Conditional block or allow variable for wafv2 resource when using override_action or default_action

marcincuber · June 19, 2020, 12:44pm

I have following terraform resource:

resource "aws_wafv2_web_acl" "main" {
  name  = var.name_prefix
  scope = "REGIONAL"

  default_action {
    block {}
  }
}

Question: how can I make default_action block so that it can be passed as a variable? Is there some solution using dynamic block that I am not aware of?

I have tried:

  dynamic "default_action" {
    for_each = var.default_action
    content {
      default_action.value
    }
  }

but this is simply failing with an error: An argument or block definition is required here. To set an argument, use the equals sign “=” to introduce the argument value.

Same problem applies to rule block which can contain:

   override_action {
      count {}
  }

Please advise

sachinbachhav · July 6, 2020, 4:23pm

Try below approach -

default_action {

 dynamic "allow" {
   for_each = var.default_action == "allow" ? [""] : []
   content {
   }
 }

 dynamic "block" {
   for_each = var.default_action == "block" ? [""] : []
   content {
   }
 }

}
It worked for me

dsantanu · May 31, 2023, 11:39am

In stead of doing [""]; I used ["a"] and ["b"] for allow and block respectively, which essentially does the same job but just looks a bit nicer to me

Topic		Replies	Views
Default_action block conditional or a variable for wafv2 resource Terraform	1	1646	July 3, 2020
WAFv2 web_acl "action" from variable? AWS	1	775	August 12, 2020
AWS WAF Module with Child Module rule_action_override AWS waf	1	113	July 11, 2024
Conditionals with for_each Terraform	2	7879	February 5, 2020
Dynamic argument with if conditional Terraform hcp-terraform	5	4461	December 1, 2020

Conditional block or allow variable for wafv2 resource when using override_action or default_action

Related topics