Skip to content

Commit

Permalink
resource/aws_waf_web_acl: Minor adjustments to finish up #6059
Browse files Browse the repository at this point in the history
Output from acceptance testing:

```
--- PASS: TestAccAWSWafWebAcl_basic (6.55s)
--- PASS: TestAccAWSWafWebAcl_LoggingConfiguration (63.50s)
--- PASS: TestAccAWSWafWebAcl_disappears (7.44s)
--- PASS: TestAccAWSWafWebAcl_Rules (25.95s)
--- PASS: TestAccAWSWafWebAcl_changeNameForceNew (12.07s)
--- PASS: TestAccAWSWafWebAcl_DefaultAction (12.88s)
```
  • Loading branch information
bflad committed Feb 12, 2019
1 parent 34f41a4 commit 41baf98
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 17 deletions.
17 changes: 11 additions & 6 deletions aws/resource_aws_waf_web_acl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package aws

import (
"fmt"
"os"
"testing"

"github.com/aws/aws-sdk-go/aws"
Expand Down Expand Up @@ -163,6 +164,10 @@ func TestAccAWSWafWebAcl_Rules(t *testing.T) {
}

func TestAccAWSWafWebAcl_LoggingConfiguration(t *testing.T) {
oldvar := os.Getenv("AWS_DEFAULT_REGION")
os.Setenv("AWS_DEFAULT_REGION", "us-east-1")
defer os.Setenv("AWS_DEFAULT_REGION", oldvar)

var webACL waf.WebACL
rName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
resourceName := "aws_waf_web_acl.test"
Expand Down Expand Up @@ -530,8 +535,8 @@ resource "aws_kinesis_firehose_delivery_stream" "test" {
func testAccAWSWafWebAclConfig_LoggingUpdate(rName string) string {
return fmt.Sprintf(`
resource "aws_waf_web_acl" "test" {
metric_name = %q
name = %q
metric_name = %[1]q
name = %[1]q
default_action {
type = "ALLOW"
Expand All @@ -543,12 +548,12 @@ resource "aws_waf_web_acl" "test" {
}
resource "aws_s3_bucket" "test" {
bucket = %q
bucket = %[1]q
acl = "private"
}
resource "aws_iam_role" "test" {
name = %q
name = %[1]q
assume_role_policy = <<EOF
{
Expand All @@ -569,7 +574,7 @@ EOF
resource "aws_kinesis_firehose_delivery_stream" "test" {
# the name must begin with aws-waf-logs-
name = "aws-waf-logs-%s"
name = "aws-waf-logs-%[1]s"
destination = "s3"
s3_configuration {
Expand All @@ -578,5 +583,5 @@ resource "aws_kinesis_firehose_delivery_stream" "test" {
}
}
`, rName, rName, rName, rName, rName)
`, rName)
}
33 changes: 22 additions & 11 deletions website/docs/r/waf_web_acl.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ resource "aws_waf_web_acl" "waf_acl" {

### Logging

~> *NOTE:* The Kinesis Firehose Delivery Stream name must begin with `aws-waf-logs-`. See the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) for more information about enabling WAF logging.
~> *NOTE:* The Kinesis Firehose Delivery Stream name must begin with `aws-waf-logs-` and be located in `us-east-1` region. See the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) for more information about enabling WAF logging.

```hcl
resource "aws_waf_web_acl" "example" {
Expand All @@ -81,25 +81,36 @@ resource "aws_waf_web_acl" "example" {

The following arguments are supported:

* `default_action` - (Required) The action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
* `default_action` - (Required) Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
* `metric_name` - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
* `name` - (Required) The name or description of the web ACL.
* `rules` - (Required) The rules to associate with the web ACL and the settings for each rule.
* `rules` - (Required) Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
* `logging_configuration` - (Optional) Configuration block to enable WAF logging. Detailed below.

## Nested Blocks

### `default_action`

#### Arguments
### `default_action` Configuration Block

* `type` - (Required) Specifies how you want AWS WAF to respond to requests that match the settings in a rule.
e.g. `ALLOW`, `BLOCK` or `COUNT`

### `rules`
### `logging_configuration` Configuration Block

See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ActivatedRule.html) for all details and supported values.
* `log_destination` - (Required) Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
* `redacted_fields` - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.

#### `redacted_fields` Configuration Block

* `field_to_match` - (Required) Set of configuration blocks for fields to redact. Detailed below.

#### Arguments
##### `field_to_match` Configuration Block

-> Additional information about this configuration can be found in the [AWS WAF Regional API Reference](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_FieldToMatch.html).

* `data` - (Optional) When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`.
* `type` - (Required) The part of the web request that you want AWS WAF to search for a specified string. e.g. `HEADER` or `METHOD`

### `rules` Configuration Block

See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ActivatedRule.html) for all details and supported values.

* `action` - (Optional) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`.
* `type` - (Required) valid values are: `BLOCK`, `ALLOW`, or `COUNT`
Expand Down

0 comments on commit 41baf98

Please sign in to comment.