How to get the ARN of AWS managed NFW rule-groups?

As mentioned above, is there a way to get the ARNs of the AWS managed rule groups? I don’t want to hardcode the ARNs in the code, rather use a data resource or something to fetch the ARN values like this:

aws network-firewall list-rule-groups \
    --scope MANAGED \
    --managed-type AWS_MANAGED_THREAT_SIGNATURES  \
    --query 'RuleGroups[?Name==`ThreatSignaturesBotnetActionOrder`].Arn'

Is anything available atm? Or any workaround?

-S

Edit: I’m not sure about the awscc provider I originally referenced. But it looks like networkfirewall_resource_policy may require referencing it via the ARN vs. by the name, so it may not help for your use case.

There’s also awscc_networkfirewall_rule_group, which seems like it might do what you need, but I’m not familiar with that provider, and seems like it may be intended for a different use.

Edit: It seems like there’s not a data source for aws_networkfirewall_rule_group (in the AWS provider)

Yeah, same here; don’t know much about the awscc provider or if it can be mixed with the aws provider. I was surprised to see that there was no data provider (but was really hoping that someone would tell me I’m not looking in the correct place), hence asked here to see how/what other people are doing.

Data sources for Network Firewall · Issue #18026 · hashicorp/terraform-provider-aws · GitHub mentions supporting it, but I don’t see it in the provider docs, and trying to use it resulted in an error.

I don’t think it was ever released. The release notes for v4.26.0 only mention an aws_network_firewall data resource.

Could anyone from the team confirm please?

has a better description of what AWSCC is for; given that, I think using the awscc provider should be fine for this use case.

The following does work, though of course it isn’t super useful vs. just hard-coding the ARN, unless you need one of its other attributes:

data "awscc_networkfirewall_rule_group" "threat_signatures_botnet_action_order" {
  id = "arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetActionOrder"
}

output "test" {
  value = data.awscc_networkfirewall_rule_group.threat_signatures_botnet_action_order.rule_group_arn
}

awscc_networkfirewall_rule_groups doesn’t seem to contain the managed rule groups either; id gives you the region, but from what I can see, that also doesn’t seem to help you much.

I confirmed that it requires id vs., say, rule_group_name (which seems to be read-only, as the docs suggest).

This is what I get back, on an account without any defined custom rule groups:

{
 id  = "us-west-2"
 ids = []
}

There are a few posts out there of people trying to do similar stuff; maybe file an issue against one / both providers asking for them to expose the managed rule groups in a new or existing data source, or to allow using the rule name, type, and region vs. ARN to access the existing one.

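Since neither provider exposes the managed rule groups through a data source, the practical workaround for the question above is to construct the ARN from the parts that are not account-specific. The managed groups live under the pseudo-account "aws-managed" and are always stateful (see the ARN in the awscc example above), so the only variable pieces are the partition, the region and the group name. The following is an added example, not code from the thread or from either provider's documentation; it assumes a configured aws provider and uses a hypothetical policy name, and the second group name is illustrative (confirm any name with the `aws network-firewall list-rule-groups --scope MANAGED` query from the first post).

```hcl
# Added example: derive AWS managed Network Firewall rule-group ARNs from the
# current partition and region instead of hard-coding a full ARN per region.
# The group names are assumptions to be verified against
# `aws network-firewall list-rule-groups --scope MANAGED`.

data "aws_partition" "current" {}
data "aws_region" "current" {}

locals {
  # AWS managed stateful rule groups this policy should reference.
  managed_stateful_rule_groups = toset([
    "ThreatSignaturesBotnetActionOrder",
    "ThreatSignaturesMalwareActionOrder", # illustrative second group
  ])

  # Managed groups are owned by the pseudo-account "aws-managed" and are always
  # stateful, so the ARN is fully determined by partition, region and name.
  managed_stateful_rule_group_arns = {
    for name in local.managed_stateful_rule_groups :
    name => "arn:${data.aws_partition.current.partition}:network-firewall:${data.aws_region.current.name}:aws-managed:stateful-rulegroup/${name}"
  }
}

resource "aws_networkfirewall_firewall_policy" "managed_threat_signatures" {
  name = "managed-threat-signatures" # hypothetical name

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    # One reference per managed group, keyed by name so plan output stays readable.
    dynamic "stateful_rule_group_reference" {
      for_each = local.managed_stateful_rule_group_arns
      content {
        resource_arn = stateful_rule_group_reference.value
      }
    }
  }
}

output "managed_stateful_rule_group_arns" {
  value = local.managed_stateful_rule_group_arns
}
```

Two caveats worth knowing before relying on this. Terraform does not validate a constructed ARN at plan time: a misspelled group name, or a region where AWS does not offer that group, only fails at apply when the policy is created, so the CLI query above is the right pre-check. Also, the managed groups come in ActionOrder and StrictOrder variants, and the variant has to match the policy's stateful rule order; the example above uses the default action-order evaluation, so it references the ActionOrder names.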

Did a new feature request here:

