From e25179e979520ab49e1afe350ddb58ed98e6e3f8 Mon Sep 17 00:00:00 2001 From: Angie Pinilla Date: Fri, 28 Aug 2020 17:47:05 -0400 Subject: [PATCH] add support for ForwardedIPConfig in IPSetReferenceStatement --- aws/resource_aws_wafv2_rule_group_test.go | 149 +++++++++++ aws/resource_aws_wafv2_web_acl_test.go | 249 ++++++++++++++++++ aws/wafv2_helper.go | 66 ++++- website/docs/r/wafv2_rule_group.html.markdown | 11 + website/docs/r/wafv2_web_acl.html.markdown | 11 + 5 files changed, 484 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_wafv2_rule_group_test.go b/aws/resource_aws_wafv2_rule_group_test.go index f452714eb05..4d1e8ffc398 100644 --- a/aws/resource_aws_wafv2_rule_group_test.go +++ b/aws/resource_aws_wafv2_rule_group_test.go 
@@ -793,6 +793,84 @@ func TestAccAwsWafv2RuleGroup_IpSetReferenceStatement(t *testing.T) { Steps: []resource.TestStep{ { Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement(ruleGroupName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2RuleGroupExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "0", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccAwsWafv2RuleGroupImportStateIdFunc(resourceName), + }, + }, + }) +} + +func TestAccAwsWafv2RuleGroup_IpSetReferenceStatement_IPSetForwardedIPConfig(t *testing.T) { + var v wafv2.RuleGroup + ruleGroupName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_wafv2_rule_group.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsWafv2RuleGroupDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(ruleGroupName, "MATCH", "X-Forwarded-For", "FIRST"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2RuleGroupExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + 
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "MATCH", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "X-Forwarded-For", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "FIRST", + }), + ), + }, + { + Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(ruleGroupName, "NO_MATCH", "X-Forwarded-For", "LAST"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2RuleGroupExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "NO_MATCH", + 
"statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "X-Forwarded-For", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "LAST", + }), + ), + }, + { + Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(ruleGroupName, "MATCH", "Updated", "ANY"), Check: resource.ComposeTestCheckFunc( testAccCheckAwsWafv2RuleGroupExists(resourceName, &v), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)), 
@@ -804,6 +882,28 @@ func TestAccAwsWafv2RuleGroup_IpSetReferenceStatement(t *testing.T) { tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), }), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "MATCH", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "Updated", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "ANY", + }), + ), + }, + { + Config: testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement(ruleGroupName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2RuleGroupExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "0", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), ), }, { 
@@ -2098,6 +2198,55 @@ resource "aws_wafv2_rule_group" "test" { `, name, name) } +func testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig(name, fallbackBehavior, headerName, position string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "test" { + name = "ip-set-%[1]s" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.1.1.1/32", "2.2.2.2/32"] +} + +resource "aws_wafv2_rule_group" "test" { + capacity = 5 + name = "%[1]s" + scope = "REGIONAL" + + rule { + name = "rule-1" + priority = 1 + + action { + allow {} + } + + statement { + ip_set_reference_statement { + arn = aws_wafv2_ip_set.test.arn + ip_set_forwarded_ip_config { + fallback_behavior = "%[2]s" + header_name = "%[3]s" + position = "%[4]s" + } + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-rule-metric-name" + sampled_requests_enabled = false + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-metric-name" + sampled_requests_enabled = false + } +} +`, name, fallbackBehavior, headerName, position) +} + func testAccAwsWafv2RuleGroupConfig_GeoMatchStatement(name string) string { return fmt.Sprintf(` resource "aws_wafv2_rule_group" "test" { diff --git a/aws/resource_aws_wafv2_web_acl_test.go b/aws/resource_aws_wafv2_web_acl_test.go index 4c71daed76a..3a3737e979d 100644 --- a/aws/resource_aws_wafv2_web_acl_test.go +++ b/aws/resource_aws_wafv2_web_acl_test.go 
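Review bot: The new `aws_wafv2_ip_set` fixture in `testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement_IPSetForwardedIPConfig` seeds the set with `1.1.1.1/32` and `2.2.2.2/32`, which are live public addresses (1.1.1.1 is a well-known public resolver); creating such a set during an acceptance run is harmless, but fixtures naming real hosts tend to get copied into examples and docs. The RFC 5737 documentation ranges exist for exactly this, e.g. `addresses = ["192.0.2.1/32", "198.51.100.1/32"]`, and the `aws_wafv2_web_acl` fixtures added later in this patch use the same two addresses and should change with it. The pre-existing `testAccAwsWafv2RuleGroupConfig_IpSetReferenceStatement` is not in this diff, so if it shares the values it should move too. Note also that the fixture pairs `action { allow {} }` with a header-sourced IP match, which is the spoofable combination for a production rule; fine for a test, but not one to mirror in the resource documentation.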
@@ -780,6 +780,154 @@ func TestAccAwsWafv2WebACL_GeoMatchStatement_ForwardedIPConfig(t *testing.T) { }) } +func TestAccAwsWafv2WebACL_IPSetReferenceStatement(t *testing.T) { + var v wafv2.WebACL + webACLName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_wafv2_web_acl.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsWafv2WebACLDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2WebACLConfig_IPSetReferenceStatement(webACLName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2WebACLExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", webACLName), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "0", + "visibility_config.#": "1", + "visibility_config.0.cloudwatch_metrics_enabled": "false", + "visibility_config.0.metric_name": "friendly-rule-metric-name", + "visibility_config.0.sampled_requests_enabled": "false", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"), + resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"), + resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"), + resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"), + ), + }, + { + 
ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccAwsWafv2WebACLImportStateIdFunc(resourceName), + }, + }, + }) +} + +func TestAccAwsWafv2WebACL_IPSetReferenceStatement_IPSetForwardedIPConfig(t *testing.T) { + var v wafv2.WebACL + webACLName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_wafv2_web_acl.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsWafv2WebACLDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2WebACLConfig_IPSetReferenceStatement_IPSetForwardedIPConfig(webACLName, "MATCH", "X-Forwarded-For", "FIRST"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2WebACLExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", webACLName), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "MATCH", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "X-Forwarded-For", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "FIRST", + }), + ), + }, + { + Config: 
testAccAwsWafv2WebACLConfig_IPSetReferenceStatement_IPSetForwardedIPConfig(webACLName, "NO_MATCH", "X-Forwarded-For", "LAST"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2WebACLExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", webACLName), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "NO_MATCH", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "X-Forwarded-For", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "LAST", + }), + ), + }, + { + Config: testAccAwsWafv2WebACLConfig_IPSetReferenceStatement_IPSetForwardedIPConfig(webACLName, "MATCH", "Updated", "ANY"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2WebACLExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", webACLName), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + }), + 
tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.fallback_behavior": "MATCH", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.header_name": "Updated", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.0.position": "ANY", + }), + ), + }, + { + Config: testAccAwsWafv2WebACLConfig_IPSetReferenceStatement(webACLName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsWafv2WebACLExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", webACLName), + resource.TestCheckResourceAttr(resourceName, "rule.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{ + "statement.#": "1", + "statement.0.ip_set_reference_statement.#": "1", + "statement.0.ip_set_reference_statement.0.ip_set_forwarded_ip_config.#": "0", + }), + tfawsresource.TestMatchTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]*regexp.Regexp{ + "statement.0.ip_set_reference_statement.0.arn": regexp.MustCompile(`regional/ipset/.+$`), + }), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccAwsWafv2WebACLImportStateIdFunc(resourceName), + }, + }, + }) +} + func TestAccAwsWafv2WebACL_RateBasedStatement_ForwardedIPConfig(t *testing.T) { var v wafv2.WebACL webACLName := acctest.RandomWithPrefix("tf-acc-test") 
@@ -1368,6 +1516,107 @@ resource "aws_wafv2_web_acl" "test" { `, name, fallbackBehavior, headerName) } +func testAccAwsWafv2WebACLConfig_IPSetReferenceStatement(name string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "test" { + name = "ip-set-%[1]s" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.1.1.1/32", "2.2.2.2/32"] +} + +resource "aws_wafv2_web_acl" "test" { + name = "%[1]s" + description = "%[1]s" + scope = "REGIONAL" + + default_action { + block {} + } + + rule { + name = "rule-1" + priority = 1 + + action { + block {} + } + + statement { + ip_set_reference_statement { + arn = aws_wafv2_ip_set.test.arn + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-rule-metric-name" + sampled_requests_enabled = false + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-metric-name" + sampled_requests_enabled = false + } +} +`, name) +} + +func testAccAwsWafv2WebACLConfig_IPSetReferenceStatement_IPSetForwardedIPConfig(name, fallbackBehavior, headerName, position string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "test" { + name = "ip-set-%[1]s" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.1.1.1/32", "2.2.2.2/32"] +} + +resource "aws_wafv2_web_acl" "test" { + name = "%[1]s" + description = "%[1]s" + scope = "REGIONAL" + + default_action { + block {} + } + + rule { + name = "rule-1" + priority = 1 + + action { + block {} + } + + statement { + ip_set_reference_statement { + arn = aws_wafv2_ip_set.test.arn + ip_set_forwarded_ip_config { + fallback_behavior = "%[2]s" + header_name = "%[3]s" + position = "%[4]s" + } + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-rule-metric-name" + sampled_requests_enabled = false + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-metric-name" + sampled_requests_enabled = false + } +} +`, 
name, fallbackBehavior, headerName, position) +} + func testAccAwsWafv2WebACLConfig_ManagedRuleGroupStatement(name string) string { return fmt.Sprintf(` resource "aws_wafv2_web_acl" "test" { diff --git a/aws/wafv2_helper.go b/aws/wafv2_helper.go index 81fca68239b..40e05658afe 100644 --- a/aws/wafv2_helper.go +++ b/aws/wafv2_helper.go @@ -161,6 +161,33 @@ func wafv2IpSetReferenceStatementSchema() *schema.Schema { Required: true, ValidateFunc: validateArn, }, + "ip_set_forwarded_ip_config": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "fallback_behavior": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice(wafv2.FallbackBehavior_Values(), false), + }, + "header_name": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.All( + validation.StringLenBetween(1, 255), + validation.StringMatch(regexp.MustCompile(`^[a-zA-Z0-9-]+$`), "must contain only alphanumeric and hyphen characters"), + ), + }, + "position": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice(wafv2.ForwardedIPPosition_Values(), false), + }, + }, + }, + }, }, }, } @@ -612,6 +639,20 @@ func expandWafv2ForwardedIPConfig(l []interface{}) *wafv2.ForwardedIPConfig { } } +func expandWafv2IPSetForwardedIPConfig(l []interface{}) *wafv2.IPSetForwardedIPConfig { + if len(l) == 0 || l[0] == nil { + return nil + } + + m := l[0].(map[string]interface{}) + + return &wafv2.IPSetForwardedIPConfig{ + FallbackBehavior: aws.String(m["fallback_behavior"].(string)), + HeaderName: aws.String(m["header_name"].(string)), + Position: aws.String(m["position"].(string)), + } +} + func expandWafv2SingleHeader(l []interface{}) *wafv2.SingleHeader { if len(l) == 0 || l[0] == nil { return nil 
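Review bot: The new `ip_set_forwarded_ip_config` block at the top of this hunk carries no comment that the address it matches is read from a request header, which any client or intermediate proxy can set, so WAF cannot vouch for it the way it can for the connection source address; a rule that allows on a forwarded-IP match is only as trustworthy as the proxies that write `header_name`, and `fallback_behavior` decides whether requests with no valid address in the chosen position count as a match, which is the fail-safe choice for a block rule (`MATCH`) but the fail-open one for an allow rule. I would add above the block: `// Addresses taken from a header are client-supplied and unverifiable by WAF; allow rules keyed on this config trust every proxy able to set header_name, and fallback_behavior should be chosen per rule action.` The validation itself (SDK enum values for `fallback_behavior`/`position`, a 1–255 character `[a-zA-Z0-9-]` `header_name`) appears to mirror the service's own constraints, though I cannot confirm that from the diff. The enclosing `wafv2IpSetReferenceStatementSchema` function starts before this hunk.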
@@ -671,9 +712,15 @@ func expandWafv2IpSetReferenceStatement(l []interface{}) *wafv2.IPSetReferenceSt m := l[0].(map[string]interface{}) - return &wafv2.IPSetReferenceStatement{ + statement := &wafv2.IPSetReferenceStatement{ ARN: aws.String(m["arn"].(string)), } + + if v, ok := m["ip_set_forwarded_ip_config"]; ok { + statement.IPSetForwardedIPConfig = expandWafv2IPSetForwardedIPConfig(v.([]interface{})) + } + + return statement } func expandWafv2GeoMatchStatement(l []interface{}) *wafv2.GeoMatchStatement { @@ -962,6 +1009,20 @@ func flattenWafv2ForwardedIPConfig(f *wafv2.ForwardedIPConfig) interface{} { return []interface{}{m} } +func flattenWafv2IPSetForwardedIPConfig(i *wafv2.IPSetForwardedIPConfig) interface{} { + if i == nil { + return []interface{}{} + } + + m := map[string]interface{}{ + "fallback_behavior": aws.StringValue(i.FallbackBehavior), + "header_name": aws.StringValue(i.HeaderName), + "position": aws.StringValue(i.Position), + } + + return []interface{}{m} +} + func flattenWafv2SingleHeader(s *wafv2.SingleHeader) interface{} { if s == nil { return []interface{}{} @@ -1003,7 +1064,8 @@ func flattenWafv2IpSetReferenceStatement(i *wafv2.IPSetReferenceStatement) inter } m := map[string]interface{}{ - "arn": aws.StringValue(i.ARN), + "arn": aws.StringValue(i.ARN), + "ip_set_forwarded_ip_config": flattenWafv2IPSetForwardedIPConfig(i.IPSetForwardedIPConfig), } return []interface{}{m} diff --git a/website/docs/r/wafv2_rule_group.html.markdown b/website/docs/r/wafv2_rule_group.html.markdown index 0ba57029e36..1c33eaa0917 100644 --- a/website/docs/r/wafv2_rule_group.html.markdown +++ b/website/docs/r/wafv2_rule_group.html.markdown 
@@ -365,6 +365,7 @@ A rule statement used to detect web requests coming from particular IP addresses The `ip_set_reference_statement` block supports the following arguments: * `arn` - (Required) The Amazon Resource Name (ARN) of the IP Set that this statement references. +* `ip_set_forwarded_ip_config` - (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See [IPSet Forwarded IP Config](#ipset-forwarded-ip-config) below for more details. ### NOT Statement @@ -449,6 +450,16 @@ The `forwarded_ip_config` block supports the following arguments: * `fallback_behavior` - (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. * `header_name` - (Required) - The name of the HTTP header to use for the IP address. +### IPSet Forwarded IP Config + +The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. + +The `ip_set_forwarded_ip_config` block supports the following arguments: + +* `fallback_behavior` - (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. +* `header_name` - (Required) - The name of the HTTP header to use for the IP address. +* `position` - (Required) - The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + ### Single Header Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` (provided as lowercase strings). 
diff --git a/website/docs/r/wafv2_web_acl.html.markdown b/website/docs/r/wafv2_web_acl.html.markdown index 6b2d08baf7e..56cfa3dcaa3 100644 --- a/website/docs/r/wafv2_web_acl.html.markdown +++ b/website/docs/r/wafv2_web_acl.html.markdown @@ -360,6 +360,7 @@ A rule statement used to detect web requests coming from particular IP addresses The `ip_set_reference_statement` block supports the following arguments: * `arn` - (Required) The Amazon Resource Name (ARN) of the IP Set that this statement references. +* `ip_set_forwarded_ip_config` - (Optional) The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See [IPSet Forwarded IP Config](#ipset-forwarded-ip-config) below for more details. ### Managed Rule Group Statement 
@@ -484,6 +485,16 @@ The `forwarded_ip_config` block supports the following arguments: * `fallback_behavior` - (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. * `header_name` - (Required) - The name of the HTTP header to use for the IP address. +### IPSet Forwarded IP Config + +The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. + +The `ip_set_forwarded_ip_config` block supports the following arguments: + +* `fallback_behavior` - (Required) - The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. +* `header_name` - (Required) - The name of the HTTP header to use for the IP address. +* `position` - (Required) - The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + ### Single Header Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` (provided as lowercase strings).