如何解决使用 terraform 创建时出现错误 AWS WAFv2 Web ACL 托管规则
我想创建一个 Cloudfront 范围的 AWS WAFv2 Web acl。我正在使用 AWS 托管规则。对于托管规则组中的某些规则,我有一个范围向下的语句。我从AWS得到的json如下:
{
"Name": "AWS-AWSManagedRulesAdminProtectionRuleSet","Priority": 0,"Statement": {
"ManagedRuleGroupStatement": {
"vendorName": "AWS","Name": "AWSManagedRulesAdminProtectionRuleSet","ScopeDownStatement": {
"ByteMatchStatement": {
"SearchString": "abc","FieldToMatch": {
"UriPath": {}
},"TextTransformations": [
{
"Priority": 0,"Type": "NONE"
}
],"PositionalConstraint": "CONTAINS_WORD"
}
}
}
},"OverrideAction": {
"Count": {}
},"VisibilityConfig": {
"SampledRequestsEnabled": true,"CloudWatchMetricsEnabled": true,"MetricName": "AWS-AWSManagedRulesAdminProtectionRuleSet"
}
}
AWS 文档 here 说在托管规则组语句中允许范围缩小语句。但是,当我阅读 terraform 文档 here 时,我们没有任何适用于范围缩小语句的选项。当我尝试创建如下规则时,它通过了 terraform 验证,但是当我应用它时,我收到一个 AWS 错误,说我添加了两个语句,其中一个是必需的。这是非常令人困惑的。有没有办法实现这一点,如果是,如何实现?任何帮助将不胜感激。
rule {
name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
priority = 0
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesAdminProtectionRuleSet"
vendor_name = "AWS"
} {
byte_match_statement {
field_to_match {
uri_path {}
}
search_string = "abc"
text_transformation {
priority = 0
type = "NONE"
}
positional_constraint = "CONTAINS_WORD"
}
}
visibility_config {
sampled_requests_enabled = true
metric_name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
cloudwatch_metrics_enabled = true
}
}
解决方法
我设法通过将 aws 提供程序版本升级到 3.52.0 来实现此功能。我添加了以下内容:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.52.0"
}
}
}
规则现在如下所示:
rule {
name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
priority = 0
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesAdminProtectionRuleSet"
vendor_name = "AWS"
scope_down_statement {
byte_match_statement {
field_to_match {
uri_path {}
}
search_string = "abc"
text_transformation {
priority = 0
type = "NONE"
}
positional_constraint = "CONTAINS_WORD"
}
}
}
}
visibility_config {
sampled_requests_enabled = true
metric_name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
cloudwatch_metrics_enabled = true
}
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
