[cloud][aws] New module: aws_waf_rule module (#33124)

Add a new module for managing AWS WAF rules Preceded by aws_waf_condition and to be succeeded by aws_waf_web_acl
2026-05-06 21:32:49 +00:00 · 2018-02-03 08:54:27 +10:00
parent 69cd705634
commit 4e30eff651
2 changed files with 440 additions and 0 deletions
--- a/test/integration/targets/aws_waf_web_acl/tasks/main.yml
+++ b/test/integration/targets/aws_waf_web_acl/tasks/main.yml
@@ -7,6 +7,11 @@
        security_token: "{{ security_token }}"
    no_log: yes

+
+  ##################################################
+  # aws_waf_condition tests
+  ##################################################
+
  - name: create WAF IP condition
    aws_waf_condition:
      name: "{{ resource_prefix }}_ip_condition"
@@ -228,10 +233,129 @@
            recreate_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id !=
            create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id

+  ##################################################
+  # aws_waf_rule tests
+  ##################################################
+
+  - name: create WAF rule
+    aws_waf_rule:
+      name: "{{ resource_prefix }}_rule"
+      conditions:
+        - name: "{{ resource_prefix }}_regex_condition"
+          type: regex
+          negated: no
+        - name: "{{ resource_prefix }}_geo_condition"
+          type: geo
+          negated: no
+        - name: "{{ resource_prefix }}_byte_condition"
+          type: byte
+          negated: no
+      purge_conditions: yes
+      <<: *aws_connection_info
+    register: create_aws_waf_rule
+
+  - name: check WAF rule
+    assert:
+      that:
+        - create_aws_waf_rule.changed
+        - create_aws_waf_rule.rule.predicates|length == 3
+
+  - name: recreate WAF rule
+    aws_waf_rule:
+      name: "{{ resource_prefix }}_rule"
+      conditions:
+        - name: "{{ resource_prefix }}_regex_condition"
+          type: regex
+          negated: no
+        - name: "{{ resource_prefix }}_geo_condition"
+          type: geo
+          negated: no
+        - name: "{{ resource_prefix }}_byte_condition"
+          type: byte
+          negated: no
+      <<: *aws_connection_info
+    register: create_aws_waf_rule
+
+  - name: check WAF rule did not change
+    assert:
+      that:
+        - not create_aws_waf_rule.changed
+        - create_aws_waf_rule.rule.predicates|length == 3
+
+  - name: add further WAF rules relying on purge_conditions defaulting to false
+    aws_waf_rule:
+      name: "{{ resource_prefix }}_rule"
+      conditions:
+        - name: "{{ resource_prefix }}_ip_condition"
+          type: ip
+          negated: yes
+        - name: "{{ resource_prefix }}_sql_condition"
+          type: sql
+          negated: no
+        - name: "{{ resource_prefix }}_xss_condition"
+          type: xss
+          negated: no
+      <<: *aws_connection_info
+    register: add_conditions_to_aws_waf_rule
+
+  - name: check WAF rule added rules
+    assert:
+      that:
+        - add_conditions_to_aws_waf_rule.changed
+        - add_conditions_to_aws_waf_rule.rule.predicates|length == 6
+
+  - name: remove some rules through purging conditions
+    aws_waf_rule:
+      name: "{{ resource_prefix }}_rule"
+      conditions:
+        - name: "{{ resource_prefix }}_ip_condition"
+          type: ip
+          negated: yes
+        - name: "{{ resource_prefix }}_xss_condition"
+          type: xss
+          negated: no
+        - name: "{{ resource_prefix }}_byte_condition"
+          type: byte
+          negated: no
+        - name: "{{ resource_prefix }}_size_condition"
+          type: size
+          negated: no
+      purge_conditions: yes
+      <<: *aws_connection_info
+    register: add_and_remove_waf_rule_conditions
+
+  - name: check WAF rules were updated as expected
+    assert:
+      that:
+        - add_and_remove_waf_rule_conditions.changed
+        - add_and_remove_waf_rule_conditions.rule.predicates|length == 4
+
+  - name: attempt to remove an in use condition
+    aws_waf_condition:
+      name: "{{ resource_prefix }}_size_condition"
+      type: size
+      state: absent
+      <<: *aws_connection_info
+    ignore_errors: yes
+    register: remove_in_use_condition
+
+  - name: check failure was sensible
+    assert:
+      that:
+        - remove_in_use_condition.failed
+        - "'Condition {{ resource_prefix }}_size_condition is in use' in remove_in_use_condition.msg"
+
  always:
  - debug:
      msg: "****** TEARDOWN STARTS HERE ******"

+  - name: remove WAF rule
+    aws_waf_rule:
+      name: "{{ resource_prefix }}_rule"
+      state: absent
+      <<: *aws_connection_info
+    ignore_errors: yes
+
  - name: remove XSS condition
    aws_waf_condition:
      name: "{{ resource_prefix }}_xss_condition"