Releases: umotif-public/terraform-aws-waf-webaclv2
3.0.0 - Support for byte_match, AND, OR, and NOT statements
BREAKING CHANGES:
ip_set_rules, geo_match_rules, and ip_rate_based_rule variables have been removed.
This release moves all rules into one block so IP set rules, Geo set rules, and IP rate-based rules, which previously had their own blocks, now need to be moved under the rules list.
v3.0.0 Code (New code format):
rules = [
  {
    name     = "allow-custom-ip-set"
    priority = 1
    action   = "count"
    ip_set_reference_statement = {
      arn = aws_wafv2_ip_set.custom_ip_set.arn
    }
    visibility_config = {
      cloudwatch_metrics_enabled = false
      sampled_requests_enabled   = false
    }
  },
  {
    name     = "block_country_codes"
    priority = "2"
    action   = "block"
    geo_match_statement = {
      country_codes = ["US", "NL"]
    }
    visibility_config = {
      cloudwatch_metrics_enabled = false
      metric_name                = "block_country_codes-metric"
      sampled_requests_enabled   = false
    }
  },
  {
    name     = "ip-rate-limit"
    priority = 2
    action   = "count"
    rate_based_statement = {
      limit              = 100
      aggregate_key_type = "IP"
    }
    visibility_config = {
      cloudwatch_metrics_enabled = false
      sampled_requests_enabled   = false
    }
  }
]
v2.0.0 Code (deprecated in 3.0.0):
ip_set_rules = [
  {
    name     = "allow-custom-ip-set"
    priority = 1
    # action = "count" # if not set, action defaults to allow
    ip_set_reference_statement = {
      arn = aws_wafv2_ip_set.custom_ip_set.arn
    }
    visibility_config = {
      cloudwatch_metrics_enabled = false
      sampled_requests_enabled   = false
    }
  }
]
geo_match_rules = [
  {
    name     = "block_country_codes"
    priority = "2"
    action   = "block"
    geo_match_statement = {
      country_codes = ["US", "NL"]
    }
    visibility_config = {
      cloudwatch_metrics_enabled = false
      metric_name                = "block_country_codes-metric"
      sampled_requests_enabled   = false
    }
  }
]
ip_rate_based_rule = {
  name     = "ip-rate-limit"
  priority = 2
  # action = "count" # if not set, action defaults to block
  rate_based_statement = {
    limit              = 100
    aggregate_key_type = "IP"
  }
  visibility_config = {
    cloudwatch_metrics_enabled = false
    sampled_requests_enabled   = false
  }
}
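The move from three variables to one `rules` list can be checked mechanically before applying. The following is an added example, not code from the module: Python dicts stand in for the HCL objects, and `migrate_to_rules`, `V2_DEFAULT_ACTION` and `SAMPLE_V2` are hypothetical names. It writes out the v2.0.0 defaults named in the comments above (allow for IP set rules, block for the rate-based rule) as explicit actions and reports priorities that repeat once the rules share one list.

```python
# Added example: not part of the module. Shapes mirror the v2.0.0 variables above.
V2_DEFAULT_ACTION = {  # defaults stated in the v2.0.0 comments on this page
    "ip_set_rules": "allow",
    "ip_rate_based_rule": "block",
}

# Constructed sample: the v2.0.0 snippet with its commented-out actions left unset.
SAMPLE_V2 = {
    "ip_set_rules": [{"name": "allow-custom-ip-set", "priority": 1}],
    "geo_match_rules": [
        {"name": "block_country_codes", "priority": "2", "action": "block"}
    ],
    "ip_rate_based_rule": {"name": "ip-rate-limit", "priority": 2},
}


def migrate_to_rules(ip_set_rules=(), geo_match_rules=(), ip_rate_based_rule=None):
    """Merge the three removed variables into one list; return (rules, warnings)."""
    sources = [("ip_set_rules", r) for r in ip_set_rules]
    sources += [("geo_match_rules", r) for r in geo_match_rules]
    if ip_rate_based_rule:
        sources.append(("ip_rate_based_rule", ip_rate_based_rule))

    rules, warnings, seen = [], [], {}
    for origin, rule in sources:
        merged = dict(rule)
        merged["priority"] = int(rule["priority"])  # the page mixes 2 and "2"
        name = merged["name"]
        if "action" not in merged:
            default = V2_DEFAULT_ACTION.get(origin)
            if default is None:
                warnings.append(f"{name}: no action set and no v2 default known")
            else:
                # Write the old implicit default out so enforcement is unchanged.
                merged["action"] = default
                warnings.append(f"{name}: action made explicit as '{default}'")
        # AWS WAF requires distinct priorities among the rules of one web ACL.
        if merged["priority"] in seen:
            prev = seen[merged["priority"]]
            warnings.append(f"{name}: priority {merged['priority']} already used by {prev}")
        else:
            seen[merged["priority"]] = name
        rules.append(merged)
    return sorted(rules, key=lambda r: r["priority"]), warnings


if __name__ == "__main__":
    for line in migrate_to_rules(**SAMPLE_V2)[1]:
        print(line)
```

On the sample values, the helper reports that `ip-rate-limit` and `block_country_codes` both use priority 2, which is worth resolving before the merged list is applied.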
New Features
- Support for Byte Match Rules
  - Allowing rules to be matched based on uri_path, all_query_arguments, body, method, query_string, and single_header
  - Please refer to the Examples directory for syntax and to Terraform Byte Match Statements for possible values
- Support for AND, OR, and NOT Rules
  - All rules other than Managed Rule Groups (IP set, Geo set, Byte match, and IP rate-based) can now be paired with AND, OR, and NOT logic
  - Logical operators are now also supported under scopedown statements
  - Please refer to the Examples directory for syntax with the logical operators
- Scopedown Statements now supported for rate-based rules
  - Rate-based rules can now be scoped down with IP set, Geo set, and Byte match rules
  - Logical operators can also be applied to allow multiple scopedowns in the same rule
2.0.0: Upgrade + logging filter support
Minimum versions required:
- aws provider: 3.38.0
- terraform: 13.0.0
1.6.0: Added actions, geo match and IP set (#18)
* added ip and geo
* fix(override): allow block override
* added action block
* fix(geo): moved geo rules to its own variable to not change behaviour of current rule var
1.5.1: Support terraform 0.14
Update module to remove 0.14 limit (#17)
* Update module to remove 0.14 limit
* Update pre-commit config
1.5.0: Add support for IP sets and rate limiting
Add support for IP sets and rate limiting (#15)
1.4.1: v3 aws provider support (#14)
* Update module versions to support v3 provider
* update CHANGELOG
1.4.0: Add ability to support multiple ALBs (#13)
* Add ability to support multiple ALBs
* keeping var.create_alb_association
1.3.0
Add ability to change WAF scope (#11)
1.2.0
Allow setting of override_action and default_action (#10)
1.1.0: Feature/wafv2 improvements (#8)
* Upgrade provider and add logging configuration
* Update docs