
[New Resource]: WAFv2 update rules shared with Firewall Manager  #36941

Open
@stumyp

Description

Current Limitations

The Terraform AWS provider does use the UpdateWebACL API, but only for updating WAF ACLs that it manages and not quite in the way we need for dynamically managing shared Web ACLs within organizations using AWS Firewall Manager (FMS). This functionality is key as it allows different accounts to add their own rules to a shared Web ACL, promoting a flexible approach to security management.

Why We Need Enhanced UpdateWebACL Support

As outlined in the AWS documentation on WAF policies, web ACLs managed by FMS have three sets of rules:

  1. First rule groups: These are defined by the Firewall Manager policy and are the first to be evaluated.
  2. Account-managed rules: These are added and managed by account managers and come next in the evaluation order.
  3. Last rule groups: Like the first, these are defined by the Firewall Manager policy and evaluated last.

Currently, the aws_fms_policy resource in Terraform handles the first and last rule groups. What we’re missing is the ability for Terraform to handle the middle group — the account-managed rules — using an enhanced version of the UpdateWebACL API.

Proposed Feature

I suggest we beef up the existing implementation of the UpdateWebACL API within the Terraform AWS provider. This enhancement would allow account managers to update rules within shared Web ACLs directly through Terraform, which would be especially useful for environments managed across multiple accounts through FMS.

Use Case

This feature is crucial for organizations that manage centralized security policies but need the flexibility to tailor rules to specific account needs. Allowing account managers to update rules directly through Terraform will help ensure that security setups are both adaptable and consistently applied.

Requested Resource(s) and/or Data Source(s)

aws_wafv2_updatesharedacl

Potential Terraform Configuration

Similar to what is currently supported by `aws_wafv2_rule_group`.
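As an added example (not code from the issue, the provider, or AWS) of what such a resource has to do underneath: take the rule list of the shared Web ACL, re-insert the account-managed block between the FMS-managed first and last rule groups, and hand the complete rule list back to UpdateWebACL together with the LockToken, because that API replaces all rules and a naive caller would silently drop the FMS-managed groups. Recognising FMS-managed rules by a name prefix (FMS_PREFIX) and the sample ACL below are assumptions constructed for this example.

```python
from copy import deepcopy

FMS_PREFIX = "FMS-"  # assumption: FMS-managed rule groups are recognised by a name prefix

def split_fms_rules(rules, fms_prefix=FMS_PREFIX):
    """Return (first_groups, account_rules, last_groups) in evaluation order."""
    ordered = sorted(rules, key=lambda r: r["Priority"])
    is_fms = [r["Name"].startswith(fms_prefix) for r in ordered]
    first_end = 0
    while first_end < len(ordered) and is_fms[first_end]:
        first_end += 1
    last_start = len(ordered)
    while last_start > first_end and is_fms[last_start - 1]:
        last_start -= 1
    if any(is_fms[first_end:last_start]):
        raise ValueError("FMS-managed rule found inside the account-managed block")
    return ordered[:first_end], ordered[first_end:last_start], ordered[last_start:]

def merge_account_rules(acl_rules, account_rules, fms_prefix=FMS_PREFIX):
    """Replace the account-managed block with account_rules; FMS groups stay first and last."""
    first, _previous, last = split_fms_rules(acl_rules, fms_prefix)
    for rule in account_rules:
        if rule["Name"].startswith(fms_prefix):
            raise ValueError(f"{rule['Name']} uses the FMS-managed name prefix")
    merged = deepcopy(first) + deepcopy(account_rules) + deepcopy(last)
    for priority, rule in enumerate(merged):  # WAF evaluates rules in ascending Priority
        rule["Priority"] = priority
    return merged

def build_update_request(acl, lock_token, rules, scope="REGIONAL"):
    """Keyword arguments for wafv2.update_web_acl. The call replaces the whole rule
    list, and LockToken (from get_web_acl) rejects the update if the ACL changed meanwhile."""
    return {"Name": acl["Name"], "Scope": scope, "Id": acl["Id"],
            "DefaultAction": acl["DefaultAction"], "Rules": rules,
            "VisibilityConfig": acl["VisibilityConfig"], "LockToken": lock_token}

# Constructed sample shaped like a GetWebACL response; rules are deliberately out of order.
SAMPLE_ACL = {
    "Name": "shared-acl-example", "Id": "00000000-0000-0000-0000-000000000000",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True, "MetricName": "example"},
    "Rules": [
        {"Name": "FMS-first-common", "Priority": 0, "Statement": {}},
        {"Name": "FMS-last-logging", "Priority": 2, "Statement": {}},
        {"Name": "old-account-rule", "Priority": 1, "Statement": {}},
    ],
}
```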

References

No response

Would you like to implement a fix?

No

Labels

  - new-resource: Introduces a new resource.
  - prioritized: Part of the maintainer team's immediate focus. To be addressed within the current quarter.
  - service/wafv2: Issues and PRs that pertain to the wafv2 service.