Terraform-provider-aws: Feature request: support for WAF managed rulesets from marketplace

Created on 29 Jan 2018 · 8 comments · Source: hashicorp/terraform-provider-aws

AWS now offers managed WAF rulesets from the marketplace.

Terraform Version

Terraform v0.11.1

Affected Resource(s)

aws_waf_web_acl

Terraform Configuration Files

resource "aws_waf_web_acl" "foo" {
  name = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    type = "GROUP"
    priority = 10
    rule_id = "my-uuid-for-marketplace-ruleset"
  }
}

Debug Output

n/a

Panic Output

n/a

Expected Behavior

Terraform adds rule to web acl for marketplace ruleset.

Actual Behavior

Terraform does not support this.

Steps to Reproduce

  1. terraform plan

Important Factoids

n/a

References

Labels: enhancement, service/waf


All 8 comments

Would like to see this enhancement for the new aws_wafregional_web_acl resource type as well. In our testing it can use the same marketplace UUID.

A hint from a lesson learned while scripting this: the OverrideAction must be specified when working with managed rule groups. Also, managed rule groups worked best for us when set to priority = 1. So the proposed syntax might look like:

resource "aws_waf_web_acl" "foo" {
  name = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    type = "GROUP"
    priority = 1
    rule_id = "my-uuid-for-marketplace-ruleset"
    OverrideAction = {
      type = "None"
    }
  }
}

resource "aws_wafregional_web_acl" "foo" {
  name = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    type = "GROUP"
    priority = 1
    rule_id = "my-uuid-for-marketplace-ruleset"
    OverrideAction = {
      type = "None"
    }
  }
}

There's nothing specific to AWS Marketplace rule groups in terms of the AWS CLI syntax. Now that there's a Terraform resource to create a rule group, adding support for rule groups in WebACLs (ref Issue #4052) will fix this issue too.

Would love to see a data source to lookup Rule UUIDs based on a given MetricName. This would give the ability to dynamically determine the UUID for a particular rule group given the Marketplace name.

GROUP rule type handling within the aws_waf_web_acl and aws_wafregional_web_acl resources has been implemented in #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 🚀

# Implementation is similar for aws_wafregional_web_acl resource
resource "aws_waf_web_acl" "example" {
  # ... other configuration ...
  rules {
    # ... other configuration ...
    override_action {
      type = "NONE"
    }
    type    = "GROUP"
    rule_id = "${aws_waf_rule_group.example.id}"
  }
}

If you are interested in some form of data source for AWS Marketplace rules, I would add your 👍 to #2654 and follow along there.

This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

Does anyone have a working example of the above code? I am getting an error. I am on provider version 1.32.

Does anyone have a working example of adding managed rules? Using the above resource config, I am getting an error.

resource "aws_wafregional_web_acl" "foo" {
  name        = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    OverrideAction = {
      type = "None"
    }
    type     = "GROUP"
    priority = 1
    rule_id  = "7ad2da1e-c2ce-49e7-9cc4-189171298654"
  }
}

1 error(s) occurred:

module.mobile_api_waf.aws_wafregional_web_acl.example: : invalid or unknown key: rules
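Added example, not code from the thread, the provider's documentation or the project: the failing configuration above rewritten with the syntax given in the maintainer's comment, where override_action is a nested block (not an OverrideAction attribute) with an upper-case type. It assumes Terraform 0.11 and AWS provider 1.27 or later; the rule group ID is a placeholder to be replaced with the ID of the marketplace rule group the account is subscribed to.

```hcl
# Added example (not from the thread). Terraform 0.11 syntax, AWS provider >= 1.27.
# The failing config used `OverrideAction = { type = "None" }`, which the provider
# rejects as an unknown key; GROUP rules take an `override_action` block instead.

variable "marketplace_rule_group_id" {
  description = "ID of the subscribed AWS Marketplace managed rule group (placeholder value)"
  default     = "00000000-0000-0000-0000-000000000000"
}

resource "aws_wafregional_web_acl" "example" {
  name        = "example"
  metric_name = "example"

  # Action for requests that match no rule. ALLOW is the usual choice when the
  # only rules are a managed group whose own rules BLOCK or COUNT bad traffic;
  # a BLOCK default here would reject every request the group does not explicitly allow.
  default_action {
    type = "ALLOW"
  }

  # Managed rule group: type GROUP, the group's ID as rule_id, and an
  # override_action block (required for GROUP rules).
  rules {
    type     = "GROUP"
    priority = 1
    rule_id  = "${var.marketplace_rule_group_id}"

    # "NONE" applies the actions defined inside the group; "COUNT" would instead
    # only count matches, which is useful for evaluating a new group before enforcing it.
    override_action {
      type = "NONE"
    }
  }
}

# Same shape for the global (CloudFront) resource.
resource "aws_waf_web_acl" "example" {
  name        = "example"
  metric_name = "example"

  default_action {
    type = "ALLOW"
  }

  rules {
    type     = "GROUP"
    priority = 1
    rule_id  = "${var.marketplace_rule_group_id}"

    override_action {
      type = "NONE"
    }
  }
}
```

Running a managed group with override_action type "COUNT" first, then switching to "NONE" once the CloudWatch metrics show no false positives, is the low-risk way to roll it out.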

Having data objects to query WAF ACL IDs created in other Terraform projects would be of great help, both

data "aws_waf_web_acl"
and
data "aws_wafregional_web_acl"

Hey.

AWS released their own managed rules - https://aws.amazon.com/blogs/aws/announcing-aws-managed-rules-for-aws-waf/

Any plan to include them?

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
