Allow setting of override_action and default_action (#10)

CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 <a name="unreleased"></a>
 ## [Unreleased]
 
+- Update example and fix example config ([#9](https://github.com/umotif-public/terraform-aws-waf-webaclv2/issues/9))
+
+
+<a name="1.1.0"></a>
+## [1.1.0] - 2020-06-26
+
+- Feature/wafv2 improvements ([#8](https://github.com/umotif-public/terraform-aws-waf-webaclv2/issues/8))
+
+
+<a name="1.0.1"></a>
+## [1.0.1] - 2020-06-22
+
+- Update default values to reduce duplication ([#7](https://github.com/umotif-public/terraform-aws-waf-webaclv2/issues/7))
+- update CHANGELOG.md
 
 
 <a name="1.0.0"></a>
@@ -35,7 +49,9 @@ All notable changes to this project will be documented in this file.
 - Initial commit
 
 
-[Unreleased]: https://github.com/umotif-public/terraform-aws-waf-webaclv2/compare/1.0.0...HEAD
+[Unreleased]: https://github.com/umotif-public/terraform-aws-waf-webaclv2/compare/1.1.0...HEAD
+[1.1.0]: https://github.com/umotif-public/terraform-aws-waf-webaclv2/compare/1.0.1...1.1.0
+[1.0.1]: https://github.com/umotif-public/terraform-aws-waf-webaclv2/compare/1.0.0...1.0.1
 [1.0.0]: https://github.com/umotif-public/terraform-aws-waf-webaclv2/compare/0.2.0...1.0.0
 [0.2.0]: https://github.com/umotif-public/terraform-aws-waf-webaclv2/compare/0.1.0...0.2.0
 [0.1.0]: https://github.com/umotif-public/terraform-aws-waf-webaclv2/compare/0.0.1...0.1.0

README.md

@@ -15,13 +15,15 @@ Please pin down version of this module to exact version.
 ```hcl
 module "waf" {
   source = "umotif-public/waf-webaclv2/aws"
-  version = "~> 1.1.0"
+  version = "~> 1.2.0"
 
   name_prefix = "test-waf-setup"
   alb_arn     = module.alb.arn
 
   create_alb_association = true
 
+  allow_default_action = true # set to allow if not specified
+
   visibility_config = {
     metric_name                = "test-waf-setup-waf-main-metrics"
   }
@@ -31,6 +33,8 @@ module "waf" {
       name     = "AWSManagedRulesCommonRuleSet-rule-1"
       priority = "1"
 
+      override_action = "none" # set to none if not specified
+
       visibility_config = {
         metric_name                = "AWSManagedRulesCommonRuleSet-metric"
       }
@@ -49,6 +53,8 @@ module "waf" {
       name     = "AWSManagedRulesKnownBadInputsRuleSet-rule-2"
       priority = "2"
 
+      override_action = "count"
+
       visibility_config = {
         metric_name                = "AWSManagedRulesKnownBadInputsRuleSet-metric"
       }
@@ -57,6 +63,21 @@ module "waf" {
         name        = "AWSManagedRulesKnownBadInputsRuleSet"
         vendor_name = "AWS"
       }
+    },
+    {
+      name     = "AWSManagedRulesPHPRuleSet-rule-3"
+      priority = "3"
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = false
+        metric_name                = "AWSManagedRulesPHPRuleSet-metric"
+        sampled_requests_enabled   = false
+      }
+
+      managed_rule_group_statement = {
+        name        = "AWSManagedRulesPHPRuleSet"
+        vendor_name = "AWS"
+      }
     }
   ]
 
@@ -71,16 +92,6 @@ module "waf" {
 
 Module is to be used with Terraform > 0.12.
 
-## Current Limitations/Issues
-
-1. All rules deployed via this module are set to allowing mode. At this stage, I was unable to find a way to pass following block as an environment variable (feel free to create a PR to resolve it):
-```tf
-default_action {
-    allow {}
-}
-```
-This problem is tracked -> https://discuss.hashicorp.com/t/conditional-block-or-allow-variable-for-wafv2-resource-when-using-override-action-or-default-action/10162
-
 ## Logging configuration
 
 When you enable logging configuration for WAFv2. Remember to follow naming convention defined in https://docs.aws.amazon.com/waf/latest/developerguide/logging.html.
@@ -115,6 +126,7 @@ Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](http
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | alb\_arn | Application Load Balancer ARN | `string` | `""` | no |
+| allow\_default\_action | Set to `true` for WAF to allow requests by default. Set to `false` for WAF to block requests by default. | `bool` | `true` | no |
 | create\_alb\_association | Whether to create alb association with WAF web acl | `bool` | `true` | no |
 | create\_logging\_configuration | Whether to create logging configuration in order start logging from a WAFv2 Web ACL to Amazon Kinesis Data Firehose. | `bool` | `false` | no |
 | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |

examples/core/main.tf

@@ -10,7 +10,7 @@ module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "~> 2.44"
 
-  name = "simple-vpc"
+  name = "simple-waf-test-vpc"
 
   cidr = "10.0.0.0/16"
 
@@ -35,69 +35,6 @@ module "alb" {
   subnets            = module.vpc.public_subnets
 }
 
-resource "aws_lb_listener" "alb_80" {
-  load_balancer_arn = module.alb.arn
-  port              = "80"
-  protocol          = "HTTP"
-
-  default_action {
-    type             = "forward"
-    target_group_arn = module.fargate.target_group_arn
-  }
-}
-
-#####
-# Security Group Config
-#####
-resource "aws_security_group_rule" "alb_ingress_80" {
-  security_group_id = module.alb.security_group_id
-  type              = "ingress"
-  protocol          = "tcp"
-  from_port         = 80
-  to_port           = 80
-  cidr_blocks       = ["0.0.0.0/0"]
-  ipv6_cidr_blocks  = ["::/0"]
-}
-
-resource "aws_security_group_rule" "task_ingress_80" {
-  security_group_id        = module.fargate.service_sg_id
-  type                     = "ingress"
-  protocol                 = "tcp"
-  from_port                = 80
-  to_port                  = 80
-  source_security_group_id = module.alb.security_group_id
-}
-
-#####
-# ECS cluster and fargate
-#####
-resource "aws_ecs_cluster" "cluster" {
-  name = "example-ecs-cluster"
-}
-
-module "fargate" {
-  source  = "umotif-public/ecs-fargate/aws"
-  version = "~> 3.0.0"
-
-  name_prefix        = "ecs-fargate-example"
-  vpc_id             = module.vpc.vpc_id
-  private_subnet_ids = module.vpc.public_subnets
-  lb_arn             = module.alb.arn
-  cluster_id         = aws_ecs_cluster.cluster.id
-
-  task_container_image   = "marcincuber/2048-game:latest"
-  task_definition_cpu    = 256
-  task_definition_memory = 512
-
-  task_container_port             = 80
-  task_container_assign_public_ip = true
-
-  health_check = {
-    port = "traffic-port"
-    path = "/"
-  }
-}
-
 #####
 # Web Application Firewall configuration
 #####
@@ -107,6 +44,8 @@ module "waf" {
   name_prefix = "test-waf-setup"
   alb_arn     = module.alb.arn
 
+  allow_default_action = true
+
   create_alb_association = true
 
   visibility_config = {
@@ -120,6 +59,8 @@ module "waf" {
       name     = "AWSManagedRulesCommonRuleSet-rule-1"
       priority = "1"
 
+      override_action = "none"
+
       visibility_config = {
         cloudwatch_metrics_enabled = false
         metric_name                = "AWSManagedRulesCommonRuleSet-metric"
@@ -140,6 +81,8 @@ module "waf" {
       name     = "AWSManagedRulesKnownBadInputsRuleSet-rule-2"
       priority = "2"
 
+      override_action = "count"
+
       visibility_config = {
         cloudwatch_metrics_enabled = false
         metric_name                = "AWSManagedRulesKnownBadInputsRuleSet-metric"

main.tf

@@ -8,7 +8,15 @@ resource "aws_wafv2_web_acl" "main" {
   scope = "REGIONAL"
 
   default_action {
-    allow {}
+    dynamic "allow" {
+      for_each = var.allow_default_action ? [1] : []
+      content {}
+    }
+
+    dynamic "block" {
+      for_each = var.allow_default_action ? [] : [1]
+      content {}
+    }
   }
 
   dynamic "rule" {
@@ -18,7 +26,15 @@ resource "aws_wafv2_web_acl" "main" {
       priority = lookup(rule.value, "priority")
 
       override_action {
-        none {}
+        dynamic "none" {
+          for_each = length(lookup(rule.value, "override_action", {})) == 0 || lookup(rule.value, "override_action", {}) == "none" ? [1] : []
+          content {}
+        }
+
+        dynamic "count" {
+          for_each = lookup(rule.value, "override_action", {}) == "count" ? [1] : []
+          content {}
+        }
       }
 
       statement {

variables.tf

@@ -54,3 +54,9 @@ variable "redacted_fields" {
   description = "The parts of the request that you want to keep out of the logs. Up to 100 `redacted_fields` blocks are supported."
   default     = []
 }
+
+variable "allow_default_action" {
+  type        = bool
+  description = "Set to `true` for WAF to allow requests by default. Set to `false` for WAF to block requests by default."
+  default     = true
+}