From 20fc0c2a27048af3394413baceea31e780e49d27 Mon Sep 17 00:00:00 2001
From: Duleendra
Date: Thu, 16 May 2024 23:04:25 +0800
Subject: [PATCH 1/3] feat: add custom_response_body_key to default block action
---
 .github/mergify.yml | 77 ++++++++++++++++++++++++-
 .github/workflows/feature-branch.yml | 4 +-
 .github/workflows/release-branch.yml | 11 ++--
 .github/workflows/release-published.yml | 5 +-
 .github/workflows/scheduled.yml | 3 +-
 README.md | 1 +
 docs/terraform.md | 1 +
 rules.tf | 3 +
 variables.tf | 11 ++++
 9 files changed, 106 insertions(+), 10 deletions(-)
diff --git a/.github/mergify.yml b/.github/mergify.yml
index 526045d..148d85c 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -1 +1,76 @@
-extends: .github
+# https://docs.mergify.io/conditions.html
+# https://docs.mergify.io/actions.html
+pull_request_rules:
+- name: "approve automated PRs that have passed checks"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ - or:
+ - "base=master"
+ - "base=main"
+ - "base~=^release/v\\d{1,2}$"
+
+ actions:
+ review:
+ type: "APPROVE"
+ bot_account: "cloudposse-mergebot"
+ message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
+
+- name: "merge automated PRs when approved and tests pass"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ - "#approved-reviews-by>=1"
+ - "#changes-requested-reviews-by=0"
+ - "#commented-reviews-by=0"
+ - or:
+ - "base=master"
+ - "base=main"
+ - "base~=^release/v\\d{1,2}$"
+
+ actions:
+ merge:
+ method: "squash"
+
+- name: "delete the head branch after merge"
+ conditions:
+ - "merged"
+ actions:
+ delete_head_branch: {}
+
+- name: "ask to resolve conflict"
+ conditions:
+ - "conflict"
+ - "-closed"
+ actions:
+ comment:
+ message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏"
+
+- name: "remove outdated reviews"
+ conditions:
+ - or:
+ - "base=master"
+ - "base=main"
+ - "base~=^release/v\\d{1,2}$"
+ actions:
+ dismiss_reviews:
+ changes_requested: true
+ approved: true
+ message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+ conditions:
+ - "#files=0"
+ actions:
+ close:
+ message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml
index ebd8854..8faa955 100644
--- a/.github/workflows/feature-branch.yml
+++ b/.github/workflows/feature-branch.yml
@@ -11,9 +11,9 @@ permissions:
 pull-requests: write
 id-token: write
 contents: write
- issues: write
 jobs:
 terraform-module:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/feature-branch.yml@main
- secrets: inherit
+ secrets:
+ github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 852d5e3..b30901e 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -4,17 +4,20 @@ on:
 push:
 branches:
 - main
- - release/v*
+ - release/**
 paths-ignore:
 - '.github/**'
 - 'docs/**'
 - 'examples/**'
 - 'test/**'
- - 'README.md'
+ - 'README.*'
-permissions: {}
+permissions:
+ contents: write
+ id-token: write
 jobs:
 terraform-module:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-branch.yml@main
- secrets: inherit
+ secrets:
+ github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml
index 1b0aaca..b31232b 100644
--- a/.github/workflows/release-published.yml
+++ b/.github/workflows/release-published.yml
@@ -5,9 +5,10 @@ on:
 types:
 - published
-permissions: {}
+permissions:
+ contents: write
+ id-token: write
 jobs:
 terraform-module:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
- secrets: inherit
diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml
index 7bc09ab..163be0b 100644
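Review bot: The `.github` hunks in this patch are unrelated to its subject (`feat: add custom_response_body_key to default block action`), and PATCH 2/3 reverts every one of them, so they should be dropped from this commit or the series squashed rather than left as an intermediate state in history. The mergify.yml hunk replaces `extends: .github` with a full inline copy of the shared rules, which stops this repository from tracking the organisation-level config; the same concern applies to the hunks in feature-branch.yml, release-branch.yml, release-published.yml and scheduled.yml, which widen `permissions: {}` to `contents: write` and `id-token: write` on the release workflows and swap `secrets: inherit` for an explicit `github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}`. If any of that is actually intended, it belongs in its own change with a rationale for the broader permissions, not inside a Terraform feature commit.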
--- a/.github/workflows/scheduled.yml
+++ b/.github/workflows/scheduled.yml
@@ -13,4 +13,5 @@ permissions:
 jobs:
 scheduled:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/scheduled.yml@main
- secrets: inherit
+ secrets:
+ github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
diff --git a/README.md b/README.md
index 1d36589..ac775a3 100644
--- a/README.md
+++ b/README.md
@@ -181,6 +181,7 @@ Available targets:
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [custom\_response\_body](#input\_custom\_response\_body) | Defines custom response bodies that can be referenced by custom\_response actions.
The map keys are used as the `key` attribute which is a unique key identifying the custom response body.
content:
Payload of the custom response.
The response body can be plain text, HTML or JSON and cannot exceed 4KB in size.
content\_type:
Content Type of Response Body.
Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. |
map(object({
content = string
content_type = string
}))
| `{}` | no | | [default\_action](#input\_default\_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no | +| [default\_block\_custom\_response\_body\_key](#input\_default\_block\_custom\_response\_body\_key) | References the default response body that you want AWS WAF to return to the web request client.
This must reference a key defined in a custom\_response\_body block of this resource.
Only takes effect if default\_action is set to `block`. | `string` | `null` | no | | [default\_block\_response](#input\_default\_block\_response) | A HTTP response code that is sent when default block action is used. Only takes effect if default\_action is set to `block`. | `string` | `null` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index f82f700..c0a79bd 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -39,6 +39,7 @@
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [custom\_response\_body](#input\_custom\_response\_body) | Defines custom response bodies that can be referenced by custom\_response actions.
The map keys are used as the `key` attribute which is a unique key identifying the custom response body.
content:
Payload of the custom response.
The response body can be plain text, HTML or JSON and cannot exceed 4KB in size.
content\_type:
Content Type of Response Body.
Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. |
map(object({
content = string
content_type = string
}))
| `{}` | no | | [default\_action](#input\_default\_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no | +| [default\_block\_custom\_response\_body\_key](#input\_default\_block\_custom\_response\_body\_key) | References the default response body that you want AWS WAF to return to the web request client.
This must reference a key defined in a custom\_response\_body block of this resource.
Only takes effect if default\_action is set to `block`. | `string` | `null` | no | | [default\_block\_response](#input\_default\_block\_response) | A HTTP response code that is sent when default block action is used. Only takes effect if default\_action is set to `block`. | `string` | `null` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no |
diff --git a/rules.tf b/rules.tf
index 74522c8..ffa76c1 100644
--- a/rules.tf
+++ b/rules.tf
@@ -88,6 +88,8 @@ locals {
 rule.action,
 ) => rule
 } : {}
+
+ default_custom_response_body_key = var.default_block_custom_response_body_key != null ? contains(keys(var.custom_response_body),var.default_block_custom_response_body_key ) ? var.default_block_custom_response_body_key : null: null
 }
 resource "aws_wafv2_web_acl" "default" {
@@ -112,6 +114,7 @@ resource "aws_wafv2_web_acl" "default" {
 for_each = var.default_block_response != null ? [true] : []
 content {
 response_code = var.default_block_response
+ custom_response_body_key = local.default_custom_response_body_key
 }
 }
 }
diff --git a/variables.tf b/variables.tf
index d5384be..3d5e991 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1047,3 +1047,14 @@ variable "default_block_response" {
 DOC
 nullable = true
 }
+
+variable "default_block_custom_response_body_key" {
+ type = string
+ default = null
+ description = <<-DOC
+ References the default response body that you want AWS WAF to return to the web request client.
+ This must reference a key defined in a custom_response_body block of this resource.
+ Only takes effect if default_action is set to `block`.
+ DOC
+ nullable = true
+}
From 82bf284e17c4a9c7b40b46cf8305121cec0170f6 Mon Sep 17 00:00:00 2001
From: Duleendra
Date: Fri, 17 May 2024 06:21:51 +0800
Subject: [PATCH 2/3] remove github workflow file changes
---
 .github/mergify.yml | 77 +------------------------
 .github/workflows/feature-branch.yml | 4 +-
 .github/workflows/release-branch.yml | 11 ++--
 .github/workflows/release-published.yml | 5 +-
 .github/workflows/scheduled.yml | 3 +-
 5 files changed, 10 insertions(+), 90 deletions(-)
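Review bot: The new local in the rules.tf hunk at `@@ -88,6 +88,8 @@` silently turns a `default_block_custom_response_body_key` that is not a key of `var.custom_response_body` into `null`, so a typo in the key produces a block response with no custom body and no error at plan or apply time. Since the value is documented as a hard reference, fail loudly instead: pass the variable through unchanged and check membership in a `lifecycle { precondition }` on `aws_wafv2_web_acl.default` (needs Terraform 1.2 or later; the module's version constraint is not visible from this hunk, so confirm before adopting). PATCH 3/3 only reformats the same line, so the change applies on top of it. The `resource` block whose opening line is this hunk's last context line continues outside the hunk.
```hcl
  # … unchanged: other locals …
  default_custom_response_body_key = var.default_block_custom_response_body_key
}

resource "aws_wafv2_web_acl" "default" {
  lifecycle {
    precondition {
      condition     = var.default_block_custom_response_body_key == null ? true : contains(keys(var.custom_response_body), var.default_block_custom_response_body_key)
      error_message = "default_block_custom_response_body_key must match a key of custom_response_body."
    }
  }
  # … unchanged: rest of the resource body …
```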
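Review bot: The description of the new `default_block_custom_response_body_key` variable in the variables.tf hunk says it only takes effect when `default_action` is `block`, but in rules.tf (`@@ -112,6 +114,7 @@`) the attribute is emitted inside `dynamic "custom_response"`, whose `for_each` is `var.default_block_response != null ? [true] : []`, so the key is also silently ignored unless `default_block_response` is set. State the second condition in the heredoc, e.g. `Only takes effect if default_action is set to \`block\` and default_block_response is set.`, and regenerate the README and docs/terraform.md tables that copy it. A short comment on the dynamic block in rules.tf, e.g. `# custom_response_body_key is only sent when a response code is configured`, would make the coupling visible at the call site.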
diff --git a/.github/mergify.yml b/.github/mergify.yml
index 148d85c..526045d 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -1,76 +1 @@
-# https://docs.mergify.io/conditions.html
-# https://docs.mergify.io/actions.html
-pull_request_rules:
-- name: "approve automated PRs that have passed checks"
- conditions:
- - "author~=^(cloudpossebot|renovate\\[bot\\])$"
- - "-closed"
- - "head~=^(auto-update|renovate)/.*"
- - "check-success=test/bats"
- - "check-success=test/readme"
- - "check-success=test/terratest"
- - "check-success=validate-codeowners"
- - or:
- - "base=master"
- - "base=main"
- - "base~=^release/v\\d{1,2}$"
-
- actions:
- review:
- type: "APPROVE"
- bot_account: "cloudposse-mergebot"
- message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
-
-- name: "merge automated PRs when approved and tests pass"
- conditions:
- - "author~=^(cloudpossebot|renovate\\[bot\\])$"
- - "-closed"
- - "head~=^(auto-update|renovate)/.*"
- - "check-success=test/bats"
- - "check-success=test/readme"
- - "check-success=test/terratest"
- - "check-success=validate-codeowners"
- - "#approved-reviews-by>=1"
- - "#changes-requested-reviews-by=0"
- - "#commented-reviews-by=0"
- - or:
- - "base=master"
- - "base=main"
- - "base~=^release/v\\d{1,2}$"
-
- actions:
- merge:
- method: "squash"
-
-- name: "delete the head branch after merge"
- conditions:
- - "merged"
- actions:
- delete_head_branch: {}
-
-- name: "ask to resolve conflict"
- conditions:
- - "conflict"
- - "-closed"
- actions:
- comment:
- message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏"
-
-- name: "remove outdated reviews"
- conditions:
- - or:
- - "base=master"
- - "base=main"
- - "base~=^release/v\\d{1,2}$"
- actions:
- dismiss_reviews:
- changes_requested: true
- approved: true
- message: "This Pull Request has been updated, so we're dismissing all reviews."
-
-- name: "close Pull Requests without files changed"
- conditions:
- - "#files=0"
- actions:
- close:
- message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
+extends: .github
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml
index 8faa955..ebd8854 100644
--- a/.github/workflows/feature-branch.yml
+++ b/.github/workflows/feature-branch.yml
@@ -11,9 +11,9 @@ permissions:
 pull-requests: write
 id-token: write
 contents: write
+ issues: write
 jobs:
 terraform-module:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/feature-branch.yml@main
- secrets:
- github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+ secrets: inherit
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index b30901e..852d5e3 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -4,20 +4,17 @@ on:
 push:
 branches:
 - main
- - release/**
+ - release/v*
 paths-ignore:
 - '.github/**'
 - 'docs/**'
 - 'examples/**'
 - 'test/**'
- - 'README.*'
+ - 'README.md'
-permissions:
- contents: write
- id-token: write
+permissions: {}
 jobs:
 terraform-module:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-branch.yml@main
- secrets:
- github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+ secrets: inherit
diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml
index b31232b..1b0aaca 100644
--- a/.github/workflows/release-published.yml
+++ b/.github/workflows/release-published.yml
@@ -5,10 +5,9 @@ on:
 types:
 - published
-permissions:
- contents: write
- id-token: write
+permissions: {}
 jobs:
 terraform-module:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
+ secrets: inherit
diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml
index 163be0b..7bc09ab 100644
--- a/.github/workflows/scheduled.yml
+++ b/.github/workflows/scheduled.yml
@@ -13,5 +13,4 @@ permissions:
 jobs:
 scheduled:
 uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/scheduled.yml@main
- secrets:
- github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+ secrets: inherit
From ed8a5d3ae41277f00f547d829149fda614b777a3 Mon Sep 17 00:00:00 2001
From: Duleendra
Date: Fri, 17 May 2024 06:54:02 +0800
Subject: [PATCH 3/3] fix lint issue
---
 rules.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules.tf b/rules.tf
index ffa76c1..459f147 100644
--- a/rules.tf
+++ b/rules.tf
@@ -89,7 +89,7 @@ locals {
 ) => rule
 } : {}
- default_custom_response_body_key = var.default_block_custom_response_body_key != null ? contains(keys(var.custom_response_body),var.default_block_custom_response_body_key ) ? var.default_block_custom_response_body_key : null: null
+ default_custom_response_body_key = var.default_block_custom_response_body_key != null ? contains(keys(var.custom_response_body), var.default_block_custom_response_body_key) ? var.default_block_custom_response_body_key : null : null
 }
 resource "aws_wafv2_web_acl" "default" {
@@ -113,7 +113,7 @@ resource "aws_wafv2_web_acl" "default" {
 dynamic "custom_response" {
 for_each = var.default_block_response != null ? [true] : []
 content {
- response_code = var.default_block_response
+ response_code = var.default_block_response
 custom_response_body_key = local.default_custom_response_body_key
 }
 }