Releases: cloudposse-terraform-components/aws-waf
v1.537.3
feat: add `scope_down_statement` for managed rules @RoseSecurity (#40)
## what
- Add a `scope_down_not_statement_enabled` to allow `not_statements`

## why
- AWS recommends bypassing bot control rules via the following method, which adds a `not_statement` to the `scope_down_statement` for managed rules. The current implementation does not allow for this, but this addition will allow the following:
```json
{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet",
      "ManagedRuleGroupConfigs": [
        {
          "AWSManagedRulesBotControlRuleSet": {
            "InspectionLevel": "COMMON"
          }
        }
      ],
      "RuleActionOverrides": [],
      "ExcludedRules": [],
      "ScopeDownStatement": {
        "NotStatement": {
          "Statement": {
            "ByteMatchStatement": {
              "SearchString": "YSBzZWNyZXQ=",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "x-bypass-secret"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 0,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "EXACTLY"
            }
          }
        }
      }
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSBotControl-Example"
  }
}
```
## testing
- Successfully ran the following:

```
atmos validate stacks
atmos terraform apply waf -s <stack>
```
Summary by CodeRabbit
- New Features
  - Added optional scope-down configuration for managed rule group statements, including:
    - Ability to wrap scope-down logic in a NOT condition.
    - Byte match criteria (positional constraint, search string).
    - Target selection across headers, query, path, body, and method.
    - Support for text transformations with priority and type.
- Documentation
  - Updated variable descriptions to cover the new scope-down options and configuration details.
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#41)
## what
This is an auto-generated PR that updates the README.md and docs
## why
To have most recent changes of README.md and doc from origin templates
v1.537.2
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#39)
## what
This is an auto-generated PR that updates the README.md and docs
## why
To have most recent changes of README.md and doc from origin templates
chore(deps): update terraform cloudposse/waf/aws to v1.9.0 @[renovate[bot]](https://github.com/apps/renovate) (#38)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/waf/aws (source) | module | minor | 1.8.1 -> 1.9.0 |
Release Notes
cloudposse/terraform-aws-waf (cloudposse/waf/aws)
v1.9.0
feat: add the ability to negate `scope_down_statements` in managed rules @RoseSecurity (#116)
what
> [!WARNING]
> The WAF rules are convoluted and complex, so this change just adds a simple toggle to allow negating `scope_down_statements` to work with AWS' recommendation for bypassing bot control rules. This change has been tested with existing infrastructure to ensure it's backward compatible.

- Add a `scope_down_not_statement_enabled` to allow `not_statements` (NOTE: This name is not pretty, so I'm open to better names if you have any)

why
- AWS recommends bypassing bot control rules via the following method, which adds a `not_statement` to the `scope_down_statement` for managed rules. The current implementation does not allow for this, but this addition will allow the following:
```json
{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet",
      "ManagedRuleGroupConfigs": [
        {
          "AWSManagedRulesBotControlRuleSet": {
            "InspectionLevel": "COMMON"
          }
        }
      ],
      "RuleActionOverrides": [],
      "ExcludedRules": [],
      "ScopeDownStatement": {
        "NotStatement": {
          "Statement": {
            "ByteMatchStatement": {
              "SearchString": "YSBzZWNyZXQ=",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "x-bypass-secret"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 0,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "EXACTLY"
            }
          }
        }
      }
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSBotControl-Example"
  }
}
```
testing
- Successfully ran the following:

```
atmos validate stacks
atmos terraform apply waf -s <stack>
```
references
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
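Added example, not code from the cloudposse module or from the PRs above: a small Python audit that walks a WAF rule in the API JSON shape used in the #40 and #116 descriptions, finds negated header matches inside a managed rule group's `ScopeDownStatement` (the bot-control exemption pattern those PRs enable), and reports settings a reviewer would question. The sample rule, the `MIN_SECRET_BYTES` threshold and the finding format are constructed assumptions.

```python
import base64

# Constructed sample: the bot-control rule from the PR description, with ScopeDownStatement
# placed where the WAFv2 API expects it (inside ManagedRuleGroupStatement). Not module code.
SAMPLE_RULE = {
    "Name": "AWS-AWSBotControl-Example",
    "Priority": 5,
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesBotControlRuleSet",
        "ScopeDownStatement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "SearchString": "YSBzZWNyZXQ=",  # API JSON carries the blob base64-encoded
            "FieldToMatch": {"SingleHeader": {"Name": "x-bypass-secret"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "EXACTLY",
        }}}},
    }},
}

MIN_SECRET_BYTES = 16  # assumed review threshold, not an AWS requirement


def _byte_matches(stmt, negated=False):
    """Yield (negated, ByteMatchStatement) for every byte match nested under stmt."""
    if "ByteMatchStatement" in stmt:
        yield negated, stmt["ByteMatchStatement"]
    if "NotStatement" in stmt:
        yield from _byte_matches(stmt["NotStatement"]["Statement"], not negated)
    for key in ("AndStatement", "OrStatement"):
        for child in stmt.get(key, {}).get("Statements", []):
            yield from _byte_matches(child, negated)


def audit_rule(rule):
    """Report negated header matches that exempt requests from a managed rule group."""
    findings = []
    mrg = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
    if not mrg or "ScopeDownStatement" not in mrg:
        return findings
    for negated, bm in _byte_matches(mrg["ScopeDownStatement"]):
        header = bm.get("FieldToMatch", {}).get("SingleHeader", {}).get("Name")
        if not negated or header is None:
            continue  # only a negated header match carves traffic out of the rule group
        secret = base64.b64decode(bm["SearchString"])
        issues = []
        if len(secret) < MIN_SECRET_BYTES:
            issues.append(f"secret is {len(secret)} bytes (< {MIN_SECRET_BYTES})")
        if bm.get("PositionalConstraint") != "EXACTLY":
            issues.append("positional constraint is not EXACTLY")
        if any(t.get("Type") != "NONE" for t in bm.get("TextTransformations", [])):
            issues.append("text transformation applied before comparison")
        findings.append({"rule": rule["Name"], "group": mrg["Name"],
                         "header": header, "issues": issues})
    return findings
```

To audit a deployed ACL, feed each entry of `WebACL.Rules` from `aws wafv2 get-web-acl` output to `audit_rule`.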
v1.537.1
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#36)
## what
This is an auto-generated PR that updates the README.md and docs
## why
To have most recent changes of README.md and doc from origin templates
chore(deps): update terraform cloudposse/waf/aws to v1.8.1 @[renovate[bot]](https://github.com/apps/renovate) (#35)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/waf/aws (source) | module | patch | 1.8.0 -> 1.8.1 |
Release Notes
cloudposse/terraform-aws-waf (cloudposse/waf/aws)
v1.8.1
Add scope_down_statement to managed_rule_group_configs @bsipiak (#114)
what
Expanding `managed_rule_group_statement` by adding `scope_down_statement` with byte matching support
why
Adding missing configuration option
references
It's the same functionality that was introduced for `rate_based_statement` in this PR: https://github.com/cloudposse/terraform-aws-waf/pull/87
closes #99
🤖 Automatic Updates
Fix go version in tests @osterman (#113)
what
- Update go `1.24`
why
- Error loading shared library libresolv.so.2 in Go 1.20
References
Replace Makefile with atmos.yaml @osterman (#112)
what
- Remove `Makefile`
- Add `atmos.yaml`
why
- Replace `build-harness` with `atmos` for readme generation
References
- DEV-3229 Migrate from build-harness to atmos
Update terratest to '>= 0.46.0' @osterman (#83)
what
- Update terratest `>= 0.46.0`
why
- Support OpenTofu for testing
References
- https://github.com/gruntwork-io/terratest/releases/tag/v0.46.0
- DEV-374 Add opentofu to all our Terragrunt Testing GHA matrix
Migrate new test account @osterman (#97)
what
- Update `.github/settings.yml`
- Update `.github/chatops.yml` files
why
- Re-apply `.github/settings.yml` from org level to get `terratest` environment
- Migrate to new `test` account
References
- DEV-388 Automate clean up of test account in new organization
- DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
- DEV-386 Update terratest to use new testing account with GitHub OIDC
Update .github/settings.yml @osterman (#96)
what
- Update `.github/settings.yml`
- Drop `.github/auto-release.yml` files
why
- Re-apply `.github/settings.yml` from org level
- Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
chore(deps): update tflint plugin terraform-linters/tflint-ruleset-aws to v0.41.0 @[renovate[bot]](https://github.com/apps/renovate) (#34)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| terraform-linters/tflint-ruleset-aws | plugin | minor | 0.40.0 -> 0.41.0 |
Release Notes
terraform-linters/tflint-ruleset-aws (terraform-linters/tflint-ruleset-aws)
v0.41.0
What's Changed
Breaking Changes
- fix: update mappings for AWS Provider v6 compatibility by @bendrucker in https://github.com/terraform-linters/tflint-ruleset-aws/pull/902
Enhancements
- Update AWS provider/module and generated content by @github-actions[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/888
- Update AWS provider/module and generated content by @github-actions[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/919
Chores
- Bump the aws-sdk group with 2 updates by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/887
- Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.222.0 to 1.224.0 in the aws-sdk group by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/889
- Bump golang.org/x/net from 0.40.0 to 0.41.0 by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/891
- Bump the aws-sdk group with 6 updates by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/892
- Bump github.com/hashicorp/aws-sdk-go-base/v2 from 2.0.0-beta.64 to 2.0.0-beta.65 by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/890
- Bump actions/attest-build-provenance from 2.3.0 to 2.4.0 by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/894
- Bump the aws-sdk group with 7 updates by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/895
- Bump sigstore/cosign-installer from 3.8.2 to 3.9.0 by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/896
- Bump the aws-sdk group with 7 updates by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/897
- Bump the aws-sdk group with 4 updates by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/905
- Bump sigstore/cosign-installer from 3.9.0 to 3.9.1 by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/906
- Clarify README by @excavator-matt in https://github.com/terraform-linters/tflint-ruleset-aws/pull/907
- Bump the aws-sdk group with 3 updates by @dependabot[bot] in https://github.com/terraform-linters/tflint-ruleset-aws/pull/908
- Bump golang.org/x/net from 0.41.0 to 0.42.0 by @dependabot[bot] in [https://github.com/terraform-linters/tflint-ruleset-aws/pull/909](https://redirect.github.com/terraform-linters/...
v1.537.0
chore(deps): restrict aws provider version to < 6.0.0 @Benbentwo (#31)
This pull request includes a version constraint update for the AWS provider in the Terraform configuration file `src/versions.tf`. The change ensures compatibility with versions up to but not including 6.0.0.
- `src/versions.tf`: Updated the version constraint for the `aws` provider to `>= 4.9.0, < 6.0.0` to ensure compatibility with future versions while avoiding potential breaking changes in version 6.0.0.
🤖 Automatic Updates
Enable merge queue @goruha (#30)
## what
- Added `auto-merge` workflow
- Update `settings.yaml`
- Fix CodeOwners files
## why
- Support auto merge PRs
- Create merge queue
- Implement new CodeOwners policy
Enable merge queue @goruha (#29)
## what
- Added `auto-merge` workflow
- Update `settings.yaml`
- Fix CodeOwners files
## why
- Support auto merge PRs
- Create merge queue
- Implement new CodeOwners policy
chore(deps): bump golang.org/x/crypto from 0.32.0 to 0.35.0 in /test @[dependabot[bot]](https://github.com/apps/dependabot) (#20)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.32.0 to 0.35.0.

Commits
- 7292932 ssh: limit the size of the internal packet queue while waiting for KEX
- f66f74b acme/autocert: check host policy before probing the cache
- b0784b7 x509roots/fallback: drop obsolete build constraint
- 911360c all: bump golang.org/x/crypto dependencies of asm generators
- 89ff08d all: upgrade go directive to at least 1.23.0 [generated]
- e47973b all: update certs for go1.24
- 9290511 go.mod: update golang.org/x dependencies
- fa5273e x509roots/fallback: update bundle
- a8ea4be ssh: add ServerConfig.PreAuthConnCallback, ServerPreAuthConn (banner) interface
- 71d3a4c acme: support challenges that require the ACME client to send a non-empty JSO...
- See full diff in compare view
Note: Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
chore(deps): update tflint plugin terraform-linters/tflint-ruleset-aws to v0.40.0 @[renovate[bot]](https://github.com/apps/renovate) (#4)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| terraform-linters/tflint-ruleset-aws | plugin | minor | 0.23.1 -> 0.40.0 |
Release Notes
terraform-linters/tflint-ruleset-aws (terraform-linters/tflint-ruleset-aws)
v0.40.0
What's Changed
Enhancements
- feat: warn against data sources with ephemeral alternatives by @aristosvo in https://github.com/terraform-linters/tflint-ruleset-aws/pull/861
- rules: Update Lambda deprecated runtimes by @wata727 in https://github.com/terraform-linters/tflint-ruleset-aws/pull/886
- Update AWS provider/module and generated content by @github-actions in https://github.com/terraform-linters/tflint-ruleset-aws/pull/870
Chores
- Bump sigstore/cosign-installer from 3.8.1 to 3.8.2 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/872
- Bump the aws-sdk group with 3 updates by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/873
- Bump actions/attest-build-provenance from 2.2.3 to 2.3.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/874
- Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.212.0 to 1.213.0 in the aws-sdk group by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/875
- docs: Rename aws_write_only_attributes.md -> aws_write_only_arguments.md by @wata727 in https://github.com/terraform-linters/tflint-ruleset-aws/pull/876
- Bump actions/setup-go from 5.4.0 to 5.5.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/877
- Bump golang.org/x/net from 0.39.0 to 0.40.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/879
- Bump the aws-sdk group with 2 updates by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/878
- Bump github.com/zclconf/go-cty from 1.16.2 to 1.16.3 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/883
- Bump the aws-sdk group with 3 updates by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/882
- Bump github.com/hashicorp/terraform-json from 0.24.0 to 0.25.0 by @dependabot in https://github.com/terraform-linters/tflint-ruleset-aws/pull/884
Full Changelog: ...
v1.536.1
Add tests @goruha (#16)
## what
* Add tests

Summary by CodeRabbit
- New Features
  - Added comprehensive testing framework for AWS WAFv2 components.
  - Introduced Atmos CLI configuration for managing infrastructure components.
  - Created new Terraform configurations for VPC, DNS, ACM, ALB, and WAF.
  - Added new configurations for managing account mapping and DNS settings.
- Configuration Updates
  - Updated remote state module versions.
  - Added new stack and vendor configurations for infrastructure management.
  - Introduced new configurations for WAF rules based on various criteria (by name, by tags, disabled).
- Testing Improvements
  - Developed Go-based test suite for AWS security and networking components.
  - Added detailed test cases for WAF rules, IP restrictions, and security configurations.
- Chores
  - Updated `.gitignore` to exclude specific test and state directories.
  - Removed obsolete test script.
  - Updated
🤖 Automatic Updates
Update README.md and docs @[cloudposse-releaser[bot]](https://github.com/apps/cloudposse-releaser) (#17)
## what
This is an auto-generated PR that updates the README.md and docs
## why
To have most recent changes of README.md and doc from origin templates
v1.536.0
fix: remove duplicate variable declarations @RoseSecurity (#14)
## what
- Runs pre-commit hooks on all files
- Removes duplicate variable declarations for logging configurations
## why
- After vendoring the `waf` component, I was met with the following error when running a `terraform plan`:

```text
Initializing modules...
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1151:
│ 1151: variable "log_destination_configs" {
│
│ A variable named "log_destination_configs" was already declared at variables.tf:112,1-35. Variable
│ names must be unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1161:
│ 1161: variable "redacted_fields" {
│
│ A variable named "redacted_fields" was already declared at variables.tf:118,1-27. Variable names must
│ be unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1188:
│ 1188: variable "logging_filter" {
│
│ A variable named "logging_filter" was already declared at variables.tf:145,1-26. Variable names must be
│ unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1239:
│ 1239: variable "association_resource_arns" {
│
│ A variable named "association_resource_arns" was already declared at variables.tf:169,1-37. Variable
│ names must be unique within a module.
╵
╷
│ Error: Duplicate variable declaration
│
│ on variables.tf line 1253:
│ 1253: variable "association_resource_component_selectors" {
│
│ A variable named "association_resource_component_selectors" was already declared at
│ variables.tf:197,1-52. Variable names must be unique within a module.
```
Summary by CodeRabbit
- Chores
  - Updated `.github/renovate.json` with a minor formatting change
  - Removed `.gitkeep` file from `docs` directory
  - Updated
- Configuration
  - Removed several logging and resource association variables from Terraform configuration