feat: add label_match_statement & rule_labels (#58)

* feat: add label_match_statement As per https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl\#label_match_statement * feat: add rule_labels option Co-authored-by: Ray Smets <rayjsmets@gmail.com> Co-authored-by: Ray Smets <rayjsmets@gmail.com>
umotif-public · May 18, 2022 · 959daf9 · 959daf9
1 parent 1d3e1c2
commit 959daf9
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 8 deletions.
diff --git a/examples/wafv2-custom-json-response-managed-rule-group/main.tf b/examples/wafv2-custom-json-response-managed-rule-group/main.tf
@@ -0,0 +1,66 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+module "waf" {
+  source = "../.."
+
+  name_prefix          = var.name_prefix
+  allow_default_action = true
+
+  create_alb_association = false
+
+  visibility_config = {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "${var.name_prefix}-waf-setup-waf-main-metrics"
+    sampled_requests_enabled   = false
+  }
+
+  custom_response_bodies = [
+    {
+      key          = "403-forbidden-json"
+      content      = "{\"code\":403,\"message\":\"Forbidden\"}"
+      content_type = "APPLICATION_JSON"
+    }
+  ]
+
+  rules = [
+    {
+      name     = "AWSManagedRulesCommonRuleSet-rule"
+      priority = "0"
+
+      override_action = "count"
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = true
+        metric_name                = "AWSManagedRulesCommonRuleSet-metric"
+        sampled_requests_enabled   = true
+      }
+
+      managed_rule_group_statement = {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    },
+    {
+      name     = "JsonResponse"
+      priority = "1"
+      action   = "block"
+      custom_response = {
+        custom_response_body_key = "403-forbidden-json"
+        response_code            = 403
+      }
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = true
+        metric_name                = "AWSManagedRulesCommonRuleSetJsonResponse"
+        sampled_requests_enabled   = true
+      }
+
+      label_match_statement = {
+        key   = "awswaf:managed:aws:"
+        scope = "NAMESPACE"
+      }
+    },
+  ]
+}
diff --git a/examples/wafv2-custom-json-response-managed-rule-group/variables.tf b/examples/wafv2-custom-json-response-managed-rule-group/variables.tf
@@ -0,0 +1,5 @@
+variable "name_prefix" {
+  description = "A prefix used for naming resources."
+  type        = string
+  default     = "example"
+}
diff --git a/examples/wafv2-custom-response-code/main.tf b/examples/wafv2-custom-response-code/main.tf
@@ -18,9 +18,10 @@ module "waf" {
 
   rules = [
     {
-      name     = "ip-rate-based"
-      priority = "6"
-      action   = "block"
+      name        = "ip-rate-based"
+      priority    = "6"
+      action      = "block"
+      rule_labels = ["LabelNameA"]
 
       custom_response = {
         response_code = 412
@@ -63,4 +64,4 @@ module "waf" {
       }
     }
   ]
-}
+}
diff --git a/examples/wafv2-custom-response/main.tf b/examples/wafv2-custom-response/main.tf
@@ -31,9 +31,10 @@ module "waf" {
 
   rules = [
     {
-      name     = "ip-rate-based"
-      priority = "6"
-      action   = "block"
+      name        = "ip-rate-based"
+      priority    = "6"
+      action      = "block"
+      rule_labels = ["LabelNameA", "LabelNameB"]
 
       custom_response = {
         custom_response_body_key = "default_1",
@@ -87,4 +88,4 @@ module "waf" {
       }
     }
   ]
-}
+}
diff --git a/main.tf b/main.tf
@@ -89,6 +89,13 @@ resource "aws_wafv2_web_acl" "main" {
         }
       }
 
+      dynamic "rule_label" {
+        for_each = try(rule.value.rule_labels, [])
+        content {
+          name = rule_label.value
+        }
+      }
+
       statement {
 
         dynamic "managed_rule_group_statement" {
@@ -724,6 +731,14 @@ resource "aws_wafv2_web_acl" "main" {
           }
         }
 
+        dynamic "label_match_statement" {
+          for_each = length(lookup(rule.value, "label_match_statement", {})) == 0 ? [] : [lookup(rule.value, "label_match_statement", {})]
+          content {
+            key   = lookup(label_match_statement.value, "key")
+            scope = lookup(label_match_statement.value, "scope")
+          }
+        }
+
         dynamic "regex_pattern_set_reference_statement" {
           for_each = length(lookup(rule.value, "regex_pattern_set_reference_statement", {})) == 0 ? [] : [lookup(rule.value, "regex_pattern_set_reference_statement", {})]
           content {