Add support for regex_match_statement to AWS WAF v2 ACL rules

[wilkmaia]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

RegexMatchStatement is a valid kind of statement, as described in AWS' API documentation (see https://docs.aws.amazon.com/waf/latest/APIReference/API_RegexMatchStatement.html).

This statement can be used in both CreateRuleGroup and CreateWebACL API calls. For reference:

• CreateRuleGroup
• CreateWebACL

Without support for regex_match_statement usage of regular expressions with WAF v2 is extremely limited due to AWS limiting the number of Regex Pattern Sets we can have per region at a default of 10. This enhancement would greatly improve usage of WAF v2 with Terraform.

Closes #21492.

Output from acceptance testing:

[wilkmaia@workstation terraform-provider-aws]$ make testacc TESTS=TestAccWAFV2RuleGroup_regexMatchStatement PKG=wafv2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/wafv2/... -v -count 1 -parallel 20 -run='TestAccWAFV2RuleGroup_regexMatchStatement' -timeout 180m
=== RUN   TestAccWAFV2RuleGroup_regexMatchStatement
=== PAUSE TestAccWAFV2RuleGroup_regexMatchStatement
=== CONT  TestAccWAFV2RuleGroup_regexMatchStatement
--- PASS: TestAccWAFV2RuleGroup_regexMatchStatement (102.78s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/wafv2      102.867s
[wilkmaia@workstation terraform-provider-aws]$ make testacc TESTS=TestAccWAFV2WebACL_RateBased_maxNested PKG=wafv2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/wafv2/... -v -count 1 -parallel 20 -run='TestAccWAFV2WebACL_RateBased_maxNested' -timeout 180m
=== RUN   TestAccWAFV2WebACL_RateBased_maxNested
=== PAUSE TestAccWAFV2WebACL_RateBased_maxNested
=== CONT  TestAccWAFV2WebACL_RateBased_maxNested
--- PASS: TestAccWAFV2WebACL_RateBased_maxNested (848.17s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/wafv2      848.245s
[wilkmaia@workstation terraform-provider-aws]$ make testacc TESTS=TestAccWAFV2WebACL_Operators_maxNested PKG=wafv2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/wafv2/... -v -count 1 -parallel 20 -run='TestAccWAFV2WebACL_Operators_maxNested' -timeout 180m
=== RUN   TestAccWAFV2WebACL_Operators_maxNested
=== PAUSE TestAccWAFV2WebACL_Operators_maxNested
=== CONT  TestAccWAFV2WebACL_Operators_maxNested
--- PASS: TestAccWAFV2WebACL_Operators_maxNested (876.78s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/wafv2      876.865s

I've only run the tests that were either added or updated individually to avoid unnecessary usage on the AWS account I was using.

[github-actions]

Welcome @wilkmaia 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[diasjorge]

Any chance we can get this feature merged please?

[breathingdust]

Hi all 👋 Just letting you know that this is issue is featured on this quarters roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

[mateusz-was]

Hi all 👋 Just letting you know that this is issue is featured on this quarters roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

Hi @breathingdust,
Is there anything we can do for this change to be included in one of the next releases? It seems ready and was planned, but not merged in the last roadmap.
From WAF user standpoint - this is a very useful feature. Here's why:

1. There are very low and strict quotas on amount of regex pattern sets in WAF.
2. Using current path patterns and text transformation in WAF is much heavier on the WCU (WAF capacity units) and there is very limited scope you can use them (string start/end, contains).
3. This feature enables WAF admins to have much more breathing room and flexibility in their configuration.

If that counts, this would make our services more protected and our lives a lot easier :)

[diasjorge]

Dear maintainers, any chance to get this merged any time soon?

[gdavison]

Thanks for the PR, @wilkmaia. I've made some updates 🚀

--- PASS: TestAccWAFV2RegexPatternSet_disappears (117.52s)
--- PASS: TestAccWAFV2RegexPatternSet_minimal (134.77s)
--- PASS: TestAccWAFV2IPSetDataSource_basic (155.80s)
--- PASS: TestAccWAFV2RuleGroupDataSource_basic (183.80s)
--- PASS: TestAccWAFV2RuleGroup_basic (192.41s)
--- PASS: TestAccWAFV2RegexPatternSet_changeNameForceNew (256.81s)
--- PASS: TestAccWAFV2RegexPatternSet_basic (277.05s)
--- PASS: TestAccWAFV2RuleGroup_updateRule (342.92s)
--- PASS: TestAccWAFV2WebACL_IPSetReference_basic (344.85s)
--- PASS: TestAccWAFV2RegexPatternSet_tags (401.88s)
--- PASS: TestAccWAFV2RuleGroup_ruleAction (474.95s)
--- PASS: TestAccWAFV2RuleGroup_updateRuleProperties (488.97s)
--- PASS: TestAccWAFV2WebACL_minimal (316.39s)
--- PASS: TestAccWAFV2WebACL_RuleLabels (621.64s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_jsonBody (624.06s)
--- PASS: TestAccWAFV2WebACL_RateBased_forwardedIP (624.67s)
--- PASS: TestAccWAFV2WebACL_GeoMatch_basic (627.02s)
--- PASS: TestAccWAFV2WebACL_LabelMatchStatement (629.96s)
--- PASS: TestAccWAFV2WebACL_GeoMatch_forwardedIP (633.66s)
--- PASS: TestAccWAFV2WebACL_disappears (289.79s)
--- PASS: TestAccWAFV2WebACL_RateBased_basic (1066.68s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_basic (1078.44s)
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_basic (1133.85s)
--- PASS: TestAccWAFV2RuleGroup_regexPatternSetReferenceStatement (649.08s)
--- PASS: TestAccWAFV2WebACL_Custom_response (1359.75s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_specifyVersion (1117.60s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_changeLogDestinationsForceNew (1248.37s)
--- PASS: TestAccWAFV2WebACL_Operators_maxNested (866.25s)
--- PASS: TestAccWAFV2WebACL_basic (838.55s)
--- PASS: TestAccWAFV2WebACL_RateBased_maxNested (889.62s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_Disappears_webACL (907.60s)
--- PASS: TestAccWAFV2RuleGroup_GeoMatchStatement_forwardedIP (965.29s)
--- PASS: TestAccWAFV2WebACL_Update_nameForceNew (1259.50s)
--- PASS: TestAccWAFV2WebACL_Custom_requestHandling (1615.55s)
--- PASS: TestAccWAFV2RuleGroup_disappears (370.63s)
--- PASS: TestAccWAFV2RuleGroup_changeMetricNameForceNew (616.55s)
--- PASS: TestAccWAFV2RuleGroup_regexMatchStatement (416.81s)
--- PASS: TestAccWAFV2WebACL_IPSetReference_forwardedIP (1939.12s)
--- PASS: TestAccWAFV2RuleGroup_geoMatchStatement (698.72s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_emptyRedactedFields (716.81s)
--- PASS: TestAccWAFV2RuleGroup_changeNameForceNew (622.50s)
--- PASS: TestAccWAFV2RuleGroup_RuleLabels (669.16s)
--- PASS: TestAccWAFV2WebACL_Update_rule (1410.45s)
--- PASS: TestAccWAFV2RuleGroup_changeCapacityForceNew (599.39s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_basic (1698.86s)
--- PASS: TestAccWAFV2WebACLDataSource_basic (540.90s)
--- PASS: TestAccWAFV2RuleGroup_byteMatchStatement (647.21s)
--- PASS: TestAccWAFV2WebACL_tags (1723.71s)
--- PASS: TestAccWAFV2IPSet_large (226.50s)
--- PASS: TestAccWAFV2IPSet_disappears (166.47s)
--- PASS: TestAccWAFV2RuleGroup_minimal (199.11s)
--- PASS: TestAccWAFV2IPSet_ipv6 (189.22s)
--- PASS: TestAccWAFV2IPSet_minimal (182.11s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_updateEmptyRedactedFields (962.45s)
--- PASS: TestAccWAFV2WebACL_Update_ruleProperties (1635.15s)
--- PASS: TestAccWAFV2IPSet_basic (86.76s)
--- PASS: TestAccWAFV2RuleGroup_ipSetReferenceStatement (52.17s)
--- PASS: TestAccWAFV2RuleGroup_sizeConstraintStatement (86.08s)
--- PASS: TestAccWAFV2IPSet_tags (103.21s)
--- PASS: TestAccWAFV2WebACLAssociation_basic (115.41s)
--- PASS: TestAccWAFV2RuleGroup_logicalRuleStatements (182.11s)
--- PASS: TestAccWAFV2RuleGroup_tags (124.33s)
--- PASS: TestAccWAFV2RuleGroup_sqliMatchStatement (90.00s)
--- PASS: TestAccWAFV2RuleGroup_RuleAction_customResponse (126.65s)
--- PASS: TestAccWAFV2RuleGroup_RuleAction_customRequestHandling (88.47s)
--- PASS: TestAccWAFV2RuleGroup_LabelMatchStatement (86.69s)
--- PASS: TestAccWAFV2RegexPatternSetDataSource_basic (41.67s)
--- PASS: TestAccWAFV2RuleGroup_xssMatchStatement (87.02s)
--- PASS: TestAccWAFV2IPSet_changeNameForceNew (55.87s)
--- PASS: TestAccWAFV2RuleGroup_IPSetReferenceStatement_ipsetForwardedIP (109.41s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_updateMethodRedactedField (719.17s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_loggingFilter (1966.16s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_updateQueryStringRedactedField (795.98s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_disappears (595.41s)
--- PASS: TestAccWAFV2RuleGroup_ByteMatchStatement_fieldToMatch (1118.36s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_basic (657.47s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_updateMultipleRedactedFields (794.42s)
--- PASS: TestAccWAFV2WebACLAssociation_disappears (399.54s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_updateURIPathRedactedField (730.71s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_updateSingleHeaderRedactedField (868.43s)
--- PASS: TestAccWAFV2WebACLLoggingConfiguration_changeResourceARNForceNew (1089.93s)

[github-actions]

This functionality has been released in v4.34.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.