Feature Request: WAFv2 Rule Group Resource #11175

Closed
bflad opened this issue Dec 6, 2019 · 10 comments · Fixed by #12677
Labels: new-resource (Introduces a new resource.), service/wafv2 (Issues and PRs that pertain to the wafv2 service.)
bflad commented Dec 6, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In November 2019, AWS released a new version of the WAF API, WAFv2, which offers improved functionality over the previous WAF API ("WAF Classic") such as Managed Rules and WAF Capacity Units. This new API requires separate Terraform resource implementations from the previous resource implementations.

New or Affected Resource(s)

  • aws_wafv2_rule_group

Potential Terraform Configuration

resource "aws_wafv2_rule_group" "example" {
  capacity    = 1
  description = ""
  name        = ""
  scope       = ""
  tags        = {}

  rule {
    action {
      # The below shows the current API structure, which means there may be intention to include
      # additional settings with each action type in the future
      # Purposefully empty configuration blocks are awkward in Terraform configurations and the Plugin SDK though, so we may want to shy away from the pure API schema mapping here if they cause any trouble
      allow {}
      block {}
      count {}
    }

    name = ""
    
    override_action {
      count {}
      none {}
    }

    priority = 1

    # these are not fully shown and appear to be recursive in some cases    
    statement {
      and_statement {
        statement {}
        statement {}
      }

      byte_match_statement {
        field_to_match {
          all_query_arguments {}
          body {}
          method {}
          query_string {}
          single_header {
            name = ""
          }
          single_query_argument {
            name = ""
          }
          uri_path {}
        }

        positional_constraint = ""
        search_string = ""

        text_transformation {
          priority = 1
          type = ""
        }
      }

      geo_match_statement {
        country_codes = []
      }

      ip_set_reference_statement {
        arn = ""
      }

      managed_rule_group_statement {
        excluded_rule {
          name = ""
        }

        name = ""
        vendor_name = ""
      }

      not_statement {
        statement {}
      }

      or_statement {
        statement {}
        statement {}
      }

      rate_based_statement {
        aggregate_key_type = ""
        limit = 100

        scope_down_statement {}
      }

      regex_pattern_set_reference_statement {
        arn = ""

        field_to_match {} # see above
        text_transformation {} # see above
      }

      rule_group_reference_statement {
        arn = ""

        excluded_rule {
          name = ""
        }
      }

      size_constraint_statement {
        comparison_operator = ""

        field_to_match {} # see above

        size = 1

        text_transformation {} # see above
      }

      sqli_match_statement {
        field_to_match {} # see above

        text_transformation {} # see above
      }

      xss_match_statement {
        field_to_match {} # see above

        text_transformation {} # see above
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name = ""
    sampled_requests_enabled = true
  }
}

References

@bflad bflad added new-resource Introduces a new resource. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Dec 6, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 6, 2019
@bflad bflad removed the needs-triage Waiting for first response or review from a maintainer. label Dec 6, 2019
@bflad bflad changed the title Feature Request: WAFv2 Rule Group Feature Request: WAFv2 Rule Group Resource Dec 6, 2019
@ricohomewood

@bflad any update on this new resource as to when they may be available? Thanks

@sb-travelperk

@bflad any update on this new resource as to when they may be available? Thanks
👍

I can't deal with the ugly wafv1 dashboard anymore... it breaks my soul! Especially when there's the new, modern, pretty wafv2 dashboard available in the console :)

@emmm-dee

I waited a very long time and set up bounties just to get the ALB multi-line rules added to Terraform. Maybe opening another bounty for this would give someone motivation.

@rajkumarkandasami

rajkumarkandasami commented May 26, 2020

I'm interested to work on this issue @bflad
@anGie44 anGie44 modified the milestones: Roadmap, v2.66.0 Jun 8, 2020

anGie44 commented Jun 8, 2020

This feature has been merged and will release with v2.66.0 of the Terraform AWS Provider, expected in this week's release.

@p4k1tz

p4k1tz commented Jun 11, 2020

Will this week's release include support for AWS managed rule-sets perhaps?

@anGie44

anGie44 commented Jun 11, 2020

hi @thagh05t 👋 the merge of this resource doesn't include it but #12688 (WebACL, currently in review) will provide support for Managed Rule Group Statements. Nevertheless, please feel free to create an issue for adding support for managed_rule_group statements within the wafv2 RuleGroup resource so we can keep track of this enhancement request (edit: pending upstream changes)!

@pvanbuijtene

AFAIK managed rules can only be added on a Web ACL, the docs are not 100% correct 😬

@ghost

ghost commented Jun 12, 2020

This has been released in version 2.66.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Jul 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 8, 2020