I want to create an AWS WAFv2 web acl of Cloudfront scope. I am using AWS managed rules. For Some rules in the managed rule group I have a scop-down statement. The json that I get from AWS is as follows:
{
"Name": "AWS-AWSManagedRulesAdminProtectionRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesAdminProtectionRuleSet",
"ScopeDownStatement": {
"ByteMatchStatement": {
"SearchString": "abc",
"FieldToMatch": {
"UriPath": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "CONTAINS_WORD"
}
}
}
},
"OverrideAction": {
"Count": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesAdminProtectionRuleSet"
}
}
The AWS documentation here says that scope-down statements are allowed in the Managed rule group statement. However when I read the Terraform docs here we don’t have any option for scope-down statements. When I try to create a rule like the following, it passes terraform validation, however when I apply it I get an AWS error that says that I have added two statements, where one is required. This is very confusing. Is there a way I can achieve this, if yes how? Any help will be highly appreciated.
rule {
name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
priority = 0
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesAdminProtectionRuleSet"
vendor_name = "AWS"
} {
byte_match_statement {
field_to_match {
uri_path {}
}
search_string = "abc"
text_transformation {
priority = 0
type = "NONE"
}
positional_constraint = "CONTAINS_WORD"
}
}
visibility_config {
sampled_requests_enabled = true
metric_name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
cloudwatch_metrics_enabled = true
}
}
thanks