[Enhancement]: add managed_rule_group_configs and visibility_config feature to wafv2_web_acl_rule_group_association

.changelog/44426.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_wafv2_web_acl_rule_group_association: Added support for `managed_rule_group_configs` within `managed_rule_group` and root-level `visibility_config` block for CloudWatch metrics configuration
+```

internal/service/wafv2/flex.go

@@ -4,15 +4,22 @@
 package wafv2
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"reflect"
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awstypes "github.com/aws/aws-sdk-go-v2/service/wafv2/types"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/flex"
+	fwflex "github.com/hashicorp/terraform-provider-aws/internal/framework/flex"
+	fwtypes "github.com/hashicorp/terraform-provider-aws/internal/framework/types"
 	tfjson "github.com/hashicorp/terraform-provider-aws/internal/json"
 	itypes "github.com/hashicorp/terraform-provider-aws/internal/types"
 	"github.com/hashicorp/terraform-provider-aws/names"
@@ -3635,3 +3642,151 @@ func flattenFieldToProtect(apiObject *awstypes.FieldToProtect) any {
 
 	return []any{tfMap}
 }
+
+func expandACFPManagedRuleConfig(
+	ctx context.Context,
+	tfACFPRuleConfigModel awsManagedRulesACFPRuleSetModel,
+) (awstypes.AWSManagedRulesACFPRuleSet, diag.Diagnostics) {
+	var diags diag.Diagnostics
+	var acfpRuleSetConfig awstypes.AWSManagedRulesACFPRuleSet
+
+	if tfACFPRuleConfigModel.RequestInspection.IsNull() && tfACFPRuleConfigModel.RequestInspection.IsUnknown() {
+		// auto flex works, no need to manually expand
+		diags.Append(fwflex.Expand(ctx, tfACFPRuleConfigModel, &acfpRuleSetConfig)...)
+		return acfpRuleSetConfig, diags
+	}
+
+	acfpRuleSetConfig = awstypes.AWSManagedRulesACFPRuleSet{
+		CreationPath:         tfACFPRuleConfigModel.CreationPath.ValueStringPointer(),
+		RegistrationPagePath: tfACFPRuleConfigModel.RegistrationPagePath.ValueStringPointer(),
+		EnableRegexInPath:    tfACFPRuleConfigModel.EnableRegexInPath.ValueBool(),
+	}
+
+	var tfReqInspection requestInspectionACFPModel
+	diags.Append(tfACFPRuleConfigModel.RequestInspection.Elements()[0].(fwtypes.ObjectValueOf[requestInspectionACFPModel]).As(ctx, &tfReqInspection, basetypes.ObjectAsOptions{})...)
+	if diags.HasError() {
+		return acfpRuleSetConfig, diags
+	}
+
+	addressFields := make([]awstypes.AddressField, 0)
+
+	for _, af := range tfReqInspection.AddressFields.Elements() {
+		var tfAddressField addressFieldModel
+		diags.Append(af.(fwtypes.ObjectValueOf[addressFieldModel]).As(ctx, &tfAddressField, basetypes.ObjectAsOptions{})...)
+		if diags.HasError() {
+			return acfpRuleSetConfig, diags
+		}
+		for _, id := range tfAddressField.Identifiers.Elements() {
+			addressFields = append(addressFields, awstypes.AddressField{
+				Identifier: id.(types.String).ValueStringPointer(),
+			})
+		}
+	}
+
+	phoneNumberFields := make([]awstypes.PhoneNumberField, 0)
+	for _, pf := range tfReqInspection.PhoneNumberFields.Elements() {
+		var tfPhoneNumberField phoneNumberFieldModel
+		diags.Append(pf.(fwtypes.ObjectValueOf[phoneNumberFieldModel]).As(ctx, &tfPhoneNumberField, basetypes.ObjectAsOptions{})...)
+		if diags.HasError() {
+			return acfpRuleSetConfig, diags
+		}
+		for _, id := range tfPhoneNumberField.Identifiers.Elements() {
+			phoneNumberFields = append(phoneNumberFields, awstypes.PhoneNumberField{
+				Identifier: id.(types.String).ValueStringPointer(),
+			})
+		}
+	}
+
+	acfpRuleSetConfig.RequestInspection = &awstypes.RequestInspectionACFP{
+		AddressFields:     addressFields,
+		PhoneNumberFields: phoneNumberFields,
+		PayloadType:       awstypes.PayloadType(tfReqInspection.PayloadType.ValueString()),
+	}
+
+	diags.Append(fwflex.Expand(ctx, tfReqInspection.EmailField, &acfpRuleSetConfig.RequestInspection.EmailField)...)
+	if diags.HasError() {
+		return acfpRuleSetConfig, diags
+	}
+
+	diags.Append(fwflex.Expand(ctx, tfReqInspection.UsernameField, &acfpRuleSetConfig.RequestInspection.UsernameField)...)
+	if diags.HasError() {
+		return acfpRuleSetConfig, diags
+	}
+
+	diags.Append(fwflex.Expand(ctx, tfReqInspection.PasswordField, &acfpRuleSetConfig.RequestInspection.PasswordField)...)
+	if diags.HasError() {
+		return acfpRuleSetConfig, diags
+	}
+
+	return acfpRuleSetConfig, diags
+}
+
+func flattenACFPRuleConfig(
+	ctx context.Context,
+	acfp *awstypes.AWSManagedRulesACFPRuleSet,
+	managedRuleGroupConfigs []awstypes.ManagedRuleGroupConfig,
+) (fwtypes.ListNestedObjectValueOf[managedRuleGroupConfigModel], diag.Diagnostics) {
+	var diags diag.Diagnostics
+
+	if acfp.RequestInspection == nil {
+		// autoflex is possible
+		var tfManagedRuleGroupConfigModel managedRuleGroupConfigModel
+		diags.Append(fwflex.Flatten(ctx, managedRuleGroupConfigs, &tfManagedRuleGroupConfigModel)...)
+		return fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*managedRuleGroupConfigModel{&tfManagedRuleGroupConfigModel}), diags
+	}
+
+	requestInspection := acfp.RequestInspection
+	var emailField emailFieldModel
+	var usernameField usernameFieldModel
+	var passwordField passwordFieldModel
+
+	fwflex.Flatten(ctx, requestInspection.EmailField, &emailField)
+	fwflex.Flatten(ctx, requestInspection.UsernameField, &usernameField)
+	fwflex.Flatten(ctx, requestInspection.PasswordField, &passwordField)
+
+	var addrList []attr.Value
+	for _, af := range requestInspection.AddressFields {
+		addrList = append(addrList, types.StringValue(aws.ToString(af.Identifier)))
+	}
+	ids := fwtypes.NewListValueOfMust[types.String](ctx, addrList)
+	afModel := &addressFieldModel{
+		Identifiers: ids,
+	}
+
+	var phoneList []attr.Value
+	for _, pf := range requestInspection.PhoneNumberFields {
+		phoneList = append(phoneList, types.StringValue(aws.ToString(pf.Identifier)))
+	}
+	pfModel := &phoneNumberFieldModel{
+		Identifiers: fwtypes.NewListValueOfMust[types.String](ctx, phoneList),
+	}
+
+	tfRequestInspection := &requestInspectionACFPModel{
+		PayloadType:       types.StringValue(string(requestInspection.PayloadType)),
+		EmailField:        fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*emailFieldModel{&emailField}),
+		UsernameField:     fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*usernameFieldModel{&usernameField}),
+		PasswordField:     fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*passwordFieldModel{&passwordField}),
+		AddressFields:     fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*addressFieldModel{afModel}),
+		PhoneNumberFields: fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*phoneNumberFieldModel{pfModel}),
+	}
+
+	tfACFPModel := &awsManagedRulesACFPRuleSetModel{
+		CreationPath:         types.StringValue(aws.ToString(acfp.CreationPath)),
+		RegistrationPagePath: types.StringValue(aws.ToString(acfp.RegistrationPagePath)),
+		EnableRegexInPath:    types.BoolValue(acfp.EnableRegexInPath),
+		ResponseInspection:   fwtypes.NewListNestedObjectValueOfNull[responseInspectionModel](ctx),
+		RequestInspection:    fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*requestInspectionACFPModel{tfRequestInspection}),
+	}
+
+	patchedRuleGroupConfig := make([]*managedRuleGroupConfigModel, 0, 1)
+
+	tfManagedRuleGroupConfigModel := &managedRuleGroupConfigModel{
+		AWSManagedRulesACFPRuleSet:       fwtypes.NewListNestedObjectValueOfSliceMust(ctx, []*awsManagedRulesACFPRuleSetModel{tfACFPModel}),
+		AWSManagedRulesATPRuleSet:        fwtypes.NewListNestedObjectValueOfNull[awsManagedRulesATPRuleSetModel](ctx),
+		AWSManagedRulesBotControlRuleSet: fwtypes.NewListNestedObjectValueOfNull[awsManagedRulesBotControlRuleSetModel](ctx),
+		AWSManagedRulesAntiDDoSRuleSet:   fwtypes.NewListNestedObjectValueOfNull[awsManagedRulesAntiDDoSRuleSetModel](ctx),
+	}
+	patchedRuleGroupConfig = append(patchedRuleGroupConfig, tfManagedRuleGroupConfigModel)
+
+	return fwtypes.NewListNestedObjectValueOfSliceMust(ctx, patchedRuleGroupConfig), diags
+}