hashicorp · ewbankkit · Apr 20, 2023 · Feb 23, 2023 · Feb 23, 2023 · Apr 11, 2023
@@ -0,0 +1,4 @@
+```release-note:enhancement
+resource/aws_wafv2_rule_group: Add `captcha_config` argument
+resource/aws_wafv2_web_acl: Add `captcha_config` argument
+```
@@ -35,6 +35,7 @@ func expandRule(m map[string]interface{}) *wafv2.Rule {
 		Action:           expandRuleAction(m["action"].([]interface{})),
 		Statement:        expandRuleGroupRootStatement(m["statement"].([]interface{})),
 		VisibilityConfig: expandVisibilityConfig(m["visibility_config"].([]interface{})),
+		CaptchaConfig:    expandCaptchaConfig(m["captcha_config"].([]interface{})),
 	}
 
 	if v, ok := m["rule_label"].(*schema.Set); ok && v.Len() > 0 {
@@ -44,6 +45,32 @@ func expandRule(m map[string]interface{}) *wafv2.Rule {
 	return rule
 }
 
+func expandCaptchaConfig(l []interface{}) *wafv2.CaptchaConfig {
+	configuration := &wafv2.CaptchaConfig{}
+
+	if len(l) == 0 || l[0] == nil {
+		return configuration
+	}
+
+	m := l[0].(map[string]interface{})
+	if v, ok := m["immunity_time_property"]; ok {
+		inner := v.([]interface{})
+		if len(inner) == 0 || inner[0] == nil {
+			return configuration
+		}
+
+		m = inner[0].(map[string]interface{})
+
+		if v, ok := m["immunity_time"]; ok {
+			configuration.ImmunityTimeProperty = &wafv2.ImmunityTimeProperty{
+				ImmunityTime: aws.Int64(int64(v.(int))),
+			}
+		}
+	}
+
+	return configuration
+}
+
 func expandRuleLabels(l []interface{}) []*wafv2.Label {
 	if len(l) == 0 || l[0] == nil {
 		return nil
@@ -838,6 +865,7 @@ func expandWebACLRule(m map[string]interface{}) *wafv2.Rule {
 		OverrideAction:   expandOverrideAction(m["override_action"].([]interface{})),
 		Statement:        expandWebACLRootStatement(m["statement"].([]interface{})),
 		VisibilityConfig: expandVisibilityConfig(m["visibility_config"].([]interface{})),
+		CaptchaConfig:    expandCaptchaConfig(m["captcha_config"].([]interface{})),
 	}
 
 	if v, ok := m["rule_label"].(*schema.Set); ok && v.Len() > 0 {
@@ -1116,6 +1144,7 @@ func flattenRules(r []*wafv2.Rule) interface{} {
 		m["rule_label"] = flattenRuleLabels(rule.RuleLabels)
 		m["statement"] = flattenRuleGroupRootStatement(rule.Statement)
 		m["visibility_config"] = flattenVisibilityConfig(rule.VisibilityConfig)
+		m["captcha_config"] = flattenCaptchaConfig(rule.CaptchaConfig)
 		out[i] = m
 	}
 
@@ -1193,6 +1222,23 @@ func flattenCaptcha(a *wafv2.CaptchaAction) []interface{} {
 	return []interface{}{m}
 }
 
+func flattenCaptchaConfig(config *wafv2.CaptchaConfig) interface{} {
+	if config == nil {
+		return []interface{}{}
+	}
+	if config.ImmunityTimeProperty == nil {
+		return []interface{}{}
+	}
+
+	m := map[string]interface{}{
+		"immunity_time_property": []interface{}{map[string]interface{}{
+			"immunity_time": aws.Int64Value(config.ImmunityTimeProperty.ImmunityTime),
+		}},
+	}
+
+	return []interface{}{m}
+}
+
 func flattenChallenge(a *wafv2.ChallengeAction) []interface{} {
 	if a == nil {
 		return []interface{}{}
@@ -1856,6 +1902,7 @@ func flattenWebACLRules(r []*wafv2.Rule) interface{} {
 		m["rule_label"] = flattenRuleLabels(rule.RuleLabels)
 		m["statement"] = flattenWebACLRootStatement(rule.Statement)
 		m["visibility_config"] = flattenVisibilityConfig(rule.VisibilityConfig)
+		m["captcha_config"] = flattenCaptchaConfig(rule.CaptchaConfig)
 		out[i] = m
 	}
 

@@ -110,6 +110,7 @@ func ResourceRuleGroup() *schema.Resource {
 						"rule_label":        ruleLabelsSchema(),
 						"statement":         ruleGroupRootStatementSchema(ruleGroupRootStatementSchemaLevel),
 						"visibility_config": visibilityConfigSchema(),
+						"captcha_config":    outerCaptchaConfigSchema(),
 					},
 				},
 			},
@@ -122,6 +123,7 @@ func ResourceRuleGroup() *schema.Resource {
 			"tags":              tftags.TagsSchema(),
 			"tags_all":          tftags.TagsSchemaComputed(),
 			"visibility_config": visibilityConfigSchema(),
+			"captcha_config":    outerCaptchaConfigSchema(),
 		},
 
 		CustomizeDiff: verify.SetTagsDiff,

@@ -549,6 +549,31 @@ func captchaConfigSchema() *schema.Schema {
 	}
 }
 
+func outerCaptchaConfigSchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		MaxItems: 1,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"immunity_time_property": {
+					Type:     schema.TypeList,
+					Optional: true,
+					MaxItems: 1,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"immunity_time": {
+								Type:     schema.TypeInt,
+								Optional: true,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func challengeConfigSchema() *schema.Schema {
 	return &schema.Schema{
 		Type:     schema.TypeList,

@@ -131,6 +131,7 @@ func ResourceWebACL() *schema.Resource {
 						"rule_label":        ruleLabelsSchema(),
 						"statement":         webACLRootStatementSchema(webACLRootStatementSchemaLevel),
 						"visibility_config": visibilityConfigSchema(),
+						"captcha_config":    outerCaptchaConfigSchema(),
 					},
 				},
 			},
@@ -143,6 +144,7 @@ func ResourceWebACL() *schema.Resource {
 			"tags":              tftags.TagsSchema(),
 			"tags_all":          tftags.TagsSchemaComputed(),
 			"visibility_config": visibilityConfigSchema(),
+			"captcha_config":    outerCaptchaConfigSchema(),
 		},
 
 		CustomizeDiff: verify.SetTagsDiff,
@@ -161,6 +163,7 @@ func resourceWebACLCreate(ctx context.Context, d *schema.ResourceData, meta inte
 		Rules:            expandWebACLRules(d.Get("rule").(*schema.Set).List()),
 		Scope:            aws.String(d.Get("scope").(string)),
 		VisibilityConfig: expandVisibilityConfig(d.Get("visibility_config").([]interface{})),
+		CaptchaConfig:    expandCaptchaConfig(d.Get("captcha_config").([]interface{})),
 	}
 
 	if v, ok := d.GetOk("custom_response_body"); ok && v.(*schema.Set).Len() > 0 {
@@ -227,6 +230,9 @@ func resourceWebACLRead(ctx context.Context, d *schema.ResourceData, meta interf
 	if err := d.Set("visibility_config", flattenVisibilityConfig(webACL.VisibilityConfig)); err != nil {
 		return diag.Errorf("setting visibility_config: %s", err)
 	}
+	if err := d.Set("captcha_config", flattenCaptchaConfig(webACL.CaptchaConfig)); err != nil {
+		return diag.Errorf("setting captcha_config: %s", err)
+	}
 
 	tags, err := ListTagsWithContext(ctx, conn, arn)
 
@@ -260,6 +266,7 @@ func resourceWebACLUpdate(ctx context.Context, d *schema.ResourceData, meta inte
 			Rules:            expandWebACLRules(d.Get("rule").(*schema.Set).List()),
 			Scope:            aws.String(d.Get("scope").(string)),
 			VisibilityConfig: expandVisibilityConfig(d.Get("visibility_config").([]interface{})),
+			CaptchaConfig:    expandCaptchaConfig(d.Get("captcha_config").([]interface{})),
 		}
 
 		if v, ok := d.GetOk("custom_response_body"); ok && v.(*schema.Set).Len() > 0 {

@@ -1543,11 +1543,15 @@ func TestAccWAFV2WebACL_Custom_requestHandling(t *testing.T) {
 						"action.0.captcha.0.custom_request_handling.0.insert_header.1.value": "test-value-2",
 						"action.0.count.#": "0",
 						"priority":         "1",
+						"captcha_config.#": "1",
+						"captcha_config.0.immunity_time_property.0.immunity_time": "240",
 					}),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
 					resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
+					resource.TestCheckResourceAttr(resourceName, "captcha_config.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "captcha_config.0.immunity_time_property.0.immunity_time", "120"),
 				),
 			},
 			{
@@ -2401,6 +2405,12 @@ resource "aws_wafv2_web_acl" "test" {
       cloudwatch_metrics_enabled = false
       metric_name                = "friendly-rule-metric-name"
       sampled_requests_enabled   = false
+    }
+
+	captcha_config {
+      immunity_time_property {
+        immunity_time = 240
+      }
     }
   }
 
@@ -2409,6 +2419,12 @@ resource "aws_wafv2_web_acl" "test" {
     metric_name                = "friendly-metric-name"
     sampled_requests_enabled   = false
   }
+
+  captcha_config {
+    immunity_time_property {
+      immunity_time = 120
+    }
+  }
 }
 `, name, firstHeader, secondHeader)
 }

@@ -206,6 +206,12 @@ resource "aws_wafv2_rule_group" "example" {
       metric_name                = "rule-2"
       sampled_requests_enabled   = false
     }
+
+    captcha_config {
+      immunity_time_property {
+        immunity_time = 240
+      }
+    }
   }
 
   rule {
@@ -293,6 +299,12 @@ resource "aws_wafv2_rule_group" "example" {
     sampled_requests_enabled   = false
   }
 
+  captcha_config {
+    immunity_time_property {
+      immunity_time = 120
+    }
+  }
+
   tags = {
     Name = "example-and-statement"
     Code = "123456"
@@ -654,6 +666,19 @@ The `visibility_config` block supports the following arguments:
 * `metric_name` - (Required, Forces new resource) A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`.
 * `sampled_requests_enabled` - (Required) A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.
 
+### Captcha Configuration
+
+The `captcha_config` block supports the following arguments:
+
+* `immunity_time_property` - (Optional) Defines custom immunity time. See [Immunity Time Property](#immunity-time-property) below for details.
+
+### Immunity Time Property
+
+The `immunity_time_property` block supports the following arguments:
+
+* `immunity_time` - (Optional) The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.
+
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported: