From 9230c6986eea7f041796cb21640c7fd28bc24c4d Mon Sep 17 00:00:00 2001
From: Markus Bergholz
Date: Tue, 15 Mar 2022 08:49:08 +0100
Subject: [PATCH] wafv2_web_acl: prevent exception when element is not a dict (#962) wafv2_web_acl: prevent exception when element is not a dict SUMMARY the geo_match_statement statement paremeter country_codes is a list and will fail the current implementation File "/tmp/ansible_community.aws.wafv2_web_acl_payload_8xvwtxvw/ansible_community.aws.wafv2_web_acl_payload.zip/ansible_collections/community/aws/plugins/module_utils/wafv2.py", line 52, in wafv2_snake_dict_to_camel_dict AttributeError: 'str' object has no attribute 'keys' rules: - name: block-germany priority: 0 action: block: {} visibility_config: sampled_requests_enabled: yes cloud_watch_metrics_enabled: yes metric_name: block-germany statement: geo_match_statement: country_codes: - DE ISSUE TYPE Bugfix Pull Request COMPONENT NAME plugins/module_utils/wafv2.py ADDITIONAL INFORMATION Reviewed-by: Alina Buzachis
---
 .../fragments/962-fix-waf-list-conditions.yml | 2 +
 plugins/module_utils/wafv2.py | 3 ++
 .../targets/wafv2/tasks/test_webacl.yml | 45 +++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 changelogs/fragments/962-fix-waf-list-conditions.yml
diff --git a/changelogs/fragments/962-fix-waf-list-conditions.yml b/changelogs/fragments/962-fix-waf-list-conditions.yml
new file mode 100644
index 00000000000..056ba343ca0
--- /dev/null
+++ b/changelogs/fragments/962-fix-waf-list-conditions.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - wafv2_web_acl - fix exception when a rule contains lists values (https://github.com/ansible-collections/community.aws/pull/962).
diff --git a/plugins/module_utils/wafv2.py b/plugins/module_utils/wafv2.py
index 7b1b63d6fcf..6777265fb93 100644
--- a/plugins/module_utils/wafv2.py
+++ b/plugins/module_utils/wafv2.py
@@ -46,6 +46,9 @@ def wafv2_list_rule_groups(wafv2, scope, fail_json_aws, nextmarker=None):
 def wafv2_snake_dict_to_camel_dict(a):
+ if not isinstance(a, dict):
+ return a
+
 retval = {}
 for item in a.keys():
 if isinstance(a.get(item), dict):
diff --git a/tests/integration/targets/wafv2/tasks/test_webacl.yml b/tests/integration/targets/wafv2/tasks/test_webacl.yml
index 2d09eb3ebc9..f3bdfb09999 100644
--- a/tests/integration/targets/wafv2/tasks/test_webacl.yml
+++ b/tests/integration/targets/wafv2/tasks/test_webacl.yml
@@ -183,3 +183,48 @@
 assert:
 that:
 - out is not changed
+
+- name: test geo match statement
+ wafv2_web_acl:
+ name: "{{ web_acl_name }}"
+ state: present
+ description: hallo eins drei
+ scope: REGIONAL
+ default_action: Allow
+ sampled_requests: no
+ cloudwatch_metrics: yes
+ metric_name: blub
+ purge_rules: yes
+ rules:
+ - name: block-germany
+ priority: 1
+ action:
+ block: {}
+ visibility_config:
+ sampled_requests_enabled: yes
+ cloud_watch_metrics_enabled: yes
+ metric_name: block-germany
+ statement:
+ geo_match_statement:
+ country_codes:
+ - DE
+ tags:
+ A: B
+ C: D
+ register: out
+
+- name: verify change
+ assert:
+ that:
+ - out is changed
+
+- name: re-read webacl
+ wafv2_web_acl_info:
+ name: "{{ web_acl_name }}"
+ scope: REGIONAL
+ register: out
+
+- name: verify geo match statement
+ assert:
+ that:
+ - out.rules[0].statement.geo_match_statement.country_codes[0] == 'DE'
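Review bot: The early return added at the top of `wafv2_snake_dict_to_camel_dict` in plugins/module_utils/wafv2.py carries no comment, and the function's name still promises dict in, dict out. A line such as `# list elements may be scalars (e.g. country_codes: ['DE']); return them unchanged` above the guard would record the case from the traceback in the commit message. The guard also hands back a list untouched, so dicts held in a list nested directly inside another list would presumably keep their snake_case keys; for a WAF rule that means the statement sent to AWS may differ from what the playbook author wrote, so it is worth confirming no statement type nests that way. The rest of the function body is outside this hunk, so how lists are walked is inferred, not seen.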
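Review bot: The new `test geo match statement` block in tests/integration/targets/wafv2/tasks/test_webacl.yml checks `out is changed` and the re-read country code, but never runs the task a second time. Repeating the same `wafv2_web_acl` task and asserting `- out is not changed`, as the context lines just above this addition do for the earlier case, would catch a list value that converts on the way in but compares unequal on the next run. The final assertion also indexes `out.rules[0]`, which relies on `purge_rules: yes` leaving exactly one rule; that holds here but is worth a short comment.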