terraform-aws-waf

implement label_match_statement

Open chitopunk opened this issue 1 year ago • 5 comments

Describe the Feature

In order to build more robust rules based on 2 or more statements it would be great to add support for the AND OR LABEL statements. LABELS will help to create exclusion rules based on other managed rules.

Expected Behavior

label_match_statement must create an AND statement within the rule to a specific SCOPE and KEY to match specific attributes like user-agent, http library, etc.

Use Case

WAF allows creating AND statements within the AWS console

Describe Ideal Solution

a simple block for label_match_statements based on the terraform block

Alternatives Considered

No response

Additional Context

No response

chitopunk avatar Oct 01 '24 22:10 chitopunk

Hi, I would like to raise this as well, as it is required to have, for example, a rule to allow verified bots

alianinhoaws avatar Nov 20 '24 14:11 alianinhoaws

Joining the list for this rule. Thank you

pintxxo avatar Feb 10 '25 13:02 pintxxo

+1

yuvalavidor avatar Feb 28 '25 09:02 yuvalavidor

Hey! I think this would be a great feature to add. I was working for a client and crashed into these limitations. Making this will allow us to add more complex WAF rules with AND, OR and NOT nested conditions. I encountered a case where I had to add a rule with:

AND_STATEMENT {
  LABEL_STATEMENT {
    ...
  }
  NOT_STATEMENT {
    BYTE_MATCH_STATEMENT {
      ...
    }
  }
  NOT_STATEMENT {
    BYTE_MATCH_STATEMENT {
      ...
    }
  }
}

Here we have more levels of nesting; with this module I did not find a solution to create a custom rule with this type of constraint. I had to use the direct resource from the Terraform AWS provider. We can maybe add something like:

dynamic "rule" {
  for_each = local.custom_statement_rules

  content {
    name     = rule.value.name
    priority = rule.value.priority

    action {
      dynamic "allow" {
        for_each = rule.value.action == "allow" ? [1] : []

        content {}
      }
      dynamic "block" {
        for_each = rule.value.action == "block" ? [1] : []

        content {}
      }
      dynamic "count" {
        for_each = rule.value.action == "count" ? [1] : []

        content {}
      }
    }

    # Note that the inner statement blocks are dynamic, allowing us to add various nested statements
    statement {
      dynamic "byte_match_statement" {
        for_each = lookup(rule.value, "statement", null) != null ? [rule.value.statement] : []

        content {
          positional_constraint = byte_match_statement.value.positional_constraint
          search_string         = byte_match_statement.value.search_string

          # field_to_match and text_transformation are required by the provider schema;
          # header_name is assumed to be part of the statement object in the local
          field_to_match {
            single_header {
              name = byte_match_statement.value.header_name
            }
          }

          text_transformation {
            priority = 0
            type     = "NONE"
          }
        }
      }
    }

    # visibility_config is required for every rule
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = rule.value.name
      sampled_requests_enabled   = true
    }
  }
}

What do you think?

davidnbr avatar Mar 28 '25 22:03 davidnbr

+1 - my use case is to allow no user agent header for a particular host. I want a rule that can match the awswaf:managed:aws:core-rule-set:NoUserAgent_Header label, AND match everything that doesn't match (not statement) my specific host header, and then block.

Curious if it's possible to make this module 100% generic, i.e. fully capable of everything the underlying resource is capable of? Or is that not feasible because it's a recursive structure?

I think my workaround for now will be to make an aws_wafv2_rule_group and reference it in this module

joshsizer avatar Apr 23 '25 18:04 joshsizer
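The rule joshsizer describes (and the AND / LABEL / NOT nesting davidnbr sketched), written directly against the aws_wafv2_web_acl resource rather than through this module. This is an added example, not code from the issue, the module or AWS; the web ACL name, metric names and the allowed host value are assumed placeholders. The managed Common Rule Set is included because the awswaf:managed:aws:core-rule-set:NoUserAgent_Header label only exists on a request if the rule that emits it was evaluated earlier in the same web ACL.

```hcl
resource "aws_wafv2_web_acl" "example" {
  name  = "label-match-example" # assumed name
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # 1. Run the Common Rule Set first (lowest priority number) so it emits labels.
  #    NoUserAgent_Header is overridden to COUNT so the managed rule only labels
  #    the request instead of blocking it; the custom rule below decides.
  rule {
    name     = "common-rule-set"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        rule_action_override {
          name = "NoUserAgent_Header"
          action_to_use {
            count {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  # 2. Block requests carrying the NoUserAgent_Header label unless the Host
  #    header matches the allowed host (AND of a label match and a NOT byte match).
  rule {
    name     = "block-missing-ua-except-allowed-host"
    priority = 1

    action {
      block {}
    }

    statement {
      and_statement {
        statement {
          label_match_statement {
            scope = "LABEL"
            key   = "awswaf:managed:aws:core-rule-set:NoUserAgent_Header"
          }
        }

        statement {
          not_statement {
            statement {
              byte_match_statement {
                positional_constraint = "EXACTLY"
                search_string         = "api.example.com" # constructed placeholder host

                field_to_match {
                  single_header {
                    name = "host"
                  }
                }

                text_transformation {
                  priority = 0
                  type     = "LOWERCASE"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-missing-ua-except-allowed-host"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "label-match-example"
    sampled_requests_enabled   = true
  }
}
```

A second exclusion, as in davidnbr's shape with two NOT statements, is just another `statement { not_statement { ... } }` entry inside the same `and_statement`. The ordering matters: if the custom rule had a lower priority number than the managed rule group, the label would not yet be present and the rule would never match, so the safest way to verify the rule is to deploy it with `count {}` first and check the sampled requests for the expected label before switching it to `block {}`.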