AWS Network Firewall - Invalid ARN error when adding AWS Managed Rule Group To Policy


When I attempt to add an AWS Managed Stateful Rule Group to an AWS Network Firewall Policy, I receive the error below:

Example Resource:

resource "aws_networkfirewall_firewall_policy" "nfw-policy" {
  name = "nfw-policy"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options {
      rule_order = "DEFAULT_ACTION_ORDER"
    }
    # Reference to the AWS managed rule group; its ARN carries "aws-managed"
    # where a 12-digit account ID would normally appear.
    stateful_rule_group_reference {
      resource_arn = "arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/MalwareDomainsActionOrder"
    }
  }
}

Resultant Error:

│ Error: "firewall_policy.0.stateful_rule_group_reference.0.resource_arn" (arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/MalwareDomainsActionOrder) is an invalid ARN: invalid account ID value (expecting to match regular expression: ^(aws|\d{12})$)
│   with aws_networkfirewall_firewall_policy.nfw-policy,
│   on line 53, in resource "aws_networkfirewall_firewall_policy" "nfw-policy":
│   53:     stateful_rule_group_reference {

This only happens with the AWS Managed Stateful Rule Groups. Terraform can provision the policy resource just fine when I reference my own custom stateful rule groups. It appears Terraform’s regex rule doesn’t like the ARN of the managed rule groups because “aws-managed” is in place of a normal Account ID. Is there a workaround or fix?

Thanks in advance for any help.
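As an added illustration (not code from this thread or from the Terraform AWS provider), a small ARN checker that applies the strict account-ID rule quoted in the error message and a relaxed rule that also admits the "aws-managed" account segment used by AWS managed Network Firewall rule groups; the custom rule group ARN and its 12-digit account ID are constructed placeholders:

```python
import re

# Strict account-ID rule exactly as quoted in the Terraform error on this page.
STRICT_ACCOUNT_RE = re.compile(r"^(aws|\d{12})$")
# Relaxed rule that also accepts the "aws-managed" account segment that AWS
# Network Firewall uses for its managed rule groups (an assumption made here
# for illustration, not the provider's own validation code).
RELAXED_ACCOUNT_RE = re.compile(r"^(aws|aws-managed|\d{12})$")


def parse_arn(arn: str) -> dict:
    """Split an ARN into its six colon-separated fields.

    Format: arn:partition:service:region:account:resource
    The resource field may itself contain colons, so split at most 5 times.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def account_id_ok(arn: str, strict: bool = True) -> bool:
    """Return True when the ARN's account field passes the chosen rule."""
    pattern = STRICT_ACCOUNT_RE if strict else RELAXED_ACCOUNT_RE
    return pattern.match(parse_arn(arn)["account"]) is not None


def is_managed_rule_group(arn: str) -> bool:
    """True for an AWS-managed Network Firewall stateful rule group ARN."""
    a = parse_arn(arn)
    return (a["service"] == "network-firewall"
            and a["account"] == "aws-managed"
            and a["resource"].startswith("stateful-rulegroup/"))


# The managed rule group ARN from the question, plus a constructed custom one
# (123456789012 is a placeholder account ID, not a real account).
MANAGED_ARN = "arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/MalwareDomainsActionOrder"
CUSTOM_ARN = "arn:aws:network-firewall:us-east-2:123456789012:stateful-rulegroup/my-custom-group"

if __name__ == "__main__":
    for arn in (MANAGED_ARN, CUSTOM_ARN):
        print(arn)
        print("  strict:", account_id_ok(arn), " relaxed:", account_id_ok(arn, strict=False))
```

Running it shows the managed ARN failing only the strict rule while the custom ARN passes both, which is the behaviour difference the question describes.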

Same problem here. Do you have any update on this issue or any workaround?

Thanks in advance.

Hi. I used your code and it works fine:

  • try to update our provider to version = “~> 4.0”
  • check your region.

My region is London and provider version ~> 4.0
All worked as expected.