
Add Support for WAFv2 Managed Rule Group Configuration #23287

Closed
cyn110 opened this issue Feb 18, 2022 · 10 comments · Fixed by #28594
Comments

@cyn110

cyn110 commented Feb 18, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Add Support for WAFv2 Managed Rule Group Configuration

WAFv2 recently added AWS WAF Fraud Control account takeover prevention (ATP) feature as a new aws managed rule group. In order to use this managed rule group, some configuration is required to be put in, which is a new data structure that the current aws_wafv2_rule_group resource doesn't support.

New or Affected Resource(s)

  • aws_wafv2_rule_group

References

@cyn110 cyn110 added the enhancement Requests to existing resources that expand the functionality or scope. label Feb 18, 2022
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Feb 18, 2022
@justinretzolk
Member

Related: #23290

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Mar 7, 2022
@DannySto

any update?

@fillz-noh

I am sad that I am unable to integrate the ATP. Could you please progress this issue?

@adrianosela

+1 on sadness, please prioritize :(

@marianod92

marianod92 commented Aug 28, 2022

Hello everyone!

Has anyone been able to solve this problem with some workaround through aws-cli for example?

I tried to activate Account Takeover Prevention through Terraform with a null_resource and aws-cli, but I did not find this option in the documentation and reference examples.

Thanks!

@maiconbaum

Any update on this? =`(

@maiconbaum

maiconbaum commented Oct 18, 2022

Well, meanwhile, this is my workaround (in Brazil we say "gambiarra")

  1. Create a null_resource with a local-exec provisioner to execute a shell script:

Note 1: There is only one trigger in null_resource. The timestamp() function ensures that this local-exec always runs.

Note 2: Replace the aws_wafv2_web_acl references properly.

Note 3: Replace the path to custom rules properly.

resource "null_resource" "aws_wafv2_webacl_add_custom_rules" {
  triggers = {
    # Ensures this local-exec always runs.
    timestamp = timestamp()
  }

  provisioner "local-exec" {
    command = "./files/scripts/aws_wafv2_web_acl_add_custom_rules.sh '${aws_wafv2_web_acl.example.name}' '${aws_wafv2_web_acl.example.id}' '${aws_wafv2_web_acl.example.scope}' '${file("./files/aws_wafv2_web_acl_custom_rules.json")}'"
  }
}
  2. Create the shell script that does the trick:

Note 1: This is a simple shell script that helped me to achieve this. You can replace this with any script in any language using any logic that you want.

Note 2: This shell script assumes that you have aws-cli and jq installed. Tested with aws-cli version aws-cli/1.25.47 Python/3.9.13 Darwin/21.6.0 botocore/1.27.47 and jq version jq-1.6.

#!/usr/bin/env bash
# Abort on any failed command, unset variable or failed pipeline stage.
set -euo pipefail

WEB_ACL_NAME=$1
WEB_ACL_ID=$2
WEB_ACL_SCOPE=$3
WEB_ACL_CUSTOM_RULES=$4

# Retrieves the Web ACL document (its LockToken is required by update-web-acl).
WEB_ACL_DOCUMENT=$(aws wafv2 get-web-acl --name "$WEB_ACL_NAME" --scope "$WEB_ACL_SCOPE" --id "$WEB_ACL_ID")

# Copy Web ACL default action.
WEB_ACL_DEFAULT_ACTION=$(echo "$WEB_ACL_DOCUMENT" | jq -r '.WebACL.DefaultAction')

# Copy Web ACL description.
WEB_ACL_DESCRIPTION=$(echo "$WEB_ACL_DOCUMENT" | jq -r '.WebACL.Description')

# Copy Web ACL visibility config.
WEB_ACL_VISIBILITY_CONFIG=$(echo "$WEB_ACL_DOCUMENT" | jq -r '.WebACL.VisibilityConfig')

# Copy Web ACL rules.
WEB_ACL_RULES=$(echo "$WEB_ACL_DOCUMENT" | jq -r '.WebACL.Rules')

# Set Web ACL lock token.
WEB_ACL_LOCK_TOKEN=$(echo "$WEB_ACL_DOCUMENT" | jq -r '.LockToken')

# Set Web ACL new rules: the existing rules followed by the custom rules.
WEB_ACL_NEW_RULES=$(jq --null-input --argjson WEB_ACL_RULES "$WEB_ACL_RULES" --argjson WEB_ACL_CUSTOM_RULES "$WEB_ACL_CUSTOM_RULES" '$WEB_ACL_RULES + $WEB_ACL_CUSTOM_RULES')

# Update the Web ACL.
OUTPUT=$(aws wafv2 update-web-acl \
          --name "$WEB_ACL_NAME" \
          --scope "$WEB_ACL_SCOPE" \
          --id "$WEB_ACL_ID" \
          --description "$WEB_ACL_DESCRIPTION" \
          --lock-token "$WEB_ACL_LOCK_TOKEN" \
          --default-action "$WEB_ACL_DEFAULT_ACTION" \
          --visibility-config "$WEB_ACL_VISIBILITY_CONFIG" \
          --rules "$WEB_ACL_NEW_RULES"
)
  3. Create a JSON file containing all custom rules that you need:

Note 1: This custom rule is just an example; note that the ManagedRuleGroupConfigs values are redacted, so adjust them properly.
Note 2: Remember to adjust the Priority properly.

[
  {
    "Name": "AWS-AWSManagedRulesATPRuleSet",
    "Priority": 3,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesATPRuleSet",
        "ManagedRuleGroupConfigs": [
          {
            "LoginPath": "redacted"
          },
          {
            "PayloadType": "redacted"
          },
          {
            "UsernameField": {
              "Identifier": "redacted"
            }
          },
          {
            "PasswordField": {
              "Identifier": "redacted"
            }
          }
        ]
      }
    },
    "OverrideAction": {
      "None": {}
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWS-AWSManagedRulesATPRuleSet"
    }
  }
]
  4. Enjoy.
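The merge step of the workaround above, as an added example that is not part of the original comment: it reproduces what the jq `+` does (existing rules followed by the custom rules) but refuses duplicate rule names or priorities, which WAFv2 requires to be unique within a Web ACL, and it carries the LockToken from the same get-web-acl response into the update so a concurrent change is rejected instead of overwritten. The Web ACL document, the ATP rule and its placeholder config values are constructed; the parameter names mirror the update-web-acl options used in the script.

```python
# Constructed sample of `aws wafv2 get-web-acl` output, trimmed to the fields
# the workaround copies back into update-web-acl.
VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "m"}
EXISTING_ACL = {
    "WebACL": {"Name": "example", "Id": "constructed-web-acl-id", "Description": "example",
               "DefaultAction": {"Allow": {}}, "VisibilityConfig": VIS,
               "Rules": [{"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 1,
                          "Statement": {"ManagedRuleGroupStatement": {
                              "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
                          "OverrideAction": {"None": {}}, "VisibilityConfig": VIS}]},
    "LockToken": "constructed-lock-token",
}

# Constructed custom rule: the ATP managed rule group with placeholder config values.
ATP_RULE = {
    "Name": "AWS-AWSManagedRulesATPRuleSet", "Priority": 3,
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesATPRuleSet",
        "ManagedRuleGroupConfigs": [{"LoginPath": "/placeholder-login"},
                                    {"PayloadType": "PLACEHOLDER"},
                                    {"UsernameField": {"Identifier": "placeholder"}},
                                    {"PasswordField": {"Identifier": "placeholder"}}]}},
    "OverrideAction": {"None": {}}, "VisibilityConfig": VIS,
}


def merge_rules(existing_rules, custom_rules):
    """Append custom rules to the existing list (what the jq `+` does), but
    refuse duplicate names or priorities, which WAFv2 requires to be unique."""
    merged = list(existing_rules) + list(custom_rules)
    names = [r["Name"] for r in merged]
    prios = [r["Priority"] for r in merged]
    dup = {n for n in names if names.count(n) > 1} | {p for p in prios if prios.count(p) > 1}
    if dup:
        raise ValueError(f"conflicting rule names/priorities: {sorted(map(str, dup))}")
    return merged


def build_update_request(get_web_acl_output, custom_rules, scope):
    """Assemble the update-web-acl parameters, reusing the LockToken from the same
    get-web-acl call so a concurrent edit is rejected rather than overwritten."""
    acl = get_web_acl_output["WebACL"]
    return {"Name": acl["Name"], "Scope": scope, "Id": acl["Id"],
            "Description": acl.get("Description", ""),
            "DefaultAction": acl["DefaultAction"],
            "VisibilityConfig": acl["VisibilityConfig"],
            "Rules": merge_rules(acl["Rules"], custom_rules),
            "LockToken": get_web_acl_output["LockToken"]}
```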

@hermes-pimentel

you're a lifesaver @maiconbaum! Thank you.

@github-actions

github-actions bot commented Jan 5, 2023

This functionality has been released in v4.49.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

github-actions bot commented Feb 5, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 5, 2023