hashicorp · bflad · Jul 9, 2018 · Jul 2, 2018 · Jul 2, 2018 · Jul 2, 2018
diff --git a/aws/resource_aws_waf_web_acl.go b/aws/resource_aws_waf_web_acl.go
@@ -50,7 +50,20 @@ func resourceAwsWafWebAcl() *schema.Resource {
 					Schema: map[string]*schema.Schema{
 						"action": &schema.Schema{
 							Type:     schema.TypeSet,
-							Required: true,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"type": &schema.Schema{
+										Type:     schema.TypeString,
+										Required: true,
+									},
+								},
+							},
+						},
+						"override_action": &schema.Schema{
+							Type:     schema.TypeSet,
+							Optional: true,
 							MaxItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
@@ -72,6 +85,7 @@ func resourceAwsWafWebAcl() *schema.Resource {
 							ValidateFunc: validation.StringInSlice([]string{
 								waf.WafRuleTypeRegular,
 								waf.WafRuleTypeRateBased,
+								waf.WafRuleTypeGroup,
 							}, false),
 						},
 						"rule_id": &schema.Schema{
@@ -184,16 +198,33 @@ func updateWebAclResource(d *schema.ResourceData, meta interface{}, ChangeAction
 		rules := d.Get("rules").(*schema.Set)
 		for _, rule := range rules.List() {
 			aclRule := rule.(map[string]interface{})
-			action := aclRule["action"].(*schema.Set).List()[0].(map[string]interface{})
-			aclRuleUpdate := &waf.WebACLUpdate{
-				Action: aws.String(ChangeAction),
-				ActivatedRule: &waf.ActivatedRule{
-					Priority: aws.Int64(int64(aclRule["priority"].(int))),
-					RuleId:   aws.String(aclRule["rule_id"].(string)),
-					Type:     aws.String(aclRule["type"].(string)),
-					Action:   &waf.WafAction{Type: aws.String(action["type"].(string))},
-				},
+
+			var aclRuleUpdate *waf.WebACLUpdate
+			switch aclRule["type"].(string) {
+			case waf.WafRuleTypeGroup:
+				overrideAction := aclRule["override_action"].(*schema.Set).List()[0].(map[string]interface{})
+				aclRuleUpdate = &waf.WebACLUpdate{
+					Action: aws.String(ChangeAction),
+					ActivatedRule: &waf.ActivatedRule{
+						Priority:       aws.Int64(int64(aclRule["priority"].(int))),
+						RuleId:         aws.String(aclRule["rule_id"].(string)),
+						Type:           aws.String(aclRule["type"].(string)),
+						OverrideAction: &waf.WafOverrideAction{Type: aws.String(overrideAction["type"].(string))},
+					},
+				}
+			default:
+				action := aclRule["action"].(*schema.Set).List()[0].(map[string]interface{})
+				aclRuleUpdate = &waf.WebACLUpdate{
+					Action: aws.String(ChangeAction),
+					ActivatedRule: &waf.ActivatedRule{
+						Priority: aws.Int64(int64(aclRule["priority"].(int))),
+						RuleId:   aws.String(aclRule["rule_id"].(string)),
+						Type:     aws.String(aclRule["type"].(string)),
+						Action:   &waf.WafAction{Type: aws.String(action["type"].(string))},
+					},
+				}
 			}
+
 			req.Updates = append(req.Updates, aclRuleUpdate)
 		}
 		return conn.UpdateWebACL(req)

diff --git a/aws/resource_aws_waf_web_acl_test.go b/aws/resource_aws_waf_web_acl_test.go
@@ -42,6 +42,35 @@ func TestAccAWSWafWebAcl_basic(t *testing.T) {
 	})
 }
 
+func TestAccAWSWafWebAcl_group(t *testing.T) {
+	var v waf.WebACL
+	wafAclName := fmt.Sprintf("wafaclgroup%s", acctest.RandString(5))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSWafWebAclDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSWafWebAclGroupConfig(wafAclName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSWafWebAclExists("aws_waf_web_acl.waf_acl", &v),
+					resource.TestCheckResourceAttr(
+						"aws_waf_web_acl.waf_acl", "default_action.#", "1"),
+					resource.TestCheckResourceAttr(
+						"aws_waf_web_acl.waf_acl", "default_action.4234791575.type", "ALLOW"),
+					resource.TestCheckResourceAttr(
+						"aws_waf_web_acl.waf_acl", "name", wafAclName),
+					resource.TestCheckResourceAttr(
+						"aws_waf_web_acl.waf_acl", "rules.#", "1"),
+					resource.TestCheckResourceAttr(
+						"aws_waf_web_acl.waf_acl", "metric_name", wafAclName),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSWafWebAcl_changeNameForceNew(t *testing.T) {
 	var before, after waf.WebACL
 	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
@@ -294,6 +323,31 @@ resource "aws_waf_web_acl" "waf_acl" {
 }`, name, name, name, name, name)
 }
 
+func testAccAWSWafWebAclGroupConfig(name string) string {
+	return fmt.Sprintf(`
+
+resource "aws_waf_rule_group" "wafrulegroup" {
+  name = "%s"
+  metric_name = "%s"
+}
+resource "aws_waf_web_acl" "waf_acl" {
+  depends_on = ["aws_waf_rule_group.wafrulegroup"]
+  name = "%s"
+  metric_name = "%s"
+  default_action {
+    type = "ALLOW"
+  }
+  rules {
+    override_action {
+       type = "NONE"
+    }
+    type = "GROUP"
+    priority = 1
+    rule_id = "${aws_waf_rule_group.wafrulegroup.id}"
+  }
+}`, name, name, name, name)
+}
+
 func testAccAWSWafWebAclConfigChangeName(name string) string {
 	return fmt.Sprintf(`resource "aws_waf_ipset" "ipset" {
   name = "%s"

diff --git a/aws/resource_aws_wafregional_web_acl.go b/aws/resource_aws_wafregional_web_acl.go
@@ -49,7 +49,20 @@ func resourceAwsWafRegionalWebAcl() *schema.Resource {
 					Schema: map[string]*schema.Schema{
 						"action": &schema.Schema{
 							Type:     schema.TypeList,
-							Required: true,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"type": &schema.Schema{
+										Type:     schema.TypeString,
+										Required: true,
+									},
+								},
+							},
+						},
+						"override_action": &schema.Schema{
+							Type:     schema.TypeList,
+							Optional: true,
 							MaxItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
@@ -71,6 +84,7 @@ func resourceAwsWafRegionalWebAcl() *schema.Resource {
 							ValidateFunc: validation.StringInSlice([]string{
 								waf.WafRuleTypeRegular,
 								waf.WafRuleTypeRateBased,
+								waf.WafRuleTypeGroup,
 							}, false),
 						},
 						"rule_id": &schema.Schema{
@@ -227,11 +241,21 @@ func flattenDefaultActionWR(n *waf.WafAction) []map[string]interface{} {
 func flattenWafWebAclRules(ts []*waf.ActivatedRule) []interface{} {
 	out := make([]interface{}, len(ts), len(ts))
 	for i, r := range ts {
-		actionMap := map[string]interface{}{
-			"type": *r.Action.Type,
-		}
 		m := make(map[string]interface{})
-		m["action"] = []interface{}{actionMap}
+
+		switch *r.Type {
+		case waf.WafRuleTypeGroup:
+			actionMap := map[string]interface{}{
+				"type": *r.OverrideAction.Type,
+			}
+			m["override_action"] = []interface{}{actionMap}
+		default:
+			actionMap := map[string]interface{}{
+				"type": *r.Action.Type,
+			}
+			m["action"] = []interface{}{actionMap}
+		}
+
 		m["priority"] = *r.Priority
 		m["rule_id"] = *r.RuleId
 		m["type"] = *r.Type
@@ -241,13 +265,27 @@ func flattenWafWebAclRules(ts []*waf.ActivatedRule) []interface{} {
 }
 
 func expandWafWebAclUpdate(updateAction string, aclRule map[string]interface{}) *waf.WebACLUpdate {
-	ruleAction := aclRule["action"].([]interface{})[0].(map[string]interface{})
+	var rule *waf.ActivatedRule
+
+	switch aclRule["type"].(string) {
+	case waf.WafRuleTypeGroup:
+		ruleAction := aclRule["override_action"].([]interface{})[0].(map[string]interface{})
 
-	rule := &waf.ActivatedRule{
-		Action:   &waf.WafAction{Type: aws.String(ruleAction["type"].(string))},
-		Priority: aws.Int64(int64(aclRule["priority"].(int))),
-		RuleId:   aws.String(aclRule["rule_id"].(string)),
-		Type:     aws.String(aclRule["type"].(string)),
+		rule = &waf.ActivatedRule{
+			OverrideAction: &waf.WafOverrideAction{Type: aws.String(ruleAction["type"].(string))},
+			Priority:       aws.Int64(int64(aclRule["priority"].(int))),
+			RuleId:         aws.String(aclRule["rule_id"].(string)),
+			Type:           aws.String(aclRule["type"].(string)),
+		}
+	default:
+		ruleAction := aclRule["action"].([]interface{})[0].(map[string]interface{})
+
+		rule = &waf.ActivatedRule{
+			Action:   &waf.WafAction{Type: aws.String(ruleAction["type"].(string))},
+			Priority: aws.Int64(int64(aclRule["priority"].(int))),
+			RuleId:   aws.String(aclRule["rule_id"].(string)),
+			Type:     aws.String(aclRule["type"].(string)),
+		}
 	}
 
 	update := &waf.WebACLUpdate{

diff --git a/aws/resource_aws_wafregional_web_acl_test.go b/aws/resource_aws_wafregional_web_acl_test.go
@@ -72,6 +72,35 @@ func TestAccAWSWafRegionalWebAcl_createRateBased(t *testing.T) {
 	})
 }
 
+func TestAccAWSWafRegionalWebAcl_createGroup(t *testing.T) {
+	var v waf.WebACL
+	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSWafRegionalWebAclDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSWafRegionalWebAclConfigGroup(wafAclName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSWafRegionalWebAclExists("aws_wafregional_web_acl.waf_acl", &v),
+					resource.TestCheckResourceAttr(
+						"aws_wafregional_web_acl.waf_acl", "default_action.#", "1"),
+					resource.TestCheckResourceAttr(
+						"aws_wafregional_web_acl.waf_acl", "default_action.0.type", "ALLOW"),
+					resource.TestCheckResourceAttr(
+						"aws_wafregional_web_acl.waf_acl", "name", wafAclName),
+					resource.TestCheckResourceAttr(
+						"aws_wafregional_web_acl.waf_acl", "rule.#", "1"),
+					resource.TestCheckResourceAttr(
+						"aws_wafregional_web_acl.waf_acl", "metric_name", wafAclName),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSWafRegionalWebAcl_changeNameForceNew(t *testing.T) {
 	var before, after waf.WebACL
 	wafAclName := fmt.Sprintf("wafacl%s", acctest.RandString(5))
@@ -266,10 +295,11 @@ func computeWafRegionalWebAclRuleIndex(ruleId **string, priority int, ruleType s
 			"type": actionType,
 		}
 		m := map[string]interface{}{
-			"rule_id":  **ruleId,
-			"type":     ruleType,
-			"priority": priority,
-			"action":   []interface{}{actionMap},
+			"rule_id":         **ruleId,
+			"type":            ruleType,
+			"priority":        priority,
+			"action":          []interface{}{actionMap},
+			"override_action": []interface{}{},
 		}
 
 		f := schema.HashResource(ruleResource)
@@ -432,6 +462,31 @@ resource "aws_wafregional_web_acl" "waf_acl" {
 }`, name, name, name, name)
 }
 
+func testAccAWSWafRegionalWebAclConfigGroup(name string) string {
+	return fmt.Sprintf(`
+
+resource "aws_wafregional_rule_group" "wafrulegroup" {
+  name = "%s"
+  metric_name = "%s"
+}
+
+resource "aws_wafregional_web_acl" "waf_acl" {
+  name = "%s"
+  metric_name = "%s"
+  default_action {
+    type = "ALLOW"
+  }
+  rule {
+    override_action {
+       type = "NONE"
+    }
+    priority = 1
+    type = "GROUP"
+    rule_id = "${aws_wafregional_rule_group.wafrulegroup.id}" # todo
+  }
+}`, name, name, name, name)
+}
+
 func testAccAWSWafRegionalWebAclConfig_changeName(name string) string {
 	return fmt.Sprintf(`
 resource "aws_wafregional_rule" "wafrule" {

diff --git a/website/docs/r/waf_web_acl.html.markdown b/website/docs/r/waf_web_acl.html.markdown
@@ -80,11 +80,12 @@ See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ActivatedRule.
 #### Arguments
 
 * `action` - (Required) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.
-  e.g. `ALLOW`, `BLOCK` or `COUNT`
+  e.g. `ALLOW`, `BLOCK` or `COUNT`.  Not used if `type` is `GROUP`.
+* `override_action` - (Required) Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule.  Only used if `type` is `GROUP`.
 * `priority` - (Required) Specifies the order in which the rules in a WebACL are evaluated.
   Rules with a lower value are evaluated before rules with a higher value.
 * `rule_id` - (Required) ID of the associated [rule](/docs/providers/aws/r/waf_rule.html)
-* `type` - (Optional) The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), or `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`.
+* `type` - (Optional) The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`.
 
 ## Attributes Reference
 

diff --git a/website/docs/r/wafregional_web_acl.html.markdown b/website/docs/r/wafregional_web_acl.html.markdown
@@ -70,11 +70,12 @@ See [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_Acti
 
 #### Arguments
 
-* `action` - (Required) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.
+* `action` - (Required) The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.  Not used if `type` is `GROUP`.
+* `override_action` - (Required) Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule.  Only used if `type` is `GROUP`.
 * `priority` - (Required) Specifies the order in which the rules in a WebACL are evaluated.
   Rules with a lower value are evaluated before rules with a higher value.
 * `rule_id` - (Required) ID of the associated [rule](/docs/providers/aws/r/wafregional_rule.html)
-* `type` - (Optional) The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), or `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`.
+* `type` - (Optional) The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`.
 
 ### `default_action` / `action`