Add waf rule to inspect for header values

Author: olamide

aws/waf/main.tf

@@ -13,6 +13,70 @@ resource "aws_wafv2_web_acl" "main" {
     metric_name                = "${var.name}-cloudfront-web-acl"
   }
 
+  dynamic "header_rule" {
+    for_each = var.header_match_rules
+    content {
+      name     = "${header_rule.value["name"]}-header-match-rule"
+      priority = header_rule.value["priority"]
+
+      dynamic "action" {
+        for_each = header_rule.value["count_override"] == true ? [1] : []
+        content {
+          count {}
+        }
+      }
+      dynamic "action" {
+        for_each = header_rule.value["count_override"] == false ? [1] : []
+        content {
+          block {}
+        }
+      }
+      statement {
+        byte_match_statement {
+          field_to_match {
+            single_header = lower(header_rule.value["header_name"])
+          }
+
+          positional_constraint = "CONTAINS"
+
+          search_string = header_rule.value["header_value"]
+
+          text_transformation {
+            priority = 1
+            type     = "LOWERCASE"
+          }
+
+          dynamic "scope_down_statement" {
+            for_each = length(concat(rule.value["country_list"], rule.value["exempt_country_list"])) > 0 ? [1] : []
+            content {
+              dynamic "geo_match_statement" {
+                for_each = length(rule.value["country_list"]) > 0 ? [1] : []
+                content {
+                  country_codes = rule.value["country_list"]
+                }
+              }
+              dynamic "not_statement" {
+                for_each = length(rule.value["exempt_country_list"]) > 0 ? [1] : []
+                content {
+                  statement {
+                    geo_match_statement {
+                      country_codes = rule.value["exempt_country_list"]
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+      visibility_config {
+        cloudwatch_metrics_enabled = true
+        sampled_requests_enabled   = true
+        metric_name                = "${rule.value["name"]}-header-match-rule"
+      }
+    }
+  }
+
   dynamic "rule" {
     for_each = var.rate_limit_rules
     content {

aws/waf/variables.tf

@@ -43,6 +43,21 @@ variable "rate_limit_rules" {
   }))
 }
 
+variable "header_match_rules" {
+  description = "Rule statement to inspect and match the header for an incoming request."
+  type = map(object({
+    name                = string                     # Name of the header match rule group
+    priority            = number                     # Relative processing order for header match rule relative to other rules processed by AWS WAF.
+    header_name         = string                     # This is the name of the header to inspect for all incoming requests.
+    header_value        = string                     # This is the value to look out for a matching header name for all incoming requests
+    count_override      = optional(bool, true)       # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
+    country_list        = optional(list(string), []) # List of countries to apply the header match to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+    exempt_country_list = optional(list(string), []) # List of countries to exempt from the header match rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+  }))
+
+  default = null
+}
+
 variable "allowed_ip_list" {
   description = "List of allowed IP addresses, these IP addresses will be exempted from any configured rules"
   type        = list(string)