
Releases: cloudposse/terraform-aws-waf

v1.8.0

23 Jul 21:52
Feature-Add_enable_machine_learning_bot_control @jgalais (#91)

Hello,

what

  • I added the "enable_machine_learning" argument inside the "aws_managed_rules_bot_control_rule_set" config

why

  • I added this argument to avoid an idempotency problem when using the "COMMON" inspection level.

regards,
Jgalais

v1.7.2

18 Jul 01:27

🚀 Enhancements

Fix `scope_down_statement` Rules @RoseSecurity (#90)

what

  • Fix text_transformation errors by fixing dynamic references
  • Update documentation and variable to support more complex structure
  • Provide a parameter for an evaluation_window_sec, which is the amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.
  • Update examples with scope_down_statement rules to ensure test coverage

[Screenshots: "Rate Limit Rule Example" and "scoped_rule"]

why

  • Enhance the reliability, functionality, and features of the waf module

testing

Utilized the following example Atmos component:

        rate_based_statement_rules:
          - name: "scoped-rate-limit"
            action: "block"
            priority: 10
            statement:
              limit: 1000
              aggregate_key_type: "IP"
              evaluation_window_sec: 300
              scope_down_statement:
                byte_match_statement:
                  field_to_match:
                    uri_path: true
                  positional_constraint: "STARTS_WITH"
                  search_string: "/test"
                  text_transformation:
                    - priority: 0
                      type: "NONE"

Which resulted in the following Terraform plan and apply:

      + rule {
          + name     = "scoped-rate-limit"
          + priority = 10

          + action {
              + block {
                }
            }

          + statement {
              + rate_based_statement {
                  + aggregate_key_type    = "IP"
                  + evaluation_window_sec = 300
                  + limit                 = 1000

                  + scope_down_statement {
                      + byte_match_statement {
                          + positional_constraint = "STARTS_WITH"
                          + search_string         = "/test"

                          + field_to_match {
                              + uri_path {}
                            }

                          + text_transformation {
                              + priority = 0
                              + type     = "NONE"
                            }
                        }
                    }
                }
            }

And Terratest output:

TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:           + statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:               + rate_based_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + aggregate_key_type    = "IP"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + evaluation_window_sec = 300
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + limit                 = 100
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + scope_down_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                       + byte_match_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + positional_constraint = "STARTS_WITH"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + search_string         = "example-scope-down-statement"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + field_to_match {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + uri_path {}
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                             }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + text_transformation {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + priority = 40
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + type     = "NONE"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                             }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                         }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                     }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                 }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:             }

references

🤖 Automatic Updates

Update .github/settings.yml @osterman (#89)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

v1.7.1

10 Jul 03:44
d69dd89

🚀 Enhancements

Fix Scope Down Statement Rule @RoseSecurity (#88)

what

  • Corrects byte_match_statement handling within scope-down rules to accurately query scope_down_statement parameters instead of the statement parameters

why

  • The current configuration produces the following error when correct variables are passed into the module:
│ Error: Insufficient text_transformation blocks

│   on .terraform/dev/modules/aws_waf/rules.tf line 756, in resource "aws_wafv2_web_acl" "default":
│  756:                   content {

│ At least 1 "text_transformation" blocks are required.


│ Error: Unsupported attribute

│   on .terraform/dev/modules/aws_waf/rules.tf line 757, in resource "aws_wafv2_web_acl" "default":
│  757:                     positional_constraint = byte_match_statement.value.positional_constraint
│     ├────────────────
│     │ byte_match_statement.value is object with 4 attributes

│ This object does not have an attribute named "positional_constraint".


│ Error: Unsupported attribute

│   on .terraform/dev/modules/aws_waf/rules.tf line 758, in resource "aws_wafv2_web_acl" "default":
│  758:                     search_string         = byte_match_statement.value.search_string
│     ├────────────────
│     │ byte_match_statement.value is object with 4 attributes

│ This object does not have an attribute named "search_string".

Releasing state lock. This may take a few moments...
exit status 1
  • To correct this, this change proposes to use the proper parameters, allowing for the following values to be passed to the module:
      scope_down_statement = optional(object({
        byte_match_statement = object({
          positional_constraint = string
          search_string         = string
          field_to_match = object({
            all_query_arguments   = optional(bool)
            body                  = optional(bool)
            method                = optional(bool)
            query_string          = optional(bool)
            single_header         = optional(object({ name = string }))
            single_query_argument = optional(object({ name = string }))
            uri_path              = optional(bool)
          })
          text_transformation = list(object({
            priority = number
            type     = string
          }))
        })
      }))

v1.7.0

26 Jun 20:04
f4f8031
Add `scope_down_statement` Support @RoseSecurity (#87)

what

AWS highly recommends safeguarding against HTTP request floods; they advise implementing two rate limiting rules for web traffic. The initial rule employs AWS WAF's rate-based rules to automatically block IP addresses of malicious actors if the number of requests in a 5-minute sliding window surpasses a predefined threshold. The second rule focuses on a more detailed approach, allowing for targeted blocking. This is achieved by using scope_down_statements to refine the criteria for blocking, enhancing the precision of the defense mechanism.

why

  • Adds scope_down_statements with byte matching support

references
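Added example (not code from the module or its authors): a Python model of how the rate-based rule with a `scope_down_statement` described in the v1.7.0 and v1.7.2 notes counts requests, using the example's values (limit 1000, aggregate by IP, 300-second window, URI path STARTS_WITH "/test"). It approximates AWS WAF's documented semantics, where only in-scope requests count toward the per-key limit; the client IPs and paths are constructed sample input, and real AWS WAF evaluates counts periodically rather than per request.

```python
from collections import defaultdict, deque

# Constructed model of the rule from the v1.7.2 Atmos example; it is an
# approximation of AWS WAF's counting semantics, not AWS's implementation.
LIMIT = 1000                 # statement.limit
WINDOW_SEC = 300             # statement.evaluation_window_sec
SCOPE_DOWN_PREFIX = "/test"  # byte_match_statement STARTS_WITH on uri_path


class ScopedRateRule:
    def __init__(self, limit=LIMIT, window_sec=WINDOW_SEC, prefix=SCOPE_DOWN_PREFIX):
        self.limit = limit
        self.window = window_sec
        self.prefix = prefix
        # aggregation key (client IP) -> timestamps of in-scope requests
        self._hits = defaultdict(deque)

    def in_scope(self, uri_path):
        # text_transformation NONE: compare the raw path against the prefix
        return uri_path.startswith(self.prefix)

    def evaluate(self, ts, client_ip, uri_path):
        """Return 'block' or 'allow' for one request at time ts (seconds)."""
        if not self.in_scope(uri_path):
            return "allow"  # out-of-scope requests neither count nor get blocked
        q = self._hits[client_ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # drop hits outside the window
            q.popleft()
        return "block" if len(q) > self.limit else "allow"


def demo():
    rule = ScopedRateRule()
    ip = "198.51.100.7"  # constructed sample client (RFC 5737 range)
    in_scope = [rule.evaluate(i * 0.1, ip, "/test/login") for i in range(1001)]
    return {
        "first_1000_blocked": in_scope[:1000].count("block"),  # 0: within limit
        "request_1001": in_scope[1000],                        # "block": over limit
        "out_of_scope": rule.evaluate(101.0, ip, "/static/app.js"),   # "allow"
        "other_ip": rule.evaluate(101.0, "203.0.113.9", "/test/login"),  # "allow"
        "after_window": rule.evaluate(1000.0, ip, "/test/login"),     # "allow"
    }
```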

v1.6.0

19 Jun 23:54
eb8dc41
feat: add a custom response body for the default block action @shashimal (#79)

what

Add a response body for the default blocked action by choosing from the existing custom response bodies.

why

Sometimes, users may want to display a custom response message for the default blocked action.

references

🤖 Automatic Updates

Update release workflow to allow pull-requests: write @osterman (#82)

what

  • Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release

Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#80)

what

  • Update workflows (.github/workflows) to use shared workflows from .github repo

why

  • Reduce nested levels of reusable workflows

v1.5.0

08 May 13:31
81fb7e0
fix content_type in aws_wafv2_web_acl to use correct map value @hostekevin (#57)

what

Fixed a typo in aws_wafv2_web_acl resource: changed content_type assignment.

why

Corrects content_type mapping to use the appropriate value.

references

Minor fix, no related GitHub issue.

🤖 Automatic Updates

Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#76)

what

  • Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures

Update GitHub workflows @osterman (#73)

what

  • Update workflows (.github/workflows/settings.yaml)

why

  • Support new readme generation workflow.
  • Generate banners

Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#70)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration

chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.56.3 in /test/src @dependabot (#67)

Bumps google.golang.org/grpc from 1.51.0 to 1.56.3.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.56.3

Security

  • server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)

    In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

Release 1.56.2

  • status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.56.1

  • client: handle empty address lists correctly in addrConn.updateAddrs

Release 1.56.0

New Features

  • client: support channel idleness using WithIdleTimeout dial option (#6263)
    • This feature is currently disabled by default, but will be enabled with a 30 minute default in the future.
  • client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY (gRFC A62) (#6306)
  • xds: Add support for Custom LB Policies (gRFC A52) (#6224)
  • xds: support pick_first Custom LB policy (gRFC A62) (#6314) (#6317)
  • client: add support for pickfirst address shuffling (gRFC A62) (#6311)
  • xds: Add support for String Matcher Header Matcher in RDS (#6313)
  • xds/outlierdetection: Add Channelz Logger to Outlier Detection LB (#6145)
  • xds: enable RLS in xDS by default (#6343)
  • orca: add support for application_utilization field and missing range checks on several metrics setters
  • balancer/weightedroundrobin: add new LB policy for balancing between backends based on their load reports (gRFC A58) (#6241)
  • authz: add conversion of json to RBAC Audit Logging config (#6192)
  • authz: add support for stdout logger (#6230 and #6298)
  • authz: support customizable audit functionality for authorization policy (#6192 #6230 #6298 #6158 #6304 and #6225)

Bug Fixes

  • orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 (#6245)
  • xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults (#6361)
  • xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() (#6361)

API Changes

  • orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption (#6223)

Release 1.55.1

  • status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.55.0

Behavior Changes

  • xds: enable federation support by default (#6151)
  • status: status.Code and status.FromError handle wrapped errors (#6031 and #6150)

... (truncated)

Commits
  • 1055b48 Update version.go to 1.56.3 (#6713)
  • 5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
  • bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
  • faab873 Update version.go to v1.56.2 (#6432)
  • 6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
  • ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
  • cd6a794 Update version.go to v1.56.2-dev (#6387)
  • 5b67e5e Update version.go to v1.56.1 (#6386)
  • d0f5150 client: handle empty address lists correctly in addrConn.updateAddrs (#6354) ...
  • 997c1ea Change version to 1.56.1-dev (#6345)
  • Additional commits viewable in compare view


v1.4.0

06 Feb 03:04
e77248a
feat: adds `geo_allowlist_statement_rules` action @queue-tip (#59)

what

This adds an action parameter to geo_allowlist_statement_rules objects, replacing the currently-default block action.

why

This is useful for metrics collection on the geo allowlist statements

To allow the user to choose either of the following actions

  • block
  • count

references

closes #58

v1.3.0

04 Oct 15:34
2935cd6
Add default block response to the `default block` block @mfuhrmeisterDM (#54)

what

We want to be able to set the default response header for the default action if this is set to block.

why

We face the problem that without a default response code some requests are not blocked. Even if AWS says that the default is 403.
We solved this by setting the response code manually to 403.

references

v1.2.0

04 Sep 18:44
9b270d2
Add `managed_rule_group_configs` and `rule_action_override`. Update variables. Update examples and tests @aknysh (#52)

what

  • Add managed_rule_group_configs and rule_action_override
  • Update variables
  • Update examples and tests

why

  • managed_rule_group_configs is supported by Managed Rule Groups WAF rules, but was not implemented before
  • rule_action_override is supported by Managed Rule Groups and Rule Group Reference WAF rules, but was not implemented before
  • Update variables to use list(object) types instead of list(any) to reduce misconfiguration errors
  • Update examples to show how to configure managed_rule_group_configs and rule_action_override for Managed Rule Groups WAF rules

references

v1.1.0

17 Aug 23:48
330f9f1
Feature/add ipset support @Sytten (#50)

what

  • Add ip_set variable in ip_set_reference_statement_rules to create IP Set automatically

why

  • If the IP set is not shared, there is no need to have it separate from the WAF module
  • It allows a user of atmos to continue defining all their rules in yaml, otherwise they have to use tf code to forward the ARN to this module