pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

Unable to add AWS Managed RuleSets to WAFV2 #4070

Closed quinnjr closed 3 months ago

quinnjr commented 3 months ago

Describe what happened

I'm trying to add the following rule group statements to my WAFV2, but pulumi keeps reporting an error with each import:

Sample program

const wafACL = new aws.wafv2.WebAcl(generateNameTag('waf'), {
      name: generateNameTag('waf'),
      scope: 'REGIONAL',
      defaultAction: {
        allow: {}
      },
      visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: generateNameTag('waf-acl'),
        sampledRequestsEnabled: true
      },
      rules: [
        {
          name: 'Whitelist',
          priority: 0,
          statement: {
            ipSetReferenceStatement: {
              arn: whitelist.arn
            }
          },
          action: { allow: {} },
          visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: generateNameTag('waf-whitelist'),
            sampledRequestsEnabled: true
          }
        },
        {
          name: 'BlockRussia',
          priority: 1,
          action: { block: {} },
          statement: {
            geoMatchStatement: {
              countryCodes: ['RU']
            }
          },
          visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: generateNameTag('waf-block-russia-rule'),
            sampledRequestsEnabled: true
          }
        },
        {
          name: 'BlockChina',
          priority: 2,
          action: { block: {} },
          statement: {
            geoMatchStatement: {
              countryCodes: ['CN']
            }
          },
          visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: generateNameTag('waf-block-china-rule'),
            sampledRequestsEnabled: true
          }
        },
        {
          name: 'AWSManagedRulesAdminProtectionRuleSet',
          priority: 3,
          action: { block: {} },
          statement: {
            managedRuleGroupStatement: {
              name: 'AWSManagedRulesAdminProtectionRuleSet',
              vendorName: 'AWS',
              // ruleActionOverrides: [
              //   { name: 'AdminProtection_URIPATH', actionToUse: { count: {} } }
              // ]
            }
          },
          visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: 'AWSManagedRulesAdminProtectionRuleSet',
            sampledRequestsEnabled: true
          }
        },
        {
          name: 'AWSManagedRulesAmazonIpReputationList',
          priority: 4,
          action: { block: {} },
          statement: {
            managedRuleGroupStatement: {
              name: 'AWSManagedRulesAmazonIpReputationList',
              vendorName: 'AWS'
            }
          },
          visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: 'AWSManagedRulesAmazonIpReputationList',
            sampledRequestsEnabled: true
          }
        },
        // {
        //   name: 'AWSManagedRulesAnonymousIpList',
        //   priority: 5,
        //   action: { block: {} },
        //   overrideAction: { count: {} },
        //   statement: {
        //     managedRuleGroupStatement: {
        //       name: 'AWSManagedRulesAnonymousIpList',
        //       vendorName: 'AWS'
        //     }
        //   },
        //   visibilityConfig: {
        //     cloudwatchMetricsEnabled: true,
        //     metricName: 'AWSManagedRulesAnonymousIpList',
        //     sampledRequestsEnabled: true
        //   }
        // },
        // {
        //   name: 'AWSManagedRulesCommonRuleSet',
        //   priority: 6,
        //   action: { block: {} },
        //   overrideAction: { count: {} },
        //   statement: {
        //     managedRuleGroupStatement: {
        //       name: 'AWSManagedRulesCommonRuleSet',
        //       vendorName: 'AWS',
        //       ruleActionOverrides: [
        //         { name: 'NoUserAgent_HEADER', actionToUse: { count: {} } },
        //         {
        //           name: 'SizeRestrictions_QUERYSTRING',
        //           actionToUse: { count: {} }
        //         },
        //         { name: 'SizeRestrictions_BODY', actionToUse: { count: {} } },
        //         {
        //           name: 'SizeRestrictions_URIPATH',
        //           actionToUse: { count: {} }
        //         },
        //         {
        //           name: 'CrossSiteScripting_COOKIE',
        //           actionToUse: { count: {} }
        //         },
        //         {
        //           name: 'CrossSiteScripting_QUERYARGUMENTS',
        //           actionToUse: { count: {} }
        //         },
        //         { name: 'CrossSiteScripting_BODY', actionToUse: { count: {} } },
        //         {
        //           name: 'CrossSiteScripting_URIPATH',
        //           actionToUse: { count: {} }
        //         }
        //       ]
        //     }
        //   },
        //   visibilityConfig: {
        //     cloudwatchMetricsEnabled: true,
        //     metricName: 'AWSManagedRulesCommonRuleSet',
        //     sampledRequestsEnabled: true
        //   }
        // },
        // {
        //   name: 'AWSManagedRulesKnownBadInputsRuleSet',
        //   priority: 7,
        //   action: { block: {} },
        //   overrideAction: { count: {} },
        //   statement: {
        //     managedRuleGroupStatement: {
        //       name: 'AWSManagedRulesKnownBadInputsRuleSet',
        //       vendorName: 'AWS'
        //     }
        //   },
        //   visibilityConfig: {
        //     cloudwatchMetricsEnabled: true,
        //     metricName: 'AWSManagedRulesKnownBadInputsRuleSet',
        //     sampledRequestsEnabled: true
        //   }
        // },
        // {
        //   name: 'AWSManagedRulesLinuxRuleSet',
        //   priority: 8,
        //   action: { block: {} },
        //   overrideAction: { count: {} },
        //   statement: {
        //     managedRuleGroupStatement: {
        //       name: 'AWSManagedRulesLinuxRuleSet',
        //       vendorName: 'AWS'
        //     }
        //   },
        //   visibilityConfig: {
        //     cloudwatchMetricsEnabled: true,
        //     metricName: 'AWSManagedRulesLinuxRuleSet',
        //     sampledRequestsEnabled: true
        //   }
        // },
        // {
        //   name: 'AWSManagedRulesPHPRuleSet',
        //   priority: 9,
        //   action: { block: {} },
        //   overrideAction: { count: {} },
        //   statement: {
        //     managedRuleGroupStatement: {
        //       name: 'AWSManagedRulesPHPRuleSet',
        //       vendorName: 'AWS'
        //     }
        //   },
        //   visibilityConfig: {
        //     cloudwatchMetricsEnabled: true,
        //     metricName: 'AWSManagedRulesPHPRuleSet',
        //     sampledRequestsEnabled: true
        //   }
        // }
      ],
      tags: {
        Name: generateNameTag('waf'),
        ...commonTag
      }
    });

Log output

error:   sdk-v2/provider2.go:364: sdk.helper_schema: updating WAFv2 WebACL (2c5c110c-dcdb-4634-8267-2f8d331531fc): operation error WAFV2: UpdateWebACL, https response error StatusCode: 400, RequestID: 2a4b3685-c226-4274-aa74-b9304899d823, WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement: provider=aws@v6.39.0
error: 1 error occurred:

Affected Resource(s)

No response

Output of pulumi about

CLI
Version      3.119.0
Go Version   go1.22.3
Go Compiler  gc

Plugins
KIND      NAME     VERSION
resource  aws      6.39.0
resource  aws      6.29.1
resource  aws      5.43.0
resource  awsx     2.11.0
resource  awsx     1.0.6
resource  docker   4.5.4
resource  docker   3.6.1
resource  docker   3.6.1
resource  grafana  0.4.2
language  nodejs   unknown

Host
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/home/joseph/.local/share/nvm/versions/node/v20.11.0/bin/node' version='v20.11.0'

Backend
Name           pulumi.com
URL            https://app.pulumi.com/jquinn
User           jquinn
Organizations  jquinn, recordboss
Token type     personal

Dependencies:
NAME                              VERSION
@pulumi/pulumi                    3.119.0
@pulumi/awsx                      v2.11.0
eslint                            8.57.0
ts-node                           10.9.2
eslint-plugin-unicorn             52.0.0
@pulumi/aws                       6.39.0
lint-staged                       15.2.5
husky                             9.0.11
prettier                          3.3.2
eslint-plugin-prettier            5.1.3
@typescript-eslint/parser         7.13.0
@pulumiverse/grafana              v0.4.2
@types/node                       20.14.2
uuid                              9.0.1
@typescript-eslint/eslint-plugin  7.13.0
eslint-config-prettier            9.1.0
typescript                        5.4.5

Pulumi locates its logs in /tmp by default

Additional context

No response


corymhall commented 3 months ago

@quinnjr it looks like for managed rules you should use overrideAction instead of action

From

rules: [
  {
    action: { block: {} },
  }
]

To

rules: [
  {
    overrideAction: { none: {} },
  }
]

Let me know if switching to that works.
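The rule from the answer above, applied to a complete rule set, plus a pre-deploy check that catches the mistake from the report before `pulumi up` has to round-trip to the WAFV2 API. This is an added example, not code from the pulumi-aws project or from either participant. It does not import `@pulumi/aws`; the local interfaces are an assumption that mirrors the field names of the `aws.wafv2.WebAcl` rule inputs used in the thread, so the objects can be passed straight into `rules:` of a real `WebAcl`. The IP set ARN is a constructed placeholder. The check applies the distinction generally: any rule whose statement is a rule group (managed or a customer `ruleGroupReferenceStatement`) takes `overrideAction`, every other statement takes `action`, never both; it also flags the duplicated rule name that appears in the original sample, since WAF rejects that separately.

```typescript
// Added example (assumption: shapes mirror aws.wafv2.WebAcl rule inputs; no @pulumi/aws import).
type EmptyAction = Record<string, never>;
interface RuleAction { allow?: EmptyAction; block?: EmptyAction; count?: EmptyAction }
interface OverrideAction { none?: EmptyAction; count?: EmptyAction }
interface RuleActionOverride { name: string; actionToUse: RuleAction }
interface ManagedRuleGroupStatement { name: string; vendorName: string; ruleActionOverrides?: RuleActionOverride[] }
interface Statement {
  managedRuleGroupStatement?: ManagedRuleGroupStatement;
  ruleGroupReferenceStatement?: { arn: string };
  geoMatchStatement?: { countryCodes: string[] };
  ipSetReferenceStatement?: { arn: string };
}
interface VisibilityConfig { cloudwatchMetricsEnabled: boolean; metricName: string; sampledRequestsEnabled: boolean }
interface WebAclRule {
  name: string;
  priority: number;
  action?: RuleAction;          // for rules whose statement matches requests directly
  overrideAction?: OverrideAction; // for rules that wrap a rule group (managed or your own)
  statement: Statement;
  visibilityConfig: VisibilityConfig;
}

const visibility = (metricName: string): VisibilityConfig =>
  ({ cloudwatchMetricsEnabled: true, metricName, sampledRequestsEnabled: true });

// A rule group carries its own per-rule actions, so the enclosing rule only says whether to
// honour them (none) or downgrade the whole group to count; a direct statement needs action.
function isRuleGroupStatement(s: Statement): boolean {
  return s.managedRuleGroupStatement !== undefined || s.ruleGroupReferenceStatement !== undefined;
}

// Returns one message per problem; an empty array means the rule set passes the check.
function findRuleProblems(rules: WebAclRule[]): string[] {
  const problems: string[] = [];
  const seenNames = new Set<string>();
  const seenPriorities = new Set<number>();
  for (const r of rules) {
    if (seenNames.has(r.name)) problems.push(`${r.name}: duplicate rule name`);
    seenNames.add(r.name);
    if (seenPriorities.has(r.priority)) problems.push(`${r.name}: duplicate priority ${r.priority}`);
    seenPriorities.add(r.priority);
    const hasAction = r.action !== undefined;
    const hasOverride = r.overrideAction !== undefined;
    if (hasAction && hasOverride) {
      problems.push(`${r.name}: set either action or overrideAction, not both`);
    } else if (isRuleGroupStatement(r.statement) && !hasOverride) {
      problems.push(`${r.name}: rule group statements need overrideAction, not action`);
    } else if (!isRuleGroupStatement(r.statement) && !hasAction) {
      problems.push(`${r.name}: non-group statements need action, not overrideAction`);
    }
  }
  return problems;
}

// Corrected rule set (constructed; the IP set ARN is a placeholder). Managed groups enforce their
// own block/count decisions under overrideAction none; per-rule tuning goes in ruleActionOverrides.
const rules: WebAclRule[] = [
  { name: 'Whitelist', priority: 0, action: { allow: {} },
    statement: { ipSetReferenceStatement: { arn: 'arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/PLACEHOLDER/ID' } },
    visibilityConfig: visibility('waf-whitelist') },
  { name: 'BlockRussia', priority: 1, action: { block: {} },
    statement: { geoMatchStatement: { countryCodes: ['RU'] } },
    visibilityConfig: visibility('waf-block-russia-rule') },
  { name: 'AWSManagedRulesAdminProtectionRuleSet', priority: 2, overrideAction: { none: {} },
    statement: { managedRuleGroupStatement: { name: 'AWSManagedRulesAdminProtectionRuleSet', vendorName: 'AWS',
      ruleActionOverrides: [{ name: 'AdminProtection_URIPATH', actionToUse: { count: {} } }] } },
    visibilityConfig: visibility('AWSManagedRulesAdminProtectionRuleSet') },
  { name: 'AWSManagedRulesAmazonIpReputationList', priority: 3, overrideAction: { none: {} },
    statement: { managedRuleGroupStatement: { name: 'AWSManagedRulesAmazonIpReputationList', vendorName: 'AWS' } },
    visibilityConfig: visibility('AWSManagedRulesAmazonIpReputationList') },
];

// The shape from the report: managed groups given action block, and a rule name reused.
const brokenRules: WebAclRule[] = [
  rules[0],
  { name: 'AWSManagedRulesAdminProtectionRuleSet', priority: 3, action: { block: {} },
    statement: { managedRuleGroupStatement: { name: 'AWSManagedRulesAdminProtectionRuleSet', vendorName: 'AWS' } },
    visibilityConfig: visibility('AWSManagedRulesAdminProtectionRuleSet') },
  { name: 'AWSManagedRulesAdminProtectionRuleSet', priority: 4, action: { block: {} },
    statement: { managedRuleGroupStatement: { name: 'AWSManagedRulesAmazonIpReputationList', vendorName: 'AWS' } },
    visibilityConfig: visibility('AWSManagedRulesAmazonIpReputationList') },
];

console.log('corrected:', findRuleProblems(rules));
console.log('as reported:', findRuleProblems(brokenRules));
```

Run it with `ts-node` before `pulumi up`; anything it prints for the rule set you intend to deploy is a rejection the WAFV2 API would otherwise return as the generic "A reference in your rule statement is not valid" seen in the log above.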

quinnjr commented 3 months ago

Yes, that fixed it.