
Add AWS WAFv2 labels on web requests #19486

Closed
mcab opened this issue May 24, 2021 · 8 comments · Fixed by #19576
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Comments

@mcab

mcab commented May 24, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

A label is metadata that a rule can add to matching web requests. Rules can also match against labels when they inspect web requests. Labels allow a matching rule to communicate results to the rules that are evaluated later in the same web ACL.

(from [1])

This would allow for strings to be attached during requests matching certain rules. Additionally, this would allow for a LabelMatchStatement to be applied to rules (see [2]).

This allows for:

  • conditional matching from earlier rules based on additional criteria. Example: count and label all statements that match an xss_match_statement, allow those that match the label and an ip_set_reference_statement, block the rest.
  • conditional actions on requests that are labeled by AWS WAF bot control.
  • many other scenarios.

New or Affected Resource(s)

New:

  • label_match_statement (from [3]), underneath statement, as part of rule.
  • label / label_name (from [4]), underneath rule, as part of aws_wafv2_web_acl or aws_wafv2_rule_group.
    • To be consistent with aws_wafv2_web_acl_logging_configuration, it should be label_name.
  • Possibly label_summary (from [5]), as an attribute.

Affected:

Potential Terraform Configuration

Labels when used in aws_wafv2_rule_group
# Assuming 111122223333 is the AWS account ID, mirroring [7].

resource "aws_wafv2_rule_group" "testRules" {
  [...]

  rule {
    name = "rule-1"

    statement {
      [...]
    }

    # One label block per label (an attribute cannot repeat within a single HCL block).
    label {
      label_name = "testNS1:testNestedNS1:label1" # outputs awswaf:111122223333:rulegroup:testRules:testNS1:testNestedNS1:label1
    }
    label {
      label_name = "testNS1:label2" # outputs awswaf:111122223333:rulegroup:testRules:testNS1:label2
    }
    label {
      label_name = "label3" # outputs awswaf:111122223333:rulegroup:testRules:label3
    }

    [...]
  }

  rule {
    name = "conditions-on-rule-1-A"

    action {
      count {}
    }

    statement {
      label_match_statement {
        scope = "LABEL"
        key   = "label3"
      }
    }

    [...]
  }

  rule {
    name = "conditions-on-rule-1-B"

    action {
      block {}
    }

    statement {
      label_match_statement {
        scope = "NAMESPACE"
        key   = "awswaf:111122223333:rulegroup:testRules:testNS1"
      }
    }

    [...]
  }

  [...]
}
Labels when used in aws_wafv2_web_acl
# Assuming 111122223333 is the AWS account ID, mirroring [7].
# The web ACL's name ("testAppA") forms part of the label namespace.

resource "aws_wafv2_web_acl" "testAppWebACLA" {
  name = "testAppA"
  [...]

  default_action {
    allow {}
  }

  rule {
    name = "rule-2"
    [...]

    action {
      count {}
    }

    statement {
      [...]
    }

    # One label block per label (an attribute cannot repeat within a single HCL block).
    label {
      label_name = "testNS2:testNestedNS2:label4" # outputs awswaf:111122223333:webacl:testAppA:testNS2:testNestedNS2:label4
    }
    label {
      label_name = "testNS2:label5" # outputs awswaf:111122223333:webacl:testAppA:testNS2:label5
    }
    label {
      label_name = "label6" # outputs awswaf:111122223333:webacl:testAppA:label6
    }

    [...]
  }

  rule {
    name = "conditions-on-rule-2-A"
    [...]

    action {
      count {}
    }

    statement {
      label_match_statement {
        scope = "LABEL"
        key   = "label6"
      }
    }

    [...]
  }

  rule {
    name = "conditions-on-rule-2-B"
    [...]

    action {
      count {}
    }

    statement {
      label_match_statement {
        scope = "NAMESPACE"
        key   = "awswaf:111122223333:webacl:testAppA:testNS2"
      }
    }

    [...]
  }

  [...]
}

References

@mcab mcab added the enhancement Requests to existing resources that expand the functionality or scope. label May 24, 2021
@ghost ghost added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label May 24, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 24, 2021
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label May 24, 2021
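The scenario sketched in the issue description (count and label XSS matches, allow the labeled requests that also come from a trusted IP set, block the rest) written out as a complete web ACL. This is an added example, not configuration from the issue author or the provider's own documentation. It uses the `rule_label` and `label_match_statement` blocks the provider documents for `aws_wafv2_web_acl` (the shape the released feature ended up with) rather than the `label { label_name = ... }` shape proposed above. The resource names, the `xss-suspect` label, the `203.0.113.0/24` range and the REGIONAL scope are assumptions chosen for illustration.

```hcl
# Trusted source addresses (TEST-NET-3 used as a constructed placeholder).
resource "aws_wafv2_ip_set" "trusted" {
  name               = "trusted-scanners"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"]
}

resource "aws_wafv2_web_acl" "xss_labels" {
  name  = "xss-label-demo"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Rule 1: COUNT (not block) XSS matches and tag the request. A label is only
  # visible to rules evaluated later, i.e. with a higher priority number.
  rule {
    name     = "tag-xss"
    priority = 1
    action {
      count {}
    }
    statement {
      xss_match_statement {
        field_to_match {
          body {}
        }
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }
    # Fully qualified at evaluation time as awswaf:<account-id>:webacl:xss-label-demo:xss-suspect
    rule_label {
      name = "xss-suspect"
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "tag-xss"
      sampled_requests_enabled   = true
    }
  }

  # Rule 2: labeled requests from the trusted set are allowed; evaluation stops here.
  rule {
    name     = "allow-labeled-from-trusted"
    priority = 2
    action {
      allow {}
    }
    statement {
      and_statement {
        statement {
          label_match_statement {
            scope = "LABEL"
            key   = "xss-suspect" # an unqualified key matches the end of the label name
          }
        }
        statement {
          ip_set_reference_statement {
            arn = aws_wafv2_ip_set.trusted.arn
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-labeled-from-trusted"
      sampled_requests_enabled   = true
    }
  }

  # Rule 3: every labeled request that reached this point is blocked.
  rule {
    name     = "block-labeled"
    priority = 3
    action {
      block {}
    }
    statement {
      label_match_statement {
        scope = "LABEL"
        key   = "xss-suspect"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-labeled"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "xss-label-demo"
    sampled_requests_enabled   = true
  }
}
```

The ordering is the point: rule 1 must use `count` so that evaluation continues and the label is available to rules 2 and 3, and the allow rule must sit before the block rule, since the first terminating action wins. Swapping priorities 2 and 3 would block trusted sources as well.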
@andyalm
Contributor

andyalm commented May 28, 2021

I have started work on this here

@bushong1

bushong1 commented Aug 9, 2021

Any word on this? Feels stalled despite a complete PR...

@hatched-DavidMichon

Any progress on this? Waiting eagerly on this new statement support

@hhamalai
Contributor

Without this feature merged, we are required to run non-Terraform tooling to set up these labels in order to filter log events from WAF request logs. Crucial feature when you're not willing to log everything, but only the traffic matching your WAF rules.
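The log-filtering use case mentioned in the comment above, as an added example that is not part of the thread and not the commenter's own configuration. It uses the `logging_filter` block the provider documents for `aws_wafv2_web_acl_logging_configuration`, keeping only records that carry a given label or were blocked and dropping everything else. The account ID `111122223333` from the issue, the web ACL name `xss-label-demo`, the `xss-suspect` label, the `web_acl_arn` variable and the log group name are assumptions.

```hcl
# ARN of the web ACL whose traffic should be logged (supplied by the caller; assumed).
variable "web_acl_arn" {
  type        = string
  description = "ARN of an existing aws_wafv2_web_acl"
}

# WAF log destinations must be named with the aws-waf-logs- prefix.
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-xss-label-demo"
  retention_in_days = 30
}

resource "aws_wafv2_web_acl_logging_configuration" "filtered" {
  resource_arn            = var.web_acl_arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  logging_filter {
    # Drop every record that no filter keeps, so only interesting traffic is stored.
    default_behavior = "DROP"

    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY" # either condition below is enough to keep the record

      # Label conditions need the fully qualified label name, prefix included.
      condition {
        label_name_condition {
          label_name = "awswaf:111122223333:webacl:xss-label-demo:xss-suspect"
        }
      }

      condition {
        action_condition {
          action = "BLOCK"
        }
      }
    }
  }
}
```

With `default_behavior = "DROP"`, anything the web ACL allowed without labeling never reaches the log group; if a label is renamed in the web ACL, the fully qualified name here has to change with it or those records silently stop being kept.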

@vat-gatepost-BARQUE

Any updates on this?

@breathingdust
Member

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue, a maintainer will review and either make changes directly or work with the original author to get the contribution merged. If you have written a PR to resolve the issue, please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

@breathingdust breathingdust added this to the Roadmap milestone Nov 10, 2021
@github-actions github-actions bot modified the milestones: Roadmap, v3.67.0 Nov 22, 2021
@github-actions

github-actions bot commented Dec 1, 2021

This functionality has been released in v3.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 27, 2022