evaluation_window_sec isn't defined? #6

Open
aufkm opened this issue Jun 7, 2024 · 0 comments

aufkm commented Jun 7, 2024

Description
It appears that the evaluation_window_sec argument in the rate_based_statement block of the AWS WAFv2 module is not functioning as expected. Despite multiple attempts to set and update this argument, Terraform does not seem to recognize or apply the changes.

Steps to Reproduce
1. Initially set the evaluation_window_sec argument in the rate_based_statement block before deploying the infrastructure.
2. Deploy the infrastructure using Terraform.
3. Observe that the evaluation_window_sec argument does not take effect.
4. Attempt to update the evaluation_window_sec argument post-deployment.
5. Apply the changes using Terraform.
6. Notice that Terraform does not respond to the changes made to the evaluation_window_sec argument.
Relevant Code Snippet

```hcl
module "waf" {
  source         = "github.com/aws-ss/terraform-aws-wafv2"
  resource_arn   = [aws_lb.test_alb.arn]
  name           = "custom_rate_based_waf"
  scope          = "REGIONAL"
  default_action = "allow"

  rule = [
    {
      name            = "AWSManagedRulesAdminProtectionRuleSet"
      priority        = 1
      override_action = "none"
      managed_rule_group_statement = {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
      visibility_config = {
        cloudwatch_metrics_enabled = true
        metric_name                = "AWSManagedRulesAdminProtectionRuleSet"
        sampled_requests_enabled   = true
      }
    },
    {
      name     = "uri_regex_host_full"
      priority = 10
      action   = "block"
      rate_based_statement = {
        limit                 = 150
        aggregate_key_type    = "IP"
        evaluation_window_sec = 60
        scope_down_statement = {
          and_statement = {
            statements = [
              {
                regex_pattern_set_reference_statement = {
                  field_to_match = {
                    uri_path = {}
                  }
                  arn = aws_wafv2_regex_pattern_set.uri_regex.arn
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              },
              {
                byte_match_statement = {
                  field_to_match = {
                    single_header = {
                      name = "host"
                    }
                  }
                  positional_constraint = "CONTAINS"
                  search_string         = "quicklizard.com"
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              }
            ]
          }
        }
      }
      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "cloudwatch_metric_name"
        sampled_requests_enabled   = false
      }
    },
    {
      name     = "uri_full_host_full"
      priority = 13
      action   = "block"
      rate_based_statement = {
        limit                 = 150
        aggregate_key_type    = "IP"
        evaluation_window_sec = 60
        scope_down_statement = {
          and_statement = {
            statements = [
              {
                byte_match_statement = {
                  field_to_match = {
                    uri_path = {}
                  }
                  positional_constraint = "CONTAINS"
                  search_string         = "/home/"
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              },
              {
                byte_match_statement = {
                  field_to_match = {
                    single_header = {
                      name = "host"
                    }
                  }
                  positional_constraint = "CONTAINS"
                  search_string         = "quicklizard.com"
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              }
            ]
          }
        }
      }
      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "cloudwatch_metric_name"
        sampled_requests_enabled   = false
      }
    },
    {
      name     = "uri_full_host_regex"
      priority = 14
      action   = "block"
      rate_based_statement = {
        limit                 = 150
        aggregate_key_type    = "IP"
        evaluation_window_sec = 60
        scope_down_statement = {
          and_statement = {
            statements = [
              {
                regex_pattern_set_reference_statement = {
                  arn = aws_wafv2_regex_pattern_set.host_regex.arn
                  field_to_match = {
                    single_header = {
                      name = "host"
                    }
                  }
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              },
              {
                byte_match_statement = {
                  field_to_match = {
                    uri_path = {}
                  }
                  positional_constraint = "CONTAINS"
                  search_string         = "/home/"
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              }
            ]
          }
        }
      }
      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "cloudwatch_metric_name"
        sampled_requests_enabled   = false
      }
    },
    {
      name     = "uri_regex_host_regex"
      priority = 100
      action   = "block"
      rate_based_statement = {
        limit                 = 150
        aggregate_key_type    = "IP"
        evaluation_window_sec = 60
        scope_down_statement = {
          and_statement = {
            statements = [
              {
                regex_pattern_set_reference_statement = {
                  arn = aws_wafv2_regex_pattern_set.host_regex.arn
                  field_to_match = {
                    single_header = {
                      name = "host"
                    }
                  }
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              },
              {
                regex_pattern_set_reference_statement = {
                  arn = aws_wafv2_regex_pattern_set.uri_regex.arn
                  field_to_match = {
                    uri_path = {}
                  }
                  text_transformation = [
                    {
                      priority = 0
                      type     = "NONE"
                    }
                  ]
                }
              }
            ]
          }
        }
      }
      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "cloudwatch_metric_name"
        sampled_requests_enabled   = false
      }
    }
  ]
  visibility_config = {
    cloudwatch_metrics_enabled = false
    metric_name                = "cloudwatch_metric_name"
    sampled_requests_enabled   = false
  }
}
```

Expected Behavior
The evaluation_window_sec argument should be recognized and applied by Terraform both during the initial deployment and subsequent updates. The specified evaluation window should be set for the rate-based statements as intended.

Actual Behavior
Terraform does not recognize or apply the evaluation_window_sec argument. There is no change in the behavior of the rate-based statements when this argument is set or updated.

Additional Information
This issue is critical as it affects the rate-limiting behavior of our WAF rules, which is essential for our application's security and performance. Any assistance or insights into resolving this issue would be greatly appreciated.

Thank you.
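A quick way to confirm whether the window declared in the .tf actually reached AWS is to inspect the live web ACL rather than the Terraform state. The following script is an added example, not part of the issue or the module: it walks the JSON returned by `aws wafv2 get-web-acl --name <name> --scope REGIONAL --id <id>` and reports the effective evaluation window of every rate-based rule, treating a missing EvaluationWindowSec as the AWS default of 300 seconds. The embedded response is constructed to mirror the rules above, with one rule where the argument was silently dropped.

```python
import json

# Window AWS WAF applies when a rate-based statement carries no
# EvaluationWindowSec (the service default of 5 minutes).
DEFAULT_EVALUATION_WINDOW_SEC = 300

# Constructed sample: a trimmed `aws wafv2 get-web-acl` response. The second
# rule has no EvaluationWindowSec, which is what a wrapper module produces
# when it does not pass the argument through to the provider.
SAMPLE_GET_WEB_ACL = json.dumps({
    "WebACL": {
        "Name": "custom_rate_based_waf",
        "Rules": [
            {"Name": "AWSManagedRulesAdminProtectionRuleSet", "Priority": 1,
             "Statement": {"ManagedRuleGroupStatement": {
                 "VendorName": "AWS",
                 "Name": "AWSManagedRulesAdminProtectionRuleSet"}}},
            {"Name": "uri_regex_host_full", "Priority": 10,
             "Statement": {"RateBasedStatement": {
                 "Limit": 150, "AggregateKeyType": "IP"}}},
            {"Name": "uri_full_host_full", "Priority": 13,
             "Statement": {"RateBasedStatement": {
                 "Limit": 150, "AggregateKeyType": "IP",
                 "EvaluationWindowSec": 60}}},
        ],
    }
})


def rate_rule_windows(get_web_acl_json):
    """Map each rate-based rule name to its effective evaluation window (s)."""
    acl = json.loads(get_web_acl_json)["WebACL"]
    windows = {}
    for rule in acl.get("Rules", []):
        rbs = rule.get("Statement", {}).get("RateBasedStatement")
        if rbs is None:
            continue  # managed rule groups and plain match rules have no window
        windows[rule["Name"]] = rbs.get("EvaluationWindowSec",
                                        DEFAULT_EVALUATION_WINDOW_SEC)
    return windows


def drifted_rules(get_web_acl_json, expected_sec):
    """Rate-based rules whose live window differs from the declared value."""
    return sorted(name for name, sec in rate_rule_windows(get_web_acl_json).items()
                  if sec != expected_sec)


if __name__ == "__main__":
    for name, sec in rate_rule_windows(SAMPLE_GET_WEB_ACL).items():
        print(f"{name}: evaluation window {sec}s")
    print("drifted from 60s:", drifted_rules(SAMPLE_GET_WEB_ACL, 60))
```

Any rule listed as drifted is rate-limiting over a different window than the one reviewed in the Terraform code, which is worth checking before relying on the limit of 150 requests.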
