[Enhancement]: Add support for FMS optimizeUnassociatedWebACL setting

[jeeslo]

Description

FMS now supports a new setting optimizeUnassociatedWebACL to instruct FMS to only deploy WebACLs in the managed accounts whenever there is a resource in scope.

Affected Resource(s) and/or Data Source(s)

fms_policy

Potential Terraform Configuration

resource "aws_fms_policy" "example" {
  name                  = "FMS-Policy-Example"
  exclude_resource_tags = false
  remediation_enabled   = false
  resource_type         = "AWS::ElasticLoadBalancingV2::LoadBalancer"

  security_service_policy_data {
    type = "WAF"

    managed_service_data = jsonencode({
      type = "WAF",
      ruleGroups = [{
        id = aws_wafregional_rule_group.example.id
        overrideAction = {
          type = "COUNT"
        }
      }]
      defaultAction = {
        type = "BLOCK"
      }
      overrideCustomerWebACLAssociation = false,
      optimizeUnassociatedWebACL = true,
    })
  }

  tags = {
    Name = "example-fms-policy"
  }
}

resource "aws_wafregional_rule_group" "example" {
  metric_name = "WAFRuleGroupExample"
  name        = "WAF-Rule-Group-Example"
}

References

https://aws.amazon.com/about-aws/whats-new/2023/08/aws-firewall-manager-optimize-waf-web-acl-creation-accounts/ https://docs.aws.amazon.com/waf/latest/developerguide/waf-policies.html https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_SecurityServicePolicyData.html

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[gomezga1]

Is there any update regarding this one? we would really like to have the possibility of not deploying waf rules where not needed to reduce our expense.