Terraform v0.11.5
+ provider.aws v1.13.0
This is copied and pasted straight from the examples for aws_waf_rule_group and aws_waf_web_acl, just adapted to use the rule group.
```hcl
resource "aws_waf_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_waf_rule_group" "example" {
  name        = "example"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }
    priority = 50
    rule_id  = "${aws_waf_rule.example.id}"
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }
    priority = 1
    rule_id  = "${aws_waf_rule_group.example.id}"
    type     = "GROUP"
  }
}
```
https://gist.github.com/erikpaasonen/83174454128c6ae05e6d0058d0b72a3a
Terraform should create the WAF WebACL using the new rule group resource.
Terraform aborts almost immediately because it is expecting a type of only REGULAR or RATE_BASED. It considers GROUP as invalid input.
Our team currently has the insertion of a managed rule group working using the AWS CLI. The AWS CLI supports the GROUP type. Here's the syntax for a known-good updates list entry for use with the AWS CLI:
```json
{
  "Action": "INSERT",
  "ActivatedRule": {
    "Priority": 1,
    "RuleId": "my-known-good-rule-group-uuid",
    "OverrideAction": {
      "Type": "COUNT"
    },
    "Type": "GROUP"
  }
}
```
As mentioned in Issue #3172, the aws_waf_web_acl and aws_wafregional_web_acl resources are missing support for OverrideAction. Once resolved, this issue is expected to resolve Issue #3172 at least for the hard-coded UUID use case.
I'm filing this particular issue as a bug now that v1.13.0 is live. But I believe this was simply an integration oversight when the new aws_waf_rule_group and aws_wafregional_rule_group resource types were recently introduced.
PR #3898
Issue #424
Issue #3172
https://docs.aws.amazon.com/cli/latest/reference/waf/update-web-acl.html#options
Thanks for reporting! It looks like the validation needs to be updated here:
The aws_wafregional_web_acl resource support for rule type has been merged into master via #4978 and will release with version 1.25.0 of the AWS provider, likely middle of this week. Please note you _must_ configure this new attribute for RATE_BASED rules.
It looks like the commit doesn't support Rule Groups, which this issue is referring to. We need this to support the use of AWS Managed Ruleset Groups from the marketplace.
Oh whoops you are correct, this is a separate issue, it was just linked in the PR.
Will this be a part of v1.26.0 then?
I guess my actual big question is thus: When can we expect this feature to be implemented in this provider plugin?
Hello @erikpaasonen!
It's not currently on my personal hit list and there are not currently any open WAF pull requests for the fix: https://github.com/terraform-providers/terraform-provider-aws/pulls?q=is%3Aopen+is%3Apr+label%3Aservice%2Fwaf
If someone is willing to submit a fix, the maintainers will be happy to take a look.
This should be fixed with #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 👍
```hcl
# Implementation is similar for aws_wafregional_web_acl resource
resource "aws_waf_web_acl" "example" {
  # ... other configuration ...

  rules {
    # ... other configuration ...

    override_action {
      type = "NONE"
    }
    type    = "GROUP"
    rule_id = "${aws_waf_rule_group.example.id}"
  }
}
```
This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Does anyone have a working example of adding managed rules? Using the above resource config I am getting an error. I am on the latest provider.
```hcl
resource "aws_wafregional_web_acl" "example" {
  name        = "test"
  metric_name = "test"

  default_action {
    type = "BLOCK"
  }

  rules {
    # ... other configuration ...

    override_action {
      type = "NONE"
    }
    type    = "GROUP"
    rule_id = "7ad2da1e-c2ce-49e7-9cc4-189171298654"
  }
}
```
1 error(s) occurred:
Should be rule, not rules. Global is rules and regional is rule.
```hcl
resource "aws_wafregional_web_acl" "waf_acl" {
  name        = "%s"
  metric_name = "%s"

  default_action {
    type = "ALLOW"
  }

  rule {
    override_action {
      type = "NONE"
    }
    priority = 1
    type     = "GROUP"
    rule_id  = "${aws_wafregional_rule_group.wafrulegroup.id}" # todo
  }
}
```
I had tried that previously, it's the same issue.
priority is also a required argument looking at the documentation. And make sure you are requiring at least AWS provider 1.27.
No luck! This is for a managed F5 rule that I wanted to add to the webacl, is it something related to this I am wondering?
No I've done it successfully with the F5 managed rule. Make sure the rule_id is the correct one for the region you're targeting.
Here's the exact config I've used
```hcl
resource "aws_wafregional_web_acl" "protected_web_acl" {
  name        = "protected_web_acl"
  metric_name = "ProtectedWebACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    override_action {
      type = "NONE"
    }
    priority = 10
    rule_id  = "${var.waf_ruleset_group}"
    type     = "GROUP"
  }
}
```
OK that works, thanks!
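The three points the thread converges on (a `GROUP` entry uses `override_action` rather than `action`, the global `aws_waf_web_acl` uses a `rules` block while the regional `aws_wafregional_web_acl` uses `rule`, and `priority` is required) are pulled together below in one complete configuration. This is an added example, not code from the thread or from the provider's own documentation; the region, the `REPLACE-WITH-...` rule group ID and the resource names are placeholders, and the syntax follows Terraform 0.11 to match the versions reported in the issue.

```hcl
# Added example: rule-group wiring for both the global and the regional
# WAF resources. Region and rule group ID below are placeholders.

provider "aws" {
  region  = "us-east-1"  # placeholder
  version = ">= 1.27.0"  # first provider release with GROUP support in the web ACL resources
}

# --- Global (CloudFront) WAF: rule -> rule group -> web ACL ----------------
resource "aws_waf_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_waf_rule_group" "example" {
  name        = "example"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }
    priority = 50
    rule_id  = "${aws_waf_rule.example.id}"
  }
}

resource "aws_waf_web_acl" "global" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  # Global ACL: block is named "rules".
  rules {
    # A GROUP entry takes override_action, not action. "NONE" keeps each
    # rule's own action; "COUNT" only counts matches, which is the usual
    # setting while evaluating a new or managed group before enforcing it.
    override_action {
      type = "NONE"
    }
    priority = 1
    rule_id  = "${aws_waf_rule_group.example.id}"
    type     = "GROUP"
  }
}

# --- Regional (ALB / API Gateway) WAF with an existing rule group ----------
variable "regional_rule_group_id" {
  description = "ID of a rule group in the target region (placeholder)"
  default     = "REPLACE-WITH-REGIONAL-RULE-GROUP-ID"
}

resource "aws_wafregional_web_acl" "regional" {
  name        = "tfRegionalWebACL"
  metric_name = "tfRegionalWebACL"

  default_action {
    type = "ALLOW"
  }

  # Regional ACL: block is named "rule", and priority is required.
  rule {
    override_action {
      type = "NONE"
    }
    priority = 10
    rule_id  = "${var.regional_rule_group_id}"
    type     = "GROUP"
  }
}
```

Rule group IDs are regional, so the value supplied for `regional_rule_group_id` has to come from the same region the provider is configured for, which is the mismatch the thread suggests checking first when the regional ACL fails to apply.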
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!