hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Feature request: aws_waf* data sources #2654

Closed hegyre closed 5 years ago

hegyre commented 6 years ago

Hi there,

Since WAF is global to all regions, and since my use case is to have one TF project per region, I'd love to have a data source for WAF so that we can re-use already existing configurations.

My use case would be especially for the ipset and regions ipset, but in fact it should be good to have it for all the waf resources.

Thx in advance.

apparentlymart commented 6 years ago

Hi @hegyre! Thanks for this feature request.

New data sources for the WAF concepts sound like a good idea!

The Terraform team at HashiCorp won't be able to work on this in the near future due to our focus being elsewhere, but we'd be happy to review a pull request if you or someone else has the time and motivation to implement it. Alternatively, if others would also like to see this implemented I'd encourage adding a :+1: upvote reaction to the original issue comment (not to this comment), which we use as one of the inputs to prioritize work for the Terraform team.

erikpaasonen commented 6 years ago

I'd like to specifically call out a data source to query the AWS Marketplace filtered by MetricName. The use case would be to consume a specific AWS Marketplace managed rule group in a Terraform WebACL.

Also, please include aws_waf_regional*. They are similar to aws_waf* but distinct on the AWS side.

Thanks!

flmag commented 6 years ago

Hi,

Did you already implement the feature to manage rules from marketplace?

Thanks!

okonon commented 5 years ago

I am wondering if you guys had a chance to work on this?

flmag commented 5 years ago

Just subscribe with the web console to your desired marketplace package, then get the "rule id" through the url or properties.

And do something like that:

resource "aws_wafregional_web_acl" "xxx-waf" {
  name        = "xxxx-waf"
  metric_name = "XxXWaf"

  default_action {
    type = "ALLOW"
  }

  rule {
    override_action {
      type = "NONE"
    }
    type     = "GROUP"
    priority = 1
    rule_id  = "28ab067b-36c8-417e-800b-30562b732288"
  }
}

ncsurfus commented 5 years ago

I needed to use a WebACL from a different Terraform project... and there wasn't a good way to "discover" it by name... I also didn't want to hard code it by id per account. This ended up serving me pretty well. It does depend on the aws cli.

data "external" "web-acl-id" {
  program = ["aws", "waf", "list-web-acls", "--profile", "${var.aws-profile}", "--query", "WebACLs[?Name==`${var.acl}`] | @[0]"]
}

and I can use it like....

resource "aws_cloudfront_distribution" "cloudfront" {
  ....
  web_acl_id = "${data.external.web-acl-id.result["WebACLId"]}"
}

okonon commented 5 years ago

Thanks @ncsurfus and @flmag, that is exactly what I needed.

ryndaniels commented 5 years ago

Hey @hegyre 👋 - thanks again for this feature request. We've added data sources for WAF and WAFRegional rules and web ACLs in v2.20.0, and for IP sets in v2.21.0 of the AWS Terraform Provider, which should be released at the end of this week. We're going to go ahead and close this issue now that we have completed the IP sets support, but if there are additional data sources that you need in the future, please feel free to create new specific issues for each of them. 😃
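The workaround posted earlier in this thread shells out to the AWS CLI through the `external` data source, which ties the plan to a local `aws` binary and profile and returns untyped JSON. The following configuration is an added example, not code from the issue or from the provider's own documentation, showing how the same "look up an existing WAF object by name" need is met with the `aws_waf_web_acl`, `aws_wafregional_web_acl` and `aws_waf_ipset` data sources announced above. It also reflects the point raised about `aws_waf*` versus `aws_wafregional*` being distinct on the AWS side: the global ACL is attached to CloudFront through `web_acl_id`, while the regional ACL is attached to an ALB through an association resource. It assumes Terraform 0.12+ syntax, provider version 2.21.0 or later, and that objects with the placeholder names below already exist in the account; every name, ARN and hostname is a placeholder.

```hcl
# Added example (not from the thread): reference WAF objects that another
# Terraform project already manages, by name rather than by hard-coded ID
# or an "external" call to the AWS CLI.
# Assumptions: Terraform 0.12+, hashicorp/aws >= 2.21.0, and that the named
# web ACLs and IP set exist in the account (all names below are placeholders).

variable "global_web_acl_name" {
  type    = string
  default = "edge-web-acl" # placeholder: existing global (CloudFront) web ACL
}

variable "regional_web_acl_name" {
  type    = string
  default = "alb-web-acl" # placeholder: existing WAF Regional web ACL
}

variable "alb_arn" {
  type = string # placeholder: ARN of an existing ALB in this region
}

# Global WAF (aws_waf*) is the surface CloudFront consumes.
data "aws_waf_web_acl" "edge" {
  name = var.global_web_acl_name
}

# WAF Regional (aws_wafregional*) is a separate service used by ALB / API Gateway.
data "aws_wafregional_web_acl" "regional" {
  name = var.regional_web_acl_name
}

# A shared IP set can be looked up the same way (data source added in v2.21.0).
data "aws_waf_ipset" "blocklist" {
  name = "shared-blocklist" # placeholder
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true

  origin {
    domain_name = "origin.example.com" # placeholder
    origin_id   = "primary"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "primary"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # Attach the existing global web ACL via its looked-up ID.
  web_acl_id = data.aws_waf_web_acl.edge.id
}

# Regional web ACLs are attached with an association resource, not an attribute.
resource "aws_wafregional_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_id   = data.aws_wafregional_web_acl.regional.id
}

output "blocklist_ipset_id" {
  value = data.aws_waf_ipset.blocklist.id
}
```

Compared with the `external` approach, the data sources fail the plan with a clear error when the named object does not exist (the CLI variant would silently return `null` from `@[0]` and the apply would fail later), and they need no local CLI, profile or shell quoting. Note that these `aws_waf*` and `aws_wafregional*` types cover WAF Classic; the later WAFv2 service has its own `aws_wafv2_*` resources and data sources.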

bflad commented 5 years ago

This has been released in version 2.21.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests, documentation updates, or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!