[New Data Source]: WAFv2 Managed Rule Version

[sombrerosheep]

Description

I would like terraform data sources for versions of Managed WafV2 Rule Groups. Internally, we managed a WAF terraform module which applies several of the Managed rule groups; This will help us identify when these versions change by getting caught in a terraform plan.

The only want to obtain the versions for a managed rule group is via the CLI. AWS provides documentation for setting up notifications (based on a SNS topic). Using either of these to track version changes is a bit cumbersome and requires additional technology outside of terraform. When omitting a version, a "current default" is assumed but the version diff is not see in a terraform plan. This means a terraform plan does not give the full picture of "what changed" which has resulted in some outages in my organization. With a data source we could return an error on plan instead of waiting for an apply for an error, or worse an outage from an unseen change.

I would like to be able to use a data resource for these in two possible scenarios:

• Getting current default version for a rule group. This way the data resource is refreshed at play/apply and a proper diff exists to inform us when a version has changed.
• Specifying a version for the data source to ensure it is still valid. This could provide a better error back to plans if a specified version does not exist.

These API's exist in the aws-sdk-go-v2 so adding these data sources would be straight forward.

Requested Resource(s) and/or Data Source(s)

• aws_wafv2_managed_rule_group_current_default_version
• aws_wafv2_managed_rule_group_version

Potential Terraform Configuration

data aws_wafv2_managed_rule_group_current_default_version "latest_version" {
    vendor_name    = "AWS"
    group_name     = "AWSManagedRulesCommonRuleSet"
    scope          = "REGIONAL"
}

data aws_wafv2_managed_rule_group_version "my_pinned_version" {
    vendor_name    = "AWS"
    group_name     = "AWSManagedRulesCommonRuleSet"
    scope          = "REGIONAL"
    version        = "Version_1.7"
}

References

• AWS CLI - list-available-managed-rule-group-versions
• AWS Getting notified of new versions and updates to a managed rule group

Would you like to implement a fix?

Yes

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.