WAFv2: Added support for custom response bodies #19764

Merged


andyalm
Contributor

@andyalm andyalm commented Jun 11, 2021

This adds support for adding custom response bodies to both the aws_wafv2_web_acl and aws_wafv2_rule_group resources. Here is an example:

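resource "aws_wafv2_rule_group" "test" {
  name     = "sample-rule"
  scope    = "REGIONAL"
  capacity = 10 # required by the resource; the value here is an assumption

  # Bodies are defined once on the resource and referenced by key from rule actions.
  custom_response_body {
    key          = "test_body_1"
    content      = "test response 1"
    content_type = "TEXT_PLAIN"
  }

  custom_response_body {
    key          = "throttled"
    content      = "<html><body>you have been throttled</body></html>"
    content_type = "TEXT_HTML"
  }

  rule {
    name     = "rule-1"
    priority = 1

    action {
      block {
        custom_response {
          response_code            = 429
          custom_response_body_key = "throttled" # must match a custom_response_body key above
        }
      }
    }

    statement {
      geo_match_statement {
        country_codes = ["US", "NL"]
      }
    }

    # Required on every rule; metric name is an assumption.
    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rule-1"
      sampled_requests_enabled   = false
    }
  }

  # Required on the rule group; metric name is an assumption.
  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "sample-rule"
    sampled_requests_enabled   = false
  }
}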

This is marked as a draft as I still need to update the documentation and release notes.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #18754

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAwsWafv2WebACL_.+'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsWafv2WebACL_.+ -timeout 180m
=== RUN   TestAccAwsWafv2WebACL_basic
=== PAUSE TestAccAwsWafv2WebACL_basic
=== RUN   TestAccAwsWafv2WebACL_updateRule
=== PAUSE TestAccAwsWafv2WebACL_updateRule
=== RUN   TestAccAwsWafv2WebACL_UpdateRuleProperties
=== PAUSE TestAccAwsWafv2WebACL_UpdateRuleProperties
=== RUN   TestAccAwsWafv2WebACL_ChangeNameForceNew
=== PAUSE TestAccAwsWafv2WebACL_ChangeNameForceNew
=== RUN   TestAccAwsWafv2WebACL_Disappears
=== PAUSE TestAccAwsWafv2WebACL_Disappears
=== RUN   TestAccAwsWafv2WebACL_ManagedRuleGroupStatement
=== PAUSE TestAccAwsWafv2WebACL_ManagedRuleGroupStatement
=== RUN   TestAccAwsWafv2WebACL_Minimal
=== PAUSE TestAccAwsWafv2WebACL_Minimal
=== RUN   TestAccAwsWafv2WebACL_RateBasedStatement
=== PAUSE TestAccAwsWafv2WebACL_RateBasedStatement
=== RUN   TestAccAwsWafv2WebACL_GeoMatchStatement
=== PAUSE TestAccAwsWafv2WebACL_GeoMatchStatement
=== RUN   TestAccAwsWafv2WebACL_GeoMatchStatement_ForwardedIPConfig
=== PAUSE TestAccAwsWafv2WebACL_GeoMatchStatement_ForwardedIPConfig
=== RUN   TestAccAwsWafv2WebACL_IPSetReferenceStatement
=== PAUSE TestAccAwsWafv2WebACL_IPSetReferenceStatement
=== RUN   TestAccAwsWafv2WebACL_IPSetReferenceStatement_IPSetForwardedIPConfig
=== PAUSE TestAccAwsWafv2WebACL_IPSetReferenceStatement_IPSetForwardedIPConfig
=== RUN   TestAccAwsWafv2WebACL_RateBasedStatement_ForwardedIPConfig
=== PAUSE TestAccAwsWafv2WebACL_RateBasedStatement_ForwardedIPConfig
=== RUN   TestAccAwsWafv2WebACL_RuleGroupReferenceStatement
=== PAUSE TestAccAwsWafv2WebACL_RuleGroupReferenceStatement
=== RUN   TestAccAwsWafv2WebACL_CustomRequestHandling
=== PAUSE TestAccAwsWafv2WebACL_CustomRequestHandling
=== RUN   TestAccAwsWafv2WebACL_CustomResponse
=== PAUSE TestAccAwsWafv2WebACL_CustomResponse
=== RUN   TestAccAwsWafv2WebACL_Tags
=== PAUSE TestAccAwsWafv2WebACL_Tags
=== RUN   TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements
=== PAUSE TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements
=== RUN   TestAccAwsWafv2WebACL_MaxNestedOperatorStatements
=== PAUSE TestAccAwsWafv2WebACL_MaxNestedOperatorStatements
=== CONT  TestAccAwsWafv2WebACL_basic
=== CONT  TestAccAwsWafv2WebACL_IPSetReferenceStatement
=== CONT  TestAccAwsWafv2WebACL_ManagedRuleGroupStatement
=== CONT  TestAccAwsWafv2WebACL_MaxNestedOperatorStatements
=== CONT  TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements
=== CONT  TestAccAwsWafv2WebACL_Tags
=== CONT  TestAccAwsWafv2WebACL_CustomResponse
=== CONT  TestAccAwsWafv2WebACL_CustomRequestHandling
=== CONT  TestAccAwsWafv2WebACL_RuleGroupReferenceStatement
=== CONT  TestAccAwsWafv2WebACL_RateBasedStatement_ForwardedIPConfig
=== CONT  TestAccAwsWafv2WebACL_IPSetReferenceStatement_IPSetForwardedIPConfig
=== CONT  TestAccAwsWafv2WebACL_GeoMatchStatement_ForwardedIPConfig
=== CONT  TestAccAwsWafv2WebACL_RateBasedStatement
=== CONT  TestAccAwsWafv2WebACL_ChangeNameForceNew
=== CONT  TestAccAwsWafv2WebACL_Disappears
=== CONT  TestAccAwsWafv2WebACL_UpdateRuleProperties
=== CONT  TestAccAwsWafv2WebACL_Minimal
=== CONT  TestAccAwsWafv2WebACL_updateRule
=== CONT  TestAccAwsWafv2WebACL_GeoMatchStatement
--- PASS: TestAccAwsWafv2WebACL_Minimal (47.10s)
--- PASS: TestAccAwsWafv2WebACL_Disappears (59.21s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements (73.74s)
--- PASS: TestAccAwsWafv2WebACL_IPSetReferenceStatement (84.03s)
--- PASS: TestAccAwsWafv2WebACL_ManagedRuleGroupStatement (91.26s)
--- PASS: TestAccAwsWafv2WebACL_RateBasedStatement (95.62s)
--- PASS: TestAccAwsWafv2WebACL_RateBasedStatement_ForwardedIPConfig (101.08s)
--- PASS: TestAccAwsWafv2WebACL_CustomRequestHandling (106.03s)
--- PASS: TestAccAwsWafv2WebACL_GeoMatchStatement (108.89s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedOperatorStatements (116.30s)
--- PASS: TestAccAwsWafv2WebACL_CustomResponse (121.01s)
--- PASS: TestAccAwsWafv2WebACL_UpdateRuleProperties (130.49s)
--- PASS: TestAccAwsWafv2WebACL_RuleGroupReferenceStatement (137.94s)
--- PASS: TestAccAwsWafv2WebACL_IPSetReferenceStatement_IPSetForwardedIPConfig (145.30s)
--- PASS: TestAccAwsWafv2WebACL_GeoMatchStatement_ForwardedIPConfig (148.79s)
--- PASS: TestAccAwsWafv2WebACL_ChangeNameForceNew (162.43s)
--- PASS: TestAccAwsWafv2WebACL_basic (168.00s)
--- PASS: TestAccAwsWafv2WebACL_updateRule (169.22s)
--- PASS: TestAccAwsWafv2WebACL_Tags (188.27s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       189.630s
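
The description above shows only `aws_wafv2_rule_group`; the same `custom_response_body` block on `aws_wafv2_web_acl` is sketched here with a rate-based rule that returns a JSON body. This is an added example, not code from the pull request; the resource name, rate limit, header value and metric names are assumptions.

```hcl
resource "aws_wafv2_web_acl" "example" {
  name  = "example-web-acl" # assumed name
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Static body returned to blocked clients; keep it free of internal details.
  custom_response_body {
    key          = "rate_limited"
    content      = jsonencode({ error = "rate_limited", message = "Too many requests" })
    content_type = "APPLICATION_JSON"
  }

  rule {
    name     = "rate-limit-per-ip"
    priority = 1

    action {
      block {
        custom_response {
          response_code            = 429
          custom_response_body_key = "rate_limited" # must match a key defined above

          response_header {
            name  = "Retry-After"
            value = "300" # assumed value
          }
        }
      }
    }

    statement {
      rate_based_statement {
        limit              = 1000 # assumed limit
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl"
    sampled_requests_enabled   = true
  }
}
```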

@github-actions github-actions bot added the needs-triage, service/wafv2, tests and size/XL labels and removed the service/wafv2 and tests labels Jun 11, 2021
@andyalm andyalm marked this pull request as ready for review June 11, 2021 18:32
@andyalm andyalm requested a review from a team as a code owner June 11, 2021 18:32
@github-actions github-actions bot added the documentation, service/wafv2 and tests labels Jun 11, 2021
@tylerhjones

30 days open on this PR, a missing feature set for sure. Thanks @andyalm for doing this work.

@anewton1980

This is exactly what I am looking for, any update on when this will be released?

@dcastroma

Good enhancement by @andyalm and very useful, but lost because nobody reviewed it.

@KFoxder

KFoxder commented Aug 8, 2021

@andyalm thanks for doing this... would love to use this. Not sure how we can help prioritize it. Let me know if there is anything we can do to help move this along.

@jonnyshaw89

We need this feature!
What is blocking this being merged?

@andyalm
Contributor Author

andyalm commented Aug 10, 2021

@KFoxder @jonnyshaw89 thanks for chiming in. I wish I knew how to get a review on this change. I've got two PRs that have been open for more than a month. As far as I know, I have done all of the steps on the checklist to get a review. From time to time, I have to resolve conflicts that appear in main. I just did that again so it should be ready to merge again, if we can figure out how to get some eyes on it from a reviewer.

@KFoxder

KFoxder commented Aug 10, 2021

@bflad @breathingdust @YakDriver Is there any way we can help prioritize a review on this?

@hoebelix

We need this feature too! Maybe the problem is that there is no open issue for this? The original issue #18754 is closed although this PR is not merged yet. Can anybody reopen this issue please?

@jemstep-kerry

This is exactly what I need! Thanks for your great work @andyalm
@apparentlymart if you're available, please can we get a review and merge on this PR?

@jemstep-kerry

@hc-github-team-terraform-aws Please could we get a review on this?
Thank you for all your great work!

@breathingdust breathingdust added the enhancement label and removed the needs-triage label Sep 3, 2021
@n00borama

Please review, in much need of this also. Thanks.

@anewton1980

Is this available in the current release?

@iokiwi

iokiwi commented Oct 8, 2021

Also here because I need this missing feature. @hc-github-team-terraform-aws could you please review?

Would it be possible to delegate some maintainer rights to active external contributors?

@MumakiI

MumakiI commented Oct 12, 2021

Folks, how is it possible to expedite this? We need the feature very much!!!

@zhelding
Contributor

Pull request #21306 has significantly refactored the AWS Provider codebase. As a result, most PRs opened prior to the refactor now have merge conflicts that must be resolved before proceeding.

Specifically, PR #21306 relocated the code for all AWS resources and data sources from a single aws directory to a large number of separate directories in internal/service, each corresponding to a particular AWS service. This separation of code has also allowed for us to simplify the names of underlying functions -- while still avoiding namespace collisions.

We recognize that many pull requests have been open for some time without yet being addressed by our maintainers. Therefore, we want to make it clear that resolving these conflicts in no way affects the prioritization of a particular pull request. Once a pull request has been prioritized for review, the necessary changes will be made by a maintainer -- either directly or in collaboration with the pull request author.

For a more complete description of this refactor, including examples of how old filepaths and function names correspond to their new counterparts: please refer to issue #20000.

For a quick guide on how to amend your pull request to resolve the merge conflicts resulting from this refactor and bring it in line with our new code patterns: please refer to our Service Package Refactor Pull Request Guide.

@andyalm andyalm force-pushed the f-aws_wafv2_web_acl-custom-response-body branch from 0313665 to 8c0d773 Compare October 29, 2021 00:29
@andyalm
Contributor Author

andyalm commented Oct 29, 2021

Thanks for the heads up @zhelding. I've updated my changes to work with the new file structure and it's passing all checks again. Is there anything else I need to do to get a review?

@zhelding
Contributor

zhelding commented Nov 4, 2021

Hi @andyalm. No further action is required on your end for merging this pull request.

This pull request will now be addressed via our standard prioritization process. Unfortunately, given the large quantity of issues and pull requests we receive, we are not always able to review every pull request in a timely manner.

We prioritize contributions that provide the greatest value to the largest number of users -- which we primarily infer based on the number of 👍 reactions. Additionally, an explanation of the particular use case for a contribution can provide information on how the changes might be useful in a broader context.

You can get a view of the wider development plans for the provider via our road map, published quarterly.

Thank you again for your contribution and your patience.

@breathingdust
Member

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

@breathingdust breathingdust added this to the Roadmap milestone Nov 10, 2021
@anGie44 anGie44 self-assigned this Nov 19, 2021
@anGie44 anGie44 force-pushed the f-aws_wafv2_web_acl-custom-response-body branch from e243785 to eae0375 Compare November 20, 2021 01:04
@anGie44 anGie44 modified the milestones: Roadmap, v3.67.0 Nov 20, 2021
@anGie44
Contributor

anGie44 commented Nov 20, 2021

Thanks again @andyalm for contributing to this feature! 🚀

Output of acceptance tests:

--- PASS: TestAccWAFV2WebACL_disappears (387.50s)
--- PASS: TestAccWAFV2WebACL_minimal (698.41s)
--- PASS: TestAccWAFV2WebACL_GeoMatch_forwardedIP (1147.57s)
--- PASS: TestAccWAFV2WebACL_RateBased_maxNested (1428.77s)
--- PASS: TestAccWAFV2WebACL_IPSetReference_basic (1479.46s)
--- PASS: TestAccWAFV2WebACL_RateBased_forwardedIP (1479.55s)
--- PASS: TestAccWAFV2WebACL_Update_nameForceNew (1600.82s)
--- PASS: TestAccWAFV2WebACL_GeoMatch_basic (1978.72s)
--- PASS: TestAccWAFV2WebACL_Custom_response (2023.12s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_basic (2032.84s)
--- PASS: TestAccWAFV2WebACL_tags (2033.49s)
--- PASS: TestAccWAFV2WebACL_Custom_requestHandling (2033.68s)
--- PASS: TestAccWAFV2WebACL_Update_ruleProperties (2033.93s)
--- PASS: TestAccWAFV2WebACL_basic (2043.04s)
--- PASS: TestAccWAFV2WebACL_RateBased_basic (2084.49s)
--- PASS: TestAccWAFV2WebACL_Update_rule (2098.01s)
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_basic (2110.78s)
--- PASS: TestAccWAFV2WebACL_Operators_maxNested (2126.08s)
--- PASS: TestAccWAFV2WebACL_IPSetReference_forwardedIP (2157.08s)

--- PASS: TestAccWAFV2RuleGroup_disappears (294.35s)
--- PASS: TestAccWAFV2RuleGroup_ipSetReferenceStatement (1131.80s)
--- PASS: TestAccWAFV2RuleGroup_minimal (1325.96s)
--- PASS: TestAccWAFV2RuleGroup_regexPatternSetReferenceStatement (1371.22s)
--- PASS: TestAccWAFV2RuleGroup_sizeConstraintStatement (1586.00s)
--- PASS: TestAccWAFV2RuleGroup_xssMatchStatement (1680.39s)
--- PASS: TestAccWAFV2RuleGroup_changeMetricNameForceNew (1707.50s)
--- PASS: TestAccWAFV2RuleGroup_updateRuleProperties (1709.58s)
--- PASS: TestAccWAFV2RuleGroup_GeoMatchStatement_forwardedIP (1742.71s)
--- PASS: TestAccWAFV2RuleGroup_changeNameForceNew (1763.20s)
--- PASS: TestAccWAFV2RuleGroupDataSource_basic (1763.22s)
--- PASS: TestAccWAFV2RuleGroup_RuleAction_customRequestHandling (1763.30s)
--- PASS: TestAccWAFV2RuleGroup_geoMatchStatement (1867.83s)
--- PASS: TestAccWAFV2RuleGroup_updateRule (1912.48s)
--- PASS: TestAccWAFV2RuleGroup_basic (542.82s)
--- PASS: TestAccWAFV2RuleGroup_tags (1962.77s)
--- PASS: TestAccWAFV2RuleGroup_sqliMatchStatement (1963.73s)
--- PASS: TestAccWAFV2RuleGroup_RuleAction_customResponse (2017.13s)
--- PASS: TestAccWAFV2RuleGroup_byteMatchStatement (886.62s)
--- PASS: TestAccWAFV2RuleGroup_logicalRuleStatements (2068.75s)
--- PASS: TestAccWAFV2RuleGroup_ruleAction (2094.63s)
--- PASS: TestAccWAFV2RuleGroup_changeCapacityForceNew (2109.83s)
--- PASS: TestAccWAFV2RuleGroup_IPSetReferenceStatement_ipsetForwardedIP (804.92s)
--- PASS: TestAccWAFV2RuleGroup_ByteMatchStatement_fieldToMatch (1860.17s)

@anGie44 anGie44 merged commit f06b97f into hashicorp:main Nov 20, 2021
@github-actions

github-actions bot commented Dec 1, 2021

This functionality has been released in v3.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

github-actions bot commented Jun 7, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2022
Successfully merging this pull request may close these issues.

AWS WAF v2 custom response body [feature request]