Merge pull request #600 from alpineriveredge/add-wafv2-web-acl

Add wafv2_web_acl resource

Author: k1LoW

.rubocop.yml

@@ -21,6 +21,7 @@ Lint/DuplicateMethods:
     - 'lib/awspec/type/eks_nodegroup.rb'
     - 'lib/awspec/type/resource_base.rb'
     - 'lib/awspec/type/wafv2_ip_set.rb'
+    - 'lib/awspec/type/wafv2_web_acl.rb'
 
 Lint/ErbNewArguments:
   Enabled: false

doc/_resource_types/wafv2_ip_set.md

@@ -3,15 +3,19 @@
 You can set `scope` to CLOUDFRONT or REGIONAL ( default: `REGIONAL` ).
 
 ```ruby
-describe wafv2_ip_set('my-ip-set'), scope: 'REGIONAL' do
+describe wafv2_ip_set('my-wafv2-ip-set'), scope: 'REGIONAL' do
+  it { should exist }
+end
+
+describe wafv2_ip_set('my-wafv2-ip-set'), scope: 'CLOUDFRONT', region: 'us-east-1' do
   it { should exist }
 end
 ```
 
 ### have_ip_address
 
 ```ruby
-describe wafv2_ip_set('my-ip-set'), scope: 'REGIONAL' do
+describe wafv2_ip_set('my-wafv2-ip-set'), scope: 'REGIONAL' do
   it { should have_ip_address('10.0.0.0/32') }
 end
 ```

doc/_resource_types/wafv2_web_acl.md

@@ -0,0 +1,25 @@
+### exist
+
+You can set `scope` to CLOUDFRONT or REGIONAL ( default: `REGIONAL` ).
+
+```ruby
+describe wafv2_web_acl('my-wafv2-web-acl'), scope: 'REGIONAL' do
+  it { should exist }
+  its(:default_action) { should eq 'ALLOW' }
+end
+
+describe wafv2_web_acl('my-wafv2-web-acl'), scope: 'CLOUDFRONT', region: 'us-east-1' do
+  it { should exist }
+  its(:default_action) { should eq 'ALLOW' }
+end
+```
+
+### have_rule
+
+```ruby
+describe wafv2_web_acl('my-wafv2-web-acl'), scope: 'REGIONAL' do
+  it { should have_rule('AWS-AWSManagedRulesCommonRuleSet') }
+  it { should have_rule('AWS-AWSManagedRulesKnownBadInputsRuleSet').order(1) }
+  it { should have_rule('AWS-AWSManagedRulesLinuxRuleSet').order(2).override_action('NONE') }
+end
+```

doc/resource_types.md

@@ -90,6 +90,7 @@
 | [waf_web_acl](#waf_web_acl)
 | [wafregional_web_acl](#wafregional_web_acl)
 | [wafv2_ip_set](#wafv2_ip_set)
+| [wafv2_web_acl](#wafv2_web_acl)
 | [account](#account)
 
 ## <a name="acm">acm</a>
@@ -4310,7 +4311,11 @@ Wafv2IpSet resource type.
 You can set `scope` to CLOUDFRONT or REGIONAL ( default: `REGIONAL` ).
 
 ```ruby
-describe wafv2_ip_set('my-ip-set'), scope: 'REGIONAL' do
+describe wafv2_ip_set('my-wafv2-ip-set'), scope: 'REGIONAL' do
+  it { should exist }
+end
+
+describe wafv2_ip_set('my-wafv2-ip-set'), scope: 'CLOUDFRONT', region: 'us-east-1' do
   it { should exist }
 end
 ```
@@ -4319,12 +4324,44 @@ end
 ### have_ip_address
 
 ```ruby
-describe wafv2_ip_set('my-ip-set'), scope: 'REGIONAL' do
+describe wafv2_ip_set('my-wafv2-ip-set'), scope: 'REGIONAL' do
   it { should have_ip_address('10.0.0.0/32') }
 end
 ```
 
 ### its(:name), its(:id), its(:arn), its(:description), its(:ip_address_version), its(:addresses)
+## <a name="wafv2_web_acl">wafv2_web_acl</a>
+
+Wafv2WebAcl resource type.
+
+### exist
+
+You can set `scope` to CLOUDFRONT or REGIONAL ( default: `REGIONAL` ).
+
+```ruby
+describe wafv2_web_acl('my-wafv2-web-acl'), scope: 'REGIONAL' do
+  it { should exist }
+  its(:default_action) { should eq 'ALLOW' }
+end
+
+describe wafv2_web_acl('my-wafv2-web-acl'), scope: 'CLOUDFRONT', region: 'us-east-1' do
+  it { should exist }
+  its(:default_action) { should eq 'ALLOW' }
+end
+```
+
+
+### have_rule
+
+```ruby
+describe wafv2_web_acl('my-wafv2-web-acl'), scope: 'REGIONAL' do
+  it { should have_rule('AWS-AWSManagedRulesCommonRuleSet') }
+  it { should have_rule('AWS-AWSManagedRulesKnownBadInputsRuleSet').order(1) }
+  it { should have_rule('AWS-AWSManagedRulesLinuxRuleSet').order(2).override_action('NONE') }
+end
+```
+
+### its(:name), its(:id), its(:arn), its(:description), its(:data_protection_config), its(:capacity), its(:pre_process_firewall_manager_rule_groups), its(:post_process_firewall_manager_rule_groups), its(:managed_by_firewall_manager), its(:label_namespace), its(:custom_response_bodies), its(:captcha_config), its(:challenge_config), its(:token_domains), its(:association_config), its(:retrofitted_by_firewall_manager)
 # Account and Attributes
 
 ## <a name="account">account</a>

lib/awspec/generator.rb

@@ -46,6 +46,7 @@
 require 'awspec/generator/spec/managed_prefix_list'
 require 'awspec/generator/spec/codepipeline'
 require 'awspec/generator/spec/wafv2_ip_set'
+require 'awspec/generator/spec/wafv2_web_acl'
 
 # Doc
 require 'awspec/generator/doc/type'

lib/awspec/generator/doc/type/wafv2_ip_set.rb

@@ -7,7 +7,7 @@ class Wafv2IpSet < Base
         def initialize
           super
           @type_name = 'Wafv2IpSet'
-          @type = Awspec::Type::Wafv2IpSet.new('my-ip-set')
+          @type = Awspec::Type::Wafv2IpSet.new('my-wafv2-ip-set')
           @ret = @type.resource_via_client
           @matchers = []
           @ignore_matchers = []

lib/awspec/generator/doc/type/wafv2_web_acl.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Awspec::Generator
+  module Doc
+    module Type
+      class Wafv2WebAcl < Base
+        def initialize
+          super
+          @type_name = 'Wafv2WebAcl'
+          @type = Awspec::Type::Wafv2WebAcl.new('my-wafv2-web-acl')
+          @ret = @type.resource_via_client
+          @matchers = []
+          @ignore_matchers = []
+          @describes = []
+        end
+      end
+    end
+  end
+end

lib/awspec/generator/spec/wafv2_web_acl.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Awspec::Generator
+  module Spec
+    class Wafv2WebAcl
+      include Awspec::Helper::Finder
+      def generate_by_scope(scope)
+        web_acls = select_all_web_acls(scope)
+        raise 'Not Found WAFV2 Web ACL' if web_acls.empty?
+
+        specs = web_acls.map do |acl|
+          web_acl = get_web_acl(scope, acl.name, acl.id)
+          ERB.new(wafv2_web_acl_spec_template, nil, '-').result(binding).gsub(/^\n/, '')
+        end
+        specs.join("\n")
+      end
+
+      def wafv2_web_acl_spec_template
+        <<-'EOF'
+describe wafv2_web_acl('<%= web_acl.name %>'), scope: '<%= scope %>' do
+  it { should exist }
+  its(:name) { should eq '<%= web_acl.name %>' }
+  its(:id) { should eq '<%= web_acl.id %>' }
+  its(:arn) { should eq '<%= web_acl.arn %>' }
+  its(:default_action) { should eq '<%= web_acl.default_action.allow ? 'ALLOW' : 'BLOCK' %>' }
+  its(:description) { should eq '<%= web_acl.description %>' }
+  its(:capacity) { should eq <%= web_acl.capacity %> }
+  its(:managed_by_firewall_manager) { should eq <%= web_acl.managed_by_firewall_manager %> }
+  its(:label_namespace) { should eq '<%= web_acl.label_namespace %>' }
+  its(:retrofitted_by_firewall_manager) { should eq <%= web_acl.retrofitted_by_firewall_manager %> }
+<% web_acl.rules.each do |rule| %>
+  it { should have_rule('<%= rule.name %>').order(<%= rule.priority %>) }
+<% end %>
+end
+EOF
+      end
+    end
+  end
+end

lib/awspec/helper/finder/wafv2.rb

@@ -22,6 +22,26 @@ def get_ip_set(scope, name, id)
         res = wafv2_client.get_ip_set({ name: name, scope: scope, id: id })
         res.ip_set
       end
+
+      def find_web_acl(scope, name)
+        web_acls = select_all_web_acls(scope)
+        web_acl = web_acls.find do |acl|
+          acl.name == name
+        end
+        return false unless web_acl
+
+        get_web_acl(scope, name, web_acl.id)
+      end
+
+      def select_all_web_acls(scope)
+        res = wafv2_client.list_web_acls({ scope: scope })
+        res.web_acls
+      end
+
+      def get_web_acl(scope, name, id)
+        res = wafv2_client.get_web_acl({ name: name, scope: scope, id: id })
+        res.web_acl
+      end
     end
   end
 end

lib/awspec/helper/type.rb

@@ -24,7 +24,7 @@ module Type
         internet_gateway acm cloudwatch_logs dynamodb_table eip sqs ssm_parameter cloudformation_stack
         codebuild sns_topic redshift redshift_cluster_parameter_group codedeploy codedeploy_deployment_group
         secretsmanager msk transit_gateway cognito_identity_pool cognito_user_pool vpc_endpoints
-        transfer_server managed_prefix_list codepipeline wafv2_ip_set
+        transfer_server managed_prefix_list codepipeline wafv2_ip_set wafv2_web_acl
       ]
 
       ACCOUNT_ATTRIBUTES = %w[