terraform-provider-aws: WAF WebACL resources missing support for using Rule Groups

Terraform Version

Terraform v0.11.5
+ provider.aws v1.13.0

Affected Resource(s)

  • aws_waf_rule_group
  • aws_waf_web_acl
  • aws_wafregional_rule_group
  • aws_wafregional_web_acl

Terraform Configuration Files

This is copied and pasted straight from the examples for aws_waf_rule_group and aws_waf_web_acl, just adapted to use the rule group.

resource "aws_waf_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_waf_rule_group" "example" {
  name        = "example"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }

    priority = 50
    rule_id  = "${aws_waf_rule.example.id}"
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_waf_rule_group.example.id}"
    # provider v1.13.0 accepts only REGULAR or RATE_BASED here and rejects GROUP
    type     = "GROUP"
  }
}

Debug Output

https://gist.github.com/erikpaasonen/83174454128c6ae05e6d0058d0b72a3a

Expected Behavior

Terraform should create the WAF WebACL using the new rule group resource.

Actual Behavior

Terraform aborts almost immediately because it is expecting a type of only REGULAR or RATE_BASED. It considers GROUP as invalid input.

Important Factoids

Our team currently has the insertion of a managed rule group working using the AWS CLI. The AWS CLI supports the GROUP type. Here’s the syntax for a known-good updates list entry for use with the AWS CLI:

{
    "Action": "INSERT",
    "ActivatedRule": {
        "Priority": 1,
        "RuleId": "my-known-good-rule-group-uuid",
        "OverrideAction": {
            "Type": "COUNT"
        },
        "Type": "GROUP"
    }
}

As mentioned in Issue #3172, the aws_waf_web_acl and aws_wafregional_web_acl resources are missing support for OverrideAction. Once resolved, this issue is expected to resolve Issue #3172 at least for the hard-coded UUID use case.

I’m filing this particular issue as a bug now that v1.13.0 is live. But I believe this was simply an integration oversight when the new aws_waf_rule_group and aws_wafregional_rule_group resource types were recently introduced.

References

  • PR #3898
  • Issue #424
  • Issue #3172
  • https://docs.aws.amazon.com/cli/latest/reference/waf/update-web-acl.html#options
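The CLI workaround above only shows the shape of one updates entry. The following script is an added example for this issue, not code from the reporter or from the provider: it builds that entry, enforces the field rule that trips people up (a GROUP entry carries OverrideAction with NONE or COUNT, while REGULAR and RATE_BASED entries carry Action with ALLOW, BLOCK or COUNT), and wires it into the change-token flow that every WAF Classic mutation requires. The web ACL and rule group IDs are placeholders you supply on the command line.

```sh
#!/bin/sh
# Added example for this issue, not code from the reporter or the provider.
# Builds the "updates" entry the AWS CLI expects for a WAF Classic rule group
# and applies it with the get-change-token / update-web-acl sequence.
# Web ACL and rule group IDs passed in are placeholders.

# Print one ActivatedRule update entry as a single-line JSON array.
# The API takes OverrideAction (NONE or COUNT) for Type GROUP and Action
# (ALLOW, BLOCK or COUNT) for REGULAR and RATE_BASED; mixing them up is
# rejected by the service, so the function refuses to emit such an entry.
# Usage: waf_update_entry INSERT|DELETE PRIORITY RULE_ID TYPE ACTION_TYPE
waf_update_entry() {
  op=$1 priority=$2 rule_id=$3 rule_type=$4 action_type=$5
  case "$op" in
    INSERT|DELETE) ;;
    *) echo "Action must be INSERT or DELETE, got '$op'" >&2; return 1 ;;
  esac
  case "$priority" in
    ''|*[!0-9]*) echo "Priority must be a non-negative integer, got '$priority'" >&2; return 1 ;;
  esac
  case "$rule_type" in
    GROUP)
      case "$action_type" in
        NONE|COUNT) action_key=OverrideAction ;;
        *) echo "GROUP entries take OverrideAction NONE or COUNT, got '$action_type'" >&2; return 1 ;;
      esac ;;
    REGULAR|RATE_BASED)
      case "$action_type" in
        ALLOW|BLOCK|COUNT) action_key=Action ;;
        *) echo "$rule_type entries take Action ALLOW, BLOCK or COUNT, got '$action_type'" >&2; return 1 ;;
      esac ;;
    *) echo "Type must be REGULAR, RATE_BASED or GROUP, got '$rule_type'" >&2; return 1 ;;
  esac
  printf '[{"Action":"%s","ActivatedRule":{"Priority":%s,"RuleId":"%s","%s":{"Type":"%s"},"Type":"%s"}}]\n' \
    "$op" "$priority" "$rule_id" "$action_key" "$action_type" "$rule_type"
}

# Insert a rule group into a global WAF web ACL. Only defined here; calling it
# needs the aws CLI and credentials. Use "aws waf-regional" for regional ACLs.
# Usage: waf_insert_rule_group WEB_ACL_ID RULE_GROUP_ID PRIORITY [NONE|COUNT]
waf_insert_rule_group() {
  web_acl_id=$1 rule_group_id=$2 priority=$3 override=${4:-NONE}
  updates=$(waf_update_entry INSERT "$priority" "$rule_group_id" GROUP "$override") || return 1
  # Every WAF Classic mutation must carry a fresh change token.
  token=$(aws waf get-change-token --query ChangeToken --output text) || return 1
  aws waf update-web-acl --web-acl-id "$web_acl_id" \
    --change-token "$token" --updates "$updates"
}
```

The OverrideAction field this script emits is the same thing the provider later exposed as the override_action block on a GROUP rule; NONE lets the group's own rule actions apply, COUNT turns the whole group into count-only, which is the safe way to trial a managed rule group before letting it block.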

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (6 by maintainers)

Most upvoted comments

This should be fixed with #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 👍

# Implementation is similar for aws_wafregional_web_acl resource
resource "aws_waf_web_acl" "example" {
  # ... other configuration ...
  rules {
    # ... other configuration ...
    override_action {
      type = "NONE"
    }
    type    = "GROUP"
    rule_id = "${aws_waf_rule_group.example.id}"
  }
}

Will this be a part of v1.26.0 then?

I guess my actual big question is thus: When can we expect this feature to be implemented in this provider plugin?

Hello @erikpaasonen!