Add Support for WAFv2 Managed Rule Group Configuration

[cyn110]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Add Support for WAFv2 Managed Rule Group Configuration

WAFv2 recently added AWS WAF Fraud Control account takeover prevention (ATP) feature as a new aws managed rule group. In order to use this managed rule group, some configuration is required to be put in, which is a new data structure that the current aws_wafv2_rule_group resource doesn't support.

New or Affected Resource(s)

• aws_wafv2_rule_group

References

• https://aws.amazon.com/about-aws/whats-new/2022/02/aws-waf-fraud-control-login-credential-attacks/
• https://docs.aws.amazon.com/waf/latest/developerguide/waf-atp.html

[justinretzolk]

Related: #23290

[DannySto]

any update?

[fillz-noh]

I am sad that I am unable to integrate the ATP. Could you please progress this issue?

[adrianosela]

+1 on sadness, please prioritize :(

[marianod92]

Hello everyone!

Has anyone been able to solve this problem with some workaround through aws-cli for example?

I tried to activate Account Takeover Prevention through Terraform with a null_resource and aws-cli, but I did not find this option in the documentation and reference examples.

Thanks!

[maiconbaum]

Any update on this? =`(

[maiconbaum]

Well, meanwhile, this is my workaround (in Brazil we say "gambiarra")

1. Create a null_resource with a local-exec Provisioner to execute a shell script:

Note 1: There is only one trigger in null_resource. The timestamp() function will ensure that this local-exec always ran.

Note 2: Replace the aws_wafv2_web_acl references properly.

Note 3: Replace the path to custom rules properly.

resource "null_resource" "aws_wafv2_webacl_add_custom_rules" {
  triggers = {
    # Ensures this local-exec always ran.
    timestamp = timestamp()
  }


  provisioner "local-exec" {
    command = "./files/scripts/aws_wafv2_web_acl_add_custom_rules.sh '${aws_wafv2_web_acl.example.name}' '${aws_wafv2_web_acl.example.id}' '${aws_wafv2_web_acl.example.scope}' '${file("./files/aws_wafv2_web_acl_custom_rules.json")}'"
  }
}

2. Create the shell script that does the trick:

Note 1: This is a simple shell script that helped me to achieve this. You can replace this with any script in any language using any logic that you want.

Note 2: This shell script assumes that you have aws-cli and jq installed. Tested with aws-cli version aws-cli/1.25.47 Python/3.9.13 Darwin/21.6.0 botocore/1.27.47 and jq version jq-1.6

#!/usr/bin/env bash

WEB_ACL_NAME=$1
WEB_ACL_ID=$2
WEB_ACL_SCOPE=$3
WEB_ACL_CUSTOM_RULES=$4

# Retrieves the Web ACL document.
WEB_ACL_DOCUMENT=$(aws wafv2 get-web-acl --name $WEB_ACL_NAME --scope $WEB_ACL_SCOPE --id $WEB_ACL_ID)

# Copy Web ACL default action.
WEB_ACL_DEFAULT_ACTION=$(echo $WEB_ACL_DOCUMENT | jq '.WebACL.DefaultAction' -r)

# Copy Web ACL description.
WEB_ACL_DESCRIPTION=$(echo $WEB_ACL_DOCUMENT | jq '.WebACL.Description' -r)

# Copy Web ACL visibility config.
WEB_ACL_VISIBILITY_CONFIG=$(echo $WEB_ACL_DOCUMENT | jq '.WebACL.VisibilityConfig' -r)

# Copy Web ACL rules.
WEB_ACL_RULES=$(echo $WEB_ACL_DOCUMENT | jq '.WebACL.Rules' -r)

# Set Web ACL lock token.
WEB_ACL_LOCK_TOKEN=$(echo $WEB_ACL_DOCUMENT | jq '.LockToken' -r)

# Set Web ACL new rules.
WEB_ACL_NEW_RULES=$(jq --null-input --argjson  WEB_ACL_RULES "$WEB_ACL_RULES" --argjson WEB_ACL_CUSTOM_RULES "$WEB_ACL_CUSTOM_RULES" '$WEB_ACL_RULES  + $WEB_ACL_CUSTOM_RULES')

# Update the Web ACL.
OUTPUT=$(aws wafv2 update-web-acl \
          --name $WEB_ACL_NAME \
          --scope $WEB_ACL_SCOPE \
          --id $WEB_ACL_ID \
          --description "$WEB_ACL_DESCRIPTION" \
          --lock-token $WEB_ACL_LOCK_TOKEN \
          --default-action "$WEB_ACL_DEFAULT_ACTION" \
          --visibility-config "$WEB_ACL_VISIBILITY_CONFIG" \
          --rules "$WEB_ACL_NEW_RULES"
)

3. Create a JSON file containing all custom rules that you need:

Note 1: This custom rule is just an example, note that ManagedRuleGroupConfigs values are redacted, so adjust it properly.
Note 2: Remember to adjust the Priority properly.

[
  {
    "Name": "AWS-AWSManagedRulesATPRuleSet",
    "Priority": 3,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesATPRuleSet",
        "ManagedRuleGroupConfigs": [
          {
            "LoginPath": "redacted"
          },
          {
            "PayloadType": "redacted"
          },
          {
            "UsernameField": {
              "Identifier": "redacted"
            }
          },
          {
            "PasswordField": {
              "Identifier": "redacted"
            }
          }
        ]
      }
    },
    "OverrideAction": {
      "None": {}
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWS-AWSManagedRulesATPRuleSet"
    }
  }
]

4. Enjoy.

[hermes-pimentel]

you're a lifesaver @maiconbaum! Thank you.