
Feature request: support for WAF managed rulesets from marketplace #3172

Closed
thomasvandoren opened this issue Jan 29, 2018 · 8 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service.

Comments

@thomasvandoren

AWS now offers managed WAF rulesets from the marketplace.

Terraform Version

Terraform v0.11.1

Affected Resource(s)

aws_waf_web_acl

Terraform Configuration Files

resource "aws_waf_web_acl" "foo" {
  name = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    type = "GROUP"
    priority = 10
    rule_id = "my-uuid-for-marketplace-ruleset"
  }
}

Debug Output

n/a

Panic Output

n/a

Expected Behavior

Terraform adds a rule to the web ACL for the marketplace ruleset.

Actual Behavior

Terraform does not support this.

Steps to Reproduce

  1. terraform plan

Important Factoids

n/a

References

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service. labels Jan 29, 2018
@erikpaasonen
Contributor

Would like to see this enhancement for the new aws_wafregional_web_acl resource type as well. In our testing it can use the same marketplace UUID.

Hint from a lesson learned having scripted this: the OverrideAction must be specified when working with managed rule groups. Also, managed rule groups worked best for us when set to priority = 1. So the proposed syntax might look like:

resource "aws_waf_web_acl" "foo" {
  name = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    type = "GROUP"
    priority = 1
    rule_id = "my-uuid-for-marketplace-ruleset"
    OverrideAction = {
      type = "None"
    }
  }
}

resource "aws_wafregional_web_acl" "foo" {
  name = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    type = "GROUP"
    priority = 1
    rule_id = "my-uuid-for-marketplace-ruleset"
    OverrideAction = {
      type = "None"
    }
  }
}

@erikpaasonen
Contributor

There's nothing specific to AWS Marketplace rule groups in terms of the AWS CLI syntax. Now that there's a Terraform resource to create a rule group, adding support for rule groups in WebACLs (ref Issue #4052) will fix this issue too.

Would love to see a data source to look up Rule UUIDs based on a given MetricName. This would give the ability to dynamically determine the UUID for a particular rule group given the Marketplace name.

@bflad bflad added this to the v1.27.0 milestone Jul 9, 2018
@bflad
Contributor

bflad commented Jul 9, 2018

GROUP rule type handling within the aws_waf_web_acl and aws_wafregional_web_acl resources has been implemented in #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 🚀

# Implementation is similar for aws_wafregional_web_acl resource
resource "aws_waf_web_acl" "example" {
  # ... other configuration ...
  rules {
    # ... other configuration ...
    override_action {
      type = "NONE"
    }
    type    = "GROUP"
    rule_id = "${aws_waf_rule_group.example.id}"
  }
}

If you are interested in some form of data source for AWS Marketplace rules, I would add your 👍 to #2654 and follow along there.
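A complete configuration using the released GROUP rule handling (provider 1.27.0+), added here as an illustration; it is not from the issue, the provider docs, or any of the commenters. The Marketplace rule group ID is a placeholder variable and the `enforce` variable is an assumption used to switch between observing and enforcing the managed rule group:

```hcl
# Added example, not from the issue or the provider. Assumes the
# 1.27.0+ syntax (override_action block) and two input variables.

variable "marketplace_rule_group_id" {
  description = "Placeholder: ID of the subscribed Marketplace rule group (no real ID is given here)"
}

variable "enforce" {
  description = "false = COUNT matches only (observe), true = let the group's own rules act"
  default     = false
}

resource "aws_waf_web_acl" "example" {
  name        = "example"
  metric_name = "example"

  # Allow by default so only the managed rule group decides what to block.
  default_action {
    type = "ALLOW"
  }

  rules {
    priority = 1
    type     = "GROUP"
    rule_id  = "${var.marketplace_rule_group_id}"

    # GROUP rules take override_action instead of action.
    # COUNT records matches in the WAF metrics without blocking; NONE lets
    # the group's own actions apply. Run in COUNT first to spot false
    # positives, then set var.enforce = true to enforce.
    override_action {
      type = "${var.enforce ? "NONE" : "COUNT"}"
    }
  }
}
```

The same block layout applies to aws_wafregional_web_acl, as the comment above notes.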

@bflad bflad closed this as completed Jul 9, 2018
@bflad
Contributor

bflad commented Jul 11, 2018

This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@davyt10

davyt10 commented Aug 21, 2018

Anyone have a working example of the above code? I am getting an error. I am on provider version 1.32.

Does anyone have a working example of adding managed rules? Using the above resource config I am getting an error.

resource "aws_wafregional_web_acl" "foo" {
  name        = "foo"
  metric_name = "foo"
  default_action {
    type = "BLOCK"
  }
  rules {
    OverrideAction = {
      type = "None"
    }
    type     = "GROUP"
    priority = 1
    rule_id  = "7ad2da1e-c2ce-49e7-9cc4-189171298654"
  }
}

1 error(s) occurred:

module.mobile_api_waf.aws_wafregional_web_acl.example: : invalid or unknown key: rules

@craiglink

Having data objects to query WAF ACL IDs created in other Terraform projects would be of great help, both

data "aws_waf_web_acl"
&
data "aws_wafregional_web_acl"

@airmonitor

Hey.

AWS released their own managed rules - https://aws.amazon.com/blogs/aws/announcing-aws-managed-rules-for-aws-waf/

Any plan to include them?

@ghost

ghost commented Nov 26, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 26, 2019