From ebc4d1ca58c11a7cb436dcadaf41178f9b71ea47 Mon Sep 17 00:00:00 2001 From: Ian Bartholomew Date: Tue, 24 Aug 2021 13:09:15 -0700 Subject: [PATCH] Change redacted_fields variable type to map(any) (#4) Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> --- README.md | 8 +++----- docs/terraform.md | 2 +- variables.tf | 9 ++------- 3 files changed, 6 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 1a12067..de33a3e 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ + # terraform-aws-waf [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-waf.svg)](https://github.com/cloudposse/terraform-aws-waf/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) @@ -29,7 +30,6 @@ Terraform module to create and manage AWS WAFv2 rules. - --- This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. @@ -60,7 +60,6 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are - ## Security & Compliance [](https://bridgecrew.io/) Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. @@ -231,7 +230,7 @@ Available targets: | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | | [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate\_key\_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | +| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. | `map(any)` | `{}` | no | | [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | @@ -262,6 +261,7 @@ Like this project? Please give it a ★ on [our GitHub](https://github.com/cloud Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) + ## Related Projects Check out these related projects. @@ -269,8 +269,6 @@ Check out these related projects. - [terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes]) - - ## References For additional context, refer to some of these links. diff --git a/docs/terraform.md b/docs/terraform.md index fc9729d..116b0a4 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -51,7 +51,7 @@ | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | | [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate\_key\_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | +| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. | `map(any)` | `{}` | no | | [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | diff --git a/variables.tf b/variables.tf index 07d0d6b..64791a6 100644 --- a/variables.tf +++ b/variables.tf @@ -433,13 +433,8 @@ variable "log_destination_configs" { } variable "redacted_fields" { - type = object({ - method_enabled = bool, - uri_path_enabled = bool, - query_string_enabled = bool, - single_header = list(string) - }) - default = null + type = map(any) + default = {} description = <<-DOC The parts of the request that you want to keep out of the logs.
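Review bot: the README hunks at `@@ -1,3 +1,4 @@`, `@@ -29,7 +30,6 @@`, `@@ -60,7 +60,6 @@`, `@@ -262,6 +261,7 @@` and `@@ -269,8 +269,6 @@` only add or remove blank lines and have nothing to do with the `redacted_fields` change the subject line describes; if they are the output of regenerating the README they are harmless, but they bury the one functional hunk among whitespace churn and would be easier to review as a separate commit.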
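Review bot: in the README `@@ -231,7 +230,7 @@` hunk (and the matching docs/terraform.md hunk), the new `redacted_fields` row still lists `method_enabled`, `uri_path_enabled`, `query_string_enabled` and `single_header` exactly as the removed `object({...})` type did, but with `map(any)` the type column no longer tells the reader which keys are recognised, which are optional now that the default is `{}`, or what happens to a misspelled key. The description should state that explicitly, because a key that is silently not consulted means a field the operator intended to redact ends up in the WAF logs. Minor: `single_header` redacts request headers, so "The list of names of the query headers to redact" should read "request headers".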
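Review bot: in the variables.tf hunk, `type = map(any)` cannot hold the mixed values the description still asks for: Terraform resolves `any` inside `map(any)` to a single element type that every value must convert to, so a value combining the three bool flags with `single_header = list(string)` (for example `{ query_string_enabled = true, single_header = ["authorization"] }`) is rejected with an "all map elements must have the same type" error, while the old `object({...})` accepted it. If the intent is to make every key optional, `type = any` keeps the object shape without forcing a common element type, or keep the typed object with optional attributes. Also worth flagging: the default moved from `null` to `{}`, so any consumer (not visible in this diff) that tests `var.redacted_fields == null` to decide whether to emit a redaction block will now always see a non-null value and needs a corresponding update.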