
WAFv2 acl rules should allow JSON body and oversize content handling options #25832

Closed
MrHash opened this issue Jul 15, 2022 · 5 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@MrHash

MrHash commented Jul 15, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The WAFv2 ACL rule-related resources should allow setting the body field content type to JSON and the oversize body content handling options. Currently this does not seem to be possible via Terraform.


Duplicates #25545 but keeping open as both issues have a large number of upvotes and contain useful comments.

New or Affected Resource(s)

  • aws_wafv2_web_acl
  • aws_wafv2_rule_group

Potential Terraform Configuration

resource "aws_wafv2_web_acl" "example" {
  name  = "example"
  scope = "CLOUDFRONT"
  default_action {
    allow {}
  }
  rule {
    name     = "BlockXSS"
    priority = 10
    action {
      block {}
    }
    statement {
      xss_match_statement {
        field_to_match {
          body {}
        }
        text_transformation {
          priority = 1
          type     = "NONE"
        }
      }
    }
    visibility_config {
      metric_name                = "block-xss"
      cloudwatch_metrics_enabled = true
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    metric_name                = "all-rules"
    cloudwatch_metrics_enabled = true
    sampled_requests_enabled   = true
  }
}

References

@MrHash MrHash added the enhancement Requests to existing resources that expand the functionality or scope. label Jul 15, 2022
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Jul 15, 2022
@justinretzolk justinretzolk added good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 25, 2022
c-a-paret added a commit to no10ds/DEPRECATED-rapid-infrastructure that referenced this issue Aug 1, 2022
This has been added as an output when applying blocks or modules rather than in documentation so as to keep it at the forefront of developers' minds.

This is a temporary workaround whilst Terraform implement support for the feature.

This was prompted by a notification from AWS:

"... With AWS WAF, customers can configure rules that allow, block, captcha, or monitor (count) web requests based on conditions they define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting. When customers enable AWS WAF for CloudFront, Application Load Balancer, API Gateway or AppSync, only the first 8 KB of the request body are forwarded to AWS WAF for inspection. The 8 KB limit helps maintain high WAF performance and low latency, even during conditions of exceptional load. However, some bypass attempts intentionally put data towards the end of large (> 8 KB) requests. If your application does not expect requests greater than 8 KB in size, you can prevent them from passing through with a WAF size constraint rule statement. This will result in large requests being denied.

We have detected you have one or more rules in your WAF web ACL that inspect the HTTP request body (or JSON body) but do not have a size constraint rule statement. As a result, we may not be inspecting all traffic, specifically requests > 8 KB, to your application. On April 29, 2022, we launched the ability to specify how oversized requests should be handled as part of your web ACL when you configure WAF to inspect Body or JSON body. Although defining oversize handling behavior is optional today, on October 1, 2022, we will make specifying the handling behavior for oversized requests required when there is no size constraint on the Body or JSON body rule. After October 1, 2022, if you have not updated your web ACL to either add a size constraint statement on Body or JSON body rules in your web ACL, or define the oversize handling behavior for these rules, updates to your WAF rules using the API will fail. You can learn more about configuring oversize handling behavior by visiting the AWS WAF documentation [1]. ..."

See more:
hashicorp/terraform-provider-aws#25832
@kyokoshome

kyokoshome commented Aug 12, 2022

Is there any update? AWS will block API calls without OversizeHandling after Oct. 1

@scottwestover
Contributor

I have submitted a pull request here #26506, to add support for the oversize handling for the existing body option.

@bschaatsbergen
Member

bschaatsbergen commented Aug 27, 2022

Please note that as per the docs here, Oversize Handling applies to the following places in the WAFv2 Web ACL: Body, JsonBody, Headers and Cookies.
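A configuration that satisfies the AWS requirement quoted in the commit message above and uses the JSON body field from the issue description, added here as an example and not taken from the issue, the PR or the provider's documentation. It assumes a provider release that includes the changes from #26506 (the `oversize_handling`, `match_scope` and `invalid_fallback_behavior` arguments on `json_body`), and chooses `MATCH` so that a request whose body exceeds the 8 KB inspection limit counts as a rule hit and is blocked instead of passing through uninspected.

```hcl
resource "aws_wafv2_web_acl" "example" {
  name  = "example"
  scope = "CLOUDFRONT"
  default_action {
    allow {}
  }
  rule {
    name     = "BlockXSSJsonBody"
    priority = 10
    action {
      block {}
    }
    statement {
      xss_match_statement {
        field_to_match {
          # Inspect the JSON body rather than the raw body (the option
          # requested in this issue). For a plain-text body the equivalent
          # is: body { oversize_handling = "MATCH" }
          json_body {
            match_pattern {
              all {}
            }
            match_scope = "ALL"
            # Malformed JSON is treated as a match (fail closed).
            invalid_fallback_behavior = "MATCH"
            # Only the first 8 KB reach WAF; anything larger is treated as
            # a match and blocked. "CONTINUE" would inspect only the first
            # 8 KB, "NO_MATCH" would let oversized requests through.
            # A size_constraint_statement on the body is the other way to
            # satisfy the AWS deadline quoted above.
            oversize_handling = "MATCH"
          }
        }
        text_transformation {
          priority = 1
          type     = "NONE"
        }
      }
    }
    visibility_config {
      metric_name                = "block-xss-json-body"
      cloudwatch_metrics_enabled = true
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    metric_name                = "all-rules"
    cloudwatch_metrics_enabled = true
    sampled_requests_enabled   = true
  }
}
```

With `MATCH` on a blocking rule, legitimate clients that send bodies over 8 KB will be denied, so check the sampled requests in CloudWatch before rolling this out to an API that accepts large payloads.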

ewbankkit added a commit that referenced this issue Oct 3, 2022
…-content-handling

f/added oversize handling to waf v2 body and headers
@MrHash
Author

MrHash commented Dec 16, 2022

Resolved by #26506

@MrHash MrHash closed this as completed Dec 16, 2022
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 16, 2023