
How to create a WAF ACL with more than 1 managed statement

I'm trying to create a WAF ACL using two AWS Managed rules. These should be evaluated in natural order from priority 1 and then 2.

I've got:

resource "aws_wafv2_web_acl" "acl" {
  name        = "us-blog-production-waf-acl"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "managed-common-rules"
    priority = 0
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-managed-common-rules"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "ip-reputation-rules"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-ip-reputation-rules"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "account-takeover-rules"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesATPRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-blog-production-account-takeover-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "us-blog-production-waf"
    sampled_requests_enabled   = false
  }
}

I tried having two rule blocks inside the aws_wafv2_web_acl resource block, but that wouldn't work either.

The error I'm getting is:

│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "77a6b751-49b1-46d0-af20-39a25e578e79"
│   },
│   Field: "MANAGED_RULE_SET_STATEMENT",
│   Message_: "Error reason: A required field is missing from the parameter., field: MANAGED_RULE_SET_STATEMENT, parameter: ManagedRuleSetConfig",
│   Parameter: "ManagedRuleSetConfig",
│   Reason: "A required field is missing from the parameter."
│ }

How should I set it up?

As per my comment, the documentation says you can have multiple rules in the resource, but you have to have one of action or override_action [1]:

One of action or override_action is required when specifying a rule

This is what is missing in your code.

EDIT: The second issue that is happening is probably because there is additional pricing for the ATP managed rule set [2].


[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#rules

[2] https://aws.amazon.com/waf/pricing/#Intelligent_threat_mitigation_from_AWS_WAF
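As an added example (not code from the question or the answer), here is the ATP rule from the question with the override_action the answer calls for, plus the managed_rule_group_configs block that the AWSManagedRulesATPRuleSet group requires; it is the missing ManagedRuleSetConfig parameter that the 400 error points at. The login path, payload type and the username/password field identifiers are assumed placeholders for the protected application and must match its real login endpoint.

```hcl
# One rule block inside resource "aws_wafv2_web_acl" "acl" { ... }.
# Priorities are evaluated lowest first, so keep 0, 1, 2 for the three rules.
rule {
  name     = "account-takeover-rules"
  priority = 2

  # Required for every rule: exactly one of action or override_action.
  # For a managed rule group, override_action { none {} } keeps the
  # group's own block/allow/count actions.
  override_action {
    none {}
  }

  statement {
    managed_rule_group_statement {
      name        = "AWSManagedRulesATPRuleSet"
      vendor_name = "AWS"

      # ATP differs from CommonRuleSet and the IP reputation list: it has
      # to know which requests are login attempts, so this config block
      # is mandatory. Values below are assumed placeholders.
      managed_rule_group_configs {
        aws_managed_rules_atp_rule_set {
          login_path = "/api/login" # assumed login endpoint

          request_inspection {
            payload_type = "JSON" # or FORM_ENCODED for HTML forms
            username_field {
              identifier = "/username" # JSON pointer into the body (assumed)
            }
            password_field {
              identifier = "/password" # JSON pointer into the body (assumed)
            }
          }
        }
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "us-blog-production-account-takeover-rules"
    sampled_requests_enabled   = true
  }
}
```

Run `terraform validate` first to catch the missing action/override_action on any rule locally; the ATP config error only surfaces at apply time, because the provider sends the ACL to the WAF API as a whole.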
