNS2:label4
      label_name = "testNS2:label5"               # outputs awswaf:111122223333:webacl:testApp:testNS2:label5
      label_name = "label6"                       # outputs awswaf:111122223333:webacl:testApp:label6
    }
    [...]
  }
  rule {
    name = "conditions-on-rule-2-A"
    [...]
    action {
      count {}
    }
    statement {
      label_match_statement {
        scope = "LABEL"
        key   = "label6"
      }
    }
    [...]
  }
  rule {
    name = "conditions-on-rule-2-B"
    [...]
    action {
      count {}
    }
    statement {
      label_match_statement {
        scope = "NAMESPACE"
        key   = "awswaf:111122223333:webacl:testApp:testNS2"
      }
    }
    [...]
  }
  [...]
}
```

References

andyalm commented 3 years ago

I have started work on this here

bushong1 commented 3 years ago

Any word on this? Feels stalled despite a complete PR...

hatched-DavidMichon commented 3 years ago

Any progress on this? Waiting eagerly on this new statement support

hhamalai commented 3 years ago

Without this feature merged, we are required to run non-terraform tooling to set up these labels in order to filter log events from WAF request logs. Crucial feature when you're not willing to log everything, but only the traffic matching your WAF rules.

vat-gatepost-BARQUE commented 3 years ago

Any updates on this?

breathingdust commented 2 years ago

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

github-actions[bot] commented 2 years ago

This functionality has been released in v3.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
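The label flow described in the issue, written against the syntax that shipped, as an added example that is not code from this issue, its PR or the provider's own documentation. One rule tags requests with a label and a later rule in the same web ACL blocks on it, and the logging configuration keeps only the labelled requests (the use case raised in the thread). The web ACL, rule and label names, the `/admin` path and the Firehose stream are assumptions; the `rule_label`, `label_match_statement` and `logging_filter` / `label_name_condition` attribute names are taken as documented for the provider from v3.67.0 onward and should be checked against the docs for the version you run.

```hcl
# Added example (not the issue's or the provider's own code). Names, the /admin
# path and the Firehose stream are assumptions.
data "aws_caller_identity" "current" {}

locals {
  # AWS WAF prefixes every label a web ACL emits with awswaf:<account-id>:webacl:<web-acl-name>.
  # Keep "app" in sync with the web ACL name below.
  label_ns = "awswaf:${data.aws_caller_identity.current.account_id}:webacl:app"
}

resource "aws_wafv2_web_acl" "app" {
  name  = "app"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Rule 1 only labels. A count action never terminates evaluation, so rule 2 still runs;
  # an allow or block action here would add the label but stop before rule 2 could read it.
  rule {
    name     = "flag-admin-path"
    priority = 1
    action {
      count {}
    }
    statement {
      byte_match_statement {
        search_string         = "/admin"
        positional_constraint = "STARTS_WITH"
        field_to_match {
          uri_path {}
        }
        text_transformation {
          priority = 0
          type     = "LOWERCASE"
        }
      }
    }
    # Fully qualified name on the request: awswaf:<account-id>:webacl:app:suspicious:path
    rule_label {
      name = "suspicious:path"
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "flag-admin-path"
      sampled_requests_enabled   = true
    }
  }

  # Rule 2 has the higher priority number, so it runs after rule 1 and can see the label.
  # NAMESPACE scope matches every label under ...:suspicious, not just suspicious:path.
  rule {
    name     = "block-suspicious"
    priority = 2
    action {
      block {}
    }
    statement {
      label_match_statement {
        scope = "NAMESPACE"
        key   = "${local.label_ns}:suspicious"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-suspicious"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app"
    sampled_requests_enabled   = true
  }
}

# Log only requests carrying the label instead of everything the web ACL evaluates.
# The Firehose stream is assumed to exist elsewhere (its name must start with aws-waf-logs-).
resource "aws_wafv2_web_acl_logging_configuration" "app" {
  resource_arn            = aws_wafv2_web_acl.app.arn
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.waf.arn]

  logging_filter {
    default_behavior = "DROP"
    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"
      condition {
        label_name_condition {
          label_name = "${local.label_ns}:suspicious:path"
        }
      }
    }
  }
}
```

The ordering matters: labels are only visible to rules with a higher priority number than the rule that added them, and a terminating action (allow or block) on the labelling rule would stop evaluation before the label could be read. The logging filter uses the fully qualified label name because `label_name_condition` matches a whole label, whereas the `NAMESPACE` scope in rule 2 matches any label under that prefix.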

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.