AWS Managed Rules for AWS WAF

[ewbankkit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS WAF announces AWS Managed Rules (AMRs), a set of AWS WAF rules curated and maintained by the AWS Threat Research Team.

New or Affected Resource(s)

• aws_XXXXX

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

Announcement.
Blog post.

New API version, wafv2; See aws/aws-sdk-go#2976.

Requires AWS SDK v1.25.42:

• Update module aws/aws-sdk-go to v1.25.42 #10955

[bflad]

Submitted the wafv2 service client and tagging implementation to kick things off here: #11172

I believe WAFv2 APIs are wholly independent of previous WAF "Classic" resources, so this issue may need to turn into multiple feature requests to support other WAFv2 resources as well like Web ACL for parity with the previous ones.

[bflad]

Split out other related WAFv2 feature requests:

• aws_wafv2_ip_set resource / data source
• aws_wafv2_regex_pattern_set resource / data source
• aws_wafv2_rule_group resource / data source
• aws_wafv2_web_acl resource / data source
• aws_wafv2_web_acl_association resource

In WAFv2 it appears that referencing managed rules is based on name and vendor name arguments that live inside the much more complicated (compared to WAF Classic) rule structure, which you can see in #11175 and #11176.

As for this feature request issue, I'm not sure if we should keep those open to track overall WAFv2 implementation, close it in preference of the split out issues, or if there's much benefit to having something akin to the below since the name/vendor lookup is the same (and not like the references need to be ARNs or some other identifier):

data "aws_wafv2_managed_rule_group" "example" {
  name = ""
  scope = ""
  vendor_name = ""
}

[wgorski]

I'm very happy to see that this is being implemented. Is this planned for any specific version?

[pvanbuijtene]

@wgorski I don't think so, next step is getting the PRs to be reviewed.

[maryelizbeth]

Hi Y’all!

Due to the significant community interest in support for this service, we will be focusing on enabling existing contributions to be merged. Where a community sourced pull request is missing, the Hashicorp team will add support.

We appreciate all the contributions and feedback thus far!

Look out for WAFv2 support to be within the next few releases!

[itsSaad]

We have started using the aws_wafv2_webacl resource now that its released with 2.67.0. Nice Work Community.
It seems that we are missing the PutLoggingConfiguration functionality on a wafv2 webacl. Is this something we plan to deliver soon or any plans for it?

[breathingdust]

Hi @itsSaad! 👋

Support for logging configuration has just been released in v2.68.0 of the provider via the aws_wafv2_web_acl_logging_configuration resource. 🎉

[breathingdust]

As the last item for this meta issue has been release I will close this meta-issue. Huge thanks to @pvanbuijtene for the contributions!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!