diff --git a/.changelog/29082.txt b/.changelog/29082.txt new file mode 100644 index 000000000000..1584ce970f92 --- /dev/null +++ b/.changelog/29082.txt @@ -0,0 +1,3 @@ +```release-note:enhancement + resource/aws_wafv2_rule_group: Add `oversize_handling` argument to `body` block of the `field_to_match` block + ``` \ No newline at end of file diff --git a/internal/service/wafv2/flex.go b/internal/service/wafv2/flex.go index 42c81e974846..69005e40631e 100644 --- a/internal/service/wafv2/flex.go +++ b/internal/service/wafv2/flex.go @@ -423,7 +423,7 @@ func expandFieldToMatch(l []interface{}) *wafv2.FieldToMatch { } if v, ok := m["body"]; ok && len(v.([]interface{})) > 0 { - f.Body = &wafv2.Body{} + f.Body = expandBody(v.([]interface{})) } if v, ok := m["cookies"]; ok && len(v.([]interface{})) > 0 { @@ -550,6 +550,22 @@ func expandJSONBody(l []interface{}) *wafv2.JsonBody { return jsonBody } +func expandBody(l []interface{}) *wafv2.Body { + if len(l) == 0 || l[0] == nil { + return nil + } + + m := l[0].(map[string]interface{}) + + body := &wafv2.Body{} + + if v, ok := m["oversize_handling"].(string); ok && v != "" { + body.OversizeHandling = aws.String(v) + } + + return body +} + func expandJSONMatchPattern(l []interface{}) *wafv2.JsonMatchPattern { if len(l) == 0 || l[0] == nil { return nil @@ -1500,7 +1516,7 @@ func flattenFieldToMatch(f *wafv2.FieldToMatch) interface{} { } if f.Body != nil { - m["body"] = make([]map[string]interface{}, 1) + m["body"] = flattenBody(f.Body) } if f.Cookies != nil { @@ -1611,6 +1627,18 @@ func flattenJSONBody(b *wafv2.JsonBody) interface{} { return []interface{}{m} } +func flattenBody(b *wafv2.Body) interface{} { + if b == nil { + return []interface{}{} + } + + m := map[string]interface{}{ + "oversize_handling": aws.StringValue(b.OversizeHandling), + } + + return []interface{}{m} +} + func flattenJSONMatchPattern(p *wafv2.JsonMatchPattern) []interface{} { if p == nil { return []interface{}{} diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go index cc2ab0efacbf..eee20e44f462 100644 --- a/internal/service/wafv2/schemas.go +++ b/internal/service/wafv2/schemas.go @@ -347,7 +347,7 @@ func fieldToMatchBaseSchema() *schema.Resource { return &schema.Resource{ Schema: map[string]*schema.Schema{ "all_query_arguments": emptySchema(), - "body": emptySchema(), + "body": bodySchema(), "cookies": cookiesSchema(), "headers": headersSchema(), "json_body": jsonBodySchema(), @@ -734,6 +734,19 @@ func cookiesMatchPatternSchema() *schema.Schema { } } +func bodySchema() *schema.Schema { + return &schema.Schema{ + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "oversize_handling": oversizeHandlingOptionalSchema(wafv2.OversizeHandlingContinue), + }, + }, + } +} + func oversizeHandlingOptionalSchema(defaultValue string) *schema.Schema { return &schema.Schema{ Type: schema.TypeString, diff --git a/internal/service/wafv2/web_acl_test.go b/internal/service/wafv2/web_acl_test.go index 142a298d3b07..3973591f026c 100644 --- a/internal/service/wafv2/web_acl_test.go +++ b/internal/service/wafv2/web_acl_test.go @@ -980,6 +980,54 @@ func TestAccWAFV2WebACL_ByteMatchStatement_jsonBody(t *testing.T) { }) } +func TestAccWAFV2WebACL_ByteMatchStatement_body(t *testing.T) { + ctx := acctest.Context(t) + var v wafv2.WebACL + webACLName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_wafv2_web_acl.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t); testAccPreCheckScopeRegional(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, wafv2.EndpointsID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckWebACLDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccWebACLConfig_byteMatchStatementBody(webACLName, wafv2.OversizeHandlingNoMatch), + Check: resource.ComposeTestCheckFunc( + testAccCheckWebACLExists(ctx, resourceName, &v), + acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", webACLName), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.byte_match_statement.0.field_to_match.0.body.#": "1", + "statement.0.byte_match_statement.0.field_to_match.0.body.0.oversize_handling": "NO_MATCH", + }), + ), + }, + { + Config: testAccWebACLConfig_byteMatchStatementBody(webACLName, wafv2.OversizeHandlingContinue), + Check: resource.ComposeTestCheckFunc( + testAccCheckWebACLExists(ctx, resourceName, &v), + acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", webACLName), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.byte_match_statement.0.field_to_match.0.body.#": "1", + "statement.0.byte_match_statement.0.field_to_match.0.body.0.oversize_handling": "CONTINUE", + }), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccWebACLImportStateIdFunc(resourceName), + }, + }, + }) +} + func TestAccWAFV2WebACL_GeoMatch_basic(t *testing.T) { ctx := acctest.Context(t) var v wafv2.WebACL @@ -2245,6 +2293,57 @@ resource "aws_wafv2_web_acl" "test" { `, name, matchScope, invalidFallbackBehavior, oversizeHandling, matchPattern) } +func testAccWebACLConfig_byteMatchStatementBody(name, oversizeHandling string) string { + return fmt.Sprintf(` +resource "aws_wafv2_web_acl" "test" { + name = "%[1]s" + description = "%[1]s" + scope = "REGIONAL" + + default_action { + allow {} + } + + rule { + name = "rule-1" + priority = 1 + + action { + count {} + } + + statement { + byte_match_statement { + field_to_match { + body { + oversize_handling = "%[2]s" + } + } + positional_constraint = "CONTAINS_WORD" + search_string = "Buddy" + text_transformation { + priority = 0 + type = "NONE" + } + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-rule-metric-name" + sampled_requests_enabled = false + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-metric-name" + sampled_requests_enabled = false + } +} +`, name, oversizeHandling) +} + func testAccWebACLConfig_geoMatchStatement(name, countryCodes string) string { return fmt.Sprintf(` resource "aws_wafv2_web_acl" "test" { diff --git a/website/docs/r/wafv2_web_acl.html.markdown b/website/docs/r/wafv2_web_acl.html.markdown index a7ebd6169253..a737476f9a62 100644 --- a/website/docs/r/wafv2_web_acl.html.markdown +++ b/website/docs/r/wafv2_web_acl.html.markdown @@ -10,6 +10,8 @@ description: |- Creates a WAFv2 Web ACL resource. +~> **Note:** In `field_to_match` blocks, _e.g._, in `byte_match_statement`, the `body` block includes an optional argument `oversize_handling`. AWS indicates this argument will be required starting February 2023. To avoid configurations breaking when that change happens, treat the `oversize_handling` argument as **required** as soon as possible. + ## Example Usage This resource is based on `aws_wafv2_rule_group`, check the documentation of the `aws_wafv2_rule_group` resource to see examples of the various available statements. @@ -269,59 +271,59 @@ resource "aws_wafv2_web_acl" "test" { The following arguments are supported: -* `custom_response_body` - (Optional) Defines custom response bodies that can be referenced by `custom_response` actions. See [Custom Response Body](#custom-response-body) below for details. -* `default_action` - (Required) Action to perform if none of the `rules` contained in the WebACL match. See [Default Action](#default-action) below for details. +* `custom_response_body` - (Optional) Defines custom response bodies that can be referenced by `custom_response` actions. See [`custom_response_body`](#custom_response_body) below for details. +* `default_action` - (Required) Action to perform if none of the `rules` contained in the WebACL match. See [`default_ action`](#default_action) below for details. * `description` - (Optional) Friendly description of the WebACL. * `name` - (Required) Friendly name of the WebACL. -* `rule` - (Optional) Rule blocks used to identify the web requests that you want to `allow`, `block`, or `count`. See [Rules](#rules) below for details. +* `rule` - (Optional) Rule blocks used to identify the web requests that you want to `allow`, `block`, or `count`. See [`rule`](#rule) below for details. * `scope` - (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are `CLOUDFRONT` or `REGIONAL`. To work with CloudFront, you must also specify the region `us-east-1` (N. Virginia) on the AWS provider. * `tags` - (Optional) Map of key-value pairs to associate with the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. -* `visibility_config` - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See [Visibility Configuration](#visibility-configuration) below for details. +* `visibility_config` - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See [`visibility_config`](#visibility_config) below for details. -### Custom Response Body +### `custom_response_body` Each `custom_response_body` block supports the following arguments: -* `key` - (Required) Unique key identifying the custom response body. This is referenced by the `custom_response_body_key` argument in the [Custom Response](#custom-response) block. +* `key` - (Required) Unique key identifying the custom response body. This is referenced by the `custom_response_body_key` argument in the [`custom_response`](#custom_response) block. * `content` - (Required) Payload of the custom response. * `content_type` - (Required) Type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. -### Default Action +### `default_action` The `default_action` block supports the following arguments: ~> **NOTE:** One of `allow` or `block`, expressed as an empty configuration block `{}`, is required when specifying a `default_action` -* `allow` - (Optional) Specifies that AWS WAF should allow requests by default. See [Allow](#action) below for details. -* `block` - (Optional) Specifies that AWS WAF should block requests by default. See [Block](#block) below for details. +* `allow` - (Optional) Specifies that AWS WAF should allow requests by default. See [`allow`](#allow) below for details. +* `block` - (Optional) Specifies that AWS WAF should block requests by default. See [`block`](#block) below for details. -### Rules +### `rule` ~> **NOTE:** One of `action` or `override_action` is required when specifying a rule Each `rule` supports the following arguments: -* `action` - (Optional) Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See [Action](#action) below for details. +* `action` - (Optional) Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See [`action`](#action) below for details. * `name` - (Required) Friendly name of the rule. -* `override_action` - (Optional) Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `rule_group_reference_statement` and `managed_rule_group_statement`. See [Override Action](#override-action) below for details. +* `override_action` - (Optional) Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `rule_group_reference_statement` and `managed_rule_group_statement`. See [`override_action`](#override_action) below for details. * `priority` - (Required) If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first. -* `rule_label` - (Optional) Labels to apply to web requests that match the rule match statement. See [Rule Label](#rule-label) below for details. -* `statement` - (Required) The AWS WAF processing statement for the rule, for example `byte_match_statement` or `geo_match_statement`. See [Statement](#statement) below for details. -* `visibility_config` - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See [Visibility Configuration](#visibility-configuration) below for details. +* `rule_label` - (Optional) Labels to apply to web requests that match the rule match statement. See [`rule_label`](#rule_label) below for details. +* `statement` - (Required) The AWS WAF processing statement for the rule, for example `byte_match_statement` or `geo_match_statement`. See [`statement`](#statement) below for details. +* `visibility_config` - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See [`visibility_config`](#visibility_config) below for details. -### Action +#### `action` The `action` block supports the following arguments: ~> **NOTE:** One of `allow`, `block`, or `count`, is required when specifying an `action`. -* `allow` - (Optional) Instructs AWS WAF to allow the web request. See [Allow](#action) below for details. -* `block` - (Optional) Instructs AWS WAF to block the web request. See [Block](#block) below for details. -* `captcha` - (Optional) Instructs AWS WAF to run a Captcha check against the web request. See [Captcha](#captcha) below for details. -* `challenge` - (Optional) Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See [Challenge](#challenge) below for details. -* `count` - (Optional) Instructs AWS WAF to count the web request and allow it. See [Count](#count) below for details. +* `allow` - (Optional) Instructs AWS WAF to allow the web request. See [`allow`](#allow) below for details. +* `block` - (Optional) Instructs AWS WAF to block the web request. See [`block`](#block) below for details. +* `captcha` - (Optional) Instructs AWS WAF to run a Captcha check against the web request. See [`captcha`](#captcha) below for details. +* `challenge` - (Optional) Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See [`challenge`](#challenge) below for details. +* `count` - (Optional) Instructs AWS WAF to count the web request and allow it. See [`count`](#count) below for details. -### Override Action +#### `override_action` The `override_action` block supports the following arguments: @@ -330,64 +332,71 @@ The `override_action` block supports the following arguments: * `count` - (Optional) Override the rule action setting to count (i.e., only count matches). Configured as an empty block `{}`. * `none` - (Optional) Don't override the rule action setting. Configured as an empty block `{}`. -### Allow +#### `allow` The `allow` block supports the following arguments: -* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [Custom Request Handling](#custom-request-handling) below for details. +* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [`custom_request_handling`](#custom_request_handling) below for details. -### Block +#### `block` The `block` block supports the following arguments: -* `custom_response` - (Optional) Defines a custom response for the web request. See [Custom Response](#custom-response) below for details. +* `custom_response` - (Optional) Defines a custom response for the web request. See [`custom_response`](#custom_response) below for details. -### Captcha +#### `captcha` The `captcha` block supports the following arguments: -* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [Custom Request Handling](#custom-request-handling) below for details. +* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [`custom_request_handling`](#custom_request_handling) below for details. -### Challenge +#### `challenge` The `challenge` block supports the following arguments: -* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [Custom Request Handling](#custom-request-handling) below for details. +* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [`custom_request_handling`](#custom_request_handling) below for details. -### Count +#### `count` The `count` block supports the following arguments: -* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [Custom Request Handling](#custom-request-handling) below for details. +* `custom_request_handling` - (Optional) Defines custom handling for the web request. See [`custom_request_handling`](#custom_request_handling) below for details. -### Custom Request Handling +#### `custom_request_handling` The `custom_request_handling` block supports the following arguments: -* `insert_header` - (Required) The `insert_header` blocks used to define HTTP headers added to the request. See [Custom HTTP Header](#custom-http-header) below for details. +* `insert_header` - (Required) The `insert_header` blocks used to define HTTP headers added to the request. See [`insert_header`](#insert_header) below for details. + +#### `insert_header` + +Each `insert_header` block supports the following arguments. Duplicate header names are not allowed: -### Custom Response +* `name` - Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. +* `value` - Value of the custom header. + +#### `custom_response` The `custom_response` block supports the following arguments: * `custom_response_body_key` - (Optional) References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `custom_response_body` block of this resource. * `response_code` - (Required) The HTTP status code to return to the client. -* `response_header` - (Optional) The `response_header` blocks used to define the HTTP response headers added to the response. See [Custom HTTP Header](#custom-http-header) below for details. +* `response_header` - (Optional) The `response_header` blocks used to define the HTTP response headers added to the response. See [`response_header`](#response_header) below for details. -### Custom HTTP Header +#### `response_header` -Each block supports the following arguments. Duplicate header names are not allowed: +Each `response_header` block supports the following arguments. Duplicate header names are not allowed: * `name` - Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. * `value` - Value of the custom header. -### Rule Label +#### `rule_label` Each block supports the following arguments: * `name` - Label string. -### Statement +#### `statement` The processing guidance for a Rule, used by AWS WAF to determine whether a web request matches the rule. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statements-list.html) for more information. @@ -395,67 +404,67 @@ The processing guidance for a Rule, used by AWS WAF to determine whether a web r The `statement` block supports the following arguments: -* `and_statement` - (Optional) Logical rule statement used to combine other rule statements with AND logic. See [AND Statement](#and-statement) below for details. -* `byte_match_statement` - (Optional) Rule statement that defines a string match search for AWS WAF to apply to web requests. See [Byte Match Statement](#byte-match-statement) below for details. -* `geo_match_statement` - (Optional) Rule statement used to identify web requests based on country of origin. See [GEO Match Statement](#geo-match-statement) below for details. -* `ip_set_reference_statement` - (Optional) Rule statement used to detect web requests coming from particular IP addresses or address ranges. See [IP Set Reference Statement](#ip-set-reference-statement) below for details. -* `label_match_statement` - (Optional) Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See [Label Match Statement](#label-match-statement) below for details. -* `managed_rule_group_statement` - (Optional) Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See [Managed Rule Group Statement](#managed-rule-group-statement) below for details. -* `not_statement` - (Optional) Logical rule statement used to negate the results of another rule statement. See [NOT Statement](#not-statement) below for details. -* `or_statement` - (Optional) Logical rule statement used to combine other rule statements with OR logic. See [OR Statement](#or-statement) below for details. -* `rate_based_statement` - (Optional) Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See [Rate Based Statement](#rate-based-statement) below for details. -* `regex_match_statement` - (Optional) Rule statement used to search web request components for a match against a single regular expression. See [Regex Match Statement](#regex-match-statement) below for details. -* `regex_pattern_set_reference_statement` - (Optional) Rule statement used to search web request components for matches with regular expressions. See [Regex Pattern Set Reference Statement](#regex-pattern-set-reference-statement) below for details. -* `rule_group_reference_statement` - (Optional) Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See [Rule Group Reference Statement](#rule-group-reference-statement) below for details. -* `size_constraint_statement` - (Optional) Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See [Size Constraint Statement](#size-constraint-statement) below for more details. -* `sqli_match_statement` - (Optional) An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See [SQL Injection Match Statement](#sql-injection-match-statement) below for details. -* `xss_match_statement` - (Optional) Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See [XSS Match Statement](#xss-match-statement) below for details. - -### AND Statement +* `and_statement` - (Optional) Logical rule statement used to combine other rule statements with AND logic. See [`and_statement`](#and_statement) below for details. +* `byte_match_statement` - (Optional) Rule statement that defines a string match search for AWS WAF to apply to web requests. See [`byte_match_statement`](#byte_match_statement) below for details. +* `geo_match_statement` - (Optional) Rule statement used to identify web requests based on country of origin. See [`geo_match_statement`](#geo_match_statement) below for details. +* `ip_set_reference_statement` - (Optional) Rule statement used to detect web requests coming from particular IP addresses or address ranges. See [IP Set Reference Statement](#ip_set_reference_statement) below for details. +* `label_match_statement` - (Optional) Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See [`label_match_statement`](#label_match_statement) below for details. +* `managed_rule_group_statement` - (Optional) Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See [Managed Rule Group Statement](#managed_rule_group_statement) below for details. +* `not_statement` - (Optional) Logical rule statement used to negate the results of another rule statement. See [`not_statement`](#not_statement) below for details. +* `or_statement` - (Optional) Logical rule statement used to combine other rule statements with OR logic. See [`or_statement`](#or_statement) below for details. +* `rate_based_statement` - (Optional) Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See [`rate_based_statement`](#rate_based_statement) below for details. +* `regex_match_statement` - (Optional) Rule statement used to search web request components for a match against a single regular expression. See [`regex_match_statement`](#regex_match_statement) below for details. +* `regex_pattern_set_reference_statement` - (Optional) Rule statement used to search web request components for matches with regular expressions. See [Regex Pattern Set Reference Statement](#regex_pattern_set_reference_statement) below for details. +* `rule_group_reference_statement` - (Optional) Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See [Rule Group Reference Statement](#rule_group_reference_statement) below for details. +* `size_constraint_statement` - (Optional) Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See [`size_constraint_statement`](#size_constraint_statement) below for more details. +* `sqli_match_statement` - (Optional) An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See [`sqli_match_statement`](#sqli_match_statement) below for details. +* `xss_match_statement` - (Optional) Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See [`xss_match_statement`](#xss_match_statement) below for details. + +#### `and_statement` A logical rule statement used to combine other rule statements with `AND` logic. You provide more than one `statement` within the `and_statement`. The `and_statement` block supports the following arguments: -* `statement` - (Required) Statements to combine with `AND` logic. You can use any statements that can be nested. See [Statement](#statement) above for details. +* `statement` - (Required) Statements to combine with `AND` logic. You can use any statements that can be nested. See [`statement`](#statement) above for details. -### Byte Match Statement +#### `byte_match_statement` The byte match statement provides the bytes to search for, the location in requests that you want AWS WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. The `byte_match_statement` block supports the following arguments: -* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. +* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [`field_to_match`](#field_to_match) below for details. * `positional_constraint` - (Required) Area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. * `search_string` - (Required) String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. - See [Text Transformation](#text-transformation) below for details. + See [`text_transformation`](#text_transformation) below for details. -### GEO Match Statement +#### `geo_match_statement` The `geo_match_statement` block supports the following arguments: * `country_codes` - (Required) Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. -* `forwarded_ip_config` - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See [Forwarded IP Config](#forwarded-ip-config) below for details. +* `forwarded_ip_config` - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See [`forwarded_ip_config`](#forwarded_ip_config) below for details. -### IP Set Reference Statement +#### `ip_set_reference_statement` A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an `aws_wafv2_ip_set` that specifies the addresses you want to detect, then use the `ARN` of that set in this statement. The `ip_set_reference_statement` block supports the following arguments: * `arn` - (Required) The Amazon Resource Name (ARN) of the IP Set that this statement references. -* `ip_set_forwarded_ip_config` - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See [IPSet Forwarded IP Config](#ipset-forwarded-ip-config) below for more details. +* `ip_set_forwarded_ip_config` - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See [`ip_set_forwarded_ip_config`](#ip_set_forwarded_ip_config) below for more details. -### Label Match Statement +#### `label_match_statement` The `label_match_statement` block supports the following arguments: * `scope` - (Required) Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. * `key` - (Required) String to match against. -### Managed Rule Group Statement +#### `managed_rule_group_statement` A rule statement used to run the rules that are defined in a managed rule group. @@ -463,31 +472,31 @@ You can't nest a `managed_rule_group_statement`, for example for use inside a `n The `managed_rule_group_statement` block supports the following arguments: -* `excluded_rule` - (Optional, **Deprecated**) The `rules` whose actions are set to `COUNT` by the web ACL, regardless of the action that is set on the rule. See [Excluded Rule](#excluded-rule) below for details. Use `rule_action_override` instead. (See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ManagedRuleGroupStatement.html#WAF-Type-ManagedRuleGroupStatement-ExcludedRules)) +* `excluded_rule` - (Optional, **Deprecated**) The `rules` whose actions are set to `COUNT` by the web ACL, regardless of the action that is set on the rule. See [`excluded_rule`](#excluded_rule) below for details. Use `rule_action_override` instead. (See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ManagedRuleGroupStatement.html#WAF-Type-ManagedRuleGroupStatement-ExcludedRules)) * `name` - (Required) Name of the managed rule group. -* `rule_action_override` - (Optional) Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See [Rule Action Override](#rule-action-override) below for details. -* `managed_rule_group_configs`- (Optional) Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. See [Managed Rule Group Configs](#managed-rule-group-configs) for more details -* `scope_down_statement` - Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See [Statement](#statement) above for details. +* `rule_action_override` - (Optional) Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See [`rule_action_override`](#rule_action_override) below for details. +* `managed_rule_group_configs`- (Optional) Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. See [Managed Rule Group Configs](#managed_rule_group_configs) for more details +* `scope_down_statement` - Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See [`statement`](#statement) above for details. * `vendor_name` - (Required) Name of the managed rule group vendor. * `version` - (Optional) Version of the managed rule group. You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything. -### NOT Statement +#### `not_statement` A logical rule statement used to negate the results of another rule statement. You provide one `statement` within the `not_statement`. The `not_statement` block supports the following arguments: -* `statement` - (Required) Statement to negate. You can use any statement that can be nested. See [Statement](#statement) above for details. +* `statement` - (Required) Statement to negate. You can use any statement that can be nested. See [`statement`](#statement) above for details. -### OR Statement +#### `or_statement` A logical rule statement used to combine other rule statements with `OR` logic. You provide more than one `statement` within the `or_statement`. The `or_statement` block supports the following arguments: -* `statement` - (Required) Statements to combine with `OR` logic. You can use any statements that can be nested. See [Statement](#statement) above for details. +* `statement` - (Required) Statements to combine with `OR` logic. You can use any statements that can be nested. See [`statement`](#statement) above for details. -### Rate Based Statement +#### `rate_based_statement` A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html) for more information. @@ -496,35 +505,35 @@ You can't nest a `rate_based_statement`, for example for use inside a `not_state The `rate_based_statement` block supports the following arguments: * `aggregate_key_type` - (Optional) Setting that indicates how to aggregate the request counts. Valid values include: `FORWARDED_IP` or `IP`. Default: `IP`. -* `forwarded_ip_config` - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregate_key_type` is set to `FORWARDED_IP`, this block is required. See [Forwarded IP Config](#forwarded-ip-config) below for details. +* `forwarded_ip_config` - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregate_key_type` is set to `FORWARDED_IP`, this block is required. See [`forwarded_ip_config`](#forwarded_ip_config) below for details. * `limit` - (Required) Limit on requests per 5-minute period for a single originating IP address. -* `scope_down_statement` - (Optional) Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See [Statement](#statement) above for details. +* `scope_down_statement` - (Optional) Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See [`statement`](#statement) above for details. -### Regex Match Statement +#### `regex_match_statement` A rule statement used to search web request components for a match against a single regular expression. The `regex_match_statement` block supports the following arguments: * `regex_string` - (Required) String representing the regular expression. Minimum of `1` and maximum of `512` characters. -* `field_to_match` - (Required) The part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. +* `field_to_match` - (Required) The part of a web request that you want AWS WAF to inspect. See [`field_to_match`](#field_to_match) below for details. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. - See [Text Transformation](#text-transformation) below for details. + See [`text_transformation`](#text_transformation) below for details. -### Regex Pattern Set Reference Statement +#### `regex_pattern_set_reference_statement` A rule statement used to search web request components for matches with regular expressions. To use this, create a `aws_wafv2_regex_pattern_set` that specifies the expressions that you want to detect, then use the `ARN` of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set. The `regex_pattern_set_reference_statement` block supports the following arguments: * `arn` - (Required) The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. -* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. +* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [`field_to_match`](#field_to_match) below for details. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. - See [Text Transformation](#text-transformation) below for details. + See [`text_transformation`](#text_transformation) below for details. -### Rule Group Reference Statement +#### `rule_group_reference_statement` A rule statement used to run the rules that are defined in an WAFv2 Rule Group or `aws_wafv2_rule_group` resource. @@ -533,9 +542,9 @@ You can't nest a `rule_group_reference_statement`, for example for use inside a The `rule_group_reference_statement` block supports the following arguments: * `arn` - (Required) The Amazon Resource Name (ARN) of the `aws_wafv2_rule_group` resource. -* `excluded_rule` - (Optional) The `rules` whose actions are set to `COUNT` by the web ACL, regardless of the action that is set on the rule. See [Excluded Rule](#excluded-rule) below for details. +* `excluded_rule` - (Optional) The `rules` whose actions are set to `COUNT` by the web ACL, regardless of the action that is set on the rule. See [`excluded_rule`](#excluded_rule) below for details. -### Size Constraint Statement +#### `size_constraint_statement` A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component. AWS WAFv2 inspects up to the first 8192 bytes (8 KB) of a request body, and when inspecting the request URI Path, the slash `/` in the URI counts as one character. @@ -543,90 +552,90 @@ the URI counts as one character. The `size_constraint_statement` block supports the following arguments: * `comparison_operator` - (Required) Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. -* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. +* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [`field_to_match`](#field_to_match) below for details. * `size` - (Required) Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. - See [Text Transformation](#text-transformation) below for details. + See [`text_transformation`](#text_transformation) below for details. -### SQL Injection Match Statement +#### `sqli_match_statement` An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious SQL code. The `sqli_match_statement` block supports the following arguments: -* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. +* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [`field_to_match`](#field_to_match) below for details. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. - See [Text Transformation](#text-transformation) below for details. + See [`text_transformation`](#text_transformation) below for details. -### XSS Match Statement +#### `xss_match_statement` The XSS match statement provides the location in requests that you want AWS WAF to search and text transformations to use on the search area before AWS WAF searches for character sequences that are likely to be malicious strings. The `xss_match_statement` block supports the following arguments: -* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. +* `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [`field_to_match`](#field_to_match) below for details. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. - See [Text Transformation](#text-transformation) below for details. + See [`text_transformation`](#text_transformation) below for details. -### Excluded Rule +#### `excluded_rule` The `excluded_rule` block supports the following arguments: * `name` - (Required) Name of the rule to exclude. If the rule group is managed by AWS, see the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. -### Rule Action Override +#### `rule_action_override` The `rule_action_override` block supports the following arguments: -* `action_to_use` - (Required) Override action to use, in place of the configured action of the rule in the rule group. See [Action](#action) below for details. +* `action_to_use` - (Required) Override action to use, in place of the configured action of the rule in the rule group. See [`action`](#action) below for details. * `name` - (Required) Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. -### Managed Rule Group Configs +#### `managed_rule_group_configs` The `managed_rule_group_configs` block support the following arguments: -* `aws_managed_rules_bot_control_rule_set` - (Optional) Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. See [AWS Managed Rules Bot Control Rule Set](#managed-rules-bot-control-rule-set) for more details +* `aws_managed_rules_bot_control_rule_set` - (Optional) Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. See [`aws_managed_rules_bot_control_rule_set`](#aws_managed_rules_bot_control_rule_set) for more details * `login_path` - (Optional) The path of the login endpoint for your application. -* `password_field` - (Optional) Details about your login page password field. See [Password Field](#password-field) for more details. +* `password_field` - (Optional) Details about your login page password field. See [`password_field`](#password_field) for more details. * `payload_type`- (Optional) The payload type for your login endpoint, either JSON or form encoded. -* `username_field` - (Optional) Details about your login page username field. See [Username Field](#username-field) for more details. +* `username_field` - (Optional) Details about your login page username field. See [`username_field`](#username_field) for more details. -### Managed Rules Bot Control Rule Set +#### `aws_managed_rules_bot_control_rule_set` * `inspection_level` - (Optional) The inspection level to use for the Bot Control rule group. -### Password Field +#### `password_field` * `identifier` - (Optional) The name of the password field. -### Username Field +#### `username_field` * `identifier` - (Optional) The name of the username field. -### Field to Match +#### `field_to_match` The part of a web request that you want AWS WAF to inspect. Include the single `field_to_match` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `field_to_match` for each rule statement that requires it. To inspect more than one component of a web request, create a separate rule statement for each component. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields.html#waf-rule-statement-request-component) for more details. The `field_to_match` block supports the following arguments: ~> **NOTE:** Only one of `all_query_arguments`, `body`, `cookies`, `headers`, `json_body`, `method`, `query_string`, `single_header`, `single_query_argument`, or `uri_path` can be specified. -An empty configuration block `{}` should be used when specifying `all_query_arguments`, `body`, `method`, or `query_string` attributes. +An empty configuration block `{}` should be used when specifying `all_query_arguments`, `method`, or `query_string` attributes. * `all_query_arguments` - (Optional) Inspect all query arguments. -* `body` - (Optional) Inspect the request body, which immediately follows the request headers. -* `cookies` - (Optional) Inspect the cookies in the web request. See [Cookies](#cookies) below for details. -* `headers` - (Optional) Inspect the request headers. See [Headers](#headers) below for details. -* `json_body` - (Optional) Inspect the request body as JSON. See [JSON Body](#json-body) for details. +* `body` - (Optional) Inspect the request body, which immediately follows the request headers. See [`body`](#body) below for details. +* `cookies` - (Optional) Inspect the cookies in the web request. See [`cookies`](#cookies) below for details. +* `headers` - (Optional) Inspect the request headers. See [`headers`](#headers) below for details. +* `json_body` - (Optional) Inspect the request body as JSON. See [`json_body`](#json_body) for details. * `method` - (Optional) Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. * `query_string` - (Optional) Inspect the query string. This is the part of a URL that appears after a `?` character, if any. -* `single_header` - (Optional) Inspect a single header. See [Single Header](#single-header) below for details. -* `single_query_argument` - (Optional) Inspect a single query argument. See [Single Query Argument](#single-query-argument) below for details. +* `single_header` - (Optional) Inspect a single header. See [`single_header`](#single_header) below for details. +* `single_query_argument` - (Optional) Inspect a single query argument. See [`single_query_argument`](#single_query_argument) below for details. * `uri_path` - (Optional) Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. -### Forwarded IP Config +#### `forwarded_ip_config` The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. If the specified header isn't present in the request, AWS WAFv2 doesn't apply the rule to the web request at all. @@ -637,7 +646,7 @@ The `forwarded_ip_config` block supports the following arguments: * `fallback_behavior` - (Required) - Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. * `header_name` - (Required) - Name of the HTTP header to use for the IP address. -### IPSet Forwarded IP Config +#### `ip_set_forwarded_ip_config` The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. @@ -647,7 +656,7 @@ The `ip_set_forwarded_ip_config` block supports the following arguments: * `header_name` - (Required) - Name of the HTTP header to use for the IP address. * `position` - (Required) - Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. -### Headers +#### `headers` Inspect the request headers. @@ -660,7 +669,7 @@ The `headers` block supports the following arguments: * `match_scope` - (Required) The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. * `oversize_handling` - (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. -### JSON Body +#### `json_body` The `json_body` block supports the following arguments: @@ -669,7 +678,7 @@ The `json_body` block supports the following arguments: * `match_scope` - (Required) The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`. * `oversize_handling` - (Optional) What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. -### Single Header +#### `single_header` Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` (provided as lowercase strings). @@ -677,7 +686,7 @@ The `single_header` block supports the following arguments: * `name` - (Optional) Name of the query header to inspect. This setting must be provided as lower case characters. -### Single Query Argument +#### `single_query_argument` Inspect a single query argument. Provide the name of the query argument to inspect, such as `UserName` or `SalesRegion` (provided as lowercase strings). @@ -685,7 +694,13 @@ The `single_query_argument` block supports the following arguments: * `name` - (Optional) Name of the query header to inspect. This setting must be provided as lower case characters. -### Cookies +#### `body` + +The `body` block supports the following arguments: + +* `oversize_handling` - (Optional) What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + +#### `cookies` Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys. This is used to indicate the web request component to inspect, in the [FieldToMatch](https://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html) specification. @@ -694,16 +709,16 @@ The `cookies` block supports the following arguments: * `match_pattern` - (Required) The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) * `match_scope` - (Required) The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` -* `oversize_handling` - (Required) What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` +* `oversize_handling` - (Required) What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. -### Text Transformation +#### `text_transformation` The `text_transformation` block supports the following arguments: * `priority` - (Required) Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. * `type` - (Required) Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. -### Visibility Configuration +### `visibility_config` The `visibility_config` block supports the following arguments: