hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Modify WAF rules in managed rules. #37203

Open alifiroozi80 opened 5 months ago

alifiroozi80 commented 5 months ago

Hello folks, I've already implemented WAF in my infrastructure with the console. Now, I want to do it with Terraform.

Here is an example rule:

resource "aws_wafv2_web_acl" "herohunt_waf_acl" {
[...]
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = false
    }
  }
[...]
}

That managed rule contains a bunch of rules itself. And each one of them has a default action.

The console allows me to change any of those rules' actions.

For instance, I don't want to change the default action for any of them except CrossSiteScripting_URIPATH in this rule. I want to change its action (only that one) to Allow.

It's possible in the console, but I can't do such a thing in Terraform.

Now, I have to exclude that rule from managed rules and then create a custom rule to allow what the excluded rule would have blocked, which is ridiculous.

I am writing to ask for your support with this as well.

Many thanks in advance.

acwwat commented 5 months ago

@alifiroozi80 If I understand your requirements correctly, the managed_rule_group block supports a rule_action_override block argument, which is what you need. The Managed Rule example in the aws_wafv2_web_acl resource doc provides an example that overrides the SizeRestrictions_QUERYSTRING action to count. So your desired configuration might look something like what's below. Please test it out and close the issue if it works.

resource "aws_wafv2_web_acl" "herohunt_waf_acl" {
[...]
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        rule_action_override {
          name = "CrossSiteScripting_URIPATH"
          action_to_use {
            allow {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = false
    }
  }
[...]
}
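The snippets in the thread elide the rest of the web ACL with `[...]`. Below is an added, complete `aws_wafv2_web_acl` resource (example configuration written for this page, not code from the issue or from the provider's docs) that applies the same `rule_action_override` pattern. The resource name, web ACL name, `REGIONAL` scope and CloudWatch metric names are assumptions; the second override, switching `SizeRestrictions_QUERYSTRING` to `count`, goes beyond the question to show the lower-risk way of relaxing a managed sub-rule while tuning.

```hcl
# Added example, not from the issue thread. Names, scope and metric names are
# assumed for illustration.
resource "aws_wafv2_web_acl" "example" {
  name        = "example-web-acl" # assumed name
  description = "Managed rule group with per-rule action overrides"
  scope       = "REGIONAL" # use "CLOUDFRONT" (provider in us-east-1) for CloudFront distributions

  # Requests that match no rule are allowed; the managed group decides the rest.
  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 0

    # A managed rule group takes override_action rather than action.
    # none {} keeps every sub-rule's own action unless overridden below.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        # The override from the question: this one sub-rule allows instead of blocks.
        rule_action_override {
          name = "CrossSiteScripting_URIPATH"
          action_to_use {
            allow {}
          }
        }

        # Second override (not in the question): count keeps matches visible in
        # CloudWatch metrics and sampled requests without blocking or allowing,
        # so the sub-rule can be observed before its action is changed for good.
        rule_action_override {
          name = "SizeRestrictions_QUERYSTRING"
          action_to_use {
            count {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet" # assumed metric name
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl" # assumed metric name
    sampled_requests_enabled   = true
  }
}
```

One caveat worth keeping in mind when choosing `allow {}` over `count {}`: in AWS WAF, Allow and Block are terminating actions, so a request that matches the overridden `CrossSiteScripting_URIPATH` sub-rule is allowed immediately and is not evaluated against any later rule in the group or in the web ACL. Count is non-terminating, which is why it is the usual first step when relaxing a managed sub-rule: matches still show up in metrics and logs while evaluation continues.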