WAF WebACL resources missing support for using Rule Groups

[erikpaasonen]

Terraform Version

Terraform v0.11.5
+ provider.aws v1.13.0

Affected Resource(s)

• aws_waf_rule_group
• aws_waf_web_acl
• aws_wafregional_rule_group
• aws_wafregional_web_acl

Terraform Configuration Files

This is copied and pasted straight from the examples for aws_waf_rule_group and aws_waf_web_acl, just adapted to use the rule group.

resource "aws_waf_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_waf_rule_group" "example" {
  name        = "example"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }

    priority = 50
    rule_id  = "${aws_waf_rule.example.id}"
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_waf_rule_group.example.id}"
    type     = "GROUP"
  }
}

Debug Output

https://gist.github.com/erikpaasonen/83174454128c6ae05e6d0058d0b72a3a

Expected Behavior

Terraform should create the WAF WebACL using the new rule group resource.

Actual Behavior

Terraform aborts almost immediately because it is expecting a type of only REGULAR or RATE_BASED. It considers GROUP as invalid input.

Important Factoids

Our team currently has the insertion of a managed rule group working using the AWS CLI. The AWS CLI supports the GROUP type. Here's the syntax for a known-good updates list entry for use with the AWS CLI:

{
    "Action": "INSERT",
    "ActivatedRule": {
        "Priority": 1,
        "RuleId": "my-known-good-rule-group-uuid",
        "OverrideAction": {
            "Type": "COUNT"
        },
        "Type": "GROUP"
    }
}

As mentioned in Issue #3172 , the aws_waf_web_acl and aws_wafregional_web_acl resources are missing support for OverrideAction. Once resolved, this issue is expected to resolve Issue #3172 at least for the hard-coded UUID use case.

I'm filing this particular issue as a bug now that v1.13.0 is live. But I believe this was simply an integration oversight when the new aws_waf_rule_group and aws_wafregional_rule_group resource types were recently introduced.

References

PR #3898
Issue #424
Issue #3172
https://docs.aws.amazon.com/cli/latest/reference/waf/update-web-acl.html#options

[catsby]

Thanks for reporting! It looks like the validation needs to be updated here:

https://github.com/terraform-providers/terraform-provider-aws/blob/6afb81fba282818c76c9006e4979d7663cf9b420/aws/resource_aws_waf_web_acl.go#L68-L76

[bflad]

The aws_wafregional_web_acl resource support for rule type has been merged into master via #4978 and will release with version 1.25.0 of the AWS provider, likely middle of this week. Please note you must configure this new attribute for RATE_BASED rules.

[warwick-mitchell]

It looks like the commit doesn't support Rule Groups which this issue is referring to. We need this to support the use of AWS Managed Ruleset Groups form the marketplace.

[bflad]

Oh whoops you are correct, this is a separate issue, it was just linked in the PR.

[mtaumike]

Will this be a part of v1.26.0 then?

I guess my actual big question is thus: When can we expect this feature to be implemented in this provider plugin?

Hello @erikpaasonen!

[bflad]

It's not currently on my personal hit list and there are not currently any open WAF pull requests for the fix: https://github.com/terraform-providers/terraform-provider-aws/pulls?q=is%3Aopen+is%3Apr+label%3Aservice%2Fwaf

If someone is willing to submit a fix, the maintainers will be happy to take a look.

[bflad]

This should be fixed with #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 👍

# Implementation is similar for aws_wafregional_web_acl resource
resource "aws_waf_web_acl" "example" {
 # ... other configuration ...
  rules {
    # ... other configuration ...
    override_action {
       type = "NONE"
    }
    type = "GROUP"
    rule_id = "${aws_waf_rule_group.example.id}"
  }
}

[bflad]

This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[davyt10]

Does anyone have a working example of using adding managed rules, using the above resource config I am getting an error. I am on the latest provider.
resource "aws_wafregional_web_acl" "example" {
name = "test"
metric_name = "test"
default_action {
type = "BLOCK"
}
rules {
# ... other configuration ...
override_action {
type = "NONE"
}
type = "GROUP"
rule_id = "7ad2da1e-c2ce-49e7-9cc4-189171298654"
}
}

1 error(s) occurred:

• module.mobile_api_waf.aws_wafregional_web_acl.example: : invalid or unknown key: rules

[warwick-mitchell]

Should be rule, not rules. Global is rules and regional is rule.
resource "aws_wafregional_web_acl" "waf_acl" {
name = "%s"
metric_name = "%s"
default_action {
type = "ALLOW"
}
rule {
override_action {
type = "NONE"
}
priority = 1
type = "GROUP"
rule_id = "${aws_wafregional_rule_group.wafrulegroup.id}" # todo
}
}

[davyt10]

I had tried that previously, its the same issue.

[warwick-mitchell]

priority is also a required argument looking at the documentation. And make sure you are requiring at least AWS provider 1.27.

[davyt10]

No luck! This is for a managed F5 rule that I wanted to add to the webacl, is it something related to this I am wondering?

[warwick-mitchell]

No I've done it successfully with the F5 managed rule. Make sure the rule_id is the correct one for the region you're targeting.

Here's the exact config I've used

resource "aws_wafregional_web_acl" "protected_web_acl" {
name = "protected_web_acl"
metric_name = "ProtectedWebACL"
default_action {
type = "ALLOW"
}

rule {
override_action {
type = "NONE"
}
priority = 10
rule_id = "${var.waf_ruleset_group}"
type = "GROUP"
}
}

[davyt10]

OK that works, thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!