Enable the block to attach custom rule groups

umotif-public · Jan 25, 2023 · ccd0753 · ccd0753
1 parent c0e21b5
commit ccd0753
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ Supported WAF v2 components:
 - Regex Match statements
 - Regex Pattern Match statements
 - Custom responses
+- Attach Custom Rule Groups
 
 ## Terraform versions
 
@@ -239,6 +240,23 @@ module "waf" {
           priority              = 0
           type                  = "NONE"
         }
+    ### Attach Custom Rule Group example
+    {
+      name     = "CustomRuleGroup-1"
+      priority = "9"
+
+      override_action = "none"
+      excluded_rules = []
+      
+      visibility_config = {
+        cloudwatch_metrics_enabled = false
+        metric_name                = "CustomRuleGroup-metric"
+        sampled_requests_enabled   = false
+      }
+
+      rule_group_reference_statement = {
+        arn = "arn:aws:wafv2:eu-west-1:111122223333:regional/rulegroup/rulegroup-test/a1bcdef2-1234-123a-abc0-1234a5bc67d8"
+      }
     },
     ### Size constraint Rule example
     # Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#size-constraint-statement

diff --git a/main.tf b/main.tf
@@ -98,6 +98,20 @@ resource "aws_wafv2_web_acl" "main" {
 
       statement {
 
+        dynamic "rule_group_reference_statement" {
+          for_each = length(lookup(rule.value, "rule_group_reference_statement", {})) == 0 ? [] : [lookup(rule.value, "rule_group_reference_statement", {})]
+          content {
+            arn = lookup(rule_group_reference_statement.value, "arn")
+
+            dynamic "excluded_rule" {
+              for_each = length(lookup(rule_group_reference_statement.value, "excluded_rule", {})) == 0 ? [] : toset(lookup(rule_group_reference_statement.value, "excluded_rule"))
+              content {
+                name = excluded_rule.value
+              }
+            }
+          }
+        }
+
         dynamic "managed_rule_group_statement" {
           for_each = length(lookup(rule.value, "managed_rule_group_statement", {})) == 0 ? [] : [lookup(rule.value, "managed_rule_group_statement", {})]
           content {