From a933d4e40894bb7a88c757ba3d1449f658efb8ff Mon Sep 17 00:00:00 2001 
From: Claude Paret Date: Mon, 1 Aug 2022 11:36:25 +0100 Subject: [PATCH] 350-SD/CP Add message to manually add oversized request config This has been added as an output when applying blocks or modules rather than in documentation so as to keep it at the forefront of developers' minds. This is a temporary workaround whilst Terraform implement support for the feature. This was prompted by a notification from AWS: "... With AWS WAF, customers can configure rules that allow, block, captcha, or monitor (count) web requests based on conditions they define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting. When customers enable AWS WAF for CloudFront, Application Load Balancer, API Gateway or AppSync, only the first 8 KB of the request body are forwarded to AWS WAF for inspection. The 8 KB limit helps maintain high WAF performance and low latency, even during conditions of exceptional load. However, some bypass attempts intentionally put data towards the end of large (> 8 KB) requests. If your application does not expect requests greater than 8 KB in size, you can prevent them from passing through with a WAF size constraint rule statement. This will result in large requests being denied. We have detected you have one or more rules in your WAF web ACL that inspect the HTTP request body (or JSON body) but do not have a size constraint rule statement. As a result, we may not be inspecting all traffic, specifically requests > 8 KB, to your application. On April 29, 2022, we launched the ability to specify how oversized requests should be handled as part of your web ACL when you configure WAF to inspect Body or JSON body. Although defining oversize handling behavior is optional today, on October 1, 2022, we will make specifying the handling behavior for oversized requests required when there is no size constraint on the Body or JSON body rule. 
After October 1, 2022, if you have not updated your web ACL to either add a size constraint statement on Body or JSON body rules in your web ACL, or define the oversize handling behavior for these rules, updates to your WAF rules using the API will fail. You can learn more about configuring oversize handling behavior by visiting the AWS WAF documentation [1]. ..." See more: https://github.com/hashicorp/terraform-provider-aws/issues/25832
---
 blocks/app-cluster/output.tf | 4 ++++
 modules/app-cluster/outputs.tf | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/blocks/app-cluster/output.tf b/blocks/app-cluster/output.tf
index bd2bf13..04a6c35 100644
--- a/blocks/app-cluster/output.tf
+++ b/blocks/app-cluster/output.tf
@@ -37,3 +37,7 @@ output "rapid_metric_log_error_alarm_arn" {
 value = module.app_cluster.rapid_metric_log_error_alarm_arn
 description = "The arn of the log error alarm metric"
 }
+
+output "warnings" {
+ value = "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n✸ Please add Oversize Request Handling configuration to the SQL Injection WAF Statement after applying changes (every time!). This is to satisfy requirements from 1st October 2022 and until the required functionality is added to Terraform to do it automatically (https://github.com/hashicorp/terraform-provider-aws/issues/25832)\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+}
diff --git a/modules/app-cluster/outputs.tf b/modules/app-cluster/outputs.tf
index 254dcf1..35a225c 100644
--- a/modules/app-cluster/outputs.tf
+++ b/modules/app-cluster/outputs.tf
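Review bot: The `warnings` value in blocks/app-cluster/output.tf is a second verbatim copy of the string added to modules/app-cluster/outputs.tf, whereas every other output in this file (e.g. `rapid_metric_log_error_alarm_arn` just above) passes the module's value through; two copies will drift the first time one of them is edited. Suggest `value = module.app_cluster.warnings` plus a `description = "Manual post-apply actions required for the WAF web ACL"` so the output is self-explaining in `terraform output`. Be aware too that, as far as I can tell, Terraform only prints outputs at the end of an apply and in a plan only when their value changes, so after the first apply this "every time!" reminder will not appear in plan output and a CI pipeline will only show it to someone who reads the apply log.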
@@ -32,3 +32,7 @@ output "rapid_metric_log_error_alarm_arn" {
 value = aws_cloudwatch_metric_alarm.log-error-alarm.arn
 description = "The arn of the log error alarm metric"
 }
+
+output "warnings" {
+ value = "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n✸ Please add Oversize Request Handling configuration to the SQL Injection WAF Statement after applying changes (every time!). This is to satisfy requirements from 1st October 2022 and until the required functionality is added to Terraform to do it automatically (https://github.com/hashicorp/terraform-provider-aws/issues/25832)\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+}
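Review bot: Between an apply and the manual step this output asks for, the body-inspecting SQL injection statement is deployed with no oversize handling, and the AWS notice quoted in the commit message says that in that state only the first 8 KB of a request body is inspected — so the bypass window the warning is meant to close is reopened on every apply, for as long as nobody acts on the reminder. The provider already supports `size_constraint_statement`, which is the other remedy the notice names: if the application has no legitimate need for bodies larger than 8 KB, a rule in the module that blocks when `body` size is `GT` 8192 closes the gap in code with no manual step at all. If large bodies are legitimate, at least give this output a `description` and state in it that the setting must be re-checked after each apply (e.g. via `aws wafv2 get-web-acl`), since the provider cannot see the attribute and a later apply may overwrite it. I cannot tell from this hunk whether the XSS statement also inspects the body and needs the same treatment; the web ACL resource itself is outside this diff.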