[New]: Data resource for Network Firewall rule groups

[dsantanu]

Description

Using AWS CLI (and boto3), one can retrive ARNs of the AWS managed rule groups, like this:

aws network-firewall list-rule-groups \
    --scope MANAGED \
    --managed-type AWS_MANAGED_THREAT_SIGNATURES  \
    --query 'RuleGroups[?Name==`ThreatSignaturesBotnetActionOrder`].Arn'

There is no such equivalant feature available for Terraform yet, which is a much needed requirment for adding managed rule-groups, without hard-coding the ARNs manually.

It was requested here: https://github.com/hashicorp/terraform-provider-aws/issues/18026; but doesn't look like ever implemented.

Requested Resource(s) and/or Data Source(s)

New Resource

• (data) aws_networkfirewall_rule_group

Potential Terraform Configuration

variable "aws_managed_rule_groups" {
  type        = list(string)
  default     = [
    "ThreatSignaturesBotnetActionOrder",
    "ThreatSignaturesMalwareCoinminingActionOrder",
  ]
  description = "List of AWS managed rule-groups names" 
}

data "aws_networkfirewall_rule_group" "all_managed" {
  scope        = "MANAGED"
  managed_type = "AWS_MANAGED_THREAT_SIGNATURES"
}

data "aws_networkfirewall_rule_group" "specific_managed" {
  for_each        = toset(var.aws_managed_rule_groups)
  scope           = "MANAGED"
  rule_group_name = each.value
}

References

AWS API ref. https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_ListRuleGroups.html

AWS CLI Ref. https://docs.aws.amazon.com/cli/latest/reference/network-firewall/list-rule-groups.html

Boto3 Ref. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/network-firewall/client/list_rule_groups.html

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[wyardley]

Side note that the awscc provider does have awscc_networkfirewall_rule_group and awscc_networkfirewall_rule_groups data sources, however, you can only specify the full ARN vs. name for awscc_networkfirewall_rule_group, and awscc_networkfirewall_rule_groups doesn't seem to return the managed rule groups AFAICT?