AWS WAFv2 doesn't support Scope-down statement for managed_rule_group_statements

[brandonpalmer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.7 / 0.15.1

Affected Resource(s)

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl For Managed Rules, the Scope-Down is not supported in Terraform. It IS supported in the AWS CLI / AWS SDK

This does work for other rule types (like rate_based_statement statement rules)

Terraform Configuration Files

resource "aws_wafv2_web_acl" "default_alb_rules" {
  name        = "default_alb_waf"
  description = "Default ALB WAF Rules"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

 rule {
    name     = "AWS-AWSManagedRulesAmazonIpReputationList"
    priority = 1

    override_action {
      count {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"

        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesBotControlRuleSet"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "default_alb_waf"
    sampled_requests_enabled   = false
  }
}

Debug Output

https://gist.github.com/brandonpalmer/6ac46bc9c028fdca6faee038e67aaf56

Panic Output

Expected Behavior

Scope-down should have been applied to rule.

Throws error

1. terraform apply

Important Factoids

References

• 0000

[rajholla]

There is open PR to address this: https://github.com/hashicorp/terraform-provider-aws/pull/19407

[github-actions[bot]]

This functionality has been released in v3.50.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.