Terraform-provider-aws: Feature Request: WAFv2 Web ACL Resource
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
In November 2019, AWS released a new version of the WAF API, WAFv2, which offers improved functionality over the previous WAF API ("WAF Classic") such as Managed Rules and WAF Capacity Units. This new API requires separate Terraform resource implementations from the previous resource implementations.
New or Affected Resource(s)
- aws_wafv2_web_acl
Potential Terraform Configuration
resource "aws_wafv2_web_acl" "example" {
default_action {
allow {}
block {}
}
description = ""
name = ""
scope = ""
tags = {}
rule {
action {
# The below shows the current API structure, which means there may be intention to include
# additional settings with each action type in the future
# Purposefully empty configuration blocks are awkward in Terraform configurations and the Plugin SDK though, so we may want to shy away from the pure API schema mapping here if they cause any trouble
allow {}
block {}
count {}
}
name = ""
override_action {
count {}
none {}
}
priority = 1
# these are not fully shown and appear to be recursive in some cases
statement {
and_statement {
statement {}
statement {}
}
byte_match_statement {
field_to_match {
all_query_arguments {}
body {}
method {}
query_string {}
single_header {
name = ""
}
single_query_argument {
name = ""
}
uri_path {}
}
positional_constraint = ""
search_string = ""
text_transformation {
priority = 1
type = ""
}
}
geo_match_statement {
country_codes = []
}
ip_set_reference_statement {
arn = ""
}
managed_rule_group_statement {
excluded_rule {
name = ""
}
name = ""
vendor_name = ""
}
not_statement {
statement {}
}
or_statement {
statement {}
statement {}
}
rate_based_statement {
aggregate_key_type = ""
limit = 100
scope_down_statement {}
}
regex_pattern_set_reference_statement {
arn = ""
field_to_match {} # see above
text_transformation {} # see above
}
rule_group_reference_statement {
arn = ""
excluded_rule {
name = ""
}
}
size_constraint_statement {
comparison_operator = ""
field_to_match {} # see above
size = 1
text_transformation {} # see above
}
sqli_match_statement {
field_to_match {} # see above
text_transformation {} # see above
}
xss_match_statement {
field_to_match {} # see above
text_transformation {} # see above
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = ""
sampled_requests_enabled = true
}
}
References
bflad
All 11 comments
Will this encompass the "wafregional" equivalent here or is there a unified schema in V2 for both types?
tobypinder
on 23 Jan 2020
@tobypinder WAFv2 does include the classic/legacy WAF Regional functionality: https://docs.aws.amazon.com/waf/latest/APIReference/API_Operations.html.
ewbankkit
on 19 Feb 2020
To add, the proposed terraform configuration should also take into account the PutLoggingConfiguration for the Web ACL, similar to WAF Classic aws_waf_web_acl.
rsclarke-vgw
on 9 Mar 2020
Is there a link for the updated v2 documentation?
Thank You,
wicked-rides
on 23 Mar 2020
Is there any update on when this feature might be implemented and available for use via Terraform? Additionally need to be able to use the AWS managed rule groups with regional WAFv2 web ACLs, and configure the CloudWatch metrics, etc... with the WAFv2 web ACLs.
briensherman
on 25 Mar 2020
Is there any update on when this feature ( WAF v2 ), might be implemented and available for use via Terraform? for the moment i don't find any ressource or terraform documentation about it.
thanks
shadbi
on 27 Mar 2020
@briensherman @shadbi I'm currently busy implementing the resources, already did #12119 #12284 and I'm now busy with wafv2_rule_group. I'm at about 80% and will start with this one once finished.
pvanbuijtene
on 30 Mar 2020
This feature has been merged and will release with v2.67.0 of the Terraform AWS Provider, expected next week.
anGie44
on 12 Jun 2020
This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 19 Jun 2020
@anGie44 Did we miss the PutLoggingConfiguration for some reason or was it not part of the scope for this resource or should we expect a new resource for it to match the API behaviour? Any timelines for it?
itsSaad
on 19 Jun 2020
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
hashibot[bot]
on 13 Jul 2020
Related issues
hashibot
·
3Comments
hazmeister
·
3Comments
ccslamstack
·
3Comments
hashibot
·
3Comments
hashibot
·
3Comments
Most helpful comment
@briensherman @shadbi I'm currently busy implementing the resources, already did #12119 #12284 and I'm now busy with
wafv2_rule_group. I'm at about 80% and will start with this one once finished.