Rule_action_override for managed_rule_group_statement

GeorgeTerry · December 26, 2022, 9:19pm

Hello,

I am working on an update for an AWS WAFv2. Regarding the managed_rule_group_statement now we have a new option named rule_action_override to replace the deprecated option excluded_rule.
WAF Module

dynamic "managed_rule_group_statement" {
          for_each = lookup(rule.value, "managed_rule_group_statement", null) == null ? [] : [lookup(rule.value, "managed_rule_group_statement")]
          content {
            name        = lookup(managed_rule_group_statement.value, "name")
            vendor_name = lookup(managed_rule_group_statement.value, "vendor_name", "AWS")

            /*
            dynamic "excluded_rule" {
              for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) == null ? [] : [lookup(managed_rule_group_statement.value, "excluded_rule")]
              content {
                name = excluded_rule.value
              }
            }*/

            dynamic "rule_action_override" {
              for_each =  lookup(managed_rule_group_statement.value, "rule_action_override", null) == null ? []:[lookup(managed_rule_group_statement.value, "rule_action_override")]
              content {
                name = lookup(rule_action_override.value,"name")
                dynamic "action_to_use" {
                  for_each = [lookup(rule_action_override.value,"action_to_use")]
                  content {
                    dynamic "count" {
                      for_each = lookup(action_to_use.value,"count", null) == null ? []:[lookup(action_to_use.value,"count")]
                      content {}
                    }
                  }
                }
              }
            }
          }
        }

Example

{
      name            = "AWSManagedRulesCommonRuleSet"
      priority        = 2
      override_action = "none"

      managed_rule_group_statement = {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        rule_action_override = [
          {
            name = "SizeRestrictions_BODY"
            action_to_use = {
                count = {}
              }
          },
          {
            name = "CrossSiteScripting_BODY"
            action_to_use = {
                count = {}
              }
          }
        ]
        #excluded_rule = ["CrossSiteScripting_BODY", "SizeRestrictions_BODY"]
      }

Error

 Error: Insufficient action_to_use blocks
│
│   on ..\..\Infrastructure.TFModule.AWS_WAF\main.tf line 571, in resource "aws_wafv2_web_acl" "main_waf":
│  571:               content {
│
│ At least 1 "action_to_use" blocks are required.
╵
╷
│ Error: Invalid function argument
│
│   on ..\..\Infrastructure.TFModule.AWS_WAF\main.tf line 572, in resource "aws_wafv2_web_acl" "main_waf":
│  572:                 name = lookup(rule_action_override.value,"name")
│     ├────────────────
│     │ rule_action_override.value is tuple with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on ..\..\Infrastructure.TFModule.AWS_WAF\main.tf line 574, in resource "aws_wafv2_web_acl" "main_waf":
│  574:                   for_each = [lookup(rule_action_override.value,"action_to_use")]
│     ├────────────────
│     │ rule_action_override.value is tuple with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.

Somebody knows why I have this error, I am not sure what is happening.
Thank you for your support.

galvarado · May 17, 2023, 7:27pm

You are using an incorrect sintaxis. You should define a block for each rule like:

managed_rule_group_statement = {
   name        = "AWSManagedRulesCommonRuleSet"
   vendor_name = "AWS"
   rule_action_override {
     name = "SizeRestrictions_BODY"
     action_to_use {
         count {}
     }
   }
  
   rule_action_override {
     name = "CrossSiteScripting_BODY"
     action_to_use {
         count {}
     }
   }
}