Bug fixes for rate_based_statement with forwarded_ip_config and `…
…ip_set_reference_statement` with `ip_set_forwarded_ip_config` (#69)

* Added ip_set_forwarded_ip_config logic in dynamics

* Fixed var reference

* Fixed var reference

* Fixed var reference

* Fixed ip_set_forwarded_ip_config

* Fixed bug

* Revert "Fixed bug"

This reverts commit 80ec0d4.

* Attempting bug fix

* Updated documentation

* Fix rate limit bug

Co-authored-by: Wesley Kirkland <wesley@wesleyl.me>
wesleykirkland and Wesley Kirkland authored Jan 25, 2023
1 parent 3fb3fe3 commit c0e21b5
Showing 2 changed files with 26 additions and 6 deletions.
22 changes: 21 additions & 1 deletion examples/wafv2-ip-rules/main.tf
@@ -178,12 +178,32 @@ module "waf" {
}
},
{
name = "block-ip-set"
name = "allow-custom-ip-set-with-XFF-header"
priority = "5"
action = "count"

ip_set_reference_statement = {
arn = aws_wafv2_ip_set.custom_ip_set.arn
}

visibility_config = {
cloudwatch_metrics_enabled = false
sampled_requests_enabled = false
}
},
{
name = "block-ip-set"
priority = "6"
action = "block"

ip_set_reference_statement = {
arn = aws_wafv2_ip_set.block_ip_set.arn

ip_set_forwarded_ip_config = {
fallback_behavior = "NO_MATCH"
header_name = "X-Forwarded-For"
position = "ANY"
}
}

forwarded_ip_config = {
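Review bot: The `block-ip-set` rule now evaluates its block list against `X-Forwarded-For` (`position = "ANY"`, `fallback_behavior = "NO_MATCH"`) with no comment that this header is client-supplied unless a trusted proxy or CDN in front of the web ACL sets it. With `NO_MATCH`, a request without a usable header is treated as not matching, so on a directly reachable endpoint the block list would not be enforced for it; I would add above `ip_set_forwarded_ip_config` the comment `# Use only behind a trusted proxy/CDN that sets X-Forwarded-For; otherwise the client controls this header`. Separately, the rule named `allow-custom-ip-set-with-XFF-header` has `action = "count"` and no `ip_set_forwarded_ip_config` in the visible lines, so its name describes neither its action nor its match source. The enclosing `module "waf"` block starts before the hunk and the last rule continues past it.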
10 changes: 5 additions & 5 deletions main.tf
@@ -1018,11 +1018,11 @@ resource "aws_wafv2_web_acl" "main" {
content {
arn = lookup(ip_set_reference_statement.value, "arn")
dynamic "ip_set_forwarded_ip_config" {
for_each = length(lookup(ip_set_reference_statement.value, "forwarded_ip_config", {})) == 0 ? [] : [lookup(ip_set_reference_statement.value, "forwarded_ip_config", {})]
for_each = length(lookup(ip_set_reference_statement.value, "ip_set_forwarded_ip_config", {})) == 0 ? [] : [lookup(ip_set_reference_statement.value, "ip_set_forwarded_ip_config", {})]
content {
fallback_behavior = lookup(forwarded_ip_config.value, "fallback_behavior")
header_name = lookup(forwarded_ip_config.value, "header_name")
position = lookup(forwarded_ip_config.value, "position")
fallback_behavior = lookup(ip_set_forwarded_ip_config.value, "fallback_behavior")
header_name = lookup(ip_set_forwarded_ip_config.value, "header_name")
position = lookup(ip_set_forwarded_ip_config.value, "position")
}
}
}
@@ -1130,7 +1130,7 @@ resource "aws_wafv2_web_acl" "main" {
aggregate_key_type = lookup(rate_based_statement.value, "aggregate_key_type", "IP")

dynamic "forwarded_ip_config" {
for_each = length(lookup(rule.value, "forwarded_ip_config", {})) == 0 ? [] : [lookup(rule.value, "forwarded_ip_config", {})]
for_each = length(lookup(rate_based_statement.value, "forwarded_ip_config", {})) == 0 ? [] : [lookup(rate_based_statement.value, "forwarded_ip_config", {})]
content {
fallback_behavior = lookup(forwarded_ip_config.value, "fallback_behavior")
header_name = lookup(forwarded_ip_config.value, "header_name")
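Review bot: In the `rate_based_statement` hunk, `forwarded_ip_config` is now looked up only on `rate_based_statement.value`, so a caller that still declares it at rule level (where the old `rule.value` lookup read it) gets an empty `for_each` and the block is dropped without an error. For a rate limit meant to key on a forwarded address this is a silent change to a security control; whether the provider then rejects the plan or aggregates on the source IP is not visible from here. Consider a fallback for one release, `lookup(rate_based_statement.value, "forwarded_ip_config", lookup(rule.value, "forwarded_ip_config", {}))`, or a changelog note that the key moved. The first hunk has the same effect: a `forwarded_ip_config` key inside `ip_set_reference_statement` is now ignored in favour of `ip_set_forwarded_ip_config`. Both hunks sit inside `resource "aws_wafv2_web_acl" "main"`, which starts and ends outside the visible lines.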