Rule_action_override for managed_rule_group_statement

Hello,

I am working on an update for an AWS WAFv2 module. Regarding the managed_rule_group_statement, there is now a new option named rule_action_override that replaces the deprecated option excluded_rule.
WAF Module

dynamic "managed_rule_group_statement" {
  for_each = lookup(rule.value, "managed_rule_group_statement", null) == null ? [] : [lookup(rule.value, "managed_rule_group_statement")]
  content {
    name        = lookup(managed_rule_group_statement.value, "name")
    vendor_name = lookup(managed_rule_group_statement.value, "vendor_name", "AWS")

    /*
    dynamic "excluded_rule" {
      for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) == null ? [] : [lookup(managed_rule_group_statement.value, "excluded_rule")]
      content {
        name = excluded_rule.value
      }
    }
    */

    dynamic "rule_action_override" {
      for_each = lookup(managed_rule_group_statement.value, "rule_action_override", null) == null ? [] : [lookup(managed_rule_group_statement.value, "rule_action_override")]
      content {
        name = lookup(rule_action_override.value, "name")
        dynamic "action_to_use" {
          for_each = [lookup(rule_action_override.value, "action_to_use")]
          content {
            dynamic "count" {
              for_each = lookup(action_to_use.value, "count", null) == null ? [] : [lookup(action_to_use.value, "count")]
              content {}
            }
          }
        }
      }
    }
  }
}

Example

{
  name            = "AWSManagedRulesCommonRuleSet"
  priority        = 2
  override_action = "none"

  managed_rule_group_statement = {
    name        = "AWSManagedRulesCommonRuleSet"
    vendor_name = "AWS"
    rule_action_override = [
      {
        name = "SizeRestrictions_BODY"
        action_to_use = {
          count = {}
        }
      },
      {
        name = "CrossSiteScripting_BODY"
        action_to_use = {
          count = {}
        }
      }
    ]
    # excluded_rule = ["CrossSiteScripting_BODY", "SizeRestrictions_BODY"]
  }
}

Error

╷
│ Error: Insufficient action_to_use blocks
│
│   on ..\..\Infrastructure.TFModule.AWS_WAF\main.tf line 571, in resource "aws_wafv2_web_acl" "main_waf":
│  571:               content {
│
│ At least 1 "action_to_use" blocks are required.
╵
╷
│ Error: Invalid function argument
│
│   on ..\..\Infrastructure.TFModule.AWS_WAF\main.tf line 572, in resource "aws_wafv2_web_acl" "main_waf":
│  572:                 name = lookup(rule_action_override.value,"name")
│     ├────────────────
│     │ rule_action_override.value is tuple with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on ..\..\Infrastructure.TFModule.AWS_WAF\main.tf line 574, in resource "aws_wafv2_web_acl" "main_waf":
│  574:                   for_each = [lookup(rule_action_override.value,"action_to_use")]
│     ├────────────────
│     │ rule_action_override.value is tuple with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.

Does somebody know why I get this error? I am not sure what is happening.
Thank you for your support.

You are using incorrect syntax. You should define a block for each rule like:

managed_rule_group_statement {
  name        = "AWSManagedRulesCommonRuleSet"
  vendor_name = "AWS"

  rule_action_override {
    name = "SizeRestrictions_BODY"
    action_to_use {
      count {}
    }
  }

  rule_action_override {
    name = "CrossSiteScripting_BODY"
    action_to_use {
      count {}
    }
  }
}

Hi,
Please, I need your help. When I create this rule

rule {
  name     = "AdminProtection"
  priority = 1
  override_action {
    none {}
  }
  statement {
    managed_rule_group_statement {
      name        = "AWSManagedRulesAdminProtectionRuleSet"
      vendor_name = "AWS"
      rule_action_override {
        action_to_use {
          captcha {}
        }
      }
      scope_down_statement {
        byte_match_statement {
          field_to_match {
            uri_path {}
          }
          positional_constraint = "STARTS_WITH"
          search_string         = "/forum-auto/"
          text_transformation {
            priority = 0
            type     = "NONE"
          }
        }
      }
    }
  }
}

I have this error

│ Error: Unsupported block type
│ 
│   on _wafv2_forumaev.tf line 58, in resource "aws_wafv2_web_acl" "wafv2_forumaev":
│   58:         rule_action_override {
│ 
│ Blocks of type "rule_action_override" are not expected here.

I followed different forums and examples on the Terraform website, so I don't understand why.

hey, you seem to have the wrong syntax. Here’s a working example:

rule {
  name     = "AWS-AWSManagedRulesBotControlRuleSet"
  priority = 8

  override_action {
    none {}
  }

  statement {
    managed_rule_group_statement {
      name        = "AWSManagedRulesBotControlRuleSet"
      vendor_name = "AWS"

      managed_rule_group_configs {
        aws_managed_rules_bot_control_rule_set {
          inspection_level = "COMMON"
        }
      }

      rule_action_override {
        name = "CategoryHttpLibrary"

        action_to_use {
          allow {}
        }
      }
    }
  }
}

or if you need dynamic:

variable "waf_allowed_bot_actions_override" {
  type    = list(any)
  default = ["CategoryHttpLibrary", "CategoryEmailClient"]
}

rule {
  name     = "AWS-AWSManagedRulesBotControlRuleSet"
  priority = 8

  override_action {
    none {}
  }

  statement {
    managed_rule_group_statement {
      name        = "AWSManagedRulesBotControlRuleSet"
      vendor_name = "AWS"

      managed_rule_group_configs {
        aws_managed_rules_bot_control_rule_set {
          inspection_level = "COMMON"
        }
      }

      dynamic "rule_action_override" {
        for_each = var.waf_allowed_bot_actions_override
        content {
          name = rule_action_override.value
          action_to_use {
            allow {}
          }
        }
      }
    }
  }
}
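As an added example (not code from any poster in this thread), here is one way to combine the first post's module-style input with the dynamic pattern above: a typed variable maps each managed rule name to the action it should use, and a single dynamic block emits the matching action_to_use. The for_each iterates the collection itself rather than a one-element list wrapping it, which is what produced the "rule_action_override.value is tuple with 2 elements" error in the first post. The variable name and the rule's visibility_config values are assumptions, and the rule block is assumed to sit inside an aws_wafv2_web_acl resource.

```hcl
# Assumed variable name: rule name => action to use (count, allow or captcha).
variable "rule_action_overrides" {
  type = map(string)
  default = {
    SizeRestrictions_BODY   = "count"
    CrossSiteScripting_BODY = "count"
  }
}

rule {
  name     = "AWSManagedRulesCommonRuleSet"
  priority = 2
  override_action {
    none {}
  }
  statement {
    managed_rule_group_statement {
      name        = "AWSManagedRulesCommonRuleSet"
      vendor_name = "AWS"
      # Iterate the map directly. Writing [var.rule_action_overrides] would make
      # rule_action_override.value the whole collection, not one entry of it.
      dynamic "rule_action_override" {
        for_each = var.rule_action_overrides
        content {
          name = rule_action_override.key
          action_to_use {
            # action_to_use needs exactly one action block, so emit only the chosen one.
            dynamic "count" {
              for_each = rule_action_override.value == "count" ? [1] : []
              content {}
            }
            dynamic "allow" {
              for_each = rule_action_override.value == "allow" ? [1] : []
              content {}
            }
            dynamic "captcha" {
              for_each = rule_action_override.value == "captcha" ? [1] : []
              content {}
            }
          }
        }
      }
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "AWSManagedRulesCommonRuleSet"
    sampled_requests_enabled   = true
  }
}
```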

Hi Guys,

I have the same issue. Can anyone share their thoughts about it?

ERROR

╷
│ Error: Unsupported block type
│
│   on …/modules/waf_v2/alb_waf.tf line 60, in resource "aws_wafv2_web_acl" "wafv2-webacl-alb":
│   60: dynamic "rule_action_override" {
│
│ Blocks of type "rule_action_override" are not expected here.
╵