feat: Add 'AWSManagedRulesAntiDDoSRuleSet'

uyggnodoow · uyggnodoow · commit 74b5fd1a3820 · 2025-09-21T18:45:02.000+09:00
- Add example codes
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@ A Terraform module that creates Web Application Firewall (WAFV2).
     - AWSManagedRulesACFPRuleSet
     - AWSManagedRulesATPRuleSet
     - AWSManagedRulesBotControlRuleSet
+    - AWSManagedRulesAntiDDoSRuleSet
   - NotStatement
   - OrStatement
   - RateBasedStatement
diff --git a/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/README.md b/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/README.md
@@ -0,0 +1,9 @@
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
diff --git a/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/main.tf b/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/main.tf
@@ -0,0 +1,67 @@
+provider "aws" {
+  region = "ap-northeast-2"
+}
+
+module "wafv2" {
+  source = "../../..//"
+
+  enabled_web_acl_association = true
+  resource_arn                = []
+
+  enabled_logging_configuration = false
+
+  name           = "WebACL01"
+  scope          = "REGIONAL"
+  default_action = "block"
+  rule = [
+    {
+      name            = "Rule01"
+      priority        = 10
+      override_action = "count"
+      managed_rule_group_statement = {
+        name        = "AWSManagedRulesAntiDDoSRuleSet"
+        vendor_name = "AWS"
+        # Deprecated - excluded_rule = ["NoUserAgent_HEADER", "UserAgent_BadBots_HEADER"]
+
+        managed_rule_group_configs = [
+          {
+            aws_managed_rules_anti_ddos_rule_set = {
+              sensitivity_to_block = "LOW"
+              client_side_action_config = {
+                challenge = {
+                  exempt_uri_regular_expression = [
+                    {
+                      regex_string = "\\/api\\/|\\.(acc|avi|css|gif|ico|jpe?g|js|json|mp[34]|ogg|otf|pdf|png|tiff?|ttf|webm|webp|woff2?|xml)$"
+                    },
+                    {
+                      regex_string = "\\/test\\/|\\.(acc|avi|css|gif|ico|jpe?g|js|json|mp[34]|ogg|otf|pdf|png|tiff?|ttf|webm|webp|woff2?|xml)$"
+                    }
+                  ]
+                  usage_of_action = "DISABLED"
+                  sensitivity     = "LOW"
+
+                }
+              }
+            }
+          }
+        ]
+      }
+      visibility_config = {
+        cloudwatch_metrics_enabled = true
+        metric_name                = "AWS-AWSManagedRulesACFPRuleSet"
+        sampled_requests_enabled   = true
+      }
+    }
+  ]
+
+  challenge_config = 500
+  captcha_config   = 500
+
+  token_domains = ["test.com", "test1.com"]
+
+  visibility_config = {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "cloudwatch_metric_name"
+    sampled_requests_enabled   = false
+  }
+}
diff --git a/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/outputs.tf b/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/outputs.tf
diff --git a/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/variables.tf b/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/variables.tf
diff --git a/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/versions.tf b/examples/ManagedRuleGroupStatement/AWSManagedRulesAntiDDoSRuleSet/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.14.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -219,6 +219,35 @@ resource "aws_wafv2_web_acl" "this" {
                     inspection_level        = upper(lookup(aws_managed_rules_bot_control_rule_set.value, "inspection_level", "COMMON"))
                   }
                 }
+
+                dynamic "aws_managed_rules_anti_ddos_rule_set" {
+                  for_each = lookup(managed_rule_group_configs.value, "aws_managed_rules_anti_ddos_rule_set", null) == null ? [] : [lookup(managed_rule_group_configs.value, "aws_managed_rules_anti_ddos_rule_set")]
+                  content {
+                    sensitivity_to_block = upper(lookup(aws_managed_rules_anti_ddos_rule_set.value, "sensitivity_to_block", "LOW"))
+
+                    dynamic "client_side_action_config" {
+                      for_each = lookup(aws_managed_rules_anti_ddos_rule_set.value, "client_side_action_config") == null ? [] : [lookup(aws_managed_rules_anti_ddos_rule_set.value, "client_side_action_config")]
+                      content {
+                        dynamic "challenge" {
+                          for_each = lookup(client_side_action_config.value, "challenge", null) == null ? [] : [lookup(client_side_action_config.value, "challenge")]
+                          content {
+                            sensitivity     = upper(lookup(challenge.value, "sensitivity", "HIGH"))
+                            usage_of_action = upper(lookup(challenge.value, "usage_of_action"))
+
+                            dynamic "exempt_uri_regular_expression" {
+                              for_each = lookup(challenge.value, "exempt_uri_regular_expression", null) == null ? [] : lookup(challenge.value, "exempt_uri_regular_expression")
+                              iterator = exempt_uri_regular_expression
+
+                              content {
+                                regex_string = lookup(exempt_uri_regular_expression.value, "regex_string")
+                              }
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
               }
             }
 
