hashicorp · ewbankkit · Jun 27, 2022 · Nov 13, 2021 · Jun 27, 2022 · Jun 27, 2022
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_wafv2_web_acl: Add `rule.action.captcha` argument
+```
@@ -80,6 +80,10 @@ func expandRuleAction(l []interface{}) *wafv2.RuleAction {
 		action.Block = expandBlockAction(v.([]interface{}))
 	}
 
+	if v, ok := m["captcha"]; ok && len(v.([]interface{})) > 0 {
+		action.Captcha = expandCaptchaAction(v.([]interface{}))
+	}
+
 	if v, ok := m["count"]; ok && len(v.([]interface{})) > 0 {
 		action.Count = expandCountAction(v.([]interface{}))
 	}
@@ -106,8 +110,27 @@ func expandAllowAction(l []interface{}) *wafv2.AllowAction {
 	return action
 }
 
-func expandCountAction(l []interface{}) *wafv2.CountAction {
-	action := &wafv2.CountAction{}
+func expandBlockAction(l []interface{}) *wafv2.BlockAction {
+	action := &wafv2.BlockAction{}
+
+	if len(l) == 0 || l[0] == nil {
+		return action
+	}
+
+	m, ok := l[0].(map[string]interface{})
+	if !ok {
+		return action
+	}
+
+	if v, ok := m["custom_response"].([]interface{}); ok && len(v) > 0 {
+		action.CustomResponse = expandCustomResponse(v)
+	}
+
+	return action
+}
+
+func expandCaptchaAction(l []interface{}) *wafv2.CaptchaAction {
+	action := &wafv2.CaptchaAction{}
 
 	if len(l) == 0 || l[0] == nil {
 		return action
@@ -125,8 +148,8 @@ func expandCountAction(l []interface{}) *wafv2.CountAction {
 	return action
 }
 
-func expandBlockAction(l []interface{}) *wafv2.BlockAction {
-	action := &wafv2.BlockAction{}
+func expandCountAction(l []interface{}) *wafv2.CountAction {
+	action := &wafv2.CountAction{}
 
 	if len(l) == 0 || l[0] == nil {
 		return action
@@ -137,8 +160,8 @@ func expandBlockAction(l []interface{}) *wafv2.BlockAction {
 		return action
 	}
 
-	if v, ok := m["custom_response"].([]interface{}); ok && len(v) > 0 {
-		action.CustomResponse = expandCustomResponse(v)
+	if v, ok := m["custom_request_handling"].([]interface{}); ok && len(v) > 0 {
+		action.CustomRequestHandling = expandCustomRequestHandling(v)
 	}
 
 	return action
@@ -642,6 +665,10 @@ func flattenRuleAction(a *wafv2.RuleAction) interface{} {
 		m["block"] = flattenBlock(a.Block)
 	}
 
+	if a.Captcha != nil {
+		m["captcha"] = flattenCaptcha(a.Captcha)
+	}
+
 	if a.Count != nil {
 		m["count"] = flattenCount(a.Count)
 	}
@@ -676,6 +703,20 @@ func flattenBlock(a *wafv2.BlockAction) []interface{} {
 	return []interface{}{m}
 }
 
+func flattenCaptcha(a *wafv2.CaptchaAction) []interface{} {
+	if a == nil {
+		return []interface{}{}
+	}
+
+	m := map[string]interface{}{}
+
+	if a.CustomRequestHandling != nil {
+		m["custom_request_handling"] = flattenCustomRequestHandling(a.CustomRequestHandling)
+	}
+
+	return []interface{}{m}
+}
+
 func flattenCount(a *wafv2.CountAction) []interface{} {
 	if a == nil {
 		return []interface{}{}

@@ -470,6 +470,19 @@ func allowConfigSchema() *schema.Schema {
 	}
 }
 
+func captchaConfigSchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		MaxItems: 1,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"custom_request_handling": customRequestHandlingSchema(),
+			},
+		},
+	}
+}
+
 func countConfigSchema() *schema.Schema {
 	return &schema.Schema{
 		Type:     schema.TypeList,

@@ -106,9 +106,10 @@ func ResourceWebACL() *schema.Resource {
 							MaxItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
-									"allow": allowConfigSchema(),
-									"block": blockConfigSchema(),
-									"count": countConfigSchema(),
+									"allow":   allowConfigSchema(),
+									"block":   blockConfigSchema(),
+									"captcha": captchaConfigSchema(),
+									"count":   countConfigSchema(),
 								},
 							},
 						},

@@ -1301,16 +1301,23 @@ func TestAccWAFV2WebACL_Custom_requestHandling(t *testing.T) {
 						"action.0.allow.0.custom_request_handling.0.insert_header.0.value": "test-value-1",
 						"action.0.allow.0.custom_request_handling.0.insert_header.1.name":  "x-hdr2",
 						"action.0.allow.0.custom_request_handling.0.insert_header.1.value": "test-value-2",
-						"action.0.block.#": "0",
-						"action.0.count.#": "0",
-						"priority":         "1",
+						"action.0.block.#":   "0",
+						"action.0.captcha.#": "0",
+						"action.0.count.#":   "0",
+						"priority":           "1",
 					}),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
 				),
 			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccWebACLImportStateIdFunc(resourceName),
+			},
 			{
 				Config: testAccWebACLConfig_customRequestHandlingCount(webACLName, "x-hdr1", "x-hdr2"),
 				Check: resource.ComposeTestCheckFunc(
@@ -1323,11 +1330,12 @@ func TestAccWAFV2WebACL_Custom_requestHandling(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "scope", "REGIONAL"),
 					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
-						"name":             "rule-1",
-						"action.#":         "1",
-						"action.0.allow.#": "0",
-						"action.0.block.#": "0",
-						"action.0.count.#": "1",
+						"name":               "rule-1",
+						"action.#":           "1",
+						"action.0.allow.#":   "0",
+						"action.0.block.#":   "0",
+						"action.0.captcha.#": "0",
+						"action.0.count.#":   "1",
 						"action.0.count.0.custom_request_handling.#":                       "1",
 						"action.0.count.0.custom_request_handling.0.insert_header.#":       "2",
 						"action.0.count.0.custom_request_handling.0.insert_header.0.name":  "x-hdr1",
@@ -1343,10 +1351,36 @@ func TestAccWAFV2WebACL_Custom_requestHandling(t *testing.T) {
 				),
 			},
 			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
-				ImportStateIdFunc: testAccWebACLImportStateIdFunc(resourceName),
+				Config: testAccWebACLConfig_customRequestHandlingCaptcha(webACLName, "x-hdr1", "x-hdr2"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWebACLExists(resourceName, &v),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)),
+					resource.TestCheckResourceAttr(resourceName, "name", webACLName),
+					resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.allow.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.block.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "scope", "REGIONAL"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
+						"name":               "rule-1",
+						"action.#":           "1",
+						"action.0.allow.#":   "0",
+						"action.0.block.#":   "0",
+						"action.0.captcha.#": "1",
+						"action.0.captcha.0.custom_request_handling.#":                       "1",
+						"action.0.captcha.0.custom_request_handling.0.insert_header.#":       "2",
+						"action.0.captcha.0.custom_request_handling.0.insert_header.0.name":  "x-hdr1",
+						"action.0.captcha.0.custom_request_handling.0.insert_header.0.value": "test-value-1",
+						"action.0.captcha.0.custom_request_handling.0.insert_header.1.name":  "x-hdr2",
+						"action.0.captcha.0.custom_request_handling.0.insert_header.1.value": "test-value-2",
+						"action.0.count.#": "0",
+						"priority":         "1",
+					}),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
+				),
 			},
 		},
 	})
@@ -1991,7 +2025,7 @@ resource "aws_wafv2_web_acl" "test" {
 `, name)
 }
 
-func testAccWebACLConfig_customRequestHandlingCount(name, firstHeader string, secondHeader string) string {
+func testAccWebACLConfig_customRequestHandlingAllow(name, firstHeader string, secondHeader string) string {
 	return fmt.Sprintf(`
 resource "aws_wafv2_web_acl" "test" {
   name        = %[1]q
@@ -2007,7 +2041,7 @@ resource "aws_wafv2_web_acl" "test" {
     priority = 1
 
     action {
-      count {
+      allow {
         custom_request_handling {
           insert_header {
             name  = %[2]q
@@ -2044,7 +2078,7 @@ resource "aws_wafv2_web_acl" "test" {
 `, name, firstHeader, secondHeader)
 }
 
-func testAccWebACLConfig_customRequestHandlingAllow(name, firstHeader string, secondHeader string) string {
+func testAccWebACLConfig_customRequestHandlingCaptcha(name, firstHeader string, secondHeader string) string {
 	return fmt.Sprintf(`
 resource "aws_wafv2_web_acl" "test" {
   name        = %[1]q
@@ -2060,7 +2094,60 @@ resource "aws_wafv2_web_acl" "test" {
     priority = 1
 
     action {
-      allow {
+      captcha {
+        custom_request_handling {
+          insert_header {
+            name  = %[2]q
+            value = "test-value-1"
+          }
+
+          insert_header {
+            name  = %[3]q
+            value = "test-value-2"
+          }
+        }
+      }
+    }
+
+    statement {
+      geo_match_statement {
+        country_codes = ["US", "CA"]
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = false
+      metric_name                = "friendly-rule-metric-name"
+      sampled_requests_enabled   = false
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+`, name, firstHeader, secondHeader)
+}
+
+func testAccWebACLConfig_customRequestHandlingCount(name, firstHeader string, secondHeader string) string {
+	return fmt.Sprintf(`
+resource "aws_wafv2_web_acl" "test" {
+  name        = %[1]q
+  description = %[1]q
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  rule {
+    name     = "rule-1"
+    priority = 1
+
+    action {
+      count {
         custom_request_handling {
           insert_header {
             name  = %[2]q

@@ -310,6 +310,7 @@ The `action` block supports the following arguments:
 
 * `allow` - (Optional) Instructs AWS WAF to allow the web request. See [Allow](#action) below for details.
 * `block` - (Optional) Instructs AWS WAF to block the web request. See [Block](#block) below for details.
+* `captcha` - (Optional) Instructs AWS WAF to run a Captcha check against the web request. See [Captcha](#captcha) below for details.
 * `count` - (Optional) Instructs AWS WAF to count the web request and allow it. See [Count](#count) below for details.
 
 ### Override Action
@@ -333,6 +334,12 @@ The `block` block supports the following arguments:
 
 * `custom_response` - (Optional) Defines a custom response for the web request. See [Custom Response](#custom-response) below for details.
 
+### Captcha
+
+The `captcha` block supports the following arguments:
+
+* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [Custom Request Handling](#custom-request-handling) below for details.
+
 ### Count
 
 The `count` block supports the following arguments: