Merge pull request #14902 from terraform-providers/f-ipsetforwardedip…
…config-for-ipsetrefstatement

resource/wafv2_web_acl and wafv2_rule_group: support for IPSetForwardedIPConfig in IPSetReferenceStatement
anGie44 authored Aug 31, 2020
2 parents f86b399 + e25179e commit e752f91
Showing 5 changed files with 484 additions and 2 deletions.
149 changes: 149 additions & 0 deletions aws/resource_aws_wafv2_rule_group_test.go
@@ -793,6 +793,84 @@ func TestAccAwsWafv2RuleGroup_IpSetReferenceStatement(t *testing.T) {
Steps: []resource.TestStep{
{
Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement(ruleGroupName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"statement.#": "1",
"statement.0.ip_set_reference_statement.#": "1",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "0",
}),
tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{
"statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`),
}),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateIdFunc: testAccAwsWafv2RuleGroupImportStateIdFunc(resourceName),
},
},
})
}

func TestAccAwsWafv2RuleGroup_IpSetReferenceStatement_IPSetForwardedIPConfig(t *testing.T) {
var v wafv2.RuleGroup
ruleGroupName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_wafv2_rule_group.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAwsWafv2RuleGroupDestroy,
Steps: []resource.TestStep{
{
Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(ruleGroupName, "MATCH", "X-Forwarded-For", "FIRST"),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"statement.#": "1",
"statement.0.ip_set_reference_statement.#": "1",
}),
tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{
"statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`),
}),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "MATCH",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "X-Forwarded-For",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "FIRST",
}),
),
},
{
Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(ruleGroupName, "NO_MATCH", "X-Forwarded-For", "LAST"),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"statement.#": "1",
"statement.0.ip_set_reference_statement.#": "1",
}),
tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{
"statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`),
}),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "NO_MATCH",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "X-Forwarded-For",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "LAST",
}),
),
},
{
Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(ruleGroupName, "MATCH", "Updated", "ANY"),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
@@ -804,6 +882,28 @@ func TestAccAwsWafv2RuleGroup_IpSetReferenceStatement(t *testing.T) {
tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{
"statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`),
}),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "MATCH",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "Updated",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "ANY",
}),
),
},
{
Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement(ruleGroupName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"statement.#": "1",
"statement.0.ip_set_reference_statement.#": "1",
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "0",
}),
tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{
"statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`),
}),
),
},
{
Expand Down Expand Up @@ -2098,6 +2198,55 @@ resource "aws_wafv2_rule_group" "test" {
`, name, name)
}

func testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(name, fallbackBehavior, headerName, position string) string {
return fmt.Sprintf(`
resource "aws_wafv2_ip_set" "test" {
name = "ip-set-%[1]s"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = ["1.1.1.1/32", "2.2.2.2/32"]
}
resource "aws_wafv2_rule_group" "test" {
capacity = 5
name = "%[1]s"
scope = "REGIONAL"
rule {
name = "rule-1"
priority = 1
action {
allow {}
}
statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.test.arn
ip_set_forwarded_ip_config {
fallback_behavior = "%[2]s"
header_name = "%[3]s"
position = "%[4]s"
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
`, name, fallbackBehavior, headerName, position)
}

func testAccAwsWafv2RuleGroupConfig_GeoMatchStatement(name string) string {
return fmt.Sprintf(`
resource "aws_wafv2_rule_group" "test" {
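Review bot: The fixture added in the last hunk (`testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig`) puts forwarded-IP matching under an `allow {}` action, and the first test step drives it with `fallback_behavior = "MATCH"` and `position = "FIRST"` on `X-Forwarded-For`. That header is client-supplied unless a trusted proxy in front of the WAF rewrites it, and with `MATCH` a request that carries no valid address in the inspected position is treated as matching, so the same shape in a real rule group would fail open. Nothing is exposed by the test itself, but acceptance fixtures tend to be copied into real configurations; I would add a comment above the nested block, e.g. `# test-only values: X-Forwarded-For is client-controlled, and MATCH on an allow rule fails open`, or switch the fixture's action to `block {}`. The visible steps also exercise only accepted values; whether invalid `fallback_behavior` or `position` strings are rejected at plan time is not shown here and may deserve an `ExpectError` step.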