Added support for Regex Match Statements (umotif-public#63)

* Added support for Regex Match Statements * Lint and other fixes Co-authored-by: Tomasz Rychlewicz <tomasz.rychlewicz@explaineverything.com>
DugeraProve · Jan 25, 2023 · e617afd · e617afd
1 parent 18432c4
commit e617afd
Show file tree

Hide file tree

Showing 22 changed files with 1,561 additions and 210 deletions.
diff --git a/.github/workflows/test.yaml.disabled b/.github/workflows/test.yaml.disabled
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.2.0
+  rev: v4.4.0
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']
@@ -18,7 +18,7 @@ repos:
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.71.0
+  rev: v1.77.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs

diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ Supported WAF v2 components:
 - Logical Statements (AND, OR, NOT)
 - Size constraint statements
 - Label Match statements
+- Regex Match statements
 - Regex Pattern Match statements
 - Custom responses
 
@@ -217,6 +218,28 @@ module "waf" {
         }
       }
     },
+    ### Regex Match Rule example
+    {
+      name     = "RegexMatchRule-9"
+      priority = "9"
+
+      action = "allow"
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = false
+        metric_name                = "RegexMatchRule-metric"
+        sampled_requests_enabled   = false
+      }
+
+      byte_match_statement = {
+          field_to_match = {
+            uri_path = "{}"
+          }
+          regex_string         = "/foo/"
+          priority              = 0
+          type                  = "NONE"
+        }
+    },
     ### Size constraint Rule example
     # Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#size-constraint-statement
     # for all of the options available.

diff --git a/examples/core/main.tf b/examples/core/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-and-or-rules/main.tf b/examples/wafv2-and-or-rules/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-bytematch-rules/main.tf b/examples/wafv2-bytematch-rules/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-custom-json-response-managed-rule-group/main.tf b/examples/wafv2-custom-json-response-managed-rule-group/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-custom-response-code/main.tf b/examples/wafv2-custom-response-code/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-custom-response/main.tf b/examples/wafv2-custom-response/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-geo-rules/main.tf b/examples/wafv2-geo-rules/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-ip-rules/main.tf b/examples/wafv2-ip-rules/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-labelmatch-rules/main.tf b/examples/wafv2-labelmatch-rules/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-logging-configuration/main.tf b/examples/wafv2-logging-configuration/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-regex-pattern-rules/main.tf b/examples/wafv2-regex-pattern-rules/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }

diff --git a/examples/wafv2-regexmatch-rules/main.tf b/examples/wafv2-regexmatch-rules/main.tf
@@ -0,0 +1,57 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}
+#####
+# Web Application Firewall configuration
+#####
+module "waf" {
+  source = "../.."
+
+  name_prefix = var.name_prefix
+
+  allow_default_action = true
+
+  scope = "REGIONAL"
+
+  create_alb_association = false
+
+  visibility_config = {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "${var.name_prefix}-waf-setup-waf-main-metrics"
+    sampled_requests_enabled   = false
+  }
+
+  rules = [
+    {
+      name     = "block-some-path"
+      priority = "1"
+      action   = "block"
+
+      regex_match_statement = {
+        field_to_match = {
+          uri_path = "{}"
+        }
+        regex_string = "^/(path1|path2)/"
+        priority     = 0
+        type         = "NONE"
+      }
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = false
+        sampled_requests_enabled   = false
+      }
+    }
+  ]
+
+  tags = {
+    "Environment" = "test"
+  }
+}
diff --git a/examples/wafv2-regexmatch-rules/outputs.tf b/examples/wafv2-regexmatch-rules/outputs.tf
@@ -0,0 +1,24 @@
+output "web_acl_name" {
+  description = "The name of the WAFv2 WebACL."
+  value       = module.waf.web_acl_name
+}
+
+output "web_acl_arn" {
+  description = "The ARN of the WAFv2 WebACL."
+  value       = module.waf.web_acl_arn
+}
+
+output "web_acl_capacity" {
+  description = "The web ACL capacity units (WCUs) currently being used by this web ACL."
+  value       = module.waf.web_acl_capacity
+}
+
+output "web_acl_visibility_config_name" {
+  description = "The web ACL visibility config name"
+  value       = module.waf.web_acl_visibility_config_name
+}
+
+output "web_acl_rule_names" {
+  description = "List of created rule names"
+  value       = module.waf.web_acl_rule_names
+}
diff --git a/examples/wafv2-regexmatch-rules/variables.tf b/examples/wafv2-regexmatch-rules/variables.tf
@@ -0,0 +1,5 @@
+variable "name_prefix" {
+  description = "A prefix used for naming resources."
+  type        = string
+  default     = "example"
+}
diff --git a/examples/wafv2-sizeconstraint-rules/main.tf b/examples/wafv2-sizeconstraint-rules/main.tf
@@ -1,3 +1,11 @@
+terraform {
+  required_version = ">= 0.13.7"
+
+  required_providers {
+    aws = ">= 4.0.0"
+  }
+}
+
 provider "aws" {
   region = "eu-west-1"
 }