hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: firewall manager AWSManagedRulesCommonRuleSet override rule_action_override is not showing in the AWS console #37855

Open lemaxmdlk opened 3 months ago

lemaxmdlk commented 3 months ago

Terraform Core Version

1.5.2

AWS Provider Version

5.41.0

Affected Resource(s)

resource "aws_fms_policy" "regional_policy" {
  count                 = var.create_regional_fms_waf_policy ? 1 : 0
  name                  = "OMF-${var.env}-${var.regional_policy_name}"
  exclude_resource_tags = var.regional_policy_exclude_resource_tags
  remediation_enabled   = var.regional_policy_remediation_enabled
  resource_type_list    = ["AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ApiGateway::Stage"]

  include_map {
    account = var.regional_policy_orgunit_list
  }

  resource_tags = length(var.regional_policy_resource_tags) == 0 ? null : var.regional_policy_resource_tags

  security_service_policy_data {
    type = "WAFV2"

    managed_service_data = jsonencode({
      type = "WAFV2",
      preProcessRuleGroups = [
        {
          ruleGroupArn = aws_wafv2_rule_group.GeoRuleGroup-regional[0].arn
          ruleGroupType = "RuleGroup"
          overrideAction = {
            type = "NONE"
          }
        },
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS",
            managedRuleGroupName = "AWSManagedRulesAmazonIpReputationList"
          },
          ruleGroupType = "ManagedRuleGroup",
          ruleGroupArn  = null,
          overrideAction = {
            type = "NONE"
          }
        },
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS",
            managedRuleGroupName = "AWSManagedRulesAnonymousIpList"
          },
          ruleGroupType = "ManagedRuleGroup",
          ruleGroupArn  = null,
          overrideAction = {
            type = "NONE"
          }
        },
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS",
            managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
          },
          ruleGroupType = "ManagedRuleGroup",
          ruleGroupArn  = null,
          overrideAction = {
            type = "NONE"
          },
          managed_rule_group_statement = {
            managedRuleGroupIdentifier = {
              vendorName           = "AWS",
              managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
            },
            overrideAction = {
              type = "NONE"
            },
            rule_action_override = [
              {
                name = "CrossSiteScripting_BODY"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "CrossSiteScripting_COOKIE"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "CrossSiteScripting_QUERYARGUMENTS"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "CrossSiteScripting_URIPATH"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "EC2MetaDataSSRF_BODY"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "EC2MetaDataSSRF_COOKIE"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "EC2MetaDataSSRF_QUERYARGUMENTS"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "EC2MetaDataSSRF_URIPATH"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "GenericLFI_BODY"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "GenericLFI_QUERYARGUMENTS"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "GenericLFI_URIPATH"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "GenericRFI_BODY"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "GenericRFI_QUERYARGUMENTS"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "GenericRFI_URIPATH"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "NoUserAgent_HEADER"
                action_to_use = {
                  block = {}
                }
              },
              {
                name = "RestrictedExtensions_QUERYARGUMENTS"
                action_to_use = {
                  count = {}
                }
              },
              {
                name = "RestrictedExtensions_URIPATH"
                action_to_use = {
                  count = {}
                }
              },
              {
                name = "SizeRestrictions_BODY"
                action_to_use = {
                  count = {}
                }
              },
              {
                name = "SizeRestrictions_Cookie_HEADER"
                action_to_use = {
                  count = {}
                }
              },
              {
                name = "SizeRestrictions_QUERYSTRING"
                action_to_use = {
                  count = {}
                }
              },
              {
                name = "SizeRestrictions_URIPATH"
                action_to_use = {
                  count = {}
                }
              },
              {
                name = "UserAgent_BadBots_HEADER"
                action_to_use = {
                  block = {}
                }
              }
            ]
          }
        },
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS",
            managedRuleGroupName = "AWSManagedRulesKnownBadInputsRuleSet"
          },
          ruleGroupType = "ManagedRuleGroup",
          ruleGroupArn  = null,
          overrideAction = {
            type = "NONE"
          }
        },
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS",
            managedRuleGroupName = "AWSManagedRulesLinuxRuleSet"
          },
          ruleGroupType = "ManagedRuleGroup",
          ruleGroupArn  = null,
          overrideAction = {
            type = "NONE"
          }
        }
      ],
      postProcessRuleGroups = [
        for arn in data.terraform_remote_state.rulegroups-app1-regional.outputs.rule_group_arns_regional :
        {
          ruleGroupType = "RuleGroup"
          ruleGroupArn  = arn
          overrideAction = {
            type = "NONE"
          }
        }
      ],
      defaultAction = {
        type = var.regional_policy_default_action
      },
      overrideCustomerWebACLAssociation = var.regional_policy_overrideCustomerWebACLAssociation,
      loggingConfiguration = {
        logDestinationConfigs = [
          aws_s3_bucket.waf_logs_bucket.arn
        ]
        logDestinationPrefix = "${var.env}-OMF-waf-regional"
      },
      rateBasedStatement = {
        limit            = 1000
        aggregateKeyType = "IP"
        scopeDownStatement = {
          notStatement = {
            statement = {
              rateBasedStatement = {
                limit            = 1000
                aggregateKeyType = "URI"
              }
            }
          }
        }
      }
    })
  }
}

Expected Behavior

If you go to the AWS console -> Security policies -> Core rule set, we should be able to see the action (count, block) that we set up explicitly in the code with action_to_use = { count = {} }.

Actual Behavior

If you go to the AWS console -> Security policies -> Core rule set, none of them show the action_to_use = { count = {} } or block that I explicitly set up in the code. All of them are listed empty.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

The configuration is the same as the one shown under Affected Resource(s) above.

Steps to Reproduce

Set up the explicit behavior in the core rule set using Terraform and try to see that value in the console. It is empty.

Debug Output

.

Panic Output

.

Important Factoids

.

References

https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rule-group-override-options.html

Would you like to implement a fix?

None

github-actions[bot] commented 3 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

vandernunes commented 3 weeks ago

Issue Summary

After reviewing the Terraform provider logs and AWS API responses, it became clear that the problem was caused by incorrect attribute naming within the Terraform configuration. Specifically, the issue stemmed from the use of rule_action_override and action_to_use instead of the correct attribute names.

Root Cause

The correct attribute names, as per the AWS API documentation for RuleActionOverride and Rule action, should be:

ruleActionOverrides instead of rule_action_override
actionToUse instead of action_to_use

Using the incorrect attribute names caused Terraform to believe that the policy was applied correctly, even though the AWS API did not recognize the malformed attributes. This discrepancy led to Terraform reporting successful application, while the policy changes were not actually reflected in the AWS console.

Solution

The solution was to update the Terraform configuration with the correct attribute names:

{
  priority      = 6,
  ruleGroupType = "ManagedRuleGroup",
  managedRuleGroupIdentifier = {
    vendorName           = "AWS",
    managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
  },
  ruleActionOverrides = [
    {
      name = "EC2MetaDataSSRF_BODY",
      actionToUse = {
        count = {}
      }
    }
  ],
  overrideAction = { type = "NONE" }
}

After making these changes, Terraform was able to successfully apply the policy, and the expected behavior was observed in the AWS console.
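The failure mode in this thread is that jsonencode() happily serialises any key name, Terraform stores the string and reports success, and the mis-named keys are simply not enforced by AWS. The script below is an added example (not part of the issue, the provider, or either commenter's code) of two checks a practitioner can run around `terraform apply`: a pre-apply lint of the managedServiceData JSON that flags snake_case keys and unknown rule group keys, and a read-back comparison of the overrides you intended against the ManagedServiceData string returned by `aws fms get-policy`. The allow-list of rule group keys follows the AWS FMS WAFV2 managedServiceData documentation and is this example's assumption; the two JSON documents and the `fake_get_policy` response are constructed stand-ins, not real API output.

```python
"""Added example: lint FMS WAFV2 managedServiceData before apply and verify
applied rule action overrides after apply. Constructed inputs, not from AWS."""
import json
import re

SNAKE_CASE = re.compile(r"_")  # every FMS managedServiceData key is camelCase

# Keys a pre/postProcessRuleGroups entry may carry (assumed from the AWS FMS
# WAFV2 managedServiceData docs; extend if you use more fields).
RULE_GROUP_KEYS = {
    "ruleGroupType", "ruleGroupArn", "managedRuleGroupIdentifier",
    "overrideAction", "ruleActionOverrides", "priority", "excludeRules",
    "sampledRequestsEnabled", "managedRuleGroupConfigs",
}
ACTIONS = {"allow", "block", "count", "captcha", "challenge"}


def _walk(node, path, findings):
    """Collect every key containing an underscore, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            if SNAKE_CASE.search(key):
                findings.append(f"{path}.{key}: snake_case key, FMS expects camelCase")
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def lint_managed_service_data(msd: str) -> list[str]:
    """Return findings for a managedServiceData JSON string (empty = clean)."""
    doc = json.loads(msd)
    findings: list[str] = []
    _walk(doc, "$", findings)
    for section in ("preProcessRuleGroups", "postProcessRuleGroups"):
        for i, rg in enumerate(doc.get(section, [])):
            where = f"$.{section}[{i}]"
            findings += [f"{where}.{k}: unknown rule group key" for k in rg if k not in RULE_GROUP_KEYS]
            for j, ov in enumerate(rg.get("ruleActionOverrides", [])):
                action = ov.get("actionToUse", {})
                if "name" not in ov or len(action.keys() & ACTIONS) != 1:
                    findings.append(f"{where}.ruleActionOverrides[{j}]: needs name and one of {sorted(ACTIONS)}")
    return findings


def expected_overrides(msd: str) -> dict[tuple[str, str], str]:
    """Map (managedRuleGroupName, rule name) -> action for every override present."""
    out = {}
    for section in ("preProcessRuleGroups", "postProcessRuleGroups"):
        for rg in json.loads(msd).get(section, []):
            group = (rg.get("managedRuleGroupIdentifier") or {}).get("managedRuleGroupName")
            for ov in rg.get("ruleActionOverrides", []):
                out[(group, ov.get("name"))] = next(iter(ov.get("actionToUse", {})), None)
    return out


def verify_applied(intended_msd: str, get_policy_response: dict) -> list[str]:
    """Compare intended overrides with Policy.SecurityServicePolicyData.ManagedServiceData
    as returned by `aws fms get-policy` (itself a JSON string)."""
    applied = get_policy_response["Policy"]["SecurityServicePolicyData"]["ManagedServiceData"]
    want, got = expected_overrides(intended_msd), expected_overrides(applied)
    return [f"{g}/{r}: wanted {a}, applied {got.get((g, r))}"
            for (g, r), a in want.items() if got.get((g, r)) != a]


def fake_get_policy(msd: str) -> dict:
    """Constructed stand-in for the part of `aws fms get-policy` output used here."""
    return {"Policy": {"SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": msd}}}


COMMON = {"vendorName": "AWS", "managedRuleGroupName": "AWSManagedRulesCommonRuleSet"}
# Constructed: the shape from the bug report (snake_case keys, nested wrapper).
BUGGY_MSD = json.dumps({"type": "WAFV2", "preProcessRuleGroups": [{
    "managedRuleGroupIdentifier": COMMON, "ruleGroupType": "ManagedRuleGroup",
    "ruleGroupArn": None, "overrideAction": {"type": "NONE"},
    "managed_rule_group_statement": {"rule_action_override": [
        {"name": "EC2MetaDataSSRF_BODY", "action_to_use": {"count": {}}}]},
}], "defaultAction": {"type": "ALLOW"}})
# Constructed: the shape from the fix comment (camelCase keys).
FIXED_MSD = json.dumps({"type": "WAFV2", "preProcessRuleGroups": [{
    "priority": 6, "ruleGroupType": "ManagedRuleGroup",
    "managedRuleGroupIdentifier": COMMON,
    "ruleActionOverrides": [{"name": "EC2MetaDataSSRF_BODY", "actionToUse": {"count": {}}}],
    "overrideAction": {"type": "NONE"},
}], "defaultAction": {"type": "ALLOW"}})

if __name__ == "__main__":
    print("lint buggy:", *lint_managed_service_data(BUGGY_MSD), sep="\n  ")
    print("lint fixed:", lint_managed_service_data(FIXED_MSD))
    # What the reporter saw: the intended overrides are absent from the applied policy.
    print("drift:", verify_applied(FIXED_MSD, fake_get_policy(BUGGY_MSD)))
```

In a pipeline, feed `lint_managed_service_data` the rendered `managed_service_data` string from `terraform show -json` before apply, and feed `verify_applied` the real `aws fms get-policy --policy-id ...` output afterwards; a non-empty list from either is the signal the console was giving visually.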