From 51b59522d73bf04b428e67ea3fa267408b1291d0 Mon Sep 17 00:00:00 2001
From: Matthias Fuhrmeister
Date: Thu, 5 Oct 2023 16:12:05 +0200
Subject: [PATCH] Passthrough default block response (#865)

---
 modules/waf/README.md | 3 ++-
 modules/waf/main.tf | 3 ++-
 modules/waf/variables.tf | 9 +++++++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/modules/waf/README.md b/modules/waf/README.md
index 6f8e70d8f..2fc72784c 100644
--- a/modules/waf/README.md
+++ b/modules/waf/README.md
@@ -58,7 +58,7 @@ components:
 | Name | Source | Version |
 |------|--------|---------|
 | [association\_resource\_components](#module\_association\_resource\_components) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
-| [aws\_waf](#module\_aws\_waf) | cloudposse/waf/aws | 1.2.0 |
+| [aws\_waf](#module\_aws\_waf) | cloudposse/waf/aws | 1.3.0 |
 | [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a |
 | [log\_destination\_components](#module\_log\_destination\_components) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
 | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
@@ -82,6 +82,7 @@ components:
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no |
 | [custom\_response\_body](#input\_custom\_response\_body) | Defines custom response bodies that can be referenced by custom\_response actions.
The map keys are used as the `key` attribute which is a unique key identifying the custom response body.
content:
Payload of the custom response.
The response body can be plain text, HTML or JSON and cannot exceed 4KB in size.
content\_type:
Content Type of Response Body.
Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. |
map(object({
content = string
content_type = string
}))
| `{}` | no |
 | [default\_action](#input\_default\_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no |
+| [default\_block\_response](#input\_default\_block\_response) | A HTTP response code that is sent when default action is used. Only takes effect if default\_action is set to `block`. | `string` | `null` | no |
 | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no |
 | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
diff --git a/modules/waf/main.tf b/modules/waf/main.tf
index e2f497a33..d1e5340b8 100644
--- a/modules/waf/main.tf
+++ b/modules/waf/main.tf
@@ -18,7 +18,7 @@ locals {
 
 module "aws_waf" {
 source = "cloudposse/waf/aws"
- version = "1.2.0"
+ version = "1.3.0"
 
 description = var.description
 default_action = var.default_action
@@ -48,6 +48,7 @@ module "aws_waf" {
 size_constraint_statement_rules = var.size_constraint_statement_rules
 sqli_match_statement_rules = var.sqli_match_statement_rules
 xss_match_statement_rules = var.xss_match_statement_rules
+ default_block_response = var.default_block_response
 
 context = module.this.context
 }
diff --git a/modules/waf/variables.tf b/modules/waf/variables.tf
index 2b24c098c..fc165a555 100644
--- a/modules/waf/variables.tf
+++ b/modules/waf/variables.tf
@@ -31,6 +31,15 @@ variable "default_action" {
 }
 }
 
+variable "default_block_response" {
+ type = string
+ default = null
+ description = <<-DOC
+ A HTTP response code that is sent when default action is used. Only takes effect if default_action is set to `block`.
+ DOC
+ nullable = true
+}
+
 variable "custom_response_body" {
 type = map(object({
 content = string
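Review bot: The new `default_block_response = var.default_block_response` line is appended after the rule lists at the bottom of the `aws_waf` module block, while the setting it depends on, `default_action = var.default_action`, sits near the top of the block in the first main.tf hunk. Since the variable only takes effect when `default_action` is `block`, placing the passthrough directly under `default_action = var.default_action` would keep the two related arguments together and make that dependency visible to the reader. The module block starts before the second hunk and the first hunk ends before its closing brace, so the block is only partially visible here.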
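Review bot: `default_block_response` is accepted as any string with no validation, even though the description calls it an HTTP response code and the value is forwarded unchanged to the `aws_waf` module, so a typo such as `"40"` or `"forbidden"` would only surface at apply time. The `default_action` variable just above appears to end with a nested block (the hunk's first two context lines are `  }` and `}`), which looks like a `validation` block; adding a matching one here keeps the two variables consistent, with the regex below being a loose constructed check that AWS WAF may narrow further to the status codes it supports for custom responses. Two smaller points: `nullable = true` is Terraform's default and can be dropped, and the description should read `An HTTP response code` rather than `A HTTP response code`.
```hcl
variable "default_block_response" {
  # … unchanged: type, default, description …
  validation {
    condition     = var.default_block_response == null || can(regex("^[2-5][0-9]{2}$", var.default_block_response))
    error_message = "default_block_response must be a three-digit HTTP status code (2xx-5xx)."
  }
}
```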