Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
Description
Current Limitations
The Terraform AWS provider does use the UpdateWebACL API, but only for updating WAF ACLs that it manages and not quite in the way we need for dynamically managing shared Web ACLs within organizations using AWS Firewall Manager (FMS). This functionality is key as it allows different accounts to add their own rules to a shared Web ACL, promoting a flexible approach to security management.
Why We Need Enhanced UpdateWebACL Support
As outlined in the AWS documentation on WAF policies, web ACLs managed by FMS have three sets of rules:
First rule groups: These are defined by the Firewall Manager policy and are the first to be evaluated.
Account-managed rules: These are added and managed by account managers and come next in the evaluation order.
Last rule groups: Like the first, these are defined by the Firewall Manager policy and evaluated last.
Currently, the aws_fms_policy resource in Terraform handles the first and last rule groups. What we’re missing is the ability for Terraform to handle the middle group — the account-managed rules — using an enhanced version of the UpdateWebACL API.
Proposed Feature
I suggest we beef up the existing implementation of the UpdateWebACL API within the Terraform AWS provider. This enhancement would allow account managers to update rules within shared Web ACLs directly through Terraform, which would be especially useful for environments managed across multiple accounts through FMS.
Use Case
This feature is crucial for organizations that manage centralized security policies but need the flexibility to tailor rules to specific account needs. Allowing account managers to update rules directly through Terraform will help ensure that security setups are both adaptable and consistently applied.
Requested Resource(s) and/or Data Source(s)
aws_wafv2_updatesharedacl
Potential Terraform Configuration
Similar to what is currently supported by `aws_wafv2_rule_group`
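The round trip such a resource would have to perform, as an added example that is not code from the Terraform AWS provider or from this issue: read the shared Web ACL with GetWebACL, upsert one account-managed rule into its writable Rules list (the FMS first/last rule groups come back as read-only PreProcess/PostProcess groups and are never sent back), and write it with UpdateWebACL using the LockToken from the read, re-reading and retrying when another writer has changed the ACL in between. The calls are shaped like boto3's wafv2 client, but StubWafv2Client, the Web ACL contents, the ids and the rule names below are all constructed for the example so it runs offline.

```python
"""Add an account-managed rule to a Web ACL shared by AWS Firewall Manager
via the GetWebACL -> UpdateWebACL round trip.

Added example; not code from the Terraform AWS provider. The calls mirror
boto3's ``wafv2`` client, but ``StubWafv2Client`` is a constructed in-memory
stand-in so this runs offline, and every name, id and rule is sample data.
"""
import copy
from types import SimpleNamespace

SCOPE = "REGIONAL"
VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "example"}

# Constructed GetWebACL payload: FMS owns the Pre/Post rule groups, the
# account owns only ``Rules`` (here one existing rule at priority 0).
SHARED_WEB_ACL = {
    "Name": "FMSManagedWebACLV2-example",            # constructed name
    "Id": "00000000-0000-0000-0000-000000000000",    # placeholder id
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": VIS,
    "ManagedByFirewallManager": True,
    "PreProcessFirewallManagerRuleGroups": [
        {"Name": "PREFMManaged-CommonRuleSet", "Priority": 0,
         "FirewallManagerStatement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
         "OverrideAction": {"None": {}}, "VisibilityConfig": VIS}],
    "PostProcessFirewallManagerRuleGroups": [],
    "Rules": [
        {"Name": "account-geo-block", "Priority": 0,
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["XX"]}},
         "Action": {"Block": {}}, "VisibilityConfig": VIS}],
}


class WAFOptimisticLockException(Exception):
    """Stands in for botocore's error of the same name."""


class StubWafv2Client:
    """Constructed stand-in for boto3's wafv2 client.

    GetWebACL returns a copy plus a LockToken; UpdateWebACL rejects a stale
    token and returns NextLockToken. ``concurrent_writer`` makes the first
    update collide with a simulated FMS write to exercise the retry path.
    """

    def __init__(self, web_acl, concurrent_writer=False):
        self._acl = copy.deepcopy(web_acl)
        self._token = 1
        self._collide = concurrent_writer
        self.exceptions = SimpleNamespace(WAFOptimisticLockException=WAFOptimisticLockException)
        self.update_calls = 0

    def get_web_acl(self, Name, Scope, Id):
        return {"WebACL": copy.deepcopy(self._acl), "LockToken": f"tok-{self._token}"}

    def update_web_acl(self, Name, Scope, Id, DefaultAction, Rules, VisibilityConfig, LockToken):
        self.update_calls += 1
        if self._collide:                      # another writer got in first
            self._collide, self._token = False, self._token + 1
        if LockToken != f"tok-{self._token}":
            raise WAFOptimisticLockException("LockToken is stale")
        self._acl["Rules"], self._token = copy.deepcopy(Rules), self._token + 1
        return {"NextLockToken": f"tok-{self._token}"}


def rate_limit_rule(name, priority, limit):
    """Block any source IP exceeding ``limit`` requests in the 5-minute window."""
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": dict(VIS, MetricName=name)}


def merge_account_rule(existing_rules, new_rule):
    """Return the account-managed rule list with ``new_rule`` upserted by Name.

    Priorities must be unique within the list, so a priority already used by a
    different rule is rejected instead of silently reordering other rules.
    """
    kept = [r for r in existing_rules if r["Name"] != new_rule["Name"]]
    clash = [r["Name"] for r in kept if r["Priority"] == new_rule["Priority"]]
    if clash:
        raise ValueError(f"priority {new_rule['Priority']} already used by {clash[0]}")
    return sorted(kept + [new_rule], key=lambda r: r["Priority"])


def add_account_rule(client, name, scope, acl_id, new_rule, attempts=3):
    """GetWebACL, upsert the rule, UpdateWebACL with the fresh LockToken.

    Only ``Rules`` is written back: the FMS first/last rule groups stay defined
    by the Firewall Manager policy. A stale LockToken (someone else wrote in
    between) is handled by re-reading and retrying.
    """
    for _ in range(attempts):
        got = client.get_web_acl(Name=name, Scope=scope, Id=acl_id)
        acl = got["WebACL"]
        if not acl.get("ManagedByFirewallManager"):
            raise ValueError("not an FMS-managed web ACL")
        rules = merge_account_rule(acl["Rules"], new_rule)
        try:
            client.update_web_acl(Name=name, Scope=scope, Id=acl_id,
                                  DefaultAction=acl["DefaultAction"], Rules=rules,
                                  VisibilityConfig=acl["VisibilityConfig"],
                                  LockToken=got["LockToken"])
            return rules
        except client.exceptions.WAFOptimisticLockException:
            continue
    raise RuntimeError("gave up after repeated LockToken conflicts")


if __name__ == "__main__":
    c = StubWafv2Client(SHARED_WEB_ACL, concurrent_writer=True)
    out = add_account_rule(c, SHARED_WEB_ACL["Name"], SCOPE, SHARED_WEB_ACL["Id"],
                           rate_limit_rule("account-rate-limit", 1, 1000))
    print([r["Name"] for r in out], "after", c.update_calls, "UpdateWebACL calls")
```

The upsert-by-name plus priority-clash check is the part a Terraform resource would need to get right: each account only ever manages its own named rules in the middle band, it must not touch the FMS-owned groups, and it must carry the LockToken so a concurrent FMS policy update is retried rather than overwritten.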
References
No response
Would you like to implement a fix?
No