I've created a managed rule group statement using Terraform and i'm now trying to add a scope down statement to it in order to exclude requests from a specific url. This can be done very easily on the AWS console however according to Terraform docs it appears that scope_down_statement can't be associated with managed_rule_group_statement.
Am I missing something? Here's is where i'm trying to add the scope_down_statement:
resource "aws_wafv2_web_acl" "example" {
name = "waf-example"
description = "Example of a managed rule"
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "AWSManagedRulesAnonymousIpList"
priority = 0
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesAnonymousIpList"
vendor_name = "AWS"
}
}
I was experiencing the same issue. You need to upgrade the AWS provider version to 3.50. Please see the https://github.com/hashicorp/terraform-provider-aws/pull/19407
Thanks
Related
i have a use case where need help to use for_each to loop through multiple providers( AWS accounts & regions) and this is a module, the TF will be using hub and spoke model.
below is the TF Pseudo code i would like to achieve.
module.tf
---------
app_accounts = [
{ "account" : "53xxxx08", "app_vpc_id" : "vpc-0fxxxxxfec8", "role" : "xxxxxxx", "profile" : "child1"},
{ "account" : "53xxxx08", "app_vpc_id" : "vpc-0fxxxxxfec8", "role" : "xxxxxxx", "profile" : "child2"}
]
below are the provider and resource files, pleas ignore the variables and output files, as its not relevant here
provider.tf
------------
provider "aws" {
for_each = var.app_accounts
alias = "child"
profile = each.value.role
}
here is the main resouce block where i want to multiple child accounts against single master account, so i want to iterate through the loop
resource "aws_route53_vpc_association_authorization" "master" {
provider = aws.master
vpc_id = vpc_id
zone_id = zone_id
}
resource "aws_route53_zone_association" "child" {
provider = aws.child
vpc_id = vpc_id
zone_id = zone_id
}
any idea on how to achieve this, please? thanks in advance.
The typical way to achieve your goal in Terraform is to define a shared module representing the objects that should be present in a single account and then to call that module once for each account, passing a different provider configuration into each.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
}
}
provider "aws" {
alias = "master"
# ...
}
provider "aws" {
alias = "example1"
profile = "example1"
}
module "example1" {
source = "./modules/account"
account = "53xxxx08"
app_vpc_id = "vpc-0fxxxxxfec8"
providers = {
aws = aws.example1
aws.master = aws.master
}
}
provider "aws" {
alias = "example2"
profile = "example2"
}
module "example2" {
source = "./modules/account"
account = "53xxxx08"
app_vpc_id = "vpc-0fxxxxxfec8"
providers = {
aws = aws.example2
aws.master = aws.master
}
}
The ./modules/account directory would then contain the resource blocks describing what should exist in each individual account. For example:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
configuration_aliases = [ aws, aws.master ]
}
}
}
variable "account" {
type = string
}
variable "app_vpc_id" {
type = string
}
resource "aws_route53_zone" "example" {
# (omitting the provider argument will associate
# with the default provider configuration, which
# is different for each instance of this module)
# ...
}
resource "aws_route53_vpc_association_authorization" "master" {
provider = aws.master
vpc_id = var.app_vpc_id
zone_id = aws_route53_zone.example.id
}
resource "aws_route53_zone_association" "child" {
provider = aws.master
vpc_id = var.app_vpc_id
zone_id = aws_route53_zone.example.id
}
(I'm not sure if you actually intended var.app_vpc_id to be the VPC specified for those zone associations, but my goal here is only to show the general pattern, not to show a fully-working example.)
Using a shared module in this way allows to avoid repeating the definitions for each account separately, and keeps each account-specific setting specified in only one place (either in a provider "aws" block or in a module block).
There is no way to make this more dynamic within the Terraform language itself, but if you expect to be adding and removing accounts regularly and want to make it more systematic then you could use code generation for the root module to mechanically produce the provider and module block for each account, to ensure that they all remain consistent and that you can update them all together in case you need to change the interface of the shared module in a way that will affect all of the calls.
I want to create an internet gateway with terraform. Following the [terraform documentation][1] I have the following block
resource "aws_internet_gateway" "prod-igw" {
vpc_id = "${aws_vpc.prod-vpc.id}"
tags = {{
Name = "pos-igw"
}
}
After applying I get this error message.
Error: Missing attribute value
Expected an attribute value, introduced by an equals sign ("=").
There's nothing about value in the documentation though.
[1]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway
You have a typo:
resource "aws_internet_gateway" "prod-igw" {
vpc_id = aws_vpc.prod-vpc.id
tags = { # <--- there was an extra {
Name = "pos-igw"
}
}
Please make sure to use a modern IDE (e.g., VScode) where there is a terraform extension which will prevent these things from happening and you will not have to ask a question on SO.
I would like to understand about the resources reference in terraform.
Example:
In my project, pubsub topic has been referred with .name as well as .id
resource "google_pubsub_topic" "topic" {
name = "my_topic"
}
resource "google_pubsub_subscription" "subscription" {
name = "my_subscription"
topic = google_pubsub_topic.topic.name
}
resource "google_cloudiot_registry" "cloudiot" {
name = "my_iot_registry"
region = "us-central1"
log_level = "ERROR"
event_notification_configs {
pubsub_topic_name = google_pubsub_topic.topic.id
}
mqtt_config = {
mqtt_enabled_state = "MQTT_ENABLED"
}
}
I could not get the information the difference in referring by .name/.id from many online forums.
For which resources using terraform we need to refer by .name and .id?
There is no such hard referring notion, it appears to be an anomaly with usage specific to this resource.
I guess it needs to be
event_notification_configs {
pubsub_topic_id = google_pubsub_topic.topic.id
}
From google_cloudiot_registry, I see id being returned by the resource which contains the resource name & the same is being passed to pubsub_topic_name part of event_notification_configs block.
If you wish to change pubsub_topic_name to pubsub_topic_id, you could create PR on the provider code base.
To conclude, if you would like to refer output of some resource/data source, you would need to fetch the attributes returned in the response & assign it to appropriate field in the next resource.
I want to create a resource group in AWS inspector with terraform, that has few tags with key "Name" and different values. I can do this with AWS GUI, but I Want to do it in terraform also. If I do it like in the example below, it will just override the name..
resource "aws_inspector_resource_group" "bar" {
tags = {
Name = "Master"
Name = "UF"
}
}
Could you please try the following:
resource "aws_inspector_resource_group" "bar" {
tags = {
Name = ["Master", "UF"]
}
}
If that doesn't work you could just use the aws_ec2_tag resource:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag
Should do the job
I have created a WAF ACL using AWS Console. Now I need to create WAF Rule using Terraform, so I have implemented below rule.
resource "aws_wafregional_byte_match_set" "blocked_path_match_set" {
name = format("%s-%s-blocked-path", local.name, var.module)
dynamic "byte_match_tuples" {
for_each = length(var.blocked_path_prefixes) > 0 ? var.blocked_path_prefixes : []
content {
field_to_match {
type = lookup(byte_match_tuples.value, "type", null)
}
target_string = lookup(byte_match_tuples.value, "target_string", null)
positional_constraint = lookup(byte_match_tuples.value, "positional_constraint", null)
text_transformation = lookup(byte_match_tuples.value, "text_transformation", null)
}
}
}
resource "aws_wafregional_rule" "blocked_path_allowed_ipaccess" {
metric_name = format("%s%s%sBlockedPathIpaccess", var.application, var.environment, var.module)
name = format("%s%s%sBlockedPathIpaccessRule", var.application, var.environment, var.module)
predicate {
type = "ByteMatch"
data_id = aws_wafregional_byte_match_set.blocked_path_match_set.id
negated = false
}
}
But how do I map this new rule to existing "web_acl" which was created through AWS Console. As per documentation I can use "aws_wafregional_web_acl" to create new web_acl, but is there a way to associate rule created through terraform with existing waf_acl ? I have a gitlab pipeline which deploys terraform code to aws, so eventually I will pass id/arn of existing web_acl and through pipeline just add/update new rule without impacting existing rules which were created through console.
Please share your valuable feedback.
Thank you.
As per the WAF documentation you associate the rule via an AWS WAF resource, see the example below for a code snippet.
resource "aws_wafregional_web_acl" "foo" {
name = "foo"
metric_name = "foo"
default_action {
type = "ALLOW"
}
rule {
action {
type = "BLOCK"
}
priority = 1
rule_id = aws_wafregional_rule.blocked_path_allowed_ipaccess.id
}
}
However, as you said you have created the resource already in the AWS console. Terraform does support the import of an AWS resource, so you would need to go with this method if you would like to manage it via Terraform.