hashicorp · ewbankkit · Jul 20, 2023 · May 30, 2023 · Jul 4, 2023 · Jul 4, 2023
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_wafv2_web_acl: Add `association_config` argument
+```
@@ -74,6 +74,51 @@ func expandCaptchaConfig(l []interface{}) *wafv2.CaptchaConfig {
 	return configuration
 }
 
+func expandAssociationConfig(l []interface{}) *wafv2.AssociationConfig {
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	configuration := &wafv2.AssociationConfig{}
+
+	m := l[0].(map[string]interface{})
+	if v, ok := m["request_body"]; ok {
+		inner := v.([]interface{})
+		if len(inner) == 0 || inner[0] == nil {
+			return configuration
+		}
+
+		m = inner[0].(map[string]interface{})
+		if len(m) > 0 {
+			configuration.RequestBody = make(map[string]*wafv2.RequestBodyAssociatedResourceTypeConfig)
+		}
+
+		if v, ok := m["cloudfront"]; ok {
+			inner = v.([]interface{})
+			configuration.RequestBody[wafv2.AssociatedResourceTypeCloudfront] = expandRequestBodyConfigItem(inner)
+		}
+	}
+
+	return configuration
+}
+
+func expandRequestBodyConfigItem(l []interface{}) *wafv2.RequestBodyAssociatedResourceTypeConfig {
+	configuration := &wafv2.RequestBodyAssociatedResourceTypeConfig{}
+
+	if len(l) == 0 || l[0] == nil {
+		return configuration
+	}
+
+	m := l[0].(map[string]interface{})
+	if v, ok := m["default_size_inspection_limit"]; ok {
+		if v != "" {
+			configuration.DefaultSizeInspectionLimit = aws.String(v.(string))
+		}
+	}
+
+	return configuration
+}
+
 func expandRuleLabels(l []interface{}) []*wafv2.Label {
 	if len(l) == 0 || l[0] == nil {
 		return nil
@@ -1426,6 +1471,29 @@ func flattenCaptchaConfig(config *wafv2.CaptchaConfig) interface{} {
 	return []interface{}{m}
 }
 
+func flattenAssociationConfig(config *wafv2.AssociationConfig) interface{} {
+	associationConfig := []interface{}{}
+	if config == nil {
+		return associationConfig
+	}
+	if config.RequestBody == nil {
+		return associationConfig
+	}
+
+	cloudfrontRequestBodyConfig := config.RequestBody[wafv2.AssociatedResourceTypeCloudfront]
+	if cloudfrontRequestBodyConfig != nil {
+		associationConfig = append(associationConfig, map[string]interface{}{
+			"request_body": []map[string]interface{}{{
+				"cloudfront": []map[string]interface{}{{
+					"default_size_inspection_limit": aws.StringValue(cloudfrontRequestBodyConfig.DefaultSizeInspectionLimit),
+				}},
+			}},
+		})
+	}
+
+	return associationConfig
+}
+
 func flattenChallenge(a *wafv2.ChallengeAction) []interface{} {
 	if a == nil {
 		return []interface{}{}

@@ -516,6 +516,43 @@ func visibilityConfigSchema() *schema.Schema {
 	}
 }
 
+func associationConfigSchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		MaxItems: 1,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"request_body": requestBodySchema(),
+			},
+		},
+	}
+}
+
+func requestBodySchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"cloudfront": {
+					Type:     schema.TypeList,
+					Optional: true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"default_size_inspection_limit": {
+								Type:         schema.TypeString,
+								Required:     true,
+								ValidateFunc: validation.StringInSlice(wafv2.SizeInspectionLimit_Values(), false),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func allowConfigSchema() *schema.Schema {
 	return &schema.Schema{
 		Type:     schema.TypeList,

@@ -63,6 +63,7 @@ func ResourceWebACL() *schema.Resource {
 					Type:     schema.TypeString,
 					Computed: true,
 				},
+				"association_config": associationConfigSchema(),
 				"capacity": {
 					Type:     schema.TypeInt,
 					Computed: true,
@@ -176,13 +177,14 @@ func resourceWebACLCreate(ctx context.Context, d *schema.ResourceData, meta inte
 
 	name := d.Get("name").(string)
 	input := &wafv2.CreateWebACLInput{
-		CaptchaConfig:    expandCaptchaConfig(d.Get("captcha_config").([]interface{})),
-		DefaultAction:    expandDefaultAction(d.Get("default_action").([]interface{})),
-		Name:             aws.String(name),
-		Rules:            expandWebACLRules(d.Get("rule").(*schema.Set).List()),
-		Scope:            aws.String(d.Get("scope").(string)),
-		Tags:             getTagsIn(ctx),
-		VisibilityConfig: expandVisibilityConfig(d.Get("visibility_config").([]interface{})),
+		AssociationConfig: expandAssociationConfig(d.Get("association_config").([]interface{})),
+		CaptchaConfig:     expandCaptchaConfig(d.Get("captcha_config").([]interface{})),
+		DefaultAction:     expandDefaultAction(d.Get("default_action").([]interface{})),
+		Name:              aws.String(name),
+		Rules:             expandWebACLRules(d.Get("rule").(*schema.Set).List()),
+		Scope:             aws.String(d.Get("scope").(string)),
+		Tags:              getTagsIn(ctx),
+		VisibilityConfig:  expandVisibilityConfig(d.Get("visibility_config").([]interface{})),
 	}
 
 	if v, ok := d.GetOk("custom_response_body"); ok && v.(*schema.Set).Len() > 0 {
@@ -231,6 +233,9 @@ func resourceWebACLRead(ctx context.Context, d *schema.ResourceData, meta interf
 	arn := aws.StringValue(webACL.ARN)
 	d.Set("arn", arn)
 	d.Set("capacity", webACL.Capacity)
+	if err := d.Set("association_config", flattenAssociationConfig(webACL.AssociationConfig)); err != nil {
+		return diag.Errorf("setting association_config: %s", err)
+	}
 	if err := d.Set("captcha_config", flattenCaptchaConfig(webACL.CaptchaConfig)); err != nil {
 		return diag.Errorf("setting captcha_config: %s", err)
 	}
@@ -260,14 +265,15 @@ func resourceWebACLUpdate(ctx context.Context, d *schema.ResourceData, meta inte
 
 	if d.HasChangesExcept("tags", "tags_all") {
 		input := &wafv2.UpdateWebACLInput{
-			CaptchaConfig:    expandCaptchaConfig(d.Get("captcha_config").([]interface{})),
-			DefaultAction:    expandDefaultAction(d.Get("default_action").([]interface{})),
-			Id:               aws.String(d.Id()),
-			LockToken:        aws.String(d.Get("lock_token").(string)),
-			Name:             aws.String(d.Get("name").(string)),
-			Rules:            expandWebACLRules(d.Get("rule").(*schema.Set).List()),
-			Scope:            aws.String(d.Get("scope").(string)),
-			VisibilityConfig: expandVisibilityConfig(d.Get("visibility_config").([]interface{})),
+			AssociationConfig: expandAssociationConfig(d.Get("association_config").([]interface{})),
+			CaptchaConfig:     expandCaptchaConfig(d.Get("captcha_config").([]interface{})),
+			DefaultAction:     expandDefaultAction(d.Get("default_action").([]interface{})),
+			Id:                aws.String(d.Id()),
+			LockToken:         aws.String(d.Get("lock_token").(string)),
+			Name:              aws.String(d.Get("name").(string)),
+			Rules:             expandWebACLRules(d.Get("rule").(*schema.Set).List()),
+			Scope:             aws.String(d.Get("scope").(string)),
+			VisibilityConfig:  expandVisibilityConfig(d.Get("visibility_config").([]interface{})),
 		}
 
 		if v, ok := d.GetOk("custom_response_body"); ok && v.(*schema.Set).Len() > 0 {