Closed felipe88alves closed 1 year ago
Hey, I created a PR which I think is supposed to fix this issue? https://github.com/umotif-public/terraform-aws-waf-webaclv2/pull/95
Thanks @MatanHeledPort! Did you test the solution?
I was thinking of something similar to what's done with the cookies:

```hcl
for_each = contains(keys(match_pattern.value), "all") ? [lookup(match_pattern.value, "all")] : []
```
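To make the suggestion above concrete, here is an added example (not code from the module or from the linked PR) of how the `headers = { match_pattern = { all = {} } ... }` input shape from this thread can be rendered into the `aws_wafv2_web_acl` block syntax, following the key-presence convention used for cookies. The resource name, rule name and the `local.byte_match` input are constructed placeholders.

```hcl
locals {
  # Constructed input in the same shape as the scope_down_statement discussed in this issue.
  byte_match = {
    field_to_match = {
      headers = {
        match_pattern = {
          all = {}
        }
        match_scope       = "ALL"
        oversize_handling = "CONTINUE"
      }
    }
    positional_constraint = "CONTAINS"
    search_string         = "authorization"
    priority              = 0
    type                  = "NONE"
  }
}

resource "aws_wafv2_web_acl" "example" {
  name  = "example-headers-all" # placeholder
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "match-authorization-header" # placeholder
    priority = 1

    action {
      count {}
    }

    statement {
      byte_match_statement {
        positional_constraint = local.byte_match.positional_constraint
        search_string         = local.byte_match.search_string

        field_to_match {
          dynamic "headers" {
            for_each = contains(keys(local.byte_match.field_to_match), "headers") ? [local.byte_match.field_to_match.headers] : []
            content {
              match_scope       = headers.value.match_scope
              oversize_handling = headers.value.oversize_handling

              match_pattern {
                # "all" carries an empty map, so it has to be detected by key rather than
                # by value; if no block is emitted here the statement is empty and AWS
                # rejects it at apply time, which is the failure reported in this issue.
                dynamic "all" {
                  for_each = contains(keys(headers.value.match_pattern), "all") ? [lookup(headers.value.match_pattern, "all")] : []
                  content {}
                }
                included_headers = lookup(headers.value.match_pattern, "included_headers", null)
                excluded_headers = lookup(headers.value.match_pattern, "excluded_headers", null)
              }
            }
          }
        }

        text_transformation {
          priority = local.byte_match.priority
          type     = local.byte_match.type
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "match-authorization-header"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-headers-all"
    sampled_requests_enabled   = true
  }
}
```

`terraform plan` shows whether the `all {}` block is actually present in the rendered `match_pattern`; that is the quickest check that a `headers` match is not silently degenerating into an empty statement.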
Maybe keeping convention is better - I will change it to match cookies
For some reason it doesn't behave the same as cookies
Seems like this also happens with cookies
Seems like the problem is with your use of the statement block. Want to share your config here?
Would probably be good to add an example as well in https://github.com/umotif-public/terraform-aws-waf-webaclv2/blob/main/examples/wafv2-bytematch-rules/main.tf
Sure! This is the scope_down_statement:

```hcl
scope_down_statement = {
  and_statement = {
    statements = [
      {
        not_statement = {
          byte_match_statement = {
            field_to_match = {
              headers = {
                match_pattern = {
                  all = {}
                }
                match_scope       = "ALL"
                oversize_handling = "CONTINUE"
              }
            }
            positional_constraint = "CONTAINS"
            search_string         = "authorization"
            priority              = 0
            type                  = "NONE"
          }
        }
      },
      {
        not_statement = {
          byte_match_statement = {
            field_to_match = {
              uri_path = "{}"
            }
            positional_constraint = "EXACTLY"
            search_string         = "/"
            priority              = 0
            type                  = "NONE"
          }
        }
      }
    ]
  }
}
```
Working on an example as well
What initial statement is the scope_down_statement under? A rate_based_statement?

Something like this?

```hcl
rules = [
  {
    name     = "test_rule"
    priority = 1
    action   = "block"
    rate_based_statement = {
      limit              = 500000
      aggregate_key_type = "IP"
      scope_down_statement = {
        and_statement = {
          statements = [
            {
              not_statement = {
                byte_match_statement = {
                  field_to_match = {
                    headers = {
                      match_pattern = {
                        all = {}
                      }
                      match_scope       = "ALL"
                      oversize_handling = "CONTINUE"
                    }
                  }
                  positional_constraint = "CONTAINS"
                  search_string         = "authorization"
                  priority              = 0
                  type                  = "NONE"
                }
              }
            },
            {
              not_statement = {
                byte_match_statement = {
                  field_to_match = {
                    uri_path = "{}"
                  }
                  positional_constraint = "EXACTLY"
                  search_string         = "/"
                  priority              = 0
                  type                  = "NONE"
                }
              }
            }
          ]
        }
      }
    }
  }
]
```
Yes, exactly.

Edit: This is the full rules array:

```hcl
waf_rules = [
  {
    name            = "UnauthorizedRateLimit"
    priority        = "1"
    override_action = "count"
    visibility_config = {
      metric_name = "UnauthorizedRateLimit-metric"
    }
    rate_based_statement = {
      limit              = 5000
      aggregate_key_type = "IP"
      # Optional scope_down_statement to refine what gets rate limited
      scope_down_statement = {
        and_statement = {
          statements = [
            {
              not_statement = {
                byte_match_statement = {
                  field_to_match = {
                    headers = {
                      match_pattern = {
                        "all" = {}
                      }
                      match_scope       = "ALL"
                      oversize_handling = "CONTINUE"
                    }
                  }
                  positional_constraint = "CONTAINS"
                  search_string         = "authorization"
                  priority              = 0
                  type                  = "NONE"
                }
              }
            },
            {
              not_statement = {
                byte_match_statement = {
                  field_to_match = {
                    uri_path = "{}"
                  }
                  positional_constraint = "EXACTLY"
                  search_string         = "/"
                  priority              = 0
                  type                  = "NONE"
                }
              }
            }
          ]
        }
      }
    }
  }
]
```
Took a quick look here, seems like the problem is with the use of `override_action`. It is described as a dynamic field in the main.tf schema, whereas it is used as a normal var in the example. Replace `override_action = "count"` with `action = "count"` and it should work.
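The distinction behind this fix, shown as an added example in plain `aws_wafv2_web_acl` syntax (not the module's or the PR's code): a rule that carries its own statement, such as the rate limit in this thread, takes `action`, while `override_action` only applies to rules that reference a rule group. The ACL name and the managed rule group rule are placeholders added for contrast.

```hcl
resource "aws_wafv2_web_acl" "example" {
  name  = "example-action-vs-override" # placeholder
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # A rule with its own statement takes `action`; this mirrors the corrected
  # `action = "count"` rule from the thread.
  rule {
    name     = "UnauthorizedRateLimit"
    priority = 1

    action {
      count {}
    }

    statement {
      rate_based_statement {
        limit              = 5000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "UnauthorizedRateLimit-metric"
      sampled_requests_enabled   = true
    }
  }

  # A rule that references a rule group takes `override_action` instead; the
  # group's own rule actions decide the verdict unless overridden here. Added
  # only to show where `override_action` belongs.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet-metric"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-action-vs-override"
    sampled_requests_enabled   = true
  }
}
```

Setting `override_action` on a rule with a `rate_based_statement` leaves that rule without an `action`, which is why a wrapper that branches on the two fields can emit a statement AWS refuses to apply.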
Ok that seemed to do the trick! The change worked
When you get to merging LMK @felipe88alves
I don't have write access, but maybe @Ohid25 can help 👍
Can we please get some feedback on this PR? Really needing it to reduce some manual toil. Cheers
Feel free to use my forked PR branch. It's what I'm doing until this merges @felipe88alves
What is the current behavior? Applying a rule with the `field_to_match` set to `headers` will fail when the `match_pattern` is set to `all`.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem. The following rule will not fail a `plan`, but will produce an empty statement, which fails when running an `apply`.

What is the expected behavior? It should not produce an empty statement and should not fail an `apply`.

Software versions? umotif/terraform-aws-waf-webaclv2: v4.2.0, hashicorp/aws: v4.59.0