feat: Add support for large req body inspection for regional resource…

…s for aws_wafv2_web_acl
hashicorp · May 19, 2024 · ea3a1bd · ea3a1bd
1 parent 08f7629
commit ea3a1bd
Show file tree

Hide file tree

Showing 5 changed files with 233 additions and 16 deletions.
diff --git a/.changelog/37588.txt b/.changelog/37588.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_wafv2_web_acl: Add `api_gateway`, `app_runner_service`, `cognito_user_pool`, and `verified_access_instance` configuration blocks to the `association_config.request_body` argument
+```
diff --git a/internal/service/wafv2/flex.go b/internal/service/wafv2/flex.go
@@ -4,6 +4,8 @@
 package wafv2
 
 import (
+	"strings"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awstypes "github.com/aws/aws-sdk-go-v2/service/wafv2/types"
 	"github.com/aws/aws-sdk-go/service/wafv2"
@@ -115,11 +117,14 @@ func expandAssociationConfig(l []interface{}) *awstypes.AssociationConfig {
 		m = inner[0].(map[string]interface{})
 		if len(m) > 0 {
 			configuration.RequestBody = make(map[string]awstypes.RequestBodyAssociatedResourceTypeConfig)
-		}
-
-		if v, ok := m["cloudfront"]; ok {
-			inner = v.([]interface{})
-			configuration.RequestBody[wafv2.AssociatedResourceTypeCloudfront] = expandRequestBodyConfigItem(inner)
+			for _, resourceType := range wafv2.AssociatedResourceType_Values() {
+				if v, ok := m[strings.ToLower(resourceType)]; ok {
+					m := v.([]interface{})
+					if len(m) > 0 {
+						configuration.RequestBody[resourceType] = expandRequestBodyConfigItem(m)
+					}
+				}
+			}
 		}
 	}
 
@@ -1765,13 +1770,18 @@ func flattenAssociationConfig(config *awstypes.AssociationConfig) interface{} {
 		return associationConfig
 	}
 
-	cloudfrontRequestBodyConfig := config.RequestBody[wafv2.AssociatedResourceTypeCloudfront]
+	requestBodyConfig := map[string]interface{}{}
+	for _, resourceType := range wafv2.AssociatedResourceType_Values() {
+		if requestBodyAssociatedResourceTypeConfig, ok := config.RequestBody[resourceType]; ok {
+			requestBodyConfig[strings.ToLower(resourceType)] = []map[string]interface{}{{
+				"default_size_inspection_limit": string(requestBodyAssociatedResourceTypeConfig.DefaultSizeInspectionLimit),
+			}}
+		}
+	}
 	associationConfig = append(associationConfig, map[string]interface{}{
-		"request_body": []map[string]interface{}{{
-			"cloudfront": []map[string]interface{}{{
-				"default_size_inspection_limit": string(cloudfrontRequestBodyConfig.DefaultSizeInspectionLimit),
-			}},
-		}},
+		"request_body": []map[string]interface{}{
+			requestBodyConfig,
+		},
 	})
 
 	return associationConfig

diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go
@@ -539,6 +539,32 @@ func requestBodySchema() *schema.Schema {
 		Optional: true,
 		Elem: &schema.Resource{
 			Schema: map[string]*schema.Schema{
+				"api_gateway": {
+					Type:     schema.TypeList,
+					Optional: true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"default_size_inspection_limit": {
+								Type:             schema.TypeString,
+								Required:         true,
+								ValidateDiagFunc: enum.Validate[awstypes.SizeInspectionLimit](),
+							},
+						},
+					},
+				},
+				"app_runner_service": {
+					Type:     schema.TypeList,
+					Optional: true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"default_size_inspection_limit": {
+								Type:             schema.TypeString,
+								Required:         true,
+								ValidateDiagFunc: enum.Validate[awstypes.SizeInspectionLimit](),
+							},
+						},
+					},
+				},
 				"cloudfront": {
 					Type:     schema.TypeList,
 					Optional: true,
@@ -552,6 +578,32 @@ func requestBodySchema() *schema.Schema {
 						},
 					},
 				},
+				"cognito_user_pool": {
+					Type:     schema.TypeList,
+					Optional: true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"default_size_inspection_limit": {
+								Type:             schema.TypeString,
+								Required:         true,
+								ValidateDiagFunc: enum.Validate[awstypes.SizeInspectionLimit](),
+							},
+						},
+					},
+				},
+				"verified_access_instance": {
+					Type:     schema.TypeList,
+					Optional: true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"default_size_inspection_limit": {
+								Type:             schema.TypeString,
+								Required:         true,
+								ValidateDiagFunc: enum.Validate[awstypes.SizeInspectionLimit](),
+							},
+						},
+					},
+				},
 			},
 		},
 	}

diff --git a/internal/service/wafv2/web_acl_test.go b/internal/service/wafv2/web_acl_test.go
@@ -2867,7 +2867,7 @@ func TestAccWAFV2WebACL_tokenDomains(t *testing.T) {
 	})
 }
 
-func TestAccWAFV2WebACL_associationConfig(t *testing.T) {
+func TestAccWAFV2WebACL_associationConfigCloudFront(t *testing.T) {
 	ctx := acctest.Context(t)
 	var v awstypes.WebACL
 	webACLName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -2883,7 +2883,7 @@ func TestAccWAFV2WebACL_associationConfig(t *testing.T) {
 		CheckDestroy:             testAccCheckWebACLDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccWebACLConfig_associationConfig(webACLName),
+				Config: testAccWebACLConfig_associationConfigCloudFront(webACLName),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckWebACLExists(ctx, resourceName, &v),
 					acctest.MatchResourceAttrRegionalARN(resourceName, names.AttrARN, "wafv2", regexache.MustCompile(`global/webacl/.+$`)),
@@ -2913,6 +2913,57 @@ func TestAccWAFV2WebACL_associationConfig(t *testing.T) {
 	})
 }
 
+func TestAccWAFV2WebACL_associationConfigRegional(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v awstypes.WebACL
+	webACLName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_wafv2_web_acl.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.WAFV2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckWebACLDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWebACLConfig_associationConfigRegional(webACLName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckWebACLExists(ctx, resourceName, &v),
+					acctest.MatchResourceAttrRegionalARN(resourceName, names.AttrARN, "wafv2", regexache.MustCompile(`regional/webacl/.+$`)),
+					resource.TestCheckResourceAttr(resourceName, "association_config.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.api_gateway.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.api_gateway.0.default_size_inspection_limit", "KB_16"),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.cognito_user_pool.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.cognito_user_pool.0.default_size_inspection_limit", "KB_32"),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.app_runner_service.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.app_runner_service.0.default_size_inspection_limit", "KB_48"),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.verified_access_instance.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "association_config.0.request_body.0.verified_access_instance.0.default_size_inspection_limit", "KB_64"),
+					resource.TestCheckResourceAttr(resourceName, "default_action.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.allow.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "default_action.0.block.#", acctest.Ct0),
+					resource.TestCheckResourceAttr(resourceName, names.AttrDescription, webACLName),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, webACLName),
+					resource.TestCheckResourceAttr(resourceName, names.AttrScope, string(awstypes.ScopeRegional)),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.#", acctest.Ct1),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
+					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccWebACLImportStateIdFunc(resourceName),
+			},
+		},
+	})
+}
+
 func TestAccWAFV2WebACL_CloudFrontScope(t *testing.T) {
 	ctx := acctest.Context(t)
 	var v awstypes.WebACL
@@ -5938,7 +5989,7 @@ resource "aws_wafv2_web_acl" "test" {
 `, rName)
 }
 
-func testAccWebACLConfig_associationConfig(rName string) string {
+func testAccWebACLConfig_associationConfigCloudFront(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_wafv2_web_acl" "test" {
   name        = %[1]q
@@ -5965,3 +6016,40 @@ resource "aws_wafv2_web_acl" "test" {
 }
 `, rName)
 }
+
+func testAccWebACLConfig_associationConfigRegional(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_wafv2_web_acl" "test" {
+  name        = %[1]q
+  description = %[1]q
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  association_config {
+    request_body {
+      api_gateway {
+        default_size_inspection_limit = "KB_16"
+      }
+      cognito_user_pool {
+        default_size_inspection_limit = "KB_32"
+      }
+      app_runner_service {
+        default_size_inspection_limit = "KB_48"
+      }
+      verified_access_instance {
+        default_size_inspection_limit = "KB_64"
+      }
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+`, rName)
+}
diff --git a/website/docs/r/wafv2_web_acl.html.markdown b/website/docs/r/wafv2_web_acl.html.markdown
@@ -417,6 +417,42 @@ resource "aws_wafv2_web_acl" "test" {
 }
 ```
 
+### Large Request Body Inspections for Regional Resources
+
+```terraform
+resource "aws_wafv2_web_acl" "example" {
+  name  = "large-request-body-example"
+  scope = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  association_config {
+    request_body {
+      api_gateway {
+        default_size_inspection_limit = "KB_64"
+      }
+      app_runner_service {
+        default_size_inspection_limit = "KB_64"
+      }
+      cognito_user_pool {
+        default_size_inspection_limit = "KB_64"
+      }
+      verified_access_instance {
+        default_size_inspection_limit = "KB_64"
+      }
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+```
+
 ## Argument Reference
 
 This resource supports the following arguments:
@@ -973,13 +1009,41 @@ The `immunity_time_property` block supports the following arguments:
 
 The `request_body` block supports the following arguments:
 
-* `cloudfront` - (Optional) Customizes the request body that your protected CloudFront distributions forward to AWS WAF for inspection. See [`cloudfront`](#cloudfront-block) below for details.
+* `api_gateway` - (Optional) Customizes the request body that your protected Amazon API Gateway REST APIs forward to AWS WAF for inspection. Applicable only when `scope` is set to `CLOUDFRONT`. See [`api_gateway`](#api_gateway-block) below for details.
+* `app_runner_service` - (Optional) Customizes the request body that your protected Amazon App Runner services forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See [`app_runner_service`](#app_runner_service-block) below for details.
+* `cloudfront` - (Optional) Customizes the request body that your protected Amazon CloudFront distributions forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See [`cloudfront`](#cloudfront-block) below for details.
+* `cognito_user_pool` - (Optional) Customizes the request body that your protected Amazon Cognito user pools forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See [`cognito_user_pool`](#cognito_user_pool-block) below for details.
+* `verified_access_instance` - (Optional) Customizes the request body that your protected AWS Verfied Access instances forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See [`verified_access_instance`](#verified_access_instance-block) below for details.
+
+### `api_gateway` Block
+
+The `api_gateway` block supports the following arguments:
+
+* `default_size_inspection_limit` - (Required) Specifies the maximum size of the web request body component that an associated Amazon API Gateway REST APIs should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.
+
+### `app_runner_service` Block
+
+The `app_runner_service` block supports the following arguments:
+
+* `default_size_inspection_limit` - (Required) Specifies the maximum size of the web request body component that an associated Amazon App Runner services should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.
 
 ### `cloudfront` Block
 
 The `cloudfront` block supports the following arguments:
 
-* `default_size_inspection_limit` - (Required) Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.
+* `default_size_inspection_limit` - (Required) Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.
+
+### `cognito_user_pool` Block
+
+The `cognito_user_pool` block supports the following arguments:
+
+* `default_size_inspection_limit` - (Required) Specifies the maximum size of the web request body component that an associated Amazon Cognito user pools should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.
+
+### `verified_access_instance` Block
+
+The `verified_access_instance` block supports the following arguments:
+
+* `default_size_inspection_limit` - (Required) Specifies the maximum size of the web request body component that an associated AWS Verified Access instances should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.
 
 ### `custom_key` Block