350-SD/CP Add message to manually add oversized request config
This has been added as an output when applying blocks or modules rather than in documentation so as to keep it at the forefront of developers' minds.

This is a temporary workaround whilst Terraform implement support for the feature.

This was prompted by a notification from AWS:

"... With AWS WAF, customers can configure rules that allow, block, captcha, or monitor (count) web requests based on conditions they define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting. When customers enable AWS WAF for CloudFront, Application Load Balancer, API Gateway or AppSync, only the first 8 KB of the request body are forwarded to AWS WAF for inspection. The 8 KB limit helps maintain high WAF performance and low latency, even during conditions of exceptional load. However, some bypass attempts intentionally put data towards the end of large (> 8 KB) requests. If your application does not expect requests greater than 8 KB in size, you can prevent them from passing through with a WAF size constraint rule statement. This will result in large requests being denied.

We have detected you have one or more rules in your WAF web ACL that inspect the HTTP request body (or JSON body) but do not have a size constraint rule statement. As a result, we may not be inspecting all traffic, specifically requests > 8 KB, to your application. On April 29, 2022, we launched the ability to specify how oversized requests should be handled as part of your web ACL when you configure WAF to inspect Body or JSON body. Although defining oversize handling behavior is optional today, on October 1, 2022, we will make specifying the handling behavior for oversized requests required when there is no size constraint on the Body or JSON body rule. After October 1, 2022, if you have not updated your web ACL to either add a size constraint statement on Body or JSON body rules in your web ACL, or define the oversize handling behavior for these rules, updates to your WAF rules using the API will fail. You can learn more about configuring oversize handling behavior by visiting the AWS WAF documentation [1]. ..."

See more:
hashicorp/terraform-provider-aws#25832
c-a-paret committed Aug 1, 2022
1 parent 0bbd0e9 commit a933d4e
Showing 2 changed files with 8 additions and 0 deletions.
4 changes: 4 additions & 0 deletions blocks/app-cluster/output.tf
Expand Up @@ -37,3 +37,7 @@ output "rapid_metric_log_error_alarm_arn" {
value = module.app_cluster.rapid_metric_log_error_alarm_arn
description = "The arn of the log error alarm metric"
}

output "warnings" {
value = "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n✸ Please add Oversize Request Handling configuration to the SQL Injection WAF Statement after applying changes (every time!). This is to satisfy requirements from 1st October 2022 and until the required functionality is added to Terraform to do it automatically (https://github.com/hashicorp/terraform-provider-aws/issues/25832)\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
}
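Review bot: the `warnings` value in blocks/app-cluster/output.tf is a hard-coded copy of the string added to modules/app-cluster/outputs.tf, whereas the output directly above it passes its value through from `module.app_cluster`. Suggest `value = module.app_cluster.warnings` here so the text lives in one place and the two copies cannot drift when the date or issue link changes. The new output also has no `description`, unlike `rapid_metric_log_error_alarm_arn` above it.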
4 changes: 4 additions & 0 deletions modules/app-cluster/outputs.tf
Expand Up @@ -32,3 +32,7 @@ output "rapid_metric_log_error_alarm_arn" {
value = aws_cloudwatch_metric_alarm.log-error-alarm.arn
description = "The arn of the log error alarm metric"
}

output "warnings" {
value = "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n✸ Please add Oversize Request Handling configuration to the SQL Injection WAF Statement after applying changes (every time!). This is to satisfy requirements from 1st October 2022 and until the required functionality is added to Terraform to do it automatically (https://github.com/hashicorp/terraform-provider-aws/issues/25832)\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
}
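Review bot: the `warnings` string in modules/app-cluster/outputs.tf tells the reader to add Oversize Request Handling "after applying changes (every time!)" but does not say which web ACL or rule to edit or which handling behaviour to select, so the manual step can be carried out inconsistently or skipped without anyone noticing. Suggest naming the rule and the intended behaviour in the message. Because the value is a static string it is printed on every apply whether or not the setting is already in place, which will train people to ignore it; a `description` noting that this output is a temporary workaround tied to the linked provider issue would make it easier to remove later.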
