hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_wafv2_rule_group missing rate_based_statement #21631

Closed ADF1111 closed 3 years ago

ADF1111 commented 3 years ago

Description

The resource aws_wafv2_rule_group is missing the option to implement rate_based_statement rules as described in the documentation. Because of that, it is not possible to implement a rate based rule when deploying AWS WAF Web ACLs with AWS Firewall Manager.

Potential Terraform Configuration

# Rule group intended for use from an AWS Firewall Manager WAF policy.
# CLOUDFRONT scope requires the provider to be configured in us-east-1.
resource "aws_wafv2_rule_group" "HTTPFlood_global" {
  name     = "${var.global_policy_name}-rate-based-HTTPFlood"
  scope    = "CLOUDFRONT"
  capacity = 100 # WCUs reserved for the group; must cover the rules below
  rule {
    name     = "HTTPGetFloodProtection"
    priority = 0

    action {
      block {}
    }

    statement {
      # Not accepted by the provider's rule_group schema at the time of the issue.
      rate_based_statement {
        limit              = 10000 # requests per source IP in WAF's 5-minute window
        aggregate_key_type = "IP"
        # Only requests matching the scope-down statement count toward the limit:
        # GET requests whose (lowercased, URL-decoded) path contains "login".
        scope_down_statement {
          and_statement {
            statement {
              byte_match_statement {
                search_string         = "login"
                positional_constraint = "CONTAINS"

                field_to_match {
                  uri_path {}
                }

                text_transformation {
                  priority = 0
                  type     = "LOWERCASE"
                }

                text_transformation {
                  priority = 1
                  type     = "URL_DECODE"
                }
              }
            }
            statement {
              byte_match_statement {
                search_string         = "get"
                positional_constraint = "EXACTLY"

                field_to_match {
                  method {}
                }

                text_transformation {
                  priority = 1
                  type     = "LOWERCASE"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "HTTPGetFloodProtection"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "HTTPFloodProtection_global"
    sampled_requests_enabled   = true
  }
}

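Added example, not from the issue or the provider's own code: the same per-IP limit on GET requests to a login path expressed on an aws_wafv2_web_acl, whose rule block did accept rate_based_statement (including scope_down_statement) in the provider at the time. This only helps where Terraform manages the web ACL directly; it does not solve the Firewall Manager case, which needs the statement inside a rule group. Resource and metric names are illustrative, and the default_action is an assumption about the surrounding policy.

```hcl
# Added example: rate-based rule attached directly to a web ACL.
# CLOUDFRONT scope requires the provider to be configured in us-east-1.
resource "aws_wafv2_web_acl" "http_flood_global" {
  name  = "rate-based-HTTPFlood" # illustrative name
  scope = "CLOUDFRONT"

  # Assumed policy: allow everything the rules below do not block.
  default_action {
    allow {}
  }

  rule {
    name     = "HTTPGetFloodProtection"
    priority = 0

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 10000 # requests per source IP per 5-minute window
        aggregate_key_type = "IP"

        # Count only GET requests whose normalized path contains "login".
        scope_down_statement {
          and_statement {
            statement {
              byte_match_statement {
                search_string         = "login"
                positional_constraint = "CONTAINS"

                field_to_match {
                  uri_path {}
                }

                # Normalize before matching so "/LOGIN" or "/%6Cogin" are caught.
                text_transformation {
                  priority = 0
                  type     = "LOWERCASE"
                }

                text_transformation {
                  priority = 1
                  type     = "URL_DECODE"
                }
              }
            }

            statement {
              byte_match_statement {
                search_string         = "get"
                positional_constraint = "EXACTLY"

                field_to_match {
                  method {}
                }

                text_transformation {
                  priority = 0
                  type     = "LOWERCASE"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "HTTPGetFloodProtection"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "HTTPFloodProtection_global"
    sampled_requests_enabled   = true
  }
}
```

Run `terraform validate` against the provider version in use to confirm the schema before planning; the rate_based_statement block is structurally identical to the one in the issue, so moving it back into aws_wafv2_rule_group once the provider supports it there is a copy of the same block.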
justinretzolk commented 3 years ago

Hey @ADF1111 👋 Thanks for taking the time to submit this issue. It looks like this is a duplicate of #20908. We like to try to keep discussions consolidated, so we’re going to close this new issue in favor of #20908.

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.