From 41baf9823c4db36e288b5c512ab71f383c68267a Mon Sep 17 00:00:00 2001
From: Brian Flad
Date: Tue, 12 Feb 2019 18:59:06 -0500
Subject: [PATCH] resource/aws_waf_web_acl: Minor adjustments to finish up #6059

Output from acceptance testing:

```
--- PASS: TestAccAWSWafWebAcl_basic (6.55s)
--- PASS: TestAccAWSWafWebAcl_LoggingConfiguration (63.50s)
--- PASS: TestAccAWSWafWebAcl_disappears (7.44s)
--- PASS: TestAccAWSWafWebAcl_Rules (25.95s)
--- PASS: TestAccAWSWafWebAcl_changeNameForceNew (12.07s)
--- PASS: TestAccAWSWafWebAcl_DefaultAction (12.88s)
```
---
 aws/resource_aws_waf_web_acl_test.go | 17 +++++++-----
 website/docs/r/waf_web_acl.html.markdown | 33 ++++++++++++++++--------
 2 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/aws/resource_aws_waf_web_acl_test.go b/aws/resource_aws_waf_web_acl_test.go
index 2769f2c266c..95ac5a8aef2 100644
--- a/aws/resource_aws_waf_web_acl_test.go
+++ b/aws/resource_aws_waf_web_acl_test.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 "fmt"
+ "os"
 "testing"
 
 "github.com/aws/aws-sdk-go/aws"
@@ -163,6 +164,10 @@ func TestAccAWSWafWebAcl_Rules(t *testing.T) {
 }
 
 func TestAccAWSWafWebAcl_LoggingConfiguration(t *testing.T) {
+ oldvar := os.Getenv("AWS_DEFAULT_REGION")
+ os.Setenv("AWS_DEFAULT_REGION", "us-east-1")
+ defer os.Setenv("AWS_DEFAULT_REGION", oldvar)
+
 var webACL waf.WebACL
 rName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
 resourceName := "aws_waf_web_acl.test"
@@ -530,8 +535,8 @@ resource "aws_kinesis_firehose_delivery_stream" "test" {
 func testAccAWSWafWebAclConfig_LoggingUpdate(rName string) string {
 return fmt.Sprintf(`
 resource "aws_waf_web_acl" "test" {
- metric_name = %q
- name = %q
+ metric_name = %[1]q
+ name = %[1]q
 
 default_action {
 type = "ALLOW"
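Review bot: The deferred `os.Setenv("AWS_DEFAULT_REGION", oldvar)` in TestAccAWSWafWebAcl_LoggingConfiguration does not restore the original state when the variable was unset: `os.Getenv` returns "" for both "unset" and "set to empty", so after this test the process carries a present-but-empty `AWS_DEFAULT_REGION` into every later test in the same run, which is a different input to the provider's region resolution than an absent variable. Using `os.LookupEnv` to capture presence and `os.Unsetenv` on the way out restores the exact prior state, and the first `os.Setenv` error return should be checked so a failure to mutate the environment does not silently run the test against whatever region was already configured. A one-line comment above the block would also help the reader, since the reason the region is pinned only appears in the documentation change in this same patch: `// WAF logging needs the Kinesis Firehose delivery stream in us-east-1, so pin the region for this test.` Mutating the process environment is also incompatible with any `t.Parallel()` test in the package — presumably none exist here, but it is worth knowing. The body of TestAccAWSWafWebAcl_LoggingConfiguration continues past the end of the hunk.

```go
func TestAccAWSWafWebAcl_LoggingConfiguration(t *testing.T) {
	// WAF logging needs the Kinesis Firehose delivery stream in us-east-1, so pin the region for this test.
	oldvar, wasSet := os.LookupEnv("AWS_DEFAULT_REGION")
	if err := os.Setenv("AWS_DEFAULT_REGION", "us-east-1"); err != nil {
		t.Fatalf("setting AWS_DEFAULT_REGION: %s", err)
	}
	defer func() {
		// Restore the exact prior state: an unset variable stays unset rather than becoming "".
		if wasSet {
			os.Setenv("AWS_DEFAULT_REGION", oldvar)
		} else {
			os.Unsetenv("AWS_DEFAULT_REGION")
		}
	}()
	// … unchanged: rest of the test body …
```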
@@ -543,12 +548,12 @@ resource "aws_waf_web_acl" "test" { } resource "aws_s3_bucket" "test" { - bucket = %q + bucket = %[1]q acl = "private" } resource "aws_iam_role" "test" { - name = %q + name = %[1]q assume_role_policy = < *NOTE:* The Kinesis Firehose Delivery Stream name must begin with `aws-waf-logs-`. See the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) for more information about enabling WAF logging. +~> *NOTE:* The Kinesis Firehose Delivery Stream name must begin with `aws-waf-logs-` and be located in `us-east-1` region. See the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) for more information about enabling WAF logging. ```hcl resource "aws_waf_web_acl" "example" { 
@@ -81,25 +81,36 @@ resource "aws_waf_web_acl" "example" {
 The following arguments are supported:
-* `default_action` - (Required) The action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
+* `default_action` - (Required) Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
 * `metric_name` - (Required) The name or description for the Amazon CloudWatch metric of this web ACL.
 * `name` - (Required) The name or description of the web ACL.
-* `rules` - (Required) The rules to associate with the web ACL and the settings for each rule.
+* `rules` - (Required) Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
+* `logging_configuration` - (Optional) Configuration block to enable WAF logging. Detailed below.
-## Nested Blocks
-
-### `default_action`
-
-#### Arguments
+### `default_action` Configuration Block
 * `type` - (Required) Specifies how you want AWS WAF to respond to requests that match the settings in a rule. e.g. `ALLOW`, `BLOCK` or `COUNT`
-### `rules`
+### `logging_configuration` Configuration Block
-See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ActivatedRule.html) for all details and supported values.
+* `log_destination` - (Required) Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
+* `redacted_fields` - (Optional) Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
+
+#### `redacted_fields` Configuration Block
+
+* `field_to_match` - (Required) Set of configuration blocks for fields to redact. Detailed below.
-#### Arguments
+##### `field_to_match` Configuration Block
+
+-> Additional information about this configuration can be found in the [AWS WAF Regional API Reference](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_FieldToMatch.html).
+
+* `data` - (Optional) When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`.
+* `type` - (Required) The part of the web request that you want AWS WAF to search for a specified string. e.g. `HEADER` or `METHOD`
+
+### `rules` Configuration Block
+
+See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ActivatedRule.html) for all details and supported values.
 * `action` - (Optional) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`.
 * `type` - (Required) valid values are: `BLOCK`, `ALLOW`, or `COUNT`