
Releases: cloudposse-terraform-components/aws-waf

v1.537.3

12 Aug 19:45
69bdb26
feat: add `scope_down_statement` for managed rules @RoseSecurity (#40)

what
  • Add a scope_down_not_statement_enabled to allow not_statements

  • AWS recommends bypassing bot control rules via the following method, which adds a not_statement to the scope_down_statement for managed rules. The current implementation does not allow for this, but this addition will allow the following:

{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet",
      "ManagedRuleGroupConfigs": [
        {
          "AWSManagedRulesBotControlRuleSet": {
            "InspectionLevel": "COMMON"
          }
        }
      ],
      "RuleActionOverrides": [],
      "ExcludedRules": []
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWS-AWSBotControl-Example"
    },
    "ScopeDownStatement": {
      "NotStatement": {
        "Statement": {
          "ByteMatchStatement": {
            "SearchString": "YSBzZWNyZXQ=",
            "FieldToMatch": {
              "SingleHeader": {
                "Name": "x-bypass-secret"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ],
            "PositionalConstraint": "EXACTLY"
          }
        }
      }
    }
  }
}

testing

  • Successfully ran the following:
atmos validate stacks
atmos terraform apply waf -s <stack>

Summary by CodeRabbit

  • New Features

    • Added optional scope-down configuration for managed rule group statements, including:
      • Ability to wrap scope-down logic in a NOT condition.
      • Byte match criteria (positional constraint, search string).
      • Target selection across headers, query, path, body, and method.
      • Support for text transformations with priority and type.
  • Documentation

    • Updated variable descriptions to cover the new scope-down options and configuration details.
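
To make the effect of that scope-down statement concrete (the same ScopeDownStatement JSON is repeated in the v1.9.0 module release notes further down), here is an added Python example, not code from the aws-waf component or the terraform-aws-waf module, that evaluates the NotStatement/ByteMatchStatement above against constructed sample requests and reports whether the Bot Control rule group would still inspect them. It goes slightly beyond the page's EXACTLY case by handling the other positional constraints and the LOWERCASE transformation; the request dicts are assumed inputs.

```python
import base64

# ScopeDownStatement copied from the release note above (WAF JSON carries
# SearchString base64-encoded; "YSBzZWNyZXQ=" decodes to b"a secret").
SCOPE_DOWN = {"NotStatement": {"Statement": {"ByteMatchStatement": {
    "SearchString": "YSBzZWNyZXQ=",
    "FieldToMatch": {"SingleHeader": {"Name": "x-bypass-secret"}},
    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
    "PositionalConstraint": "EXACTLY",
}}}}

def _field_bytes(field, request):
    """Return the inspected field as bytes, or None when it is absent."""
    if "SingleHeader" in field:  # header names are case-insensitive in HTTP
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        value = headers.get(field["SingleHeader"]["Name"].lower())
        return None if value is None else value.encode()
    raise NotImplementedError("only SingleHeader is modelled in this example")

def _byte_match(stmt, request):
    needle = base64.b64decode(stmt["SearchString"])
    hay = _field_bytes(stmt["FieldToMatch"], request)
    if hay is None:
        return False  # a missing header never satisfies a ByteMatchStatement
    for tt in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if tt["Type"] == "LOWERCASE":
            hay = hay.lower()
        elif tt["Type"] != "NONE":
            raise NotImplementedError(tt["Type"])
    return {
        "EXACTLY": hay == needle,
        "STARTS_WITH": hay.startswith(needle),
        "ENDS_WITH": hay.endswith(needle),
        "CONTAINS": needle in hay,
    }[stmt["PositionalConstraint"]]

def matches(statement, request):
    """Evaluate a (subset of a) WAF statement tree against a request dict."""
    if "NotStatement" in statement:
        return not matches(statement["NotStatement"]["Statement"], request)
    if "ByteMatchStatement" in statement:
        return _byte_match(statement["ByteMatchStatement"], request)
    raise NotImplementedError(next(iter(statement)))

def bot_control_inspects(request, scope_down=SCOPE_DOWN):
    """True when the managed rule group still inspects this request (constructed input)."""
    return matches(scope_down, request)
```

Only requests whose x-bypass-secret header equals the decoded search string byte-for-byte fall outside the rule group, so the header value works as a shared credential: keep it out of access logs and rotate it like one.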

🤖 Automatic Updates

Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#41)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

v1.537.2

08 Aug 01:42
c9dba09

🤖 Automatic Updates

Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#39)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

chore(deps): update terraform cloudposse/waf/aws to v1.9.0 @[renovate[bot]](https://github.com/apps/renovate) (#38)

This PR contains the following updates:

Package                      Type    Update  Change
cloudposse/waf/aws (source)  module  minor   1.8.1 -> 1.9.0

Release Notes

cloudposse/terraform-aws-waf (cloudposse/waf/aws)

v1.9.0


feat: add the ability to negate `scope_down_statements` in managed rules @RoseSecurity (#116)

what

Warning: The WAF rules are convoluted and complex, so this change just adds a simple toggle to allow negating scope_down_statements to work with AWS' recommendation for bypassing bot control rules. This change has been tested with existing infrastructure to ensure it's backward compatible.

  • Add a scope_down_not_statement_enabled to allow not_statements (NOTE: This name is not pretty, so I'm open to better names if you have any)

why

  • AWS recommends bypassing bot control rules via the following method, which adds a not_statement to the scope_down_statement for managed rules. The current implementation does not allow for this, but this addition will allow the following:
{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet",
      "ManagedRuleGroupConfigs": [
        {
          "AWSManagedRulesBotControlRuleSet": {
            "InspectionLevel": "COMMON"
          }
        }
      ],
      "RuleActionOverrides": [],
      "ExcludedRules": []
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWS-AWSBotControl-Example"
    },
    "ScopeDownStatement": {
      "NotStatement": {
        "Statement": {
          "ByteMatchStatement": {
            "SearchString": "YSBzZWNyZXQ=",
            "FieldToMatch": {
              "SingleHeader": {
                "Name": "x-bypass-secret"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ],
            "PositionalConstraint": "EXACTLY"
          }
        }
      }
    }
  }
}

testing

  • Successfully ran the following:
atmos validate stacks
atmos terraform apply waf -s <stack>

references



v1.537.1

05 Aug 14:22
d0757bf

🤖 Automatic Updates

Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#36)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

chore(deps): update terraform cloudposse/waf/aws to v1.8.1 @[renovate[bot]](https://github.com/apps/renovate) (#35)

This PR contains the following updates:

Package                      Type    Update  Change
cloudposse/waf/aws (source)  module  patch   1.8.0 -> 1.8.1

Release Notes

cloudposse/terraform-aws-waf (cloudposse/waf/aws)

v1.8.1


Add scope_down_statement to managed_rule_group_configs @bsipiak (#114)

what

Expanding managed_rule_group_statement by adding scope_down_statement with byte matching support

why

Adding missing configuration option

references

It's the same functionality that was introduced for rate_based_statement in this PR:
https://github.com/cloudposse/terraform-aws-waf/pull/87

closes #99

🤖 Automatic Updates

Fix go version in tests @osterman (#113)

what

  • Update go 1.24

why

  • Error loading shared library libresolv.so.2 in Go 1.20

References

Replace Makefile with atmos.yaml @osterman (#112)

what

  • Remove Makefile
  • Add atmos.yaml

why

  • Replace build-harness with atmos for readme generation

References

  • DEV-3229 Migrate from build-harness to atmos

Update terratest to '>= 0.46.0' @osterman (#83)

what

  • Update terratest >= 0.46.0

why

  • Support OpenTofu for testing

References

Migrate new test account @osterman (#97)

what

  • Update .github/settings.yml
  • Update .github/chatops.yml files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC

Update .github/settings.yml @osterman (#96)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub


chore(deps): update tflint plugin terraform-linters/tflint-ruleset-aws to v0.41.0 @[renovate[bot]](https://github.com/apps/renovate) (#34)

This PR contains the following updates:

Package                                Type    Update  Change
terraform-linters/tflint-ruleset-aws   plugin  minor   0.40.0 -> 0.41.0

Release Notes

terraform-linters/tflint-ruleset-aws (terraform-linters/tflint-ruleset-aws)

v0.41.0



v1.537.0

28 Jun 20:28
2564116
chore(deps): restrict aws provider version to < 6.0.0 @Benbentwo (#31) This pull request includes a version constraint update for the AWS provider in the Terraform configuration file `src/versions.tf`. The change ensures compatibility with versions up to but not including 6.0.0.
  • src/versions.tf: Updated the version constraint for the aws provider to >= 4.9.0, < 6.0.0 to ensure compatibility with future versions while avoiding potential breaking changes in version 6.0.0.

🤖 Automatic Updates

Enable merge queue @goruha (#30)

what

  • Added `auto-merge` workflow
  • Update `settings.yaml`
  • Fix CodeOwners files

why

  • Support auto merge PRs
  • Create merge queue
  • Implement new CodeOwners policy

Enable merge queue @goruha (#29)

what

  • Added `auto-merge` workflow
  • Update `settings.yaml`
  • Fix CodeOwners files

why

  • Support auto merge PRs
  • Create merge queue
  • Implement new CodeOwners policy

chore(deps): bump golang.org/x/crypto from 0.32.0 to 0.35.0 in /test @[dependabot[bot]](https://github.com/apps/dependabot) (#20)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.32.0 to 0.35.0.

Commits
  • 7292932 ssh: limit the size of the internal packet queue while waiting for KEX
  • f66f74b acme/autocert: check host policy before probing the cache
  • b0784b7 x509roots/fallback: drop obsolete build constraint
  • 911360c all: bump golang.org/x/crypto dependencies of asm generators
  • 89ff08d all: upgrade go directive to at least 1.23.0 [generated]
  • e47973b all: update certs for go1.24
  • 9290511 go.mod: update golang.org/x dependencies
  • fa5273e x509roots/fallback: update bundle
  • a8ea4be ssh: add ServerConfig.PreAuthConnCallback, ServerPreAuthConn (banner) interface
  • 71d3a4c acme: support challenges that require the ACME client to send a non-empty JSO...

chore(deps): update tflint plugin terraform-linters/tflint-ruleset-aws to v0.40.0 @[renovate[bot]](https://github.com/apps/renovate) (#4)

This PR contains the following updates:

Package                                Type    Update  Change
terraform-linters/tflint-ruleset-aws   plugin  minor   0.23.1 -> 0.40.0

Release Notes

terraform-linters/tflint-ruleset-aws (terraform-linters/tflint-ruleset-aws)

v0.40.0



v1.536.1

12 Mar 19:20
06264c0
Add tests @goruha (#16)

what

  • Add tests

Summary by CodeRabbit

  • New Features

    • Added comprehensive testing framework for AWS WAFv2 components.
    • Introduced Atmos CLI configuration for managing infrastructure components.
    • Created new Terraform configurations for VPC, DNS, ACM, ALB, and WAF.
    • Added new configurations for managing account mapping and DNS settings.
  • Configuration Updates

    • Updated remote state module versions.
    • Added new stack and vendor configurations for infrastructure management.
    • Introduced new configurations for WAF rules based on various criteria (by name, by tags, disabled).
  • Testing Improvements

    • Developed Go-based test suite for AWS security and networking components.
    • Added detailed test cases for WAF rules, IP restrictions, and security configurations.
  • Chores

    • Updated .gitignore to exclude specific test and state directories.
    • Removed obsolete test script.

🤖 Automatic Updates

Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#17)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

v1.536.0

22 Jan 22:03
fb9bb6a
fix: remove duplicate variable declarations @RoseSecurity (#14)

what
  • Runs pre-commit hooks on all files
  • Removes duplicate variable declarations for logging configurations

why

  • After vendoring the waf component, I was met with the following error when running a terraform plan

Error:

Initializing modules...

│ Error: Duplicate variable declaration

│   on variables.tf line 1151:
│ 1151: variable "log_destination_configs" {

│ A variable named "log_destination_configs" was already declared at variables.tf:112,1-35. Variable
│ names must be unique within a module.


│ Error: Duplicate variable declaration

│   on variables.tf line 1161:
│ 1161: variable "redacted_fields" {

│ A variable named "redacted_fields" was already declared at variables.tf:118,1-27. Variable names must
│ be unique within a module.


│ Error: Duplicate variable declaration

│   on variables.tf line 1188:
│ 1188: variable "logging_filter" {

│ A variable named "logging_filter" was already declared at variables.tf:145,1-26. Variable names must be
│ unique within a module.


│ Error: Duplicate variable declaration

│   on variables.tf line 1239:
│ 1239: variable "association_resource_arns" {

│ A variable named "association_resource_arns" was already declared at variables.tf:169,1-37. Variable
│ names must be unique within a module.


│ Error: Duplicate variable declaration

│   on variables.tf line 1253:
│ 1253: variable "association_resource_component_selectors" {

│ A variable named "association_resource_component_selectors" was already declared at
│ variables.tf:197,1-52. Variable names must be unique within a module.

Summary by CodeRabbit

  • Chores

    • Updated .github/renovate.json with a minor formatting change
    • Removed .gitkeep file from docs directory
  • Configuration

    • Removed several logging and resource association variables from Terraform configuration

v1.535.0

04 Jan 11:30
58441f9

Migrate component from cloudposse/terraform-aws-components

v1.534.0

04 Jan 11:15
58441f9

Migrate component from cloudposse/terraform-aws-components

v1.533.0

13 Dec 19:59
11e721b

Migrate component from cloudposse/terraform-aws-components

v1.532.0

27 Nov 12:09
f22006d

Migrate component from cloudposse/terraform-aws-components