Greetings,
When I attempt to add an AWS Managed Stateful Rule Group to an AWS Network Firewall Policy, I receive the error below:
Example Resource:
    resource "aws_networkfirewall_firewall_policy" "nfw-policy" {
      name = "nfw-policy"
      firewall_policy {
        stateless_default_actions          = ["aws:forward_to_sfe"]
        stateless_fragment_default_actions = ["aws:forward_to_sfe"]
        stateful_engine_options {
          rule_order = "DEFAULT_ACTION_ORDER"
        }
        stateful_rule_group_reference {
          resource_arn = "arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/MalwareDomainsActionOrder"
        }
      }
    }
Resultant Error:
│ Error: "firewall_policy.0.stateful_rule_group_reference.0.resource_arn" (arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/MalwareDomainsActionOrder) is an invalid ARN: invalid account ID value (expecting to match regular expression: ^(aws|\d{12})$)
│
│ with aws_networkfirewall_firewall_policy.nfw-policy,
│ on nfw.tf line 53, in resource "aws_networkfirewall_firewall_policy" "nfw-policy":
│ 53: stateful_rule_group_reference {
│
This only happens with the AWS Managed Stateful Rule Groups. Terraform can provision the policy resource just fine when I reference my own custom stateful rule groups. It appears Terraform’s regex rule doesn’t like the ARN of the managed rule groups because “aws-managed” is in place of a normal Account ID. Is there a workaround or fix?
Thanks in advance for any help.
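To make the failure mode in this question concrete, here is an added example (not code from the poster, from Terraform, or from the AWS provider) that splits an ARN into its fields and applies the account-ID pattern quoted in the error message, `^(aws|\d{12})$`, to the account field. It assumes that pattern is the check the provider applies to `resource_arn`; the relaxed pattern that also accepts `aws-managed`, the 12-digit account number `123456789012`, and the `custom-rg` rule group name are constructed for the example.

```python
import re

# Account-ID pattern quoted in the provider error on the page: the account field
# must be either the literal "aws" or a 12-digit account number.
STRICT_ACCOUNT_RE = re.compile(r"^(aws|\d{12})$")

# Relaxed pattern (constructed for this example, not the provider's code) that
# additionally accepts the "aws-managed" pseudo-account used by AWS managed
# Network Firewall rule groups.
RELAXED_ACCOUNT_RE = re.compile(r"^(aws|aws-managed|\d{12})$")

# Sample references: the managed rule group ARN from the question, plus a
# constructed customer-owned rule group ARN with a placeholder account ID.
MANAGED_ARN = ("arn:aws:network-firewall:us-east-2:aws-managed:"
               "stateful-rulegroup/MalwareDomainsActionOrder")
CUSTOM_ARN = ("arn:aws:network-firewall:us-east-2:123456789012:"
              "stateful-rulegroup/custom-rg")


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into a dict.

    The resource part may itself contain ':' (e.g. type:name), so split on at
    most five colons and keep the remainder intact.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def account_is_valid(arn, pattern=STRICT_ACCOUNT_RE):
    """Return True if the ARN's account field satisfies the given pattern."""
    return bool(pattern.match(parse_arn(arn)["account"]))


def check_references(arns, pattern=STRICT_ACCOUNT_RE):
    """Map each ARN to whether it would pass the account-ID check.

    Useful when reviewing a policy before apply: every False entry is a
    reference the strict validator will reject with the error seen above.
    """
    return {arn: account_is_valid(arn, pattern) for arn in arns}


if __name__ == "__main__":
    for label, pattern in (("strict", STRICT_ACCOUNT_RE), ("relaxed", RELAXED_ACCOUNT_RE)):
        print(f"--- {label} pattern: {pattern.pattern}")
        for arn, ok in check_references([MANAGED_ARN, CUSTOM_ARN], pattern).items():
            account = parse_arn(arn)["account"]
            print(f"{'accept' if ok else 'REJECT'}  account={account!r}  {arn}")
```

Running it shows the account field of the managed rule group ARN is the string `aws-managed`, which is neither `aws` nor twelve digits, so the strict pattern rejects it while the customer-owned ARN passes; only the relaxed pattern accepts both.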