Releases: cloudposse-terraform-components/aws-waf
Releases · cloudposse-terraform-components/aws-waf
v1.537.3
feat: add `scope_down_statement` for managed rules @RoseSecurity (#40)
## what-
Add a
scope_down_not_statement_enabledto allownot_statements -
AWS recommends bypassing bot control rules via the following method, which adds a
not_statementto thescope_down_statementfor managed rules. The current implementation does not allow for this, but this addition will allow the following:
{
"Name": "AWS-AWSBotControl-Example",
"Priority": 5,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesBotControlRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesBotControlRuleSet": {
"InspectionLevel": "COMMON"
}
}
],
"RuleActionOverrides": [],
"ExcludedRules": []
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSBotControl-Example"
},
"ScopeDownStatement": {
"NotStatement": {
"Statement": {
"ByteMatchStatement": {
"SearchString": "YSBzZWNyZXQ=",
"FieldToMatch": {
"SingleHeader": {
"Name": "x-bypass-secret"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
}
}
}
}
}testing
- Successfully ran the following:
atmos validate stacks
atmos terraform apply waf -s <stack>Summary by CodeRabbit
-
New Features
- Added optional scope-down configuration for managed rule group statements, including:
- Ability to wrap scope-down logic in a NOT condition.
- Byte match criteria (positional constraint, search string).
- Target selection across headers, query, path, body, and method.
- Support for text transformations with priority and type.
- Added optional scope-down configuration for managed rule group statements, including:
-
Documentation
- Updated variable descriptions to cover the new scope-down options and configuration details.
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#41)
## what This is an auto-generated PR that updates the README.md and docswhy
To have most recent changes of README.md and doc from origin templates
Contributors
RoseSecurity
Assets 2
v1.537.2
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#39)
## what This is an auto-generated PR that updates the README.md and docswhy
To have most recent changes of README.md and doc from origin templates
chore(deps): update terraform cloudposse/waf/aws to v1.9.0 @[renovate[bot]](https://github.com/apps/renovate) (#38)
This PR contains the following updates:| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/waf/aws (source) | module | minor | 1.8.1 -> 1.9.0 |
Release Notes
cloudposse/terraform-aws-waf (cloudposse/waf/aws)
v1.9.0
feat: add the ability to negate `scope_down_statements` in managed rules @RoseSecurity (#116)
what
[!WARNING]
The WAF rules are convoluted and complex, so this change just adds a simple toggle to allow negatingscope_down_statementsto work with AWS' recommendation for bypassing bot control rules. This change has been testing with existing infrastructure to ensure it's backward compatible
- Add a
scope_down_not_statement_enabledto allownot_statements(NOTE: This name is not pretty, so I'm open to better names if you have any)
why
- AWS recommends bypassing bot control rules via the following method, which adds a
not_statementto thescope_down_statementfor managed rules. The current implementation does not allow for this, but this addition will allow the following:
{
"Name": "AWS-AWSBotControl-Example",
"Priority": 5,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesBotControlRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesBotControlRuleSet": {
"InspectionLevel": "COMMON"
}
}
],
"RuleActionOverrides": [],
"ExcludedRules": []
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSBotControl-Example"
},
"ScopeDownStatement": {
"NotStatement": {
"Statement": {
"ByteMatchStatement": {
"SearchString": "YSBzZWNyZXQ=",
"FieldToMatch": {
"SingleHeader": {
"Name": "x-bypass-secret"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
}
}
}
}
}testing
- Successfully ran the following:
atmos validate stacks
atmos terraform apply waf -s <stack>references
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
v1.537.1
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#36)
## what This is an auto-generated PR that updates the README.md and docswhy
To have most recent changes of README.md and doc from origin templates
chore(deps): update terraform cloudposse/waf/aws to v1.8.1 @[renovate[bot]](https://github.com/apps/renovate) (#35)
This PR contains the following updates:| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/waf/aws (source) | module | patch | 1.8.0 -> 1.8.1 |
Release Notes
cloudposse/terraform-aws-waf (cloudposse/waf/aws)
v1.8.1
Add scope_down_statement to managed_rule_group_configs @bsipiak (#114)
what
Expanding managed_rule_group_statement by adding scope_down_statement with byte matching support
why
Adding missing configuration option
references
It's the same functionality that was introduced for rate_based_statement in this PR:
https://github.com/cloudposse/terraform-aws-waf/pull/87
closes #99
🤖 Automatic Updates
Fix go version in tests @osterman (#113)
what
- Update go
1.24
why
- Error loading shared library libresolv.so.2 in Go 1.20
References
Replace Makefile with atmos.yaml @osterman (#112)
what
- Remove
Makefile - Add
atmos.yaml
why
- Replace
build-harnesswithatmosfor readme genration
References
- DEV-3229 Migrate from build-harness to atmos
Update terratest to '>= 0.46.0' @osterman (#83)
what
- Update terratest
>= 0.46.0
why
- Support OpenTofu for testing
References
- https://github.com/gruntwork-io/terratest/releases/tag/v0.46.0
- DEV-374 Add opentofu to all our Terragrunt Testing GHA matrix
Migrate new test account @osterman (#97)
what
- Update
.github/settings.yml - Update
.github/chatops.ymlfiles
why
- Re-apply
.github/settings.ymlfrom org level to getterratestenvironment - Migrate to new
testaccount
References
- DEV-388 Automate clean up of test account in new organization
- DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
- DEV-386 Update terratest to use new testing account with GitHub OIDC
Update .github/settings.yml @osterman (#96)
what
- Update
.github/settings.yml - Drop
.github/auto-release.ymlfiles
why
- Re-apply
.github/settings.ymlfrom org level - Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
chore(deps): update tflint plugin terraform-linters/tflint-ruleset-aws to v0.41.0 @[renovate[bot]](https://github.com/apps/renovate) (#34)
This PR contains the following updates:| Package | Type | Update | Change |
|---|---|---|---|
| terraform-linters/tflint-ruleset-aws | plugin | minor | 0.40.0 -> 0.41.0 |
Release Notes
terraform-linters/tflint-ruleset-aws (terraform-linters/tflint-ruleset-aws)
v0.41.0
What's Changed
Breaking Changes
- fix: update mappings for AWS Provider v6 compatibility by @bendrucker in https://github.com/terraform-linters/tflint-ruleset-aws/pull/902
Enhancements
- Update AWS provider/module and generated content by @github-actions[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8888
- Update AWS provider/module and generated content by @github-actions[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/9199
Chores
- Bump the aws-sdk group with 2 updates by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8877
- Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.222.0 to 1.224.0 in the aws-sdk group by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8899
- Bump golang.org/x/net from 0.40.0 to 0.41.0 by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8911
- Bump the aws-sdk group with 6 updates by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8922
- Bump github.com/hashicorp/aws-sdk-go-base/v2 from 2.0.0-beta.64 to 2.0.0-beta.65 by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8900
- Bump actions/attest-build-provenance from 2.3.0 to 2.4.0 by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8944
- Bump the aws-sdk group with 7 updates by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8955
- Bump sigstore/cosign-installer from 3.8.2 to 3.9.0 by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8966
- Bump the aws-sdk group with 7 updates by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/8977
- Bump the aws-sdk group with 4 updates by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/9055
- Bump sigstore/cosign-installer from 3.9.0 to 3.9.1 by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/9066
- Clarify README by @excavator-matt in https://github.com/terraform-linters/tflint-ruleset-aws/pull/907
- Bump the aws-sdk group with 3 updates by @dependabot[bot] inhttps://github.com/terraform-linters/tflint-ruleset-aws/pull/9088
- Bump golang.org/x/net from 0.41.0 to 0.42.0 by @dependabot[bot] in[https://github.com/terraform-linters/tflint-ruleset-aws/pull/909](https://redirect.github.com/terraform-linters/...
v1.537.0
chore(deps): restrict aws provider version to < 6.0.0 @Benbentwo (#31)
This pull request includes a version constraint update for the AWS provider in the Terraform configuration file `src/versions.tf`. The change ensures compatibility with versions up to but not including 6.0.0.src/versions.tf: Updated the version constraint for theawsprovider to>= 4.9.0, < 6.0.0to ensure compatibility with future versions while avoiding potential breaking changes in version 6.0.0.
🤖 Automatic Updates
Enable merge queue @goruha (#30)
## what - Added `auto-merge` workflow - Update `settings.yaml` - Fix CodeOwners fileswhy
- Support auto merge PRs
- Create merge queue
- Implement new CodeOwners policy
Enable merge queue @goruha (#29)
## what - Added `auto-merge` workflow - Update `settings.yaml` - Fix CodeOwners fileswhy
- Support auto merge PRs
- Create merge queue
- Implement new CodeOwners policy
chore(deps): bump golang.org/x/crypto from 0.32.0 to 0.35.0 in /test @[dependabot[bot]](https://github.com/apps/dependabot) (#20)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.32.0 to 0.35.0.Commits
7292932ssh: limit the size of the internal packet queue while waiting for KEXf66f74bacme/autocert: check host policy before probing the cacheb0784b7x509roots/fallback: drop obsolete build constraint911360call: bump golang.org/x/crypto dependencies of asm generators89ff08dall: upgrade go directive to at least 1.23.0 [generated]e47973ball: update certs for go1.249290511go.mod: update golang.org/x dependenciesfa5273ex509roots/fallback: update bundlea8ea4bessh: add ServerConfig.PreAuthConnCallback, ServerPreAuthConn (banner) interface71d3a4cacme: support challenges that require the ACME client to send a non-empty JSO...- See full diff in compare view
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
chore(deps): update tflint plugin terraform-linters/tflint-ruleset-aws to v0.40.0 @[renovate[bot]](https://github.com/apps/renovate) (#4)
This PR contains the following updates:| Package | Type | Update | Change |
|---|---|---|---|
| terraform-linters/tflint-ruleset-aws | plugin | minor | 0.23.1 -> 0.40.0 |
Release Notes
terraform-linters/tflint-ruleset-aws (terraform-linters/tflint-ruleset-aws)
v0.40.0
What's Changed
Enhancements
- feat: warn against data sources with ephemeral alternatives by @aristosvo in https://github.com/terraform-linters/tflint-ruleset-aws/pull/861
- rules: Update Lambda deprecated runtimes by @wata727 in https://github.com/terraform-linters/tflint-ruleset-aws/pull/886
- Update AWS provider/module and generated content by @github-actions in https://github.com/terraform-linters/tflint-ruleset-aws/pull/870
Chores
- Bump sigstore/cosign-installer from 3.8.1 to 3.8.2 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/872
- Bump the aws-sdk group with 3 updates by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/873
- Bump actions/attest-build-provenance from 2.2.3 to 2.3.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/874
- Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.212.0 to 1.213.0 in the aws-sdk group by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/875
- docs: Rename aws_write_only_attributes.md -> aws_write_only_arguments.md by @wata727 in https://github.com/terraform-linters/tflint-ruleset-aws/pull/876
- Bump actions/setup-go from 5.4.0 to 5.5.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/877
- Bump golang.org/x/net from 0.39.0 to 0.40.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/879
- Bump the aws-sdk group with 2 updates by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/878
- Bump github.com/zclconf/go-cty from 1.16.2 to 1.16.3 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/883
- Bump the aws-sdk group with 3 updates by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/882
- Bump github.com/hashicorp/terraform-json from 0.24.0 to 0.25.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/884
Full Changelog: ...
Contributors
goruha and Benbentwo
Assets 2
v1.536.1
Add tests @goruha (#16)
## what * Add testsSummary by CodeRabbit
-
New Features
- Added comprehensive testing framework for AWS WAFv2 components.
- Introduced Atmos CLI configuration for managing infrastructure components.
- Created new Terraform configurations for VPC, DNS, ACM, ALB, and WAF.
- Added new configurations for managing account mapping and DNS settings.
-
Configuration Updates
- Updated remote state module versions.
- Added new stack and vendor configurations for infrastructure management.
- Introduced new configurations for WAF rules based on various criteria (by name, by tags, disabled).
-
Testing Improvements
- Developed Go-based test suite for AWS security and networking components.
- Added detailed test cases for WAF rules, IP restrictions, and security configurations.
-
Chores
- Updated
.gitignoreto exclude specific test and state directories. - Removed obsolete test script.
- Updated
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#17)
## what This is an auto-generated PR that updates the README.md and docswhy
To have most recent changes of README.md and doc from origin templates
Contributors
goruha
Assets 2
v1.536.0
fix: remove duplicate variable declarations @RoseSecurity (#14)
## what- Runs pre-commit hooks on all files
- Removes duplicate variable declarations for logging configurations
why
- After vendoring the
wafcomponent, I was met with the following error when running aterraform plan
Error:
Initializing modules...
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1151:
│ 1151: variable "log_destination_configs" {
│
│ A variable named "log_destination_configs" was already declared at variables.tf:112,1-35. Variable
│ names must be unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1161:
│ 1161: variable "redacted_fields" {
│
│ A variable named "redacted_fields" was already declared at variables.tf:118,1-27. Variable names must
│ be unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1188:
│ 1188: variable "logging_filter" {
│
│ A variable named "logging_filter" was already declared at variables.tf:145,1-26. Variable names must be
│ unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1239:
│ 1239: variable "association_resource_arns" {
│
│ A variable named "association_resource_arns" was already declared at variables.tf:169,1-37. Variable
│ names must be unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1253:
│ 1253: variable "association_resource_component_selectors" {
│
│ A variable named "association_resource_component_selectors" was already declared at
│ variables.tf:197,1-52. Variable names must be unique within a module.Summary by CodeRabbit
-
Chores
- Updated
.github/renovate.jsonwith a minor formatting change - Removed
.gitkeepfile fromdocsdirectory
- Updated
-
Configuration
- Removed several logging and resource association variables from Terraform configuration
Contributors
RoseSecurity
