[Solved] Unsupported aws_wafv2_web_acl configuration or did I get the syntax wrong?

Terraform v1.0.8
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.61.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.5.0
+ provider registry.terraform.io/hashicorp/local v2.0.0
+ provider registry.terraform.io/hashicorp/null v3.0.0
+ provider registry.terraform.io/hashicorp/random v3.0.0
+ provider registry.terraform.io/hashicorp/template v2.2.0

I’m trying to recreate the following rule (that I created in the AWS web console) in terraform.

Here’s the actual rule as JSON:

{
  "Name": "login-rate-limit-xff",
  "Priority": 6,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "login-rate-limit-xff"
  },
  "Statement": {
    "RateBasedStatement": {
      "Limit": "100",
      "AggregateKeyType": "FORWARDED_IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "FieldToMatch": {
            "JsonBody": {
              "MatchScope": "ALL",
              "InvalidFallbackBehavior": "EVALUATE_AS_STRING",
              "MatchPattern": {
                "IncludedPaths": [
                  "/dologin"
                ]
              }
            }
          },
          "PositionalConstraint": "CONTAINS",
          "SearchString": "login",
          "TextTransformations": [
            {
              "Type": "NONE",
              "Priority": 0
            }
          ]
        }
      },
      "ForwardedIPConfig": {
        "HeaderName": "X-Forwarded-For",
        "FallbackBehavior": "NO_MATCH"
      }
    }
  },
  "RuleLabels": [
    {
      "Name": "login-rate-limit-xff"
    }
  ]
}

Here’s my failing guess at the terraform:

  # Rate-based rule keyed on the forwarded client IP, scoped down to requests
  # whose JSON body contains the login search string.
  # NOTE(review): this is not a one-to-one copy of the console rule shown above.
  # The console JSON uses a Block action, a NONE text transformation and a
  # RuleLabels entry; this block uses count, LOWERCASE and declares no label.
  rule {
    name     = "login-rate-limit-xff"
    priority = 6

    # count only records matches in metrics and sampled requests; nothing is
    # blocked. The console rule uses Block, so confirm count is a deliberate
    # dry-run stage before relying on this rule for protection.
    action {
      count {}
    }

    statement {

      rate_based_statement {
        # FORWARDED_IP aggregates on an address taken from a request header
        # rather than the connection source. The header is client-supplied
        # unless a trusted proxy or CDN in front of the ACL sets or overwrites
        # it. TODO confirm that is the case for this deployment.
        aggregate_key_type = "FORWARDED_IP"
        # Defined in a locals block outside this snippet; the console rule uses 100.
        limit              = local.login_rate_limit

        forwarded_ip_config {
          # NO_MATCH: a request with a missing or invalid header is treated as
          # not matching, so this rule does not rate-limit it.
          fallback_behavior = "NO_MATCH"
          header_name       = "X-Forwarded-For"
        }

        # Only requests matching this nested statement count toward the limit.
        scope_down_statement {

          byte_match_statement {
            positional_constraint = "CONTAINS"
            # Defined outside this snippet; the console rule searches for "login".
            search_string         = local.login_search_string

            field_to_match {
              # This is the block rejected in the error below ("Blocks of type
              # json_body are not expected here") with the aws provider v3.61.0
              # listed at the top of the page.
              # NOTE(review): WAF inspects only a size-limited leading portion of
              # the body; confirm how oversized bodies are handled for this rule.
              json_body {
                match_scope = "ALL"
                # A body that fails JSON parsing is inspected as plain text
                # instead of being skipped.
                invalid_fallback_behavior = "EVALUATE_AS_STRING"
                match_pattern {
                  # included_paths are JSON Pointer paths into the request body,
                  # not URI paths: "/dologin" selects a top-level "dologin" key.
                  # NOTE(review): if the goal is to match the /dologin endpoint,
                  # a URI-path match would be needed instead. Confirm intent.
                  included_paths =  [
                    "/dologin"
                  ]
                }
              }
            }

            # The console rule uses type NONE. LOWERCASE makes the CONTAINS
            # match case-insensitive only if the search string is lowercase.
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "login-rate-limit-xff"
      sampled_requests_enabled   = true
    }
  }

And here’s the error:

│ Error: Unsupported block type
│
│   on waf.jj_temp.tf line 48, in resource "aws_wafv2_web_acl" "jj":
│   48:               json_body {
│
│ Blocks of type "json_body" are not expected here.

Please let me know if I’ve got the syntax wrong or if this is not yet supported.

Thanks,
Jamie

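Never mind: the syntax isn't the problem. The provider doesn't support the `json_body` block yet, and this has already been reported: Support for JsonBody in fields to match on WAF ByteMatch rule · Issue #18515 · hashicorp/terraform-provider-aws · GitHub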