trussworks / terraform-aws-wafv2

Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets
https://registry.terraform.io/modules/trussworks/wafv2
Apache License 2.0

Why does the module add many default rules that were not defined in the code? #87

Closed tatdatpham closed 2 years ago

tatdatpham commented 2 years ago

Here is my Terraform code

module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "2.4.0"

  name  = "${var.project_name}-web-${var.environment}"
  scope = "REGIONAL"

  alb_arn       = var.alb_arn
  associate_alb = true
  group_rules = [
    {
      excluded_rules : [],
      name : aws_wafv2_rule_group.allow_ip.name,
      arn : aws_wafv2_rule_group.allow_ip.arn,
      override_action : "none",
      priority : 11
    }
  ]
  tags = merge(var.common_tags, {
    Name = "${var.project_name}-web-${var.environment}"
  })
}

My rule group has only one rule, which blocks all requests if they do not come from a specific IP set (capacity 100). But when I run a plan to check the changes, many default rules are added to the Web ACL? And I can't create the Web ACL; it says

Field: "WEB_ACL",
│   Message_: "Error reason: You exceeded the capacity limit for a rule group or web ACL., field: WEB_ACL, parameter: 1525",
│   Parameter: "1525",
│   Reason: "You exceeded the capacity limit for a rule group or web ACL."

Here is plan change log

# module.waf.module.alb_wafv2.aws_wafv2_web_acl.main will be created
  + resource "aws_wafv2_web_acl" "main" {
      + arn         = (known after apply)
      + capacity    = (known after apply)
      + description = "WAFv2 ACL for my-project-web-dev"
      + id          = (known after apply)
      + lock_token  = (known after apply)
      + name        = "my-project-web-dev"
      + scope       = "REGIONAL"

      + default_action {
          + allow {
            }
        }

      + rule {
          + name     = "AWSManagedRulesAmazonIpReputationList"
          + priority = 20

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesAmazonIpReputationList"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesCommonRuleSet"
          + priority = 10

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesCommonRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesKnownBadInputsRuleSet"
          + priority = 30

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesKnownBadInputsRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesLinuxRuleSet"
          + priority = 50

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesLinuxRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesLinuxRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesSQLiRuleSet"
          + priority = 40

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesSQLiRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesSQLiRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesUnixRuleSet"
          + priority = 60

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {

      + visibility_config {
          + cloudwatch_metrics_enabled = true
          + metric_name                = "my-project-web-dev"
          + sampled_requests_enabled   = true
        }
    }
tatdatpham commented 2 years ago

Hmm, I found the problem. In your module, managed_rules is enabled by default; I must set managed_rules = [] to override the default if I don't need to add managed rules to the Web ACL.

jsclarridge commented 2 years ago

@tatdatpham That's correct. By default, this module's managed_rules variable adds certain AWS managed rules to the Web ACL, but the variable can be set to a custom list or [] when using the module.

It sounds like that resolves this issue's original question, so I'll close the issue for now. Feel free to reopen or file a new issue if you have any other questions.
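The fix that both comments describe, written out as an added example (it is not code from the issue author or from the module's own documentation): the same module call as in the issue, with managed_rules set explicitly to an empty list so the module adds none of its default AWS managed rule groups. The variable name managed_rules, the group_rules shape and the version pin come from the issue itself; the comments and the capacity figures in them are my reading of the error message on this page.

```hcl
module "alb_wafv2" {
  source  = "trussworks/wafv2/aws"
  version = "2.4.0"

  name  = "${var.project_name}-web-${var.environment}"
  scope = "REGIONAL"

  alb_arn       = var.alb_arn
  associate_alb = true

  # Opt out of the module's default AWS managed rule groups explicitly.
  # Left unset, the module adds its default managed_rules list; in the
  # issue those rule groups plus the 100 WCU custom group came to 1525 WCU
  # (the "parameter: 1525" in the error), above the web ACL capacity limit.
  managed_rules = []

  # The custom rule group from the issue (IP allowlist, 100 WCU) is now the
  # only rule in the web ACL.
  group_rules = [
    {
      excluded_rules  = []
      name            = aws_wafv2_rule_group.allow_ip.name
      arn             = aws_wafv2_rule_group.allow_ip.arn
      override_action = "none"
      priority        = 11
    }
  ]

  tags = merge(var.common_tags, {
    Name = "${var.project_name}-web-${var.environment}"
  })
}
```

The check is the plan itself: after this change `terraform plan` should show a single `rule {}` block for the web ACL instead of the six managed_rule_group_statement blocks in the issue's plan output. Note the trade-off: an empty managed_rules list also removes the managed protections (IP reputation, common, known bad inputs, SQLi, Linux and Unix rule sets) that the defaults provide, leaving the IP allowlist as the only filtering; if some of those protections are wanted, pass a shorter custom list whose combined capacity, together with any custom rule groups, stays under the web ACL limit.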