Add waf rule to inspect for header values

thoughtbot · Apr 3, 2024 · 1f17f91 · 1f17f91
1 parent 295df88
commit 1f17f91
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 7 deletions.
diff --git a/aws/waf/jang/main.tf b/aws/waf/jang/main.tf
@@ -0,0 +1,23 @@
+variable "header_match_rules" {
+  description = "Rule statement to inspect and match the header for an incoming request."
+  type = map(object({
+    name                = string                     # Name of the header match rule group
+    priority            = number                     # Relative processing order for header match rule relative to other rules processed by AWS WAF.
+    header_name         = string                     # This is the name of the header to inspect for all incoming requests.
+    header_value        = string                     # This is the value to look out for a matching header name for all incoming requests
+    count_override      = optional(bool, true)       # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
+    country_list        = optional(list(string), []) # List of countries to apply the header match to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+    exempt_country_list = optional(list(string), []) # List of countries to exempt from the header match rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+  }))
+
+  #   default = {
+  #     "default-header-rule" = {
+
+  #     }
+  #   }
+  default = null
+}
+
+output "name" {
+  value = var.header_match_rules
+}
diff --git a/aws/waf/variables.tf b/aws/waf/variables.tf
@@ -46,14 +46,16 @@ variable "rate_limit_rules" {
 variable "header_match_rules" {
   description = "Rule statement to inspect and match the header for an incoming request."
   type = map(object({
-    name                = optional(string, "default-header-rule") # Name of the header match rule group
-    priority            = optional(number, 99)                    # Relative processing order for header match rule relative to other rules processed by AWS WAF.
-    header_name         = optional(string, "null")                # This is the name of the header to inspect for all incoming requests.
-    header_value        = optional(string, "null")                # This is the value to look out for a matching header name for all incoming requests
-    count_override      = optional(bool, true)                    # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
-    country_list        = optional(list(string), [])              # List of countries to apply the header match to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
-    exempt_country_list = optional(list(string), [])              # List of countries to exempt from the header match rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+    name                = string                     # Name of the header match rule group
+    priority            = number                     # Relative processing order for header match rule relative to other rules processed by AWS WAF.
+    header_name         = string                     # This is the name of the header to inspect for all incoming requests.
+    header_value        = string                     # This is the value to look out for a matching header name for all incoming requests
+    count_override      = optional(bool, true)       # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
+    country_list        = optional(list(string), []) # List of countries to apply the header match to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+    exempt_country_list = optional(list(string), []) # List of countries to exempt from the header match rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
   }))
+
+  default = null
 }
 
 variable "allowed_ip_list" {