AWS Network Firewall Policy - STRICT_ORDER on a rules_source of rules_source_list (Domain List)

I have been trying to create a STATEFUL firewall policy that incorporates my ALLOW Domain List and some stateful rules. I would like to do this with STRICT_ORDER to follow AWS recommended practices.

When I try to combine a STRICT_ORDER rule and a Domain List, TFE errors out on me complaining about Priority. However, I do have priorities for all my rules.

Error: creating NetworkFirewall Firewall Policy (strict-order-network-firewall-policy): InvalidRequestException: ResourceArn has invalid rule order, parameter: [arn:aws:network-firewall:us-east-1::stateful-rulegroup/managed-domain-list-wildcards], context: StatefulRuleGroupReferences[0].ResourceArn

with aws_networkfirewall_firewall_policy.strict-order-network-firewall-policy

TF documentation on rule groups with a big NOTE:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group

The above has a note that STRICT_ORDER is not allowed with the Terraform Provider for AWS Network Firewall Rule Groups of rules_source type rules_source_list.

I believe this is why it fails and I have to revert to using default ACTION ordering. In the AWS Console, however, I can ClickOps a STATEFUL policy together that includes STRICT_ORDER and a numbered policy list containing both a Domain List at priority 1 and a STATEFUL rule at priority 2.

Is this a Terraform limitation or am I missing something?

Code example that errors on invalid priority (straight quotes and `${...}` interpolation restored; the ARNs were rendered with curly quotes and without the `$` in the original post):

```hcl
resource "aws_networkfirewall_firewall_policy" "strict-order-network-firewall-policy" {
  name = "strict-order-network-firewall-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    # Strict evaluation order for the stateful engine
    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    # Default actions only apply when rule_order is STRICT_ORDER
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]

    # Stateful (Suricata-compatible) rule group, evaluated first
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = "arn:aws:network-firewall:${var.region}:${var.aws_account_id}:stateful-rulegroup/allow-dns-stateful"
    }

    # Domain list rule group (rules_source_list), evaluated second.
    # This reference is what triggers "invalid rule order".
    stateful_rule_group_reference {
      priority     = 2
      resource_arn = "arn:aws:network-firewall:${var.region}:${var.aws_account_id}:stateful-rulegroup/managed-domain-list-wildcards"
    }
  }
}
```

I spoke with an AWS Network Firewall solutions architect. There is no feature parity between IaC and the Console. He suggested abandoning my design and doing EVERYTHING using Suricata rules, including domain lists. He said this is how most Enterprises who do IaC are implementing AWS Network Firewall.

Looks like for now it's expected to get errors if you try to mix and match Strict Order, Stateful Rules, and Domain Lists in a policy. He also shared some best practices, like only using "Drop Established" so you get full header info, and using Stateful, never Stateless, rules.

https://aws.github.io/aws-security-services-best-practices/guides/network-firewall/
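The following is an added example of the approach the solutions architect described (it is not code from the thread or from AWS): a single STRICT_ORDER stateful rule group whose Suricata `rules_string` carries both the DNS allow rule and the domain allow list, referenced from a STRICT_ORDER policy whose default action is `aws:drop_established`. The domain names, the `HOME_NET` CIDR, the rule group capacity and the resource names are assumptions chosen for illustration.

```hcl
# Added example: domain allow-listing expressed as Suricata rules instead of a
# rules_source_list, so the whole stack can use STRICT_ORDER from Terraform.
resource "aws_networkfirewall_rule_group" "allow_domains_suricata" {
  capacity = 100 # assumed; size to the number of rules you carry
  name     = "allow-domains-suricata"
  type     = "STATEFUL"

  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["10.0.0.0/16"] # assumed VPC CIDR; set to your protected subnets
        }
      }
    }

    rules_source {
      # Rules are evaluated top to bottom under STRICT_ORDER, so the pass rules
      # come first; anything not passed falls through to the policy default
      # (aws:drop_established + aws:alert_established). Each sid must be unique.
      rules_string = <<-EOT
        pass udp $HOME_NET any -> any 53 (msg:"Allow outbound DNS"; sid:1000; rev:1;)
        pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".example.com"; endswith; msg:"Allow TLS to *.example.com"; sid:1001; rev:1;)
        pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".example.com"; endswith; msg:"Allow HTTP to *.example.com"; sid:1002; rev:1;)
        pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"Allow TLS to *.amazonaws.com"; sid:1003; rev:1;)
      EOT
    }

    # The rule group itself must be STRICT_ORDER to be referenced from a
    # STRICT_ORDER policy.
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "strict_order_suricata_only" {
  name = "strict-order-suricata-only-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    # Drop only once the flow is established so the alert carries full
    # header/application-layer detail (the "Drop Established" practice above).
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]

    # One Suricata-based group replaces the separate DNS group and domain list.
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.allow_domains_suricata.arn
    }
  }
}
```

Because the policy default is `aws:drop_established`, no explicit `drop` rules are needed for non-allow-listed domains; any TLS or HTTP flow whose SNI or Host header does not end with one of the listed suffixes is dropped and logged with its headers. The `dotprefix` + `endswith` pair matches the domain and its subdomains only, which avoids the classic `example.com.attacker.test` substring mismatch that a bare `content:"example.com"` would allow.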