Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Support for X-Forwarded-For header in aws_wafv2_web_acl rate_based_statement #14480

Closed
mkubenka opened this issue Aug 5, 2020 · 7 comments · Fixed by #14685
Closed

Support for X-Forwarded-For header in aws_wafv2_web_acl rate_based_statement #14480

mkubenka opened this issue Aug 5, 2020 · 7 comments · Fixed by #14685
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Milestone
v3.3.0

Comments

@mkubenka
Copy link

mkubenka commented Aug 5, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS WAF now supports inspecting the X-Forwarded-For (XFF), True-Client-IP, or other custom header that includes the originating IP address of a client connecting to your application through an HTTP proxy or a third-party CDN. With this feature, you can reference these headers to write rate-based rules, geographic match rules, or IP match rules, allowing you to take action on IPs that are found within these headers. Both IPv4 and IPv6 addresses are supported.

New or Affected Resource(s)

  • aws_wafv2_web_acl

Potential Terraform Configuration

resource "aws_wafv2_web_acl" "example" {
  name        = "rate-based-example"
  description = "Example of a rate based statement."
  scope       = "REGIONAL"

  default_action {
    block {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    action {
      count {}
    }

    statement {
      rate_based_statement {
        limit              = 10000
        aggregate_key_type = "FORWARDED_IP"

        forwarded_ip_config {
          header_name = "X-Forwarded-For"
          fallback_behavior = "MATCH"
        }

        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

References
@mkubenka mkubenka added the enhancement Requests to existing resources that expand the functionality or scope. label Aug 5, 2020
@ghost ghost added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Aug 5, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 5, 2020
@anGie44 anGie44 added dependencies Used to indicate dependency changes. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 6, 2020
@anGie44
Copy link
Contributor

anGie44 commented Aug 6, 2020
edited
Loading

Hi @mkubenka, thank you for submitting this issue! We'll first need to update our aws-sdk-go dependency to atleast v1.33.5 (aws/aws-sdk-go#3416) to support this forwarded_ip_config attribute w/in the rate_based_statement in addition to the new aggregate_key_type value as we're currently on v1.32.12. Luckily #14000 will include these API changes and will unblock development efforts to address this enhancement 😃

@cisnerosk
Copy link

@anGie44 thanks for looking at this request.. it's also a blocker for us in having a more robust WAFV2 w/ Terraform. Just for my clarification, will the update only support within the rate_base_statement/aggregate_key_type or will this also work for geo_match_statements & or_statements? I have a use case where I need to have a geo_match nested inside an or_based statement that relies on the X-Forwarded-For match. Please let me know if I should submit a new ticket or wait for updates on this one.

@anGie44 anGie44 changed the title Support for X-Forwarded-For header in aws_wafv2_web_acl Support for X-Forwarded-For header in aws_wafv2_web_acl rate_based_statement Aug 16, 2020
@anGie44
Copy link
Contributor

anGie44 commented Aug 16, 2020

Hi @cisnerosk, apologies for the delay! We can add the IPForwardedConfig to the geo match statement as well to align with the support now added in the AWS Go SDK. If you don't mind, could you create an issue for that specific statement type to keep track of it? It will affect both the webACL and rule group resources.

@anGie44 anGie44 mentioned this issue Aug 17, 2020
Merged
@anGie44 anGie44 removed the dependencies Used to indicate dependency changes. label Aug 17, 2020
@cisnerosk cisnerosk mentioned this issue Aug 18, 2020
Closed
@cisnerosk
Copy link

Hello @anGie44 thank you so much for the response! I've created this issue here: #14725 I hope it helps, and I'll keep track of that one.

Thank you!

@anGie44 anGie44 added this to the v3.3.0 milestone Aug 20, 2020
@anGie44
Copy link
Contributor

anGie44 commented Aug 20, 2020

This feature has been merged and will release with v3.3.0 of the Terraform AWS Provider, likely out later this evening (EST).

@ghost
Copy link

ghost commented Aug 20, 2020

This has been released in version 3.3.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@adamhathcock adamhathcock mentioned this issue Aug 27, 2020
Closed
@ghost
Copy link

ghost commented Sep 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 19, 2020
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Projects
None yet
Milestone
v3.3.0
3 participants
@mkubenka @anGie44 @cisnerosk