From 92c326db33695d8ee1601838d893d4d1dda79d42 Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Mon, 27 Jun 2022 22:19:37 +0200
Subject: [PATCH 1/7] Update Wafv2 Web ACL schema to include the `oversize_handling` attribute
---
 internal/service/wafv2/schemas.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go
index 27f122812eb..63c44f7ec94 100644
--- a/internal/service/wafv2/schemas.go
+++ b/internal/service/wafv2/schemas.go
@@ -153,6 +153,11 @@ func byteMatchStatementSchema() *schema.Schema {
 wafv2.PositionalConstraintStartsWith,
 }, false),
 },
+ "oversize_handling": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice(wafv2.OversizeConstraintAction_Values(), false),
+ },
 "search_string": {
 Type: schema.TypeString,
 Required: true,
From 4773f45f35506b7ab3e140c70a6490ba40b7003f Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Mon, 27 Jun 2022 22:21:32 +0200
Subject: [PATCH 2/7] Change `OversizeConstraintAction_Values` to `OversizeHandling_Values`
---
 internal/service/wafv2/schemas.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go
index 63c44f7ec94..81657bffcfe 100644
--- a/internal/service/wafv2/schemas.go
+++ b/internal/service/wafv2/schemas.go
@@ -156,7 +156,7 @@ func byteMatchStatementSchema() *schema.Schema {
 "oversize_handling": {
 Type: schema.TypeString,
 Required: true,
- ValidateFunc: validation.StringInSlice(wafv2.OversizeConstraintAction_Values(), false),
+ ValidateFunc: validation.StringInSlice(wafv2.OversizeHandling_Values(), false),
 },
 "search_string": {
 Type: schema.TypeString,
From 958698e694ff38598ae0fc7c575877a1c8c4e704 Mon Sep 17 00:00:00 2001
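Review bot: `Required: true` on the newly added `oversize_handling` attribute makes every existing `byte_match_statement` block fail validation after an upgrade, because no current configuration can contain it. The same applies to the `body` block in the second schemas.go hunk of PATCH 6/7, where the attribute finally lands and a bare `body {}` stops being valid. Consider `Optional: true,` there, and state in the docs which handling AWS WAF applies when the argument is omitted (the API documents `CONTINUE` as the default, worth confirming), so operators who want oversized bodies treated as a match know they must set `MATCH` explicitly. byteMatchStatementSchema starts and ends outside the hunk.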
From: Bruno Schaatsbergen
Date: Mon, 27 Jun 2022 22:36:34 +0200
Subject: [PATCH 3/7] Set `oversize_handling` before `positional_constraint` in the wafv2 web acl schema
---
 internal/service/wafv2/schemas.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go
index 81657bffcfe..0cf4796840d 100644
--- a/internal/service/wafv2/schemas.go
+++ b/internal/service/wafv2/schemas.go
@@ -142,6 +142,11 @@ func byteMatchStatementSchema() *schema.Schema {
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "field_to_match": fieldToMatchSchema(),
+ "oversize_handling": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice(wafv2.OversizeHandling_Values(), false),
+ },
 "positional_constraint": {
 Type: schema.TypeString,
 Required: true,
@@ -153,11 +158,6 @@ func byteMatchStatementSchema() *schema.Schema {
 wafv2.PositionalConstraintStartsWith,
 }, false),
 },
- "oversize_handling": {
- Type: schema.TypeString,
- Required: true,
- ValidateFunc: validation.StringInSlice(wafv2.OversizeHandling_Values(), false),
- },
 "search_string": {
 Type: schema.TypeString,
 Required: true,
From fa2001a3a8f6520ac5f1783fff414c875b409d0f Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Mon, 27 Jun 2022 22:41:40 +0200
Subject: [PATCH 4/7] Add `oversize_handling` to `wafv2_web_acl.html.markdown` doc
---
 website/docs/r/wafv2_web_acl.html.markdown | 1 +
 1 file changed, 1 insertion(+)
diff --git a/website/docs/r/wafv2_web_acl.html.markdown b/website/docs/r/wafv2_web_acl.html.markdown
index 02f6d7552b4..0fb2fa6d3dc 100644
--- a/website/docs/r/wafv2_web_acl.html.markdown
+++ b/website/docs/r/wafv2_web_acl.html.markdown
@@ -404,6 +404,7 @@ The byte match statement provides the bytes to search for, the location in reque The `byte_match_statement` block supports the following arguments: * `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. +* `oversize_handling` - (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. * `positional_constraint` - (Required) Area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. * `search_string` - (Required) String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. See [Text Transformation](#text-transformation) below for details. From 57ade2031963e72377f026b0d33d6eaf58a4fcc2 Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Tue, 28 Jun 2022 09:52:42 +0200 Subject: [PATCH 5/7] Create 25589.txt --- .changelog/25589.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/25589.txt diff --git a/.changelog/25589.txt b/.changelog/25589.txt new file mode 100644 index 00000000000..6e7743f93ae --- /dev/null +++ b/.changelog/25589.txt 
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_wafv2_web_acl: Add `oversize_handling` attribute as part of `byte_match_statement`.
+```
From 75b67c6721acdfb58154c3608f83ef9eed939314 Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Thu, 30 Jun 2022 20:23:27 +0200
Subject: [PATCH 6/7] Add OverSize handling to Body within FieldToMatchBaseSchema
---
 internal/service/wafv2/schemas.go | 24 ++++++++++++++--------
 website/docs/r/wafv2_web_acl.html.markdown | 12 +++++++++--
 2 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go
index 0cf4796840d..049ed5ef667 100644
--- a/internal/service/wafv2/schemas.go
+++ b/internal/service/wafv2/schemas.go
@@ -142,11 +142,6 @@ func byteMatchStatementSchema() *schema.Schema {
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "field_to_match": fieldToMatchSchema(),
- "oversize_handling": {
- Type: schema.TypeString,
- Required: true,
- ValidateFunc: validation.StringInSlice(wafv2.OversizeHandling_Values(), false),
- },
 "positional_constraint": {
 Type: schema.TypeString,
 Required: true,
@@ -338,9 +333,22 @@ func fieldToMatchBaseSchema() *schema.Resource {
 return &schema.Resource{
 Schema: map[string]*schema.Schema{
 "all_query_arguments": emptySchema(),
- "body": emptySchema(),
- "method": emptySchema(),
- "query_string": emptySchema(),
+ "body": {
+ Type: schema.TypeList,
+ Optional: true,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "oversize_handling": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice(wafv2.OversizeHandling_Values(), false),
+ },
+ },
+ },
+ },
+ "method": emptySchema(),
+ "query_string": emptySchema(),
 "single_header": {
 Type: schema.TypeList,
 Optional: true,
diff --git a/website/docs/r/wafv2_web_acl.html.markdown b/website/docs/r/wafv2_web_acl.html.markdown
index 0fb2fa6d3dc..0e19318f25b 100644
--- a/website/docs/r/wafv2_web_acl.html.markdown
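Review bot: Nothing on this page sends the new `body.oversize_handling` value to the WAF API: the diffstats of all seven patches list only schemas.go, the resource doc and the changelog, so unless the expand/flatten code is updated in a commit not shown here, the setting is validated and then dropped. For a WAF control that is a fail-open gap, since a user who sets `MATCH` to catch bodies larger than the inspection limit would still get the service's default handling. The expander for `field_to_match` should populate `OversizeHandling` on `wafv2.Body` from the block, the flattener should read it back, and an acceptance test should cover a rule with `body { oversize_handling = "MATCH" }`. The doc sentence kept as context in the `@@ -543,7 +542,7 @@` hunk still tells users to pass an empty `{}` for `body`, which no longer fits this schema. fieldToMatchBaseSchema continues outside the hunk.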
+++ b/website/docs/r/wafv2_web_acl.html.markdown @@ -404,7 +404,6 @@ The byte match statement provides the bytes to search for, the location in reque The `byte_match_statement` block supports the following arguments: * `field_to_match` - (Optional) Part of a web request that you want AWS WAF to inspect. See [Field to Match](#field-to-match) below for details. -* `oversize_handling` - (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. * `positional_constraint` - (Required) Area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. * `search_string` - (Required) String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes. * `text_transformation` - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. See [Text Transformation](#text-transformation) below for details. 
@@ -543,7 +542,7 @@ The `field_to_match` block supports the following arguments: An empty configuration block `{}` should be used when specifying `all_query_arguments`, `body`, `method`, or `query_string` attributes. * `all_query_arguments` - (Optional) Inspect all query arguments. -* `body` - (Optional) Inspect the request body, which immediately follows the request headers. +* `body` - (Optional) Inspect the request body, which immediately follows the request headers. See [Body](#body) below for details. * `method` - (Optional) Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. * `query_string` - (Optional) Inspect the query string. This is the part of a URL that appears after a `?` character, if any. * `single_header` - (Optional) Inspect a single header. See [Single Header](#single-header) below for details. 
@@ -571,6 +570,15 @@ The `ip_set_forwarded_ip_config` block supports the following arguments: * `header_name` - (Required) - Name of the HTTP header to use for the IP address. * `position` - (Required) - Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + +### Body + +Inspect the body of the web request. The body immediately follows the request headers. + +The `body` block supports the following arguments: + +* `oversize_handling` - (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + ### Single Header Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` (provided as lowercase strings). From d0f40da6dcf92071258e2ac7f89f6e369e9a0afc Mon Sep 17 00:00:00 2001 From: Bruno Schaatsbergen Date: Thu, 30 Jun 2022 20:24:38 +0200 Subject: [PATCH 7/7] Update 25589.txt --- .changelog/25589.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changelog/25589.txt b/.changelog/25589.txt index 6e7743f93ae..5d5e1a87047 100644 --- a/.changelog/25589.txt +++ b/.changelog/25589.txt @@ -1,3 +1,3 @@ ```release-note:enhancement -resource/aws_wafv2_web_acl: Add `oversize_handling` attribute as part of `byte_match_statement`. +resource/aws_wafv2_web_acl: Add `oversize_handling` attribute as part of `field_to_match` its `body` attribute. ```