diff --git a/README.md b/README.md index c650b27..5e4c336 100644 --- a/README.md +++ b/README.md @@ -211,7 +211,7 @@ Available targets: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | +| [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | [byte\_match\_statement\_rules](#input\_byte\_match\_statement\_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | @@ -231,7 +231,7 @@ Available targets: | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | | [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate\_key\_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource. |
object({
method_enabled = bool,
uri_path_enabled = bool,
uri_path_enabled = bool,
single_header = list(string),
single_query_argument = list(string)
})
| `null` | no | +| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | | [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | @@ -241,7 +241,7 @@ Available targets: | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | | [visibility\_config](#input\_visibility\_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `map(string)` | `{}` | no | -| [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | An SQL injection match condition identifies the part of web requests,
such as the URI or the query string, that you want AWS WAF to inspect.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss\_match\_statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss\_match\_statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | ## Outputs @@ -350,7 +350,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. ## Copyrights -Copyright © 2020-2021 [Cloud Posse, LLC](https://cloudposse.com) +Copyright © 2021-2021 [Cloud Posse, LLC](https://cloudposse.com) diff --git a/README.yaml b/README.yaml index 5711d58..676a7a4 100644 --- a/README.yaml +++ b/README.yaml @@ -16,7 +16,7 @@ license: APACHE2 copyrights: - name: Cloud Posse, LLC url: https://cloudposse.com - year: '2020' + year: '2021' # Canonical GitHub repo github_repo: cloudposse/terraform-aws-waf diff --git a/docs/terraform.md b/docs/terraform.md index f65ebf4..b8ea624 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -31,7 +31,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | +| [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | [byte\_match\_statement\_rules](#input\_byte\_match\_statement\_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | @@ -51,7 +51,7 @@ | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | | [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate\_key\_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource. |
object({
method_enabled = bool,
uri_path_enabled = bool,
uri_path_enabled = bool,
single_header = list(string),
single_query_argument = list(string)
})
| `null` | no | +| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | | [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | @@ -61,7 +61,7 @@ | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | | [visibility\_config](#input\_visibility\_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `map(string)` | `{}` | no | -| [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | An SQL injection match condition identifies the part of web requests,
such as the URI or the query string, that you want AWS WAF to inspect.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss\_match\_statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss\_match\_statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | ## Outputs diff --git a/main.tf b/main.tf index de13ce8..c447c20 100644 --- a/main.tf +++ b/main.tf @@ -37,16 +37,9 @@ resource "aws_wafv2_web_acl_logging_configuration" "default" { } dynamic "single_header" { - for_each = lookup(redacted_fields.value, "single_header", null) != null ? [redacted_fields.value.single_header] : [] + for_each = lookup(redacted_fields.value, "single_header", null) != null ? toset(redacted_fields.value.single_header) : [] content { - name = lookup(single_header.value, "name", null) - } - } - - dynamic "single_query_argument" { - for_each = lookup(redacted_fields.value, "single_query_argument", null) != null ? [redacted_fields.value.single_query_argument] : [] - content { - name = lookup(single_query_argument.value, "name", null) + name = single_header.value } } } diff --git a/rules.tf b/rules.tf index 700eb14..75b7843 100644 --- a/rules.tf +++ b/rules.tf 
@@ -1,78 +1,88 @@ locals { byte_match_statement_rules = module.this.enabled && var.byte_match_statement_rules != null ? { - for indx, rule in flatten(var.byte_match_statement_rules) : + for rule in flatten(var.byte_match_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-byte-match-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + geo_match_statement_rules = module.this.enabled && var.geo_match_statement_rules != null ? { - for indx, rule in flatten(var.geo_match_statement_rules) : + for rule in flatten(var.geo_match_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-geo-match-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + ip_set_reference_statement_rules = module.this.enabled && var.ip_set_reference_statement_rules != null ? { for indx, rule in flatten(var.ip_set_reference_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-ip-set-reference-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + managed_rule_group_statement_rules = module.this.enabled && var.managed_rule_group_statement_rules != null ? { - for indx, rule in flatten(var.managed_rule_group_statement_rules) : + for rule in flatten(var.managed_rule_group_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-managed-rule-group-%d", module.this.id, rule.priority), lookup(rule, "action", null) != null ? 
rule.action : rule.override_action, ) => rule } : {} + rate_based_statement_rules = module.this.enabled && var.rate_based_statement_rules != null ? { - for indx, rule in flatten(var.rate_based_statement_rules) : + for rule in flatten(var.rate_based_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-rate-based-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + regex_pattern_set_reference_statement_ruless = module.this.enabled && var.regex_pattern_set_reference_statement_rules != null ? { - for indx, rule in flatten(var.regex_pattern_set_reference_statement_rules) : + for rule in flatten(var.regex_pattern_set_reference_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-regex-pattern-set-reference-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + rule_group_reference_statement_rules = module.this.enabled && var.rule_group_reference_statement_rules != null ? { - for indx, rule in flatten(var.rule_group_reference_statement_rules) : + for rule in flatten(var.rule_group_reference_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-rule-group-reference-%d", module.this.id, rule.priority), lookup(rule, "action", null) != null ? rule.action : rule.override_action, ) => rule } : {} + regex_pattern_set_reference_statement_rules = module.this.enabled && var.regex_pattern_set_reference_statement_rules != null ? { - for indx, rule in flatten(var.regex_pattern_set_reference_statement_rules) : + for rule in flatten(var.regex_pattern_set_reference_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? 
rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-regex-pattern-set-reference-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + size_constraint_statement_rules = module.this.enabled && var.size_constraint_statement_rules != null ? { - for indx, rule in flatten(var.size_constraint_statement_rules) : + for rule in flatten(var.size_constraint_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-size-constraint-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + sqli_match_statement_rules = module.this.enabled && var.sqli_match_statement_rules != null ? { - for indx, rule in flatten(var.sqli_match_statement_rules) : + for rule in flatten(var.sqli_match_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-sqli-match-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} + xss_match_statement_rules = module.this.enabled && var.xss_match_statement_rules != null ? { - for indx, rule in flatten(var.xss_match_statement_rules) : + for rule in flatten(var.xss_match_statement_rules) : format("%s-%s", - lookup(rule, "name", null) != null ? rule.name : format("%s-%d", module.this.id, indx), + lookup(rule, "name", null) != null ? rule.name : format("%s-xss-match-%d", module.this.id, rule.priority), rule.action, ) => rule } : {} @@ -270,7 +280,6 @@ resource "aws_wafv2_web_acl" "default" { } } - dynamic "rule" { for_each = local.ip_set_reference_statement_rules diff --git a/variables.tf b/variables.tf index 7f26b1f..a439301 100644 --- a/variables.tf +++ b/variables.tf 
@@ -382,8 +382,7 @@ variable "xss_match_statement_rules" { type = list(any) default = null description = <<-DOC - An SQL injection match condition identifies the part of web requests, - such as the URI or the query string, that you want AWS WAF to inspect. + A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. action: The action that AWS WAF should take on a web request when it matches the rule's statement. @@ -418,7 +417,7 @@ variable "association_resource_arns" { type = list(string) default = [] description = <<-DOC - A list of ARNs of the resources to associate with the web ACL. + A list of ARNs of the resources to associate with the web ACL. This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. DOC } @@ -431,11 +430,10 @@ variable "log_destination_configs" { variable "redacted_fields" { type = object({ - method_enabled = bool, - uri_path_enabled = bool, - uri_path_enabled = bool, - single_header = list(string), - single_query_argument = list(string) + method_enabled = bool, + uri_path_enabled = bool, + query_string_enabled = bool, + single_header = list(string) }) default = null description = <<-DOC @@ -444,11 +442,13 @@ variable "redacted_fields" { method_enabled: Whether to enable redaction of the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - uri_path_enabled: - Whether to enable redaction of the query string. - This is the part of a URL that appears after a `?` character, if any. uri_path_enabled: Whether to enable redaction of the URI path. This is the part of a web request that identifies a resource. + query_string_enabled: + Whether to enable redaction of the query string. + This is the part of a URL that appears after a `?` character, if any. + single_header: + The list of names of the query headers to redact. DOC }
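Review bot: the `association_resource_arns` hunk (`@@ -211,7 +211,7 @@` in README.md, `@@ -31,7 +31,7 @@` in docs/terraform.md, and `@@ -418,7 +417,7 @@` in variables.tf) is a whitespace-only change: the removed and added description lines read identically, `A list of ARNs of the resources to associate with the web ACL.` followed by `This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage.` Either strip the stray trailing whitespace from the heredoc in variables.tf and regenerate the two docs files, or leave the line alone so this PR only carries the substantive changes; as it stands it churns three files for no content change.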
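Review bot: the README.yaml hunk changes `year: '2020'` to `year: '2021'`, which regresses the generated notice in README.md (`@@ -350,7 +350,7 @@`) from `Copyright © 2020-2021` to `Copyright © 2021-2021`. The `year` field is the start of the copyright range and the generator already appends the current year, so the original `'2020'` should be kept and README.md regenerated; bumping the start year also drops a year the project actually holds copyright for.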
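Review bot: the main.tf hunk (`@@ -37,16 +37,9 @@`) silently drops the `single_query_argument` dynamic block from `aws_wafv2_web_acl_logging_configuration`, so anyone who relied on redacting a query argument from WAF logs loses that capability without a warning in the plan; this is a breaking interface change and should be called out in the PR description and the release notes, or the block should be kept behind the (still valid) `single_query_argument` redacted-field type. Two smaller points on the surviving `single_header` block: with `redacted_fields` now typed as an `object({...})` whose attributes are all required, `lookup(redacted_fields.value, "single_header", null)` can never return `null`, so the guard is dead and callers who do not want header redaction must pass `single_header = []`; and the variable gains `query_string_enabled`, but nothing in this hunk consumes it, so please confirm the logging configuration emits a `query_string {}` redacted field when it is `true`.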
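Review bot: the rules.tf hunk (`@@ -1,78 +1,88 @@`) leaves two pre-existing defects in place that it touches anyway. `regex_pattern_set_reference_statement_ruless` (note the trailing `ss`) is a duplicate of `regex_pattern_set_reference_statement_rules` a few blocks below, built from the same `var.regex_pattern_set_reference_statement_rules` with the same key expression; since both are being edited here, delete the misspelled copy rather than updating it. `ip_set_reference_statement_rules` also keeps `for indx, rule in flatten(...)` while every other local was switched to `for rule in flatten(...)`, so `indx` is now unused; change it to match. On the new key format itself: `rule.priority` is dereferenced directly rather than via `lookup`, so a rule without `priority` now fails at plan time with an unsupported-attribute error instead of falling back to the list index, and two unnamed rules of the same type with the same priority collide as duplicate map keys. Both are acceptable, since AWS WAF requires `priority` and rejects duplicates, but the variable descriptions should say `priority` is required.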
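Review bot: in the variables.tf hunk `@@ -431,11 +430,10 @@`, the old type declared `uri_path_enabled` twice, which is a duplicate attribute in an `object` type and not valid HCL, so the rename of the second occurrence to `query_string_enabled` is the right fix; but removing `single_query_argument = list(string)` from the type means an existing caller that sets it now fails validation with an unexpected-attribute error, so the change needs a breaking-change note and ideally a migration hint (`single_query_argument` has no replacement in this module). Since `object` attributes are all required, the description should also state that callers must set every field, for example `single_header = []` when no header should be redacted.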
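Review bot: in the variables.tf hunk `@@ -444,11 +442,13 @@`, the added line `The list of names of the query headers to redact.` under `single_header:` is wrong: these are HTTP request headers (the `single_header` redacted field of the WAF logging configuration), not query parameters. Suggest `The list of names of the HTTP request headers to redact.`; the same text is reproduced verbatim in the generated README.md and docs/terraform.md hunks, so fix it here and regenerate rather than editing the docs by hand.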