feat(firewall-manager-waf_v2): add missing attributes #36

Merged
merged 3 commits into from
Aug 16, 2023
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -313,7 +313,7 @@ Available targets:
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| <a name="input_waf_policies"></a> [waf\_policies](#input\_waf\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> default\_action:<br> The action that you want AWS WAF to take.<br> Possible values: `ALLOW`, `BLOCK` or `COUNT`.<br> rule\_groups:<br> A list of rule groups. | `list(any)` | `[]` | no |
| <a name="input_waf_v2_policies"></a> [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> default\_action:<br> The action that you want AWS WAF to take.<br> Possible values: `ALLOW`, `BLOCK` or `COUNT`.<br> override\_customer\_web\_acl\_association:<br> Wheter to override customer Web ACL association<br> logging\_configuration:<br> The WAFv2 Web ACL logging configuration.<br> pre\_process\_rule\_groups:<br> A list of pre-proccess rule groups.<br> post\_process\_rule\_groups:<br> A list of post-proccess rule groups. | `list(any)` | `[]` | no |
| <a name="input_waf_v2_policies"></a> [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> default\_action:<br> The action that you want AWS WAF to take.<br> Possible values: `ALLOW`, `BLOCK` or `COUNT`.<br> override\_customer\_web\_acl\_association:<br> Wheter to override customer Web ACL association<br> logging\_configuration:<br> The WAFv2 Web ACL logging configuration.<br> pre\_process\_rule\_groups:<br> A list of pre-proccess rule groups.<br> post\_process\_rule\_groups:<br> A list of post-proccess rule groups.<br> custom\_request\_handling:<br> A custom header for custom request and response handling.<br> Defaults to null.<br> custom\_response:<br> A custom response for the web request.<br> Defaults to null.<br> sampled\_requests\_enabled\_for\_default\_actions:<br> 
Whether WAF should store a sampling of the web requests that match the rules.<br> Possible values: `true` or `false`. | `list(any)` | `[]` | no |

## Outputs

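Review bot: the new `waf_v2_policies` row states no default for `sampled_requests_enabled_for_default_actions`, while the `waf_v2.tf` change in this same PR falls back to `false` for it and the two neighbouring keys each say `Defaults to null.`; add `Defaults to `false`.` so the table matches the behaviour. The row also carries the pre-existing typos `Wheter`, `pre-proccess` and `post-proccess`; since this table text is identical to the variable description in `variables.tf`, fix them once there and regenerate the table rather than editing the markdown by hand.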
2 changes: 1 addition & 1 deletion docs/terraform.md
Expand Up @@ -79,7 +79,7 @@
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| <a name="input_waf_policies"></a> [waf\_policies](#input\_waf\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> default\_action:<br> The action that you want AWS WAF to take.<br> Possible values: `ALLOW`, `BLOCK` or `COUNT`.<br> rule\_groups:<br> A list of rule groups. | `list(any)` | `[]` | no |
| <a name="input_waf_v2_policies"></a> [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> default\_action:<br> The action that you want AWS WAF to take.<br> Possible values: `ALLOW`, `BLOCK` or `COUNT`.<br> override\_customer\_web\_acl\_association:<br> Wheter to override customer Web ACL association<br> logging\_configuration:<br> The WAFv2 Web ACL logging configuration.<br> pre\_process\_rule\_groups:<br> A list of pre-proccess rule groups.<br> post\_process\_rule\_groups:<br> A list of post-proccess rule groups. | `list(any)` | `[]` | no |
| <a name="input_waf_v2_policies"></a> [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> default\_action:<br> The action that you want AWS WAF to take.<br> Possible values: `ALLOW`, `BLOCK` or `COUNT`.<br> override\_customer\_web\_acl\_association:<br> Wheter to override customer Web ACL association<br> logging\_configuration:<br> The WAFv2 Web ACL logging configuration.<br> pre\_process\_rule\_groups:<br> A list of pre-proccess rule groups.<br> post\_process\_rule\_groups:<br> A list of post-proccess rule groups.<br> custom\_request\_handling:<br> A custom header for custom request and response handling.<br> Defaults to null.<br> custom\_response:<br> A custom response for the web request.<br> Defaults to null.<br> sampled\_requests\_enabled\_for\_default\_actions:<br> 
Whether WAF should store a sampling of the web requests that match the rules.<br> Possible values: `true` or `false`. | `list(any)` | `[]` | no |

## Outputs

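Review bot: the added row is split across two lines at the `<br>` before `Whether WAF should store a sampling of the web requests that match the rules.`; a markdown table cell cannot contain a raw line break, so if that break is really in the file (and not only an artifact of how the diff is shown here) the row will no longer render as part of the inputs table. This file and the README row above it are the same generated text as the `variables.tf` description, so regenerate both from `variables.tf` in one step instead of patching each copy, which also keeps every variable on a single line.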
9 changes: 9 additions & 0 deletions variables.tf
Expand Up @@ -239,6 +239,15 @@ variable "waf_v2_policies" {
A list of pre-proccess rule groups.
post_process_rule_groups:
A list of post-proccess rule groups.
custom_request_handling:
A custom header for custom request and response handling.
Defaults to null.
custom_response:
A custom response for the web request.
Defaults to null.
sampled_requests_enabled_for_default_actions:
Whether WAF should store a sampling of the web requests that match the rules.
Possible values: `true` or `false`.
DOC
}

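Review bot: `sampled_requests_enabled_for_default_actions` is the only new key whose description omits its default, while `waf_v2.tf` in this PR uses `lookup(..., false)` for it; add `Defaults to `false`.` so users know request sampling for the default action is off unless they opt in, since those samples are what an operator looks at when working out why the default action allowed or blocked traffic. While this heredoc is open, the context lines still read `pre-proccess` and `post-proccess`; fixing them here is what fixes the generated README and docs tables.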
7 changes: 5 additions & 2 deletions waf_v2.tf
Expand Up @@ -47,8 +47,11 @@ resource "aws_fms_policy" "waf_v2" {
type = upper(each.value.policy_data.default_action)
}

overrideCustomerWebACLAssociation = lookup(each.value.policy_data, "override_customer_web_acl_association", false)
loggingConfiguration = lookup(each.value.policy_data, "logging_configuration", local.logging_configuration)
overrideCustomerWebACLAssociation = lookup(each.value.policy_data, "override_customer_web_acl_association", false)
loggingConfiguration = lookup(each.value.policy_data, "logging_configuration", local.logging_configuration)
customRequestHandling = lookup(each.value.policy_data, "custom_request_handling", null)
customResponse = lookup(each.value.policy_data, "custom_response", null)
sampledRequestsEnabledForDefaultActions = lookup(each.value.policy_data, "sampled_requests_enabled_for_default_actions", false)
})
}
}
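Review bot: `customRequestHandling = lookup(each.value.policy_data, "custom_request_handling", null)` and the `customResponse` line below it place an explicit `null` in the map, so for every caller that does not set these keys the encoded managed service data (the closing `})` indicates this map is wrapped in `jsonencode`) gains `"customRequestHandling": null` and `"customResponse": null` rather than omitting the keys. If the FMS API rejects `null` for those fields, every existing policy definition that never used them stops applying; building the map in a local and filtering before encoding, e.g. `{ for k, v in local.msd : k => v if v != null }`, keeps the previous request shape for existing users and only sends the fields that were set. The `false` default for `sampledRequestsEnabledForDefaultActions` is sensible for a conservative default but should be stated in the `waf_v2_policies` description, which this PR leaves silent on it.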