Merge pull request #29082 from hashicorp/b-wafv2-body-oversize-handling

wafv2/web_acl: Rule add body oversize_handling
hashicorp · Jan 25, 2023 · 94ef267 · 94ef267
2 parents b6e17f9 + 6ecfc62
commit 94ef267
Show file tree

Hide file tree

Showing 5 changed files with 284 additions and 126 deletions.
diff --git a/.changelog/29082.txt b/.changelog/29082.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+ resource/aws_wafv2_rule_group: Add `oversize_handling` argument to `body` block of the `field_to_match` block
+ ```
diff --git a/internal/service/wafv2/flex.go b/internal/service/wafv2/flex.go
@@ -423,7 +423,7 @@ func expandFieldToMatch(l []interface{}) *wafv2.FieldToMatch {
 	}
 
 	if v, ok := m["body"]; ok && len(v.([]interface{})) > 0 {
-		f.Body = &wafv2.Body{}
+		f.Body = expandBody(v.([]interface{}))
 	}
 
 	if v, ok := m["cookies"]; ok && len(v.([]interface{})) > 0 {
@@ -550,6 +550,22 @@ func expandJSONBody(l []interface{}) *wafv2.JsonBody {
 	return jsonBody
 }
 
+func expandBody(l []interface{}) *wafv2.Body {
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	m := l[0].(map[string]interface{})
+
+	body := &wafv2.Body{}
+
+	if v, ok := m["oversize_handling"].(string); ok && v != "" {
+		body.OversizeHandling = aws.String(v)
+	}
+
+	return body
+}
+
 func expandJSONMatchPattern(l []interface{}) *wafv2.JsonMatchPattern {
 	if len(l) == 0 || l[0] == nil {
 		return nil
@@ -1500,7 +1516,7 @@ func flattenFieldToMatch(f *wafv2.FieldToMatch) interface{} {
 	}
 
 	if f.Body != nil {
-		m["body"] = make([]map[string]interface{}, 1)
+		m["body"] = flattenBody(f.Body)
 	}
 
 	if f.Cookies != nil {
@@ -1611,6 +1627,18 @@ func flattenJSONBody(b *wafv2.JsonBody) interface{} {
 	return []interface{}{m}
 }
 
+func flattenBody(b *wafv2.Body) interface{} {
+	if b == nil {
+		return []interface{}{}
+	}
+
+	m := map[string]interface{}{
+		"oversize_handling": aws.StringValue(b.OversizeHandling),
+	}
+
+	return []interface{}{m}
+}
+
 func flattenJSONMatchPattern(p *wafv2.JsonMatchPattern) []interface{} {
 	if p == nil {
 		return []interface{}{}

diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go
@@ -347,7 +347,7 @@ func fieldToMatchBaseSchema() *schema.Resource {
 	return &schema.Resource{
 		Schema: map[string]*schema.Schema{
 			"all_query_arguments": emptySchema(),
-			"body":                emptySchema(),
+			"body":                bodySchema(),
 			"cookies":             cookiesSchema(),
 			"headers":             headersSchema(),
 			"json_body":           jsonBodySchema(),
@@ -734,6 +734,19 @@ func cookiesMatchPatternSchema() *schema.Schema {
 	}
 }
 
+func bodySchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		MaxItems: 1,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"oversize_handling": oversizeHandlingOptionalSchema(wafv2.OversizeHandlingContinue),
+			},
+		},
+	}
+}
+
 func oversizeHandlingOptionalSchema(defaultValue string) *schema.Schema {
 	return &schema.Schema{
 		Type:         schema.TypeString,

diff --git a/internal/service/wafv2/web_acl_test.go b/internal/service/wafv2/web_acl_test.go
@@ -1017,6 +1017,54 @@ func TestAccWAFV2WebACL_ByteMatchStatement_jsonBody(t *testing.T) {
 	})
 }
 
+func TestAccWAFV2WebACL_ByteMatchStatement_body(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v wafv2.WebACL
+	webACLName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_wafv2_web_acl.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t); testAccPreCheckScopeRegional(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, wafv2.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckWebACLDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWebACLConfig_byteMatchStatementBody(webACLName, wafv2.OversizeHandlingNoMatch),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWebACLExists(ctx, resourceName, &v),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)),
+					resource.TestCheckResourceAttr(resourceName, "name", webACLName),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
+						"statement.0.byte_match_statement.0.field_to_match.0.body.#":                   "1",
+						"statement.0.byte_match_statement.0.field_to_match.0.body.0.oversize_handling": "NO_MATCH",
+					}),
+				),
+			},
+			{
+				Config: testAccWebACLConfig_byteMatchStatementBody(webACLName, wafv2.OversizeHandlingContinue),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWebACLExists(ctx, resourceName, &v),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)),
+					resource.TestCheckResourceAttr(resourceName, "name", webACLName),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
+						"statement.0.byte_match_statement.0.field_to_match.0.body.#":                   "1",
+						"statement.0.byte_match_statement.0.field_to_match.0.body.0.oversize_handling": "CONTINUE",
+					}),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccWebACLImportStateIdFunc(resourceName),
+			},
+		},
+	})
+}
+
 func TestAccWAFV2WebACL_GeoMatch_basic(t *testing.T) {
 	ctx := acctest.Context(t)
 	var v wafv2.WebACL
@@ -2282,6 +2330,57 @@ resource "aws_wafv2_web_acl" "test" {
 `, name, matchScope, invalidFallbackBehavior, oversizeHandling, matchPattern)
 }
 
+func testAccWebACLConfig_byteMatchStatementBody(name, oversizeHandling string) string {
+	return fmt.Sprintf(`
+resource "aws_wafv2_web_acl" "test" {
+  name        = "%[1]s"
+  description = "%[1]s"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  rule {
+    name     = "rule-1"
+    priority = 1
+
+    action {
+      count {}
+    }
+
+    statement {
+      byte_match_statement {
+        field_to_match {
+          body {
+            oversize_handling = "%[2]s"
+          }
+        }
+        positional_constraint = "CONTAINS_WORD"
+        search_string         = "Buddy"
+        text_transformation {
+          priority = 0
+          type     = "NONE"
+        }
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = false
+      metric_name                = "friendly-rule-metric-name"
+      sampled_requests_enabled   = false
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+`, name, oversizeHandling)
+}
+
 func testAccWebACLConfig_geoMatchStatement(name, countryCodes string) string {
 	return fmt.Sprintf(`
 resource "aws_wafv2_web_acl" "test" {