FMS now supports a new setting, `optimizeUnassociatedWebACL`, that instructs FMS to deploy web ACLs in the managed accounts only when there is a resource in scope.
Affected Resource(s) and/or Data Source(s)
fms_policy
Potential Terraform Configuration
```hcl
resource "aws_fms_policy" "example" {
  name                  = "FMS-Policy-Example"
  exclude_resource_tags = false
  remediation_enabled   = false
  resource_type         = "AWS::ElasticLoadBalancingV2::LoadBalancer"

  security_service_policy_data {
    type = "WAF"

    # managed_service_data is passed to FMS as a JSON string; the requested
    # key sits alongside the existing WAF settings in that document.
    managed_service_data = jsonencode({
      type = "WAF"
      ruleGroups = [{
        id = aws_wafregional_rule_group.example.id
        overrideAction = {
          type = "COUNT"
        }
      }]
      defaultAction = {
        type = "BLOCK"
      }
      overrideCustomerWebACLAssociation = false
      # Only create a web ACL in an account when an in-scope resource exists there.
      optimizeUnassociatedWebACL = true
    })
  }

  tags = {
    Name = "example-fms-policy"
  }
}

resource "aws_wafregional_rule_group" "example" {
  metric_name = "WAFRuleGroupExample"
  name        = "WAF-Rule-Group-Example"
}
```
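Because `managed_service_data` travels as an opaque JSON string, nothing in the provider or in FMS will tell you which existing WAF policies are missing this key. The audit below is an added example, not code from the issue author or the terraform-provider-aws project: it decodes `SecurityServicePolicyData` in the shape `fms.get_policy` returns, reports which WAF/WAFV2 policies will still create web ACLs in accounts with no in-scope resource, and rewrites a managed-service-data document to opt in. The sample policies, their names and rule-group ids are constructed for the example; a real run would feed it the output of `list_policies` and `get_policy` from boto3.

```python
import json
from typing import Optional

# FMS policy types whose ManagedServiceData can carry the key.
WAF_POLICY_TYPES = {"WAF", "WAFV2"}
OPTIMIZE_KEY = "optimizeUnassociatedWebACL"


def decode_managed_service_data(raw: str) -> dict:
    """ManagedServiceData is a JSON-encoded string, not an object; decode it."""
    return json.loads(raw)


def optimize_unassociated_setting(policy: dict) -> Optional[bool]:
    """Return the policy's optimizeUnassociatedWebACL value.

    None means the policy is not a WAF policy or the key is absent. An absent
    key keeps the pre-existing behaviour: a web ACL is created in every
    in-scope account, whether or not it holds a matching resource.
    """
    sspd = policy.get("SecurityServicePolicyData", {})
    if sspd.get("Type") not in WAF_POLICY_TYPES:
        return None
    raw = sspd.get("ManagedServiceData")
    if not raw:
        return None
    value = decode_managed_service_data(raw).get(OPTIMIZE_KEY)
    return None if value is None else bool(value)


def policies_without_optimization(policies: list) -> list:
    """Names of WAF policies that still create web ACLs in accounts with no in-scope resource."""
    return [
        p["PolicyName"]
        for p in policies
        if p.get("SecurityServicePolicyData", {}).get("Type") in WAF_POLICY_TYPES
        and optimize_unassociated_setting(p) is not True
    ]


def with_optimization(managed_service_data: str) -> str:
    """Return ManagedServiceData with the key set to true; every other key is preserved."""
    data = decode_managed_service_data(managed_service_data)
    data[OPTIMIZE_KEY] = True
    return json.dumps(data, separators=(",", ":"))


# Constructed sample input (hypothetical policy names and ids), shaped like
# the "Policy" element of fms.get_policy responses.
SAMPLE_POLICIES = [
    {
        "PolicyName": "waf-classic-optimized",
        "SecurityServicePolicyData": {
            "Type": "WAF",
            "ManagedServiceData": json.dumps({
                "type": "WAF",
                "ruleGroups": [{"id": "rg-example", "overrideAction": {"type": "COUNT"}}],
                "defaultAction": {"type": "BLOCK"},
                "overrideCustomerWebACLAssociation": False,
                "optimizeUnassociatedWebACL": True,
            }),
        },
    },
    {
        "PolicyName": "waf-classic-legacy",
        "SecurityServicePolicyData": {
            "Type": "WAF",
            "ManagedServiceData": json.dumps({
                "type": "WAF",
                "ruleGroups": [{"id": "rg-example", "overrideAction": {"type": "COUNT"}}],
                "defaultAction": {"type": "BLOCK"},
                "overrideCustomerWebACLAssociation": False,
            }),
        },
    },
    {
        "PolicyName": "wafv2-explicit-false",
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps({
                "type": "WAFV2",
                "preProcessRuleGroups": [],
                "postProcessRuleGroups": [],
                "defaultAction": {"type": "ALLOW"},
                "overrideCustomerWebACLAssociation": False,
                "optimizeUnassociatedWebACL": False,
            }),
        },
    },
    {
        "PolicyName": "common-security-groups",
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_COMMON",
            "ManagedServiceData": json.dumps({
                "type": "SECURITY_GROUPS_COMMON",
                "securityGroups": [{"id": "sg-example"}],
            }),
        },
    },
]


if __name__ == "__main__":
    for name in policies_without_optimization(SAMPLE_POLICIES):
        print(f"{name}: creates web ACLs in accounts without in-scope resources")
```

Note that `with_optimization` only edits the JSON document; writing it back still means calling `put_policy` with the full policy, and until the provider exposes the key, a Terraform-managed policy will be reverted to whatever `managed_service_data` says on the next apply.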
Is there any update regarding this one? We would really like to have the possibility of not deploying WAF rules where they are not needed, to reduce our expense.
References
https://aws.amazon.com/about-aws/whats-new/2023/08/aws-firewall-manager-optimize-waf-web-acl-creation-accounts/
https://docs.aws.amazon.com/waf/latest/developerguide/waf-policies.html
https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_SecurityServicePolicyData.html
Would you like to implement a fix?
None