I'm trying to create a WAF ACL using two AWS Managed rules. These should be evaluated in natural order from priority 1 and then 2.
I've got:
resource "aws_wafv2_web_acl" "acl" {
  name  = "us-blog-production-waf-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "managed-common-rules"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-managed-common-rules"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "ip-reputation-rules"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-ip-reputation-rules"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "account-takeover-rules"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesATPRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-account-takeover-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "us-blog-production-waf"
    sampled_requests_enabled   = false
  }
}
I tried having two rule blocks inside the aws_wafv2_web_acl resource block, but it wouldn't work either.
The error I'm getting is:
│ {
│ RespMetadata: {
│ StatusCode: 400,
│ RequestID: "77a6b751-49b1-46d0-af20-39a25e578e79"
│ },
│ Field: "MANAGED_RULE_SET_STATEMENT",
│ Message_: "Error reason: A required field is missing from the parameter., field: MANAGED_RULE_SET_STATEMENT, parameter: ManagedRuleSetConfig",
│ Parameter: "ManagedRuleSetConfig",
│ Reason: "A required field is missing from the parameter."
│ }
How should I set it up?
As per my comment, the documentation says you can have multiple rules in the resource, but you have to have one of action or override_action [1]:
    One of action or override_action is required when specifying a rule
This is what is missing in your code.
EDIT: The second issue that is happening is probably because there is additional pricing for the ATP managed rule set [2].
[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#rules
[2] https://aws.amazon.com/waf/pricing/#Intelligent_threat_mitigation_from_AWS_WAF
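The following is an added example, not code from either post. It shows the same three AWS managed rule groups as one complete REGIONAL web ACL, together with the managed_rule_group_configs block that recent versions of the Terraform AWS provider expose for the ATP rule group: the ATP group is the one of the three that needs a login path configured, and it is the paid add-on the pricing link above refers to. The login path and the JSON field identifiers are assumptions for illustration, and the ATP group is run in count mode first so its matches can be reviewed in CloudWatch before it is allowed to block.

```hcl
# Added example (not from the question or the answer): a REGIONAL web ACL with
# the Common, IP reputation and ATP managed rule groups. Paths, field
# identifiers and metric names are assumed values.

resource "aws_wafv2_web_acl" "acl" {
  name  = "us-blog-production-waf-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Priority 0: baseline protections from the Common rule set.
  rule {
    name     = "managed-common-rules"
    priority = 0

    # Managed rule group statements take override_action, not action.
    # none {} keeps the group's own block/count actions.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-managed-common-rules"
      sampled_requests_enabled   = true
    }
  }

  # Priority 1: sources on Amazon's IP reputation list.
  rule {
    name     = "ip-reputation-rules"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-ip-reputation-rules"
      sampled_requests_enabled   = true
    }
  }

  # Priority 2: Account Takeover Prevention. Unlike the two groups above, this
  # group has to be told where the login endpoint is and how credentials are
  # submitted, via managed_rule_group_configs.
  rule {
    name     = "account-takeover-rules"
    priority = 2

    # count {} records matches without blocking; switch to none {} once the
    # CloudWatch metrics for this rule look sane for legitimate logins.
    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesATPRuleSet"
        vendor_name = "AWS"

        managed_rule_group_configs {
          aws_managed_rules_atp_rule_set {
            login_path = "/api/v1/login" # assumed login endpoint

            # Assumed JSON login body; identifiers are JSON pointers.
            request_inspection {
              payload_type = "JSON"
              username_field {
                identifier = "/username"
              }
              password_field {
                identifier = "/password"
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-account-takeover-rules"
      sampled_requests_enabled   = true
    }
  }

  # ACL-level metrics and sampling are what you look at when a rule in count
  # mode starts matching; keep them on.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "us-blog-production-waf"
    sampled_requests_enabled   = true
  }
}
```

Response inspection (success/failure status codes) is left out because AWS only offers it for web ACLs that protect CloudFront distributions, not REGIONAL ones. Priorities are evaluated lowest number first, so the three groups run in the order 0, 1, 2 as written.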