umotif-public / terraform-aws-waf-webaclv2

Terraform module to configure WAF V2 Web ACL with managed rules for Application Load Balancer
https://registry.terraform.io/modules/umotif-public/waf-webaclv2/aws

Allow OR statement inside AND statement #96

Closed reloadedd closed 1 year ago

reloadedd commented 1 year ago

Description

Hi,

I faced the issue where I couldn't add an OR statement inside an AND statement. And seeing issue #61, it seems that I'm not the only one.

This PR adds the OR statement (the code was copied from the original OR statement) inside all ANDs that I could find in the code. Some ANDs do not support the NOT clause in the OR; therefore, I've removed it.

╷
│ Error: Unsupported block type
│
│   on umotif-public/main.tf line 1451, in resource "aws_wafv2_web_acl" "main":
│ 1451:                                 dynamic "not_statement" {
│
│ Blocks of type "not_statement" are not expected here.
╵

I've tested the module on my particular use case (a redirect) and it seems to work, looking at the plan output.

 + rule {
          + name     = "<whatever>"
          + priority = 7

          + action {

              + block {
                }
            }

          + statement {

              + rate_based_statement {
                  + aggregate_key_type = "IP"
                  + limit              = 123

                  + scope_down_statement {
                      + and_statement {
                          + statement {

                              + or_statement {
                                  + statement {
                                      + byte_match_statement {
                                          + positional_constraint = "EXACTLY"
                                          + search_string         = "some.url.com"

                                          + field_to_match {

                                              + single_header {
                                                  + name = "host"
                                                }
                                            }

                                          + text_transformation {
                                              + priority = 0
                                              + type     = "NONE"
                                            }
                                        }
                                    }
                                  + statement {
                                      + byte_match_statement {
                                          + positional_constraint = "EXACTLY"
                                          + search_string         = "some.other.url.com"

                                          + field_to_match {
                                              + single_header {
                                                  + name = "host"
                                                }
                                            }

                                          + text_transformation {
                                              + priority = 0
                                              + type     = "NONE"
                                            }
                                        }
                                    }
                                }
                            }
                          + statement {

                              + byte_match_statement {
                                  + positional_constraint = "STARTS_WITH"
                                  + search_string         = "/<whatever>"

                                  + field_to_match {

                                      + uri_path {}
                                    }

                                  + text_transformation {
                                      + priority = 0
                                      + type     = "NONE"
                                    }
                                }
                            }
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "<whatever>-metric"
              + sampled_requests_enabled   = true
            }
        }

Please review. Thanks.
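
As an added illustration (not the module's or AWS's code), the following evaluator applies the planned scope_down_statement, an or_statement nested inside an and_statement, to constructed requests, so you can check which requests a rate-based rule like the one above would count toward the per-IP limit. The dict shape with a "statements" list is an assumption of this example, standing in for the repeated `statement` blocks in the plan.

```python
# Added example (not the module's code): evaluates the planned scope_down_statement
# (or_statement nested inside and_statement) against constructed requests.
# Only the statement types seen in this thread are modelled: and/or/not, and
# byte_match on single_header / uri_path with EXACTLY or STARTS_WITH.

def byte_match(stmt, request):
    """Mirror byte_match_statement for the field types used in the plan."""
    field = stmt["field_to_match"]
    if "single_header" in field:
        # HTTP header names are case-insensitive; normalise before lookup.
        headers = {k.lower(): v for k, v in request["headers"].items()}
        value = headers.get(field["single_header"]["name"].lower(), "")
    elif "uri_path" in field:
        value = request["uri_path"]
    else:
        raise ValueError("unsupported field_to_match")
    needle = stmt["search_string"]
    constraint = stmt["positional_constraint"]
    if constraint == "EXACTLY":
        return value == needle
    if constraint == "STARTS_WITH":
        return value.startswith(needle)
    raise ValueError(f"unsupported positional_constraint {constraint}")

def evaluate(statement, request):
    """Recursively evaluate a nested WAFv2 statement tree."""
    if "and_statement" in statement:
        return all(evaluate(s, request) for s in statement["and_statement"]["statements"])
    if "or_statement" in statement:
        return any(evaluate(s, request) for s in statement["or_statement"]["statements"])
    if "not_statement" in statement:
        return not evaluate(statement["not_statement"]["statement"], request)
    if "byte_match_statement" in statement:
        return byte_match(statement["byte_match_statement"], request)
    raise ValueError("unsupported statement")

def host_is(name):
    """Constructed byte_match on the Host header, as in the plan output."""
    return {"byte_match_statement": {"positional_constraint": "EXACTLY", "search_string": name,
                                     "field_to_match": {"single_header": {"name": "host"}}}}

# Scope-down from the plan: (host == a OR host == b) AND uri_path starts with /<whatever>
SCOPE_DOWN = {"and_statement": {"statements": [
    {"or_statement": {"statements": [host_is("some.url.com"), host_is("some.other.url.com")]}},
    {"byte_match_statement": {"positional_constraint": "STARTS_WITH", "search_string": "/<whatever>",
                              "field_to_match": {"uri_path": {}}}},
]}}

def counted_by_rate_limit(request):
    """True when the request is inside the scope-down and so counts toward the IP's limit."""
    return evaluate(SCOPE_DOWN, request)
```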

Ohid25 commented 1 year ago

Thank you for your contribution! This is now released as a part of 4.4.0.