
Commit 6551cb6

Merge pull request #8 from oozou/feat/size-restriction
Feat/size restriction
2 parents 86ba47f + 2c6f6c9 commit 6551cb6

File tree

6 files changed

+218
-79
lines changed


CHANGELOG.md

Lines changed: 7 additions & 0 deletions
@@ -2,6 +2,13 @@
22

33
All notable changes to this module will be documented in this file.
44

5+
## [v1.2.0] - 2024-03-27
6+
7+
### Added
8+
9+
- Add request size constraint statement
10+
- Resource: `aws_wafv2_web_acl.this`
11+
512
## [v1.1.1] - 2023-10-26
613

714
### Added
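Review bot: the v1.2.0 entry names only the resource and should also say what the feature accepts and what it does not. Elsewhere in this PR locals.tf enables `body = "body"` as a `field_to_match` key and examples/complete/main.tf passes `oversize_handling = "CONTINUE"`, yet main.tf keeps that attribute commented out as "not support as of now". A second bullet such as `- Support \`field_to_match.body\` for size constraints (\`oversize_handling\` not yet applied)` would stop users from relying on a setting that is silently dropped.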

README.md

Lines changed: 37 additions & 38 deletions

examples/complete/README.md

Lines changed: 16 additions & 36 deletions
@@ -1,54 +1,34 @@
11
<!-- BEGIN_TF_DOCS -->
22
## Requirements
33

4-
| Name | Version |
5-
|---------------------------------------------------------------------------|-------------------|
6-
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
7-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0, < 5.0.0 |
8-
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.3.0 |
4+
| Name | Version |
5+
|------|---------|
6+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
7+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0, < 5.0.0 |
8+
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.3.0 |
99

1010
## Providers
1111

12-
| Name | Version |
13-
|------------------------------------------------------------------------------|---------|
14-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
15-
| <a name="provider_aws.virginia"></a> [aws.virginia](#provider\_aws.virginia) | 4.67.0 |
12+
No providers.
1613

1714
## Modules
1815

19-
| Name | Source | Version |
20-
|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------|------------------------------------------|
21-
| <a name="module_cloudfront_distribution"></a> [cloudfront\_distribution](#module\_cloudfront\_distribution) | oozou/cloudfront/aws | 1.1.0 |
22-
| <a name="module_fargate_cluster"></a> [fargate\_cluster](#module\_fargate\_cluster) | oozou/ecs-fargate-cluster/aws | 1.0.8 |
23-
| <a name="module_s3_alb_log_bucket"></a> [s3\_alb\_log\_bucket](#module\_s3\_alb\_log\_bucket) | oozou/s3/aws | 1.1.5 |
24-
| <a name="module_s3_cloudfront_log_bucket"></a> [s3\_cloudfront\_log\_bucket](#module\_s3\_cloudfront\_log\_bucket) | oozou/s3/aws | 1.1.5 |
25-
| <a name="module_vpc"></a> [vpc](#module\_vpc) | oozou/vpc/aws | 1.2.5 |
26-
| <a name="module_web_service"></a> [web\_service](#module\_web\_service) | git@github.com:oozou/terraform-aws-ecs-fargate-service.git | feat/support-multiple-sidecard-container |
16+
| Name | Source | Version |
17+
|------|--------|---------|
18+
| <a name="module_waf_alb"></a> [waf\_alb](#module\_waf\_alb) | ../.. | n/a |
2719

2820
## Resources
2921

30-
| Name | Type |
31-
|---------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
32-
| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
33-
| [aws_acm_certificate.virginia](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
34-
| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
35-
| [aws_acm_certificate_validation.virginia](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
36-
| [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
37-
| [aws_route53_record.virginia](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
38-
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
39-
| [aws_iam_policy_document.alb_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
40-
| [aws_iam_policy_document.cloudfront_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
41-
| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
42-
| [aws_route53_zone.selected_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
22+
No resources.
4323

4424
## Inputs
4525

46-
| Name | Description | Type | Default | Required |
47-
|-----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
48-
| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys. | `map(string)` | `{}` | no |
49-
| <a name="input_environment"></a> [environment](#input\_environment) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
50-
| <a name="input_name"></a> [name](#input\_name) | [Required] Name of Platfrom or application | `string` | n/a | yes |
51-
| <a name="input_prefix"></a> [prefix](#input\_prefix) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
26+
| Name | Description | Type | Default | Required |
27+
|------|-------------|------|---------|:--------:|
28+
| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys. | `map(string)` | `{}` | no |
29+
| <a name="input_environment"></a> [environment](#input\_environment) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
30+
| <a name="input_name"></a> [name](#input\_name) | [Required] Name of Platfrom or application | `string` | n/a | yes |
31+
| <a name="input_prefix"></a> [prefix](#input\_prefix) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
5232

5333
## Outputs
5434

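Review bot: the regenerated tables fix a stale description (the old Modules table pinned `web_service` to the branch `feat/support-multiple-sidecard-container` and listed CloudFront, Fargate, VPC and S3 modules this example never instantiates), but the `name` input still reads "Name of Platfrom or application" in both the old and the new table. Since this file is produced by terraform-docs, fix the typo in the variable's `description` in the example's variables file rather than here, or it will reappear on the next regeneration.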
examples/complete/main.tf

Lines changed: 25 additions & 0 deletions
@@ -150,6 +150,31 @@ module "waf_alb" {
150150
country_codes = ["TH"]
151151
}
152152
]
153+
},
154+
{
155+
name = "control-body-size" #
156+
priority = 120 ##
157+
action = "block" # {count, allow, block}
158+
expression_type = "and-statements" ##
159+
statements = [ ##
160+
{
161+
inspect = "uri-path"
162+
positional_constraint = "STARTS_WITH"
163+
search_string = "/test"
164+
},
165+
{
166+
inspect = "size-constraint"
167+
is_negated_statement = true
168+
comparison_operator = "GT"
169+
size = 8000
170+
field_to_match = {
171+
body = {
172+
oversize_handling = "CONTINUE"
173+
}
174+
}
175+
176+
}
177+
]
153178
}
154179
]
155180

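Review bot: the `control-body-size` rule blocks the opposite of what its name suggests unless the inversion is intended. With `is_negated_statement = true`, `comparison_operator = "GT"` and `size = 8000`, the second statement matches when the body is NOT greater than 8000 bytes, so AND-ed with `uri-path STARTS_WITH /test` and `action = "block"` it blocks requests to `/test` carrying small bodies and lets oversized ones through. To block large bodies, drop `is_negated_statement` (or keep it and use `LE`). Two smaller points: `oversize_handling = "CONTINUE"` is accepted here, but main.tf in this same PR leaves that attribute commented out, so the example documents behaviour the module does not implement; and the trailing `#` and `##` markers on the `name`, `priority`, `expression_type` and `statements` lines are empty comments, so either fill them in or remove them.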
locals.tf

Lines changed: 2 additions & 1 deletion
@@ -50,6 +50,7 @@ locals {
5050

5151
/* ------------------------------ Custom Rules ------------------------------ */
5252
# unique_dynamic_blocks
53+
size_constraint = "size-constraint"
5354
originate_from_a_country_in = "originate-from-a-country-in"
5455
originate_from_an_ip_addresses_in = "originate-from-an-ip-addresses-in"
5556
has_a_label = "has-a-label"
@@ -61,7 +62,7 @@ locals {
6162
all_query_parameters = "all-query-parameters"
6263
uri_path = "uri-path"
6364
query_string = "query-string"
64-
# body = "body" ## Not support by this module now
65+
body = "body"
6566
# json_body = "json-body" ## Not support by this module now
6667
http_method = "http-method"
6768
# header_order = "header_order" ## Not support by this module now
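Review bot: uncommenting `body = "body"` advertises `inspect = "body"` as a valid value for every statement type, but the only place this PR consumes a body is as the nested `field_to_match.body` key under `inspect = "size-constraint"` in main.tf. If `inspect = "body"` on a byte-match or regex statement is still unsupported, keep this line commented (its "Not support by this module now" note was accurate) and track `body` as an allowed `field_to_match` key instead, or document in the README exactly which statements accept it.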

main.tf

Lines changed: 131 additions & 4 deletions
@@ -256,8 +256,32 @@ resource "aws_wafv2_web_acl" "this" {
256256
}
257257
}
258258
}
259-
#### TODO:
260259
#### support size_constraint_statement (Size Match Condition)
260+
dynamic "size_constraint_statement" {
261+
for_each = user_defined_statement.value.inspect == local.size_constraint && lookup(user_defined_statement.value, "is_negated_statement", false) == false ? [1] : []
262+
content {
263+
comparison_operator = user_defined_statement.value.comparison_operator
264+
size = user_defined_statement.value.size
265+
dynamic "field_to_match" {
266+
# other fields to be added
267+
for_each = lookup(user_defined_statement.value, "field_to_match", null) == null ? [] : [lookup(user_defined_statement.value, "field_to_match")]
268+
content {
269+
dynamic "body" {
270+
for_each = lookup(field_to_match.value, "body", null) == null ? [] : [lookup(field_to_match.value, "body")]
271+
content {
272+
#oversize_handling = lookup(json_body.value, "oversize_handling", null) #not support as of now
273+
}
274+
}
275+
}
276+
}
277+
text_transformation {
278+
priority = 0
279+
type = "NONE"
280+
}
281+
282+
}
283+
}
284+
261285
#### support sqli_match_statement (Attack Match Condition)
262286
/* -------------------------------------------------------------------------- */
263287
/* (END): SINGLE MATCH STATEMEN (1) [is_negated_statement = false] */
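Review bot: the commented-out line inside the `body` block references the wrong iterator: `lookup(json_body.value, "oversize_handling", null)` should be `lookup(body.value, "oversize_handling", null)`, since the enclosing dynamic block is `body`; whoever enables it later will hit an undefined-reference error. Also, `field_to_match` is emitted only when the user supplies one, so a statement with `inspect = "size-constraint"` and no `field_to_match` renders a size constraint that inspects nothing; either require the key in the input validation or default it (for example to `body = {}`) rather than silently emitting an incomplete statement.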
@@ -400,6 +424,30 @@ resource "aws_wafv2_web_acl" "this" {
400424
}
401425
#### TODO:
402426
#### support size_constraint_statement (Size Match Condition)
427+
dynamic "size_constraint_statement" {
428+
for_each = user_defined_statement.value.inspect == local.size_constraint ? [1] : []
429+
content {
430+
comparison_operator = user_defined_statement.value.comparison_operator
431+
size = user_defined_statement.value.size
432+
dynamic "field_to_match" {
433+
# other fields to be added
434+
for_each = lookup(user_defined_statement.value, "field_to_match", null) == null ? [] : [lookup(user_defined_statement.value, "field_to_match")]
435+
content {
436+
dynamic "body" {
437+
for_each = lookup(field_to_match.value, "body", null) == null ? [] : [lookup(field_to_match.value, "body")]
438+
content {
439+
#oversize_handling = lookup(json_body.value, "oversize_handling", null) #not support as of now
440+
}
441+
}
442+
}
443+
}
444+
text_transformation {
445+
priority = 0
446+
type = "NONE"
447+
}
448+
449+
}
450+
}
403451
#### support sqli_match_statement (Attack Match Condition)
404452
/* -------------------------------------------------------------------------- */
405453
/* (END): SINGLE MATCH STATEMEN [is_negated_statement = true] */
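Review bot: the `for_each` guard here checks only `inspect == local.size_constraint`, whereas the non-negated copy at +260 also tests `lookup(user_defined_statement.value, "is_negated_statement", false) == false`. If this section can see non-negated statements too, the same statement would be rendered twice, once here inside the negated wrapper and once in the positive section. Mirror the guard with `lookup(user_defined_statement.value, "is_negated_statement", false) == true` so the two branches are mutually exclusive. The `json_body.value` reference in the commented `oversize_handling` line is copied here as well and needs the same fix.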
@@ -552,8 +600,32 @@ resource "aws_wafv2_web_acl" "this" {
552600
}
553601
}
554602
}
555-
#### TODO:
603+
556604
#### support size_constraint_statement (Size Match Condition)
605+
dynamic "size_constraint_statement" {
606+
for_each = user_defined_statement.value.inspect == local.size_constraint && lookup(user_defined_statement.value, "is_negated_statement", false) == false ? [1] : []
607+
content {
608+
comparison_operator = user_defined_statement.value.comparison_operator
609+
size = user_defined_statement.value.size
610+
dynamic "field_to_match" {
611+
# other fields to be added
612+
for_each = lookup(user_defined_statement.value, "field_to_match", null) == null ? [] : [lookup(user_defined_statement.value, "field_to_match")]
613+
content {
614+
dynamic "body" {
615+
for_each = lookup(field_to_match.value, "body", null) == null ? [] : [lookup(field_to_match.value, "body")]
616+
content {
617+
#oversize_handling = lookup(json_body.value, "oversize_handling", null) #not support as of now
618+
}
619+
}
620+
}
621+
}
622+
text_transformation {
623+
priority = 0
624+
type = "NONE"
625+
}
626+
627+
}
628+
}
557629
#### support sqli_match_statement (Attack Match Condition)
558630
/* -------------------------------------------------------------------------- */
559631
/* (END): SINGLE MATCH STATEMEN (2) [is_negated_statement = false] */
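Review bot: this block is a verbatim copy of the one at +260, including the `json_body.value` reference in the commented line, and the PR now carries five copies of the same size-constraint body. Terraform cannot factor a dynamic block into a function, but the per-statement `field_to_match` object and `text_transformation` values could be computed once in `locals` so that each copy shrinks to its `for_each` guard plus a few attribute lines; that keeps future fixes such as enabling `oversize_handling` to a single edit instead of five.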
@@ -694,8 +766,31 @@ resource "aws_wafv2_web_acl" "this" {
694766
}
695767
}
696768
}
697-
#### TODO:
698769
#### support size_constraint_statement (Size Match Condition)
770+
dynamic "size_constraint_statement" {
771+
for_each = user_defined_statement.value.inspect == local.size_constraint ? [1] : []
772+
content {
773+
comparison_operator = user_defined_statement.value.comparison_operator
774+
size = user_defined_statement.value.size
775+
dynamic "field_to_match" {
776+
# other fields to be added
777+
for_each = lookup(user_defined_statement.value, "field_to_match", null) == null ? [] : [lookup(user_defined_statement.value, "field_to_match")]
778+
content {
779+
dynamic "body" {
780+
for_each = lookup(field_to_match.value, "body", null) == null ? [] : [lookup(field_to_match.value, "body")]
781+
content {
782+
#oversize_handling = lookup(json_body.value, "oversize_handling", null) #not support as of now
783+
}
784+
}
785+
}
786+
}
787+
text_transformation {
788+
priority = 0
789+
type = "NONE"
790+
}
791+
792+
}
793+
}
699794
#### support sqli_match_statement (Attack Match Condition)
700795
/* -------------------------------------------------------------------------- */
701796
/* (END): SINGLE MATCH STATEMEN (2) [is_negated_statement = true] */
@@ -846,8 +941,40 @@ resource "aws_wafv2_web_acl" "this" {
846941
}
847942
}
848943
}
849-
#### TODO:
944+
850945
#### support size_constraint_statement (Size Match Condition)
946+
dynamic "geo_match_statement" {
947+
for_each = rule.value.expression_type == "match-statement" && rule.value.statements[0].inspect == local.originate_from_a_country_in ? [1] : []
948+
content {
949+
country_codes = rule.value.statements[0].country_codes
950+
}
951+
}
952+
953+
dynamic "size_constraint_statement" {
954+
for_each = rule.value.expression_type == "size-constraint-statement" && rule.value.statements[0].inspect == local.size_constraint ? [1] : []
955+
content {
956+
comparison_operator = rule.value.statements[0].comparison_operator
957+
size = rule.value.statements[0].size
958+
dynamic "field_to_match" {
959+
# other fields to be added
960+
for_each = lookup(rule.value.statements[0], "field_to_match", null) == null ? [] : [lookup(rule.value.statements[0], "field_to_match")]
961+
content {
962+
dynamic "body" {
963+
for_each = lookup(field_to_match.value, "body", null) == null ? [] : [lookup(field_to_match.value, "body")]
964+
content {
965+
#oversize_handling = lookup(json_body.value, "oversize_handling", null) #not support as of now
966+
}
967+
}
968+
}
969+
}
970+
text_transformation {
971+
priority = 0
972+
type = "NONE"
973+
}
974+
975+
}
976+
}
977+
#### TODO:
851978
#### support sqli_match_statement (Attack Match Condition)
852979
/* -------------------------------------------------------------------------- */
853980
/* (END): SINGLE MATCH STATEMEN */
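Review bot: the `for_each` on the new top-level `size_constraint_statement` requires `rule.value.expression_type == "size-constraint-statement"`, a value that appears nowhere else in this PR: the sibling `geo_match_statement` just above keys on `"match-statement"` and the example uses `"and-statements"`. A rule written the natural way (`expression_type = "match-statement"`, `inspect = "size-constraint"`) would silently produce a rule with no statement at all. Use `"match-statement"` here for consistency, or document the new expression type in the README and the changelog. Separately, the `geo_match_statement` block has been inserted under the `#### support size_constraint_statement` header; if it is new it needs its own header, and if a geo_match block already exists further up in this resource the two would both fire for the same rule. The `json_body.value` reference in the commented `oversize_handling` line is repeated here too.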
