
Implemented Scope-down statements on WAFv2 Web ACL Managed Rules #19407

Conversation

Adirael
Contributor

@Adirael Adirael commented May 17, 2021

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #18584
Closes #19125
Relates #15580

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAwsWafv2WebACL_ManagedRuleGroupStatement'

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAwsWafv2WebACL_ManagedRuleGroupStatement -timeout 180m
=== RUN   TestAccAwsWafv2WebACL_ManagedRuleGroupStatement
=== PAUSE TestAccAwsWafv2WebACL_ManagedRuleGroupStatement
=== CONT  TestAccAwsWafv2WebACL_ManagedRuleGroupStatement
    resource_aws_wafv2_web_acl_test.go:534: Step 2/3 error: After applying this test step and performing a `terraform refresh`, the plan was not empty.
        stdout


        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place

        Terraform will perform the following actions:

          # aws_wafv2_web_acl.test will be updated in-place
          ~ resource "aws_wafv2_web_acl" "test" {
                id          = "38e30f56-fdbf-4622-aedd-c931aa410384"
                name        = "tf-acc-test-1625682019993276028"
                tags        = {
                    "Tag1" = "Value1"
                    "Tag2" = "Value2"
                }
                # (6 unchanged attributes hidden)


              + rule {
                  + name     = "rule-1"
                  + priority = 1

                  + override_action {
                      + count {}
                    }

                  + statement {

                      + managed_rule_group_statement {
                          + name        = "AWSManagedRulesCommonRuleSet"
                          + vendor_name = "AWS"

                          + excluded_rule {
                              + name = "SizeRestrictions_QUERYSTRING"
                            }
                          + excluded_rule {
                              + name = "NoUserAgent_HEADER"
                            }

                          + scope_down_statement {

                              + geo_match_statement {
                                  + country_codes = [
                                      + "US",
                                      + "NL",
                                    ]
                                }
                            }
                        }
                    }

                  + visibility_config {
                      + cloudwatch_metrics_enabled = false
                      + metric_name                = "friendly-rule-metric-name"
                      + sampled_requests_enabled   = false
                    }
                }
              - rule {
                  - name     = "rule-1" -> null
                  - priority = 1 -> null

                  - override_action {
                      - count {}
                    }

                  - statement {

                      - managed_rule_group_statement {
                          - name        = "AWSManagedRulesCommonRuleSet" -> null
                          - vendor_name = "AWS" -> null

                          - excluded_rule {
                              - name = "SizeRestrictions_QUERYSTRING" -> null
                            }
                          - excluded_rule {
                              - name = "NoUserAgent_HEADER" -> null
                            }
                        }
                    }

                  - visibility_config {
                      - cloudwatch_metrics_enabled = false -> null
                      - metric_name                = "friendly-rule-metric-name" -> null
                      - sampled_requests_enabled   = false -> null
                    }
                }

                # (2 unchanged blocks hidden)
            }

        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccAwsWafv2WebACL_ManagedRuleGroupStatement (52.10s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	52.171s
FAIL
GNUmakefile:27: recipe for target 'testacc' failed
make: *** [testacc] Error 1
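The non-empty plan in the test run above is the informative part of this output: the `-` rule read back from AWS carries the same name, priority, excluded rules and visibility_config as the `+` rule from the configuration but no scope_down_statement, so at that point the provider's read path was dropping the scope-down on refresh and Terraform kept trying to re-apply it. The configuration below is an added example, not the PR's acceptance-test fixture, showing the shape the released feature (provider v3.50.0 and later) accepts: a managed rule group that is only evaluated against requests from the listed countries whose URI path starts with /api/. The resource name, scope, country codes, path prefix and metric names are illustrative assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.50.0" # scope_down_statement on managed rule groups shipped in this release
    }
  }
}

# Assumed example resource; all names and values are illustrative.
resource "aws_wafv2_web_acl" "example" {
  name        = "api-managed-rules-scoped"
  description = "AWS Common Rule Set, evaluated only for /api/ traffic from selected countries"
  scope       = "REGIONAL" # use CLOUDFRONT (provider in us-east-1) for a CloudFront distribution

  default_action {
    allow {}
  }

  rule {
    name     = "aws-common-rule-set"
    priority = 1

    # none {} keeps the managed group's own rule actions, so matches block.
    # The acceptance test above uses count {}, which only records matches and
    # blocks nothing; fine for a tuning period, not for production.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        # excluded_rule does not disable a rule; it sets that rule's action to
        # COUNT, so its hits still appear in metrics and sampled requests.
        excluded_rule {
          name = "SizeRestrictions_QUERYSTRING"
        }

        # Only requests matching this statement are inspected by the managed
        # group; everything else skips it and falls through to later rules and
        # the default action. Logical and/or/not nesting is allowed here;
        # rate-based, rule-group and managed-rule-group statements are not.
        scope_down_statement {
          and_statement {
            statement {
              geo_match_statement {
                country_codes = ["US", "NL"]
              }
            }
            statement {
              byte_match_statement {
                positional_constraint = "STARTS_WITH"
                search_string         = "/api/"

                field_to_match {
                  uri_path {}
                }

                # Decode before matching so "/%61pi/" cannot slip past the prefix check.
                text_transformation {
                  priority = 0
                  type     = "URL_DECODE"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-managed-rules-scoped"
    sampled_requests_enabled   = true
  }
}
```

Two checks worth running after `terraform apply`: a second `terraform plan` must report no changes (the failure mode in the output above is exactly a perpetual in-place update), and `aws wafv2 get-web-acl --name api-managed-rules-scoped --scope REGIONAL --id <id>` should show a ScopeDownStatement nested under ManagedRuleGroupStatement. One caveat on the design: a scope-down narrows what the managed group inspects, which is the point when the goal is to cut false positives or cost, but requests outside the scope receive none of that group's protections, and a geo-based scope is trivially sidestepped by a client that chooses its source country. Treat a scope-down as noise reduction, not as the security boundary.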

@Adirael Adirael requested a review from a team as a code owner May 17, 2021 17:44
@ghost ghost added size/S Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/wafv2 Issues and PRs that pertain to the wafv2 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels May 17, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 17, 2021
@Adirael
Contributor Author

Adirael commented May 17, 2021

This is a work in progress. The functionality works but the acceptance tests are not passing at the moment.

@ghost ghost added size/M Managed by automation to categorize the size of a PR. and removed size/S Managed by automation to categorize the size of a PR. labels May 17, 2021

@github-actions github-actions bot left a comment


Welcome @Adirael 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@YakDriver
Member

@Adirael Thanks for your work on this! Let us know when it's ready for review (although it may take a little while to review, we'll do our best).

@YakDriver YakDriver removed the needs-triage Waiting for first response or review from a maintainer. label May 21, 2021
@Adirael Adirael force-pushed the f-aws_wafv2_web_acl-scope_down_statement-managed-rule-group branch from f9ef123 to 89007f7 on June 18, 2021 08:55
@Adirael Adirael changed the title from "[WIP] Implemented Scope-down statements on WAFv2 Web ACL Managed Rules" to "Implemented Scope-down statements on WAFv2 Web ACL Managed Rules" Jun 18, 2021
@Adirael
Contributor Author

Adirael commented Jun 18, 2021

@Adirael Thanks for your work on this! Let us know when it's ready for review (although it may take a little while to review, we'll do our best).

I would say that this is ready! Thanks for your patience :)

@shubydo
Contributor

shubydo commented Jun 24, 2021

Any updates on this? This is a feature that our team is looking to utilize

@mbsimonovic

I ran into this problem assuming scope-down would be supported, and only later realised that https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#managed-rule-group-statement
says the managed_rule_group_statement block supports ONLY the following arguments: excluded_rule, name and vendor_name.

Please consider stating this explicitly in the docs: scope_down_statement is not yet supported.

@manishthakur4190

Any updates on this? This is a feature that our team is looking to utilize

@YakDriver YakDriver self-assigned this Jul 12, 2021
@YakDriver YakDriver force-pushed the f-aws_wafv2_web_acl-scope_down_statement-managed-rule-group branch from 89007f7 to 3bbbf30 on July 12, 2021 23:46
@github-actions github-actions bot added size/XL Managed by automation to categorize the size of a PR. and removed size/M Managed by automation to categorize the size of a PR. labels Jul 13, 2021
@YakDriver YakDriver added this to the v3.50.0 milestone Jul 13, 2021
Member

@YakDriver YakDriver left a comment


Looks good! 🎉

Output from acceptance tests (us-west-2):

--- PASS: TestAccAwsWafv2WebACL_disappears (54.10s)
--- PASS: TestAccAwsWafv2WebACL_basic (55.67s)
--- PASS: TestAccAwsWafv2WebACL_RateBased_forwardedIPConfig (58.12s)
--- PASS: TestAccAwsWafv2WebACL_Update_nameForceNew (58.25s)
--- PASS: TestAccAwsWafv2WebACL_minimal (73.92s)
--- PASS: TestAccAwsWafv2WebACL_tags (74.36s)
--- PASS: TestAccAwsWafv2WebACL_GeoMatch_forwardedIPConfig (83.29s)
--- PASS: TestAccAwsWafv2WebACL_RuleGroupReference_basic (85.28s)
--- PASS: TestAccAwsWafv2WebACL_ManagedRuleGroup_basic (85.45s)
--- PASS: TestAccAwsWafv2WebACL_IPSetReference_basic (92.49s)
--- PASS: TestAccAwsWafv2WebACL_GeoMatch_basic (96.57s)
--- PASS: TestAccAwsWafv2WebACL_RateBased_maxNested (98.17s)
--- PASS: TestAccAwsWafv2WebACL_RateBased_basic (98.86s)
--- PASS: TestAccAwsWafv2WebACL_Custom_requestHandling (109.50s)
--- PASS: TestAccAwsWafv2WebACL_Custom_response (115.56s)
--- PASS: TestAccAwsWafv2WebACL_Operators_maxNested (144.78s)
--- PASS: TestAccAwsWafv2WebACL_Update_ruleProperties (147.90s)
--- PASS: TestAccAwsWafv2WebACL_Update_rule (155.24s)
--- PASS: TestAccAwsWafv2WebACL_IPSetReference_forwardedIPConfig (161.90s)

Output from acceptance tests (GovCloud):

--- PASS: TestAccAwsWafv2WebACL_minimal (25.21s)
--- PASS: TestAccAwsWafv2WebACL_basic (34.70s)
--- PASS: TestAccAwsWafv2WebACL_disappears (42.97s)
--- PASS: TestAccAwsWafv2WebACL_RateBased_maxNested (58.74s)
--- PASS: TestAccAwsWafv2WebACL_RateBased_basic (66.02s)
--- PASS: TestAccAwsWafv2WebACL_Update_nameForceNew (72.26s)
--- PASS: TestAccAwsWafv2WebACL_RateBased_forwardedIPConfig (89.30s)
--- PASS: TestAccAwsWafv2WebACL_IPSetReference_basic (92.80s)
--- PASS: TestAccAwsWafv2WebACL_GeoMatch_basic (96.44s)
--- PASS: TestAccAwsWafv2WebACL_RuleGroupReference_basic (99.86s)
--- PASS: TestAccAwsWafv2WebACL_Update_rule (102.27s)
--- PASS: TestAccAwsWafv2WebACL_ManagedRuleGroup_basic (107.80s)
--- PASS: TestAccAwsWafv2WebACL_Operators_maxNested (120.29s)
--- PASS: TestAccAwsWafv2WebACL_Custom_requestHandling (132.81s)
--- PASS: TestAccAwsWafv2WebACL_IPSetReference_forwardedIPConfig (135.89s)
--- PASS: TestAccAwsWafv2WebACL_Update_ruleProperties (142.20s)
--- PASS: TestAccAwsWafv2WebACL_tags (152.50s)
--- PASS: TestAccAwsWafv2WebACL_GeoMatch_forwardedIPConfig (161.98s)
--- PASS: TestAccAwsWafv2WebACL_Custom_response (168.19s)

@YakDriver YakDriver merged commit 6a97cb5 into hashicorp:main Jul 13, 2021
@github-actions

This functionality has been released in v3.50.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@Adirael Adirael deleted the f-aws_wafv2_web_acl-scope_down_statement-managed-rule-group branch July 21, 2021 09:38
@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 21, 2021