
Add Oversize_Handling to AWS WAF v2 #25545

Closed
KnightOfReyn opened this issue Jun 23, 2022 · 20 comments · Fixed by #29082
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Comments

@KnightOfReyn

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add oversize_handling configuration to AWS WAF

New or Affected Resource(s)

  • aws_wafv2_web_acl

Potential Terraform Configuration

statement {
  byte_match_statement {
    field_to_match {
      uri_path {}
    }
    positional_constraint = "CONTAINS"
    search_string         = "path"
    oversize_handling     = "CONTINUE"
    text_transformation {
      priority = 0
      type     = "NONE"
    }
  }
}
@KnightOfReyn KnightOfReyn added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 23, 2022
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Jun 23, 2022
@DrFaust92 DrFaust92 removed the needs-triage Waiting for first response or review from a maintainer. label Jun 24, 2022
@don-code

Per an inbound e-mail from AWS, this could become a blocker to using AWS WAFv2 with Terraform by October 1st. AWS will be requiring oversize handling to be specified on all rules. This would cause any creates or updates with the provider to fail until oversize_handling is specified.

Here's the e-mail we received:

Hello,

We are reaching out to request that you inspect your AWS WAF (Web Application Firewall) rules and apply a size restraint rule, or define oversize handling behavior, by October 1, 2022.

With AWS WAF, customers can configure rules that allow, block, captcha, or monitor (count) web requests based on conditions they define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting. When customers enable AWS WAF for CloudFront, Application Load Balancer, API Gateway or AppSync, only the first 8 KB of the request body are forwarded to AWS WAF for inspection. The 8 KB limit helps maintain high WAF performance and low latency, even during conditions of exceptional load. However, some bypass attempts intentionally put data towards the end of large (> 8 KB) requests. If your application does not expect requests greater than 8 KB in size, you can prevent them from passing through with a WAF size constraint rule statement. This will result in large requests being denied.

We have detected you have one or more rules in your WAF web ACL that inspect the HTTP request body (or JSON body) but do not have a size constraint rule statement. As a result, we may not be inspecting all traffic, specifically requests > 8 KB, to your application. On April 29, 2022, we launched the ability to specify how oversized requests should be handled as part of your web ACL when you configure WAF to inspect Body or JSON body. Although defining oversize handling behavior is optional today, on October 1, 2022, we will make specifying the handling behavior for oversized requests required when there is no size constraint on the Body or JSON body rule. After October 1, 2022, if you have not updated your web ACL to either add a size constraint statement on Body or JSON body rules in your web ACL, or define the oversize handling behavior for these rules, updates to your WAF rules using the API will fail. You can learn more about configuring oversize handling behavior by visiting the AWS WAF documentation [1].

In order to determine if your application is currently processing large requests, you can check your application logs for requests with a content-length header larger than 8 KB, you can configure a rule in AWS WAF to count large requests, or if you have WAF logging enabled you can use the oversizeFields log field to obtain the list of fields in the web request that were inspected by the web ACL and that are over the AWS WAF inspection limit [2]. For more detail on configuring this rule, please see the 'Size constraint rule statement' documentation [3].

Additionally, if you rely on large requests containing bytes not inspected by WAF, we recommend you follow the OWASP SQL recommendations [4] for protecting applications from SQLi [5], including using prepared statements with parameterized queries, using stored procedures where applicable, allow-listing input validation, and escaping all user supplied input. To learn more about web request body inspection with AWS WAF, please see the AWS WAF Developer Guide [6].

The following is a list of your WAF web ACL ID(s):
(removed for brevity)

If you have any questions or concerns, please reach out to AWS Support [7].

[1] https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html
[2] https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html
[3] https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-size-constraint-match.html
[4] https://owasp.org/www-community/attacks/SQL_Injection
[5] https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
[6] https://docs.aws.amazon.com/waf/latest/developerguide/web-request-body-inspection.html
[7] https://aws.amazon.com/support

@cyn110

cyn110 commented Aug 22, 2022

@KnightOfReyn I think this is soon to be a bug instead of enhancement.

@KnightOfReyn
Author

KnightOfReyn commented Aug 23, 2022

@KnightOfReyn I think this is soon to be a bug instead of enhancement.

I agree. New to raising issues on this, so do you know a way I can update labels to reflect that?

@bschaatsbergen
Member

bschaatsbergen commented Aug 27, 2022

Please note that as per the docs here, Oversize Handling applies to the following places in the WAFv2 Web ACL: Body, JsonBody, Headers and Cookies.

@daveihart

Hi, is the "body" field still on the roadmap?

Currently I cannot assign the oversize_handling configuration to the "body" type field. (It's not in the provider docs, so I thought I would ask.)

An argument named "oversize_handling" is not expected here.

Managed to assign oversize_handling fine to the "json_body" type.

Cheers

@fcheung
Contributor

fcheung commented Oct 19, 2022

Weirdly, oversize_handling body was removed here: 7a292ba - I can't say I understand why

@catej-clayton

catej-clayton commented Oct 27, 2022

@fcheung

Weirdly, oversize_handling body was removed here: 7a292ba - I can't say I understand why

This is because adding oversize_handling as a required property to body's schema would have been a breaking change, requiring a new major version of the aws provider. Since the deadline/urgency got pushed back to Feb 2023, tf didn't want to do a whole major version just for this. This is why we've gotten the update for some objects like header and cookies, which didn't have an existing schema and didn't require this breaking change.

You can view the issue's whole history for a detailed explanation, but I gave a summary.

@phillipsbrianj

It would be great if we could add oversize handling as optional now, avoiding the breaking change that would occur if it were required, while at the same time allowing it to be configured in advance of AWS requiring the field in Q1 2023.

@fclerg

fclerg commented Dec 9, 2022

When creating a body rule there are 2 kinds of possible content-type: "Plain text" or "JSON".

In the aws_wafv2_rule_group terraform resource they are respectively equivalent to the attributes

field_to_match {
  body {}
}

and

field_to_match {
  json_body { ... }
}

Currently something like this works:

field_to_match {
  json_body {
    oversize_handling = "..."
  }
}

but not:

field_to_match {
  body {
    oversize_handling = "..."
  }
}

So it looks like the issue has partly been solved, but the missing oversize_handling attribute in the latter example still needs to be addressed.

Any chance for the aws provider to support it before February 2023, when setting Oversize Handling will become mandatory?

@Maxi3315

Maxi3315 commented Jan 2, 2023

When creating a body rule there are 2 kinds of possible content-type: "Plain text" or "JSON".

In the aws_wafv2_rule_group terraform resource they are respectively equivalent to the attributes

field_to_match {
  body {}
}

and

field_to_match {
  json_body { ... }
}

Currently something like this works:

field_to_match {
  json_body {
    oversize_handling = "..."
  }
}

but not:

field_to_match {
  body {
    oversize_handling = "..."
  }
}

So it looks like the issue has partly been solved, but the missing oversize_handling attribute in the latter example still needs to be addressed.

Any chance for the aws provider to support it before February 2023, when setting Oversize Handling will become mandatory?

Hello,

Any news on this case highlighted by @fclerg?

I noticed that oversize_handling is now available for json_body, header and cookies in the aws provider, but what about for body?

@mahela-aws

When creating a body rule there are 2 kinds of possible content-type: "Plain text" or "JSON".

In the aws_wafv2_rule_group terraform resource they are respectively equivalent to the attributes

field_to_match {
  body {}
}

and

field_to_match {
  json_body { ... }
}

Currently something like this works:

field_to_match {
  json_body {
    oversize_handling = "..."
  }
}

but not:

field_to_match {
  body {
    oversize_handling = "..."
  }
}

So it looks like the issue has partly been solved, but the missing oversize_handling attribute in the latter example still needs to be addressed.

Any chance for the aws provider to support it before February 2023, when setting Oversize Handling will become mandatory?

I have tried the below

field_to_match {
  json_body {
    oversize_handling = "MATCH"
  }
}

in the aws_wafv2_rule_group resource, but it looks like this doesn't work either. It says unsupported block json_body.

@mahela-aws

After upgrading the aws provider to the latest version, the above block actually worked.

@an4oh

an4oh commented Jan 13, 2023

I confirm that with json_body it is working, but not with body. In February it will not be possible to deploy a rule with the body as the field to inspect. Is there any update?

@Unibozu

Unibozu commented Jan 23, 2023

Confirm this is still not working with body using provider v4.51.0.

@ch0ppy35

This still isn't fixed.

This has been known about since before October, and the February deadline is fast approaching. When can we expect the provider to handle this properly?

@AndyLonghurstHESA

Just tried adding it to body with 4.49.0 and it is not working.

@breathingdust
Member

Just a note to say that we will be adding oversize_handling as an optional attribute to body as soon as we can. We have reached out to AWS for more details on the timing of the API behavior change and will work to align a provider release to AWS's schedule.

@Unibozu

Unibozu commented Jan 24, 2023

@breathingdust It's appreciated, thanks. If it helps, AWS has sent another email recently detailing the new deadline to make that change (Feb 28):

We are reaching out regarding the notification you received in October 2022, stating that you need to apply a size constraint rule or define oversize handling behavior on Body or JSON body rules for all of your AWS WAF web ACLs. We still recommend that you update your AWS WAF configuration as soon as possible, but no later than February 28, 2023. After February 28, 2023 attempts to update web ACLs will fail if a size constraint rule or oversize handling behavior has not been defined for Body or JSON body rules. This applies to updates made using the WAF console, WAF APIs, or AWS CloudFormation templates. If you have multiple non-compliant rules after February 28, 2023, you will need to use API, CloudFormation, or the tool discussed below.

@github-actions github-actions bot added this to the v4.52.0 milestone Jan 25, 2023
@github-actions

This functionality has been released in v4.52.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
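As an added example that is not code from the issue or from the provider itself: a complete aws_wafv2_web_acl whose body inspection rule declares its oversize handling, which is what the AWS notice requires for Body rules that have no size constraint statement. Resource and metric names and the search string are constructed, and it assumes provider v4.52.0 or later.

```hcl
resource "aws_wafv2_web_acl" "body_inspection" {
  name  = "body-inspection-example" # constructed name
  scope = "REGIONAL"                # CLOUDFRONT for a distribution

  default_action {
    allow {}
  }

  rule {
    name     = "block-body-marker"
    priority = 0

    action {
      block {}
    }

    statement {
      byte_match_statement {
        positional_constraint = "CONTAINS"
        search_string         = "path" # constructed pattern

        field_to_match {
          body {
            # Only the first 8 KB of the body reaches WAF. MATCH treats a
            # larger body as a rule hit (blocked here); NO_MATCH lets it
            # through uninspected; CONTINUE inspects only the 8 KB it sees.
            oversize_handling = "MATCH"
          }
        }

        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-body-marker"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "body-inspection-example"
    sampled_requests_enabled   = true
  }
}
```

Before the provider supported this attribute, the alternative the AWS notice describes was a separate rule with a size_constraint_statement on body (comparison_operator "GT", size 8192) blocking oversized requests outright.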

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 27, 2023