feat: Changed the managed_service_data field to make it easier to import

uyggnodoow · uyggnodoow · commit 397d420bcbc5 · 2025-02-10T12:56:53.000+09:00
+ Update example code
diff --git a/examples/wafv2/main.tf b/examples/wafv2/main.tf
@@ -1,7 +1,3 @@
-provider "aws" {
-  region = "ap-northeast-2"
-}
-
 module "fms01" {
   source = "../..//"
 
@@ -12,148 +8,127 @@ module "fms01" {
     "account" : ["111111111111", "222222222222"]
   }
   managed_service_data = {
-    preProcessRuleGroups = [
+    "preProcessRuleGroups" : [
       {
-        "ruleGroupArn" : null,
+        "ruleGroupType" : "RuleGroup",
         "overrideAction" : {
           "type" : "NONE"
         },
-        "managedRuleGroupIdentifier" : {
-          "versionEnabled" : null,
-          "version" : null,
-          "vendorName" : "AWS",
-          "managedRuleGroupName" : "AWSManagedRulesKnownBadInputsRuleSet"
-        },
-        "ruleGroupType" : "ManagedRuleGroup",
+        "sampledRequestsEnabled" : true,
         "excludeRules" : [],
-        "sampledRequestsEnabled" : true
+        "ruleGroupArn" : "",
+        "ruleGroupName" : "BLOCK_IP_ADDRESS"
       }
     ]
-    default_action                          = "allow"
-    sampledRequestsEnabledForDefaultActions = true
+    "defaultAction" : { "type" : "ALLOW" },
+    "type" : "WAFV2",
+    "overrideCustomerWebACLAssociation" : false,
+    "sampledRequestsEnabledForDefaultActions" : true,
+    "optimizeUnassociatedWebACL" : false,
+    # 'DEFAULT' or 'RETROFIT_EXISTING'
+    "webACLSource" : "DEFAULT"
   }
 }
 
-module "fms02" {
-  source = "../..//"
-
-  name               = "fms02"
-  type               = "WAFV2"
-  resource_type_list = ["AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ApiGateway::Stage"]
-  include_map = {
-    "account" : ["111111111111"]
-  }
-  managed_service_data = {
-    preProcessRuleGroups = [
-      {
-        "ruleGroupArn": null,
-        "overrideAction": {
-          "type": "NONE"
-        },
-        "managedRuleGroupIdentifier": {
-          "versionEnabled": true,
-          "version": null,
-          "vendorName": "AWS",
-          "managedRuleGroupName": "AWSManagedRulesATPRuleSet",
-          "managedRuleGroupConfigs": [
-            {
-              "awsmanagedRulesATPRuleSet": {
-                "loginPath": "/web/login",
-                "requestInspection": {
-                  "payloadType": "JSON",
-                  "usernameField": {
-                    "identifier": "/form/username"
-                  },
-                  "passwordField": {
-                    "identifier": "/form/password"
-                  }
-                }
-              }
-            }
-          ]
-        },
-        "ruleGroupType": "ManagedRuleGroup",
-        "excludeRules": [],
-        "sampledRequestsEnabled": true,
-        "ruleActionOverrides": [
-          {
-            "name": "AttributeCompromisedCredentials",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "AttributeLongSession",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "AttributePasswordTraversal",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "AttributeUsernameTraversal",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "SignalMissingCredential",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "TokenRejected",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "UnsupportedCognitoIDP",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "VolumetricIpHigh",
-            "actionToUse": {
-              "challenge": {}
-            }
-          },
-          {
-            "name": "VolumetricSession",
-            "actionToUse": {
-              "challenge": {}
-            }
-          }
-        ]
-      }
-    ]
-    default_action                          = "block"
-    customResponse                          = {
-        "enableCustomResponse": true,
-        "customResponseBodyKey": "fms",
-        "responseCode": 403,
-        "responseHeaders": [
-          {
-            "headerName": "x-custom-response",
-            "headerValue": "fms"
-          }
-        ],
-        "customResponseBodies": {
-          "fms": {
-            "responseBodyType": "APPLICATION_JSON",
-            "responseBody": "{\"error\": \"accessDenied\"}"
-          }
-        }
-    }
-    sampledRequestsEnabledForDefaultActions = true
-    captchaConfig                           = 500
-    challengeConfig                         = 500
-    tokenDomains                            = ["test.com"]
-  }
-}
+#module "fms02" {
+#  source = "../..//"
+#
+#  name               = "fms02"
+#  type               = "WAFV2"
+#  resource_type_list = ["AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ApiGateway::Stage"]
+#  include_map = {
+#    "account" : ["111111111111"]
+#  }
+#  managed_service_data = {
+#    "preProcessRuleGroups" : [
+#      {
+#        "ruleGroupType" : "ManagedRuleGroup",
+#        "overrideAction" : { "type" : "NONE" },
+#        "sampledRequestsEnabled" : true,
+#        "ruleActionOverrides" : [
+#          {
+#            "name" : "AttributeCompromisedCredentials",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "AttributeLongSession",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "AttributePasswordTraversal",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "AttributeUsernameTraversal",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "SignalMissingCredential",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "TokenRejected",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "UnsupportedCognitoIDP",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "VolumetricIpHigh",
+#            "actionToUse" : { "challenge" : {} }
+#          },
+#          {
+#            "name" : "VolumetricSession",
+#            "actionToUse" : { "challenge" : {} }
+#          }
+#        ],
+#        "managedRuleGroupIdentifier" : {
+#          "managedRuleGroupName" : "AWSManagedRulesATPRuleSet",
+#          "vendorName" : "AWS",
+#          "versionEnabled" : true,
+#          "version" : null,
+#          "managedRuleGroupConfigs" : [
+#            {
+#              "awsmanagedRulesATPRuleSet" : {
+#                "loginPath" : "/web/login",
+#                "requestInspection" : {
+#                  "payloadType" : "JSON",
+#                  "usernameField" : { "identifier" : "/form/username" },
+#                  "passwordField" : { "identifier" : "/form/password" }
+#                }
+#              }
+#            }
+#          ]
+#        }
+#      }
+#    ],
+#    "postProcessRuleGroups" : [],
+#    "defaultAction" : { "type" : "BLOCK" },
+#    "customRequestHandling" : null,
+#    "associationConfig" : null,
+#    "tokenDomains" : ["test.com"],
+#    "customResponse" : {
+#      "enableCustomResponse" : true,
+#      "customResponseBodyKey" : "fms",
+#      "responseCode" : 403,
+#      "responseHeaders" : [
+#        {
+#          "headerName" : "x-custom-response",
+#          "headerValue" : "fms"
+#        }
+#      ],
+#      "customResponseBodies" : {
+#        "fms" : {
+#          "responseBodyType" : "APPLICATION_JSON",
+#          "responseBody" : "{\\'error\\': \\'accessDenied\\'}"
+#        }
+#      }
+#    },
+#    "type" : "WAFV2",
+#    "overrideCustomerWebACLAssociation" : false,
+#    "sampledRequestsEnabledForDefaultActions" : true,
+#    "optimizeUnassociatedWebACL" : false,
+#    "webACLSource" : "DEFAULT"
+#  }
+#}
diff --git a/main.tf b/main.tf
@@ -41,7 +41,7 @@ locals {
 
   managed_service_data = var.type == "WAFV2" ? merge(local.default,
     {
-      type                  = var.type
+      type                  = lookup(var.managed_service_data, "type")
       preProcessRuleGroups  = lookup(var.managed_service_data, "preProcessRuleGroups", [])
       postProcessRuleGroups = lookup(var.managed_service_data, "postProcessRuleGroups", [])
       defaultAction = {
@@ -52,33 +52,25 @@ locals {
       overrideCustomerWebACLAssociation       = lookup(var.managed_service_data, "overrideCustomerWebACLAssociation", false)
       loggingConfiguration                    = lookup(var.managed_service_data, "loggingConfiguration", null)
       sampledRequestsEnabledForDefaultActions = lookup(var.managed_service_data, "sampledRequestsEnabledForDefaultActions", false)
-      captchaConfig = {
-        immunityTimeProperty = {
-          immunityTime = lookup(var.managed_service_data, "captchaConfig", 300)
-        }
-      }
-      challengeConfig = {
-        immunityTimeProperty = {
-          immunityTime = lookup(var.managed_service_data, "challengeConfig", 300)
-        }
-      }
-      tokenDomains               = lookup(var.managed_service_data, "tokenDomains", null)
-      optimizeUnassociatedWebACL = lookup(var.managed_service_data, "optimizeUnassociatedWebACL", false)
-      webACLSource               = lookup(var.managed_service_data, "webACLSource", "DEFAULT")
+      captchaConfig                           = lookup(var.managed_service_data, "captchaConfig", null)
+      challengeConfig                         = lookup(var.managed_service_data, "challengeConfig", null)
+      tokenDomains                            = lookup(var.managed_service_data, "tokenDomains", null)
+      optimizeUnassociatedWebACL              = lookup(var.managed_service_data, "optimizeUnassociatedWebACL", false)
+      webACLSource                            = lookup(var.managed_service_data, "webACLSource", "DEFAULT")
     }
     ) : var.type == "SHIELD_ADVANCED" ? merge(local.default,
     {
-      type                           = var.type
+      type = lookup(var.managed_service_data, "type")
       automaticResponseConfiguration = {
         automaticResponseStatus = lookup(var.managed_service_data, "automaticResponseStatus", "DISABLED")
         automaticResponseAction = lookup(var.managed_service_data, "automaticResponseAction", null)
       }
-      optimizeUnassociatedWebACL     = lookup(var.managed_service_data, "optimizeUnassociatedWebACL", false)
-      overrideCustomerWebaclClassic  = lookup(var.managed_service_data, "overrideCustomerWebaclClassic", false)
+      optimizeUnassociatedWebACL    = lookup(var.managed_service_data, "optimizeUnassociatedWebACL", false)
+      overrideCustomerWebaclClassic = lookup(var.managed_service_data, "overrideCustomerWebaclClassic", false)
     }
     ) : var.type == "SECURITY_GROUPS_COMMON" ? merge(local.default,
     {
-      type                                      = var.type
+      type                                      = lookup(var.managed_service_data, "type")
       securityGroups                            = lookup(var.managed_service_data, "securityGroups", [])
       securityGroupAction                       = lookup(var.managed_service_data, "securityGroupAction", null)
       revertManualSecurityGroupChanges          = lookup(var.managed_service_data, "revertManualSecurityGroupChanges", false)
@@ -90,7 +82,7 @@ locals {
     }
     ) : var.type == "SECURITY_GROUPS_CONTENT_AUDIT" ? merge(local.default,
     {
-      type              = var.type
+      type              = lookup(var.managed_service_data, "type")
       preManagedOptions = lookup(var.managed_service_data, "preManagedOptions", null)
       securityGroups    = lookup(var.managed_service_data, "securityGroups")
       securityGroupAction = {
@@ -99,15 +91,15 @@ locals {
     }
     ) : var.type == "SECURITY_GROUPS_USAGE_AUDIT" ? merge(local.default,
     {
-      type                            = var.type
+      type                            = lookup(var.managed_service_data, "type")
       deleteUnusedSecurityGroups      = lookup(var.managed_service_data, "deleteUnusedSecurityGroups", false)
       coalesceRedundantSecurityGroups = lookup(var.managed_service_data, "coalesceRedundantSecurityGroups", false)
       # 'optionalDelayForUnusedInMinutes' field only applies if deleteUnusedSecurityGroups is set to true.
       optionalDelayForUnusedInMinutes = lookup(var.managed_service_data, "optionalDelayForUnusedInMinutes", 0)
     }
     ) : var.type == "NETWORK_FIREWALL" ? merge(local.default,
     {
-      type = var.type
+      type = lookup(var.managed_service_data, "type")
       # Centralized deployment model
       awsNetworkFirewallConfig = lookup(var.managed_service_data, "awsNetworkFirewallConfig", null)
       firewallDeploymentModel  = lookup(var.managed_service_data, "firewallDeploymentModel", null)
@@ -122,7 +114,7 @@ locals {
     }
     ) : var.type == "DNS_FIREWALL" ? merge(local.default,
     {
-      type                  = var.type
+      type                  = lookup(var.managed_service_data, "type")
       preProcessRuleGroups  = lookup(var.managed_service_data, "preProcessRuleGroups", [])
       postProcessRuleGroups = lookup(var.managed_service_data, "postProcessRuleGroups", [])
     }
