Feature-Add_enable_machine_learning_bot_control (#91)
jgalais authored Jul 23, 2024
1 parent a4b00a4 commit 9b735fc
Showing 3 changed files with 5 additions and 3 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -198,7 +198,7 @@ Available targets:
| <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br> The value of the `name` tag, if included, will be the `id`, not the `name`.<br> Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br> changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br> "default"<br>]</pre> | no |
| <a name="input_log_destination_configs"></a> [log\_destination\_configs](#input\_log\_destination\_configs) | The Amazon Kinesis Data Firehose, CloudWatch Log log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL | `list(string)` | `[]` | no |
| <a name="input_logging_filter"></a> [logging\_filter](#input\_logging\_filter) | A configuration block that specifies which web requests are kept in the logs and which are dropped.<br>You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. | <pre>object({<br> default_behavior = string<br> filter = list(object({<br> behavior = string<br> requirement = string<br> condition = list(object({<br> action_condition = optional(object({<br> action = string<br> }), null)<br> label_name_condition = optional(object({<br> label_name = string<br> }), null)<br> }))<br> }))<br> })</pre> | `null` | no |
| <a name="input_managed_rule_group_statement_rules"></a> [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.<br><br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>override\_action:<br> The override action to apply to the rules in a rule group.<br> Possible values: `count`, `none`<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> name:<br> The name of the managed rule group.<br> vendor\_name:<br> The name of the managed rule group vendor.<br> version:<br> The version of the managed rule group.<br> You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.<br> rule\_action\_override:<br> Action settings to use in the place of the rule actions that are configured inside the rule group.<br> You specify one override for each rule whose action you want to change.<br> managed\_rule\_group\_configs:<br> Additional information that's used by a managed rule group. 
Only one rule attribute is allowed in each config.<br> Refer to https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html for more details.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> override_action = optional(string)<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = object({<br> name = string<br> vendor_name = string<br> version = optional(string)<br> rule_action_override = optional(map(object({<br> action = string<br> custom_request_handling = optional(object({<br> insert_header = object({<br> name = string<br> value = string<br> })<br> }), null)<br> custom_response = optional(object({<br> response_code = string<br> response_header = optional(object({<br> name = string<br> value = string<br> }), null)<br> }), null)<br> })), null)<br> managed_rule_group_configs = optional(list(object({<br> aws_managed_rules_bot_control_rule_set = optional(object({<br> inspection_level = string<br> }), null)<br> aws_managed_rules_atp_rule_set = optional(object({<br> enable_regex_in_path = optional(bool)<br> login_path = string<br> request_inspection = optional(object({<br> payload_type = string<br> password_field = object({<br> identifier = string<br> })<br> username_field = object({<br> identifier = string<br> })<br> }), null)<br> response_inspection = optional(object({<br> body_contains = optional(object({<br> success_strings = list(string)<br> failure_strings = list(string)<br> }), null)<br> header = 
optional(object({<br> name = string<br> success_values = list(string)<br> failure_values = list(string)<br> }), null)<br> json = optional(object({<br><br> identifier = string<br> success_strings = list(string)<br> failure_strings = list(string)<br> }), null)<br> status_code = optional(object({<br> success_codes = list(string)<br> failure_codes = list(string)<br> }), null)<br> }), null)<br> }), null)<br> })), null)<br> })<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_managed_rule_group_statement_rules"></a> [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.<br><br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>override\_action:<br> The override action to apply to the rules in a rule group.<br> Possible values: `count`, `none`<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> name:<br> The name of the managed rule group.<br> vendor\_name:<br> The name of the managed rule group vendor.<br> version:<br> The version of the managed rule group.<br> You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.<br> rule\_action\_override:<br> Action settings to use in the place of the rule actions that are configured inside the rule group.<br> You specify one override for each rule whose action you want to change.<br> managed\_rule\_group\_configs:<br> Additional information that's used by a managed rule group. 
Only one rule attribute is allowed in each config.<br> Refer to https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html for more details.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> override_action = optional(string)<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = object({<br> name = string<br> vendor_name = string<br> version = optional(string)<br> rule_action_override = optional(map(object({<br> action = string<br> custom_request_handling = optional(object({<br> insert_header = object({<br> name = string<br> value = string<br> })<br> }), null)<br> custom_response = optional(object({<br> response_code = string<br> response_header = optional(object({<br> name = string<br> value = string<br> }), null)<br> }), null)<br> })), null)<br> managed_rule_group_configs = optional(list(object({<br> aws_managed_rules_bot_control_rule_set = optional(object({<br> inspection_level = string<br> enable_machine_learning = optional(bool, true)<br> }), null)<br> aws_managed_rules_atp_rule_set = optional(object({<br> enable_regex_in_path = optional(bool)<br> login_path = string<br> request_inspection = optional(object({<br> payload_type = string<br> password_field = object({<br> identifier = string<br> })<br> username_field = object({<br> identifier = string<br> })<br> }), null)<br> response_inspection = optional(object({<br> body_contains = optional(object({<br> success_strings = list(string)<br> 
failure_strings = list(string)<br> }), null)<br> header = optional(object({<br> name = string<br> success_values = list(string)<br> failure_values = list(string)<br> }), null)<br> json = optional(object({<br><br> identifier = string<br> success_strings = list(string)<br> failure_strings = list(string)<br> }), null)<br> status_code = optional(object({<br> success_codes = list(string)<br> failure_codes = list(string)<br> }), null)<br> }), null)<br> }), null)<br> })), null)<br> })<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| <a name="input_rate_based_statement_rules"></a> [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,<br>and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> aggregate\_key\_type:<br> Setting that indicates how to aggregate the request counts.<br> Possible values include: `FORWARDED_IP` or `IP`<br> limit:<br> The limit on requests per 5-minute period for a single originating IP address.<br> evaluation\_window\_sec:<br> The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.<br> Valid values are 60, 120, 300, and 600. 
Defaults to 300 (5 minutes).<br> forwarded\_ip\_config:<br> fallback\_behavior:<br> The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br> Possible values: `MATCH`, `NO_MATCH`<br> header\_name:<br> The name of the HTTP header to use for the IP address.<br> byte\_match\_statement:<br> field\_to\_match:<br> Part of a web request that you want AWS WAF to inspect.<br> positional\_constraint:<br> Area within the portion of a web request that you want AWS WAF to search for search\_string. <br> Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`.<br> search\_string:<br> String value that you want AWS WAF to search for.<br> AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`.<br> The maximum length of the value is 50 bytes.<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. 
| <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = object({<br> limit = number<br> aggregate_key_type = string<br> evaluation_window_sec = optional(number)<br> forwarded_ip_config = optional(object({<br> fallback_behavior = string<br> header_name = string<br> }), null)<br> scope_down_statement = optional(object({<br> byte_match_statement = object({<br> positional_constraint = string<br> search_string = string<br> field_to_match = object({<br> all_query_arguments = optional(bool)<br> body = optional(bool)<br> method = optional(bool)<br> query_string = optional(bool)<br> single_header = optional(object({ name = string }))<br> single_query_argument = optional(object({ name = string }))<br> uri_path = optional(bool)<br> })<br> text_transformation = list(object({<br> priority = number<br> type = string<br> }))<br> })<br> }), null)<br> })<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
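Review bot: the only change in this row is the new `enable_machine_learning = optional(bool, true)` entry in the type column under `aws_managed_rules_bot_control_rule_set`, while the description column's `managed_rule_group_configs` text is untouched, so a reader only discovers the attribute and its default by parsing the type signature. Add a short line under `managed_rule_group_configs:` naming `enable_machine_learning`, stating that it defaults to `true`, and that it controls whether the bot control rule set's machine-learning analysis is enabled, so the README row documents what the variable actually accepts.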
3 changes: 2 additions & 1 deletion rules.tf
Expand Up @@ -608,7 +608,8 @@ resource "aws_wafv2_web_acl" "default" {
dynamic "aws_managed_rules_bot_control_rule_set" {
for_each = lookup(managed_rule_group_configs.value, "aws_managed_rules_bot_control_rule_set", null) != null ? [1] : []
content {
inspection_level = managed_rule_group_configs.value.aws_managed_rules_bot_control_rule_set.inspection_level
inspection_level = managed_rule_group_configs.value.aws_managed_rules_bot_control_rule_set.inspection_level
enable_machine_learning = managed_rule_group_configs.value.aws_managed_rules_bot_control_rule_set.enable_machine_learning
}
}

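Review bot: `enable_machine_learning` is read directly from `managed_rule_group_configs.value.aws_managed_rules_bot_control_rule_set.enable_machine_learning`, which only works without an explicit null guard because variables.tf declares it as `optional(bool, true)`; if that default is later dropped to `optional(bool)` the attribute is sent as null, which Terraform treats as unset, so the access stays safe, but it is worth a comment here so the coupling between the two files is visible. The surrounding `for_each` already uses `lookup(..., null)` for the parent block, so the two attribute reads inside `content` are consistent with each other.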
3 changes: 2 additions & 1 deletion variables.tf
Expand Up @@ -391,7 +391,8 @@ variable "managed_rule_group_statement_rules" {
})), null)
managed_rule_group_configs = optional(list(object({
aws_managed_rules_bot_control_rule_set = optional(object({
inspection_level = string
inspection_level = string
enable_machine_learning = optional(bool, true)
}), null)
aws_managed_rules_atp_rule_set = optional(object({
enable_regex_in_path = optional(bool)
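Review bot: defaulting `enable_machine_learning` to `true` means every existing caller that already sets `aws_managed_rules_bot_control_rule_set` will, on its next plan, have the new attribute populated to `true` without having opted in, which is a behaviour change on upgrade. If the intent is to defer to the provider's own default, declare it as `optional(bool)` (a null attribute is treated as unset) and keep the explicit value for callers who set it; if the intent is to enable ML analysis by default, say so in the commit message and in the README row so operators know to pass `enable_machine_learning = false` where they do not want it.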