Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_networkfirewall_rule_group: Cannot reference multiple ip_sets in source/destination in header for a stateful rule #23686

Open
midestefanis opened this issue Mar 15, 2022 · 2 comments
Open

aws_networkfirewall_rule_group: Cannot reference multiple ip_sets in source/destination in header for a stateful rule #23686

midestefanis opened this issue Mar 15, 2022 · 2 comments
Labels
bug Addresses a defect in current functionality. enhancement Requests to existing resources that expand the functionality or scope. service/networkfirewall Issues and PRs that pertain to the networkfirewall service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@midestefanis
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

New or Affected Resource(s)

  • aws_networkfirewall_rule_group

Potential Terraform Configuration

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "WEBSERVER_HOSTS_2"
        ip_set {
          definition = ["10.48.208.0/23"]
        }
      }
      ip_sets {
        key = "WEBSERVER_HOSTS"
        ip_set {
          definition = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"]
        }
      }      
    }
    rules_source {
        stateful_rule {
            action = "PASS"
            header {
                destination = "$WEBSERVER_HOSTS$WEBSERVER_HOSTS_2"
                source = "0.0.0.0/0"
                destination_port = "443"
                source_port = "ANY"
                protocol = "TCP"
                direction = "ANY"
            }
            rule_option {
                keyword: "sid:1"
            }
        }
    }
  }
}

Expected Behavior

The source/destination in the header should be able to reference multiple ip_set. This works via AWS Console. This is not working via Terraform

Actual Behavior

InvalidRequestException: stateful rule is invalid, ***** , reason: not every address block was properly closed in "[***", 1 missing closing brackets (]). Note: problem might be in a variable.

References
@midestefanis midestefanis added the enhancement Requests to existing resources that expand the functionality or scope. label Mar 15, 2022
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/networkfirewall Issues and PRs that pertain to the networkfirewall service. labels Mar 15, 2022
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 15, 2022
@mike-morris-emis
Copy link

mike-morris-emis commented Nov 24, 2022
edited
Loading

try the following, add a comma between the ip_set variables $WEBSERVER_HOSTS,$WEBSERVER_HOSTS_2

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "WEBSERVER_HOSTS_2"
        ip_set {
          definition = ["10.48.208.0/23"]
        }
      }
      ip_sets {
        key = "WEBSERVER_HOSTS"
        ip_set {
          definition = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"]
        }
      }      
    }
    rules_source {
        stateful_rule {
            action = "PASS"
            header {
                destination = "$WEBSERVER_HOSTS,$WEBSERVER_HOSTS_2"
                source = "0.0.0.0/0"
                destination_port = "443"
                source_port = "ANY"
                protocol = "TCP"
                direction = "ANY"
            }
            rule_option {
                keyword: "sid:1"
            }
        }
    }
  }
}

@github-actions GitHub Actions
Copy link

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Nov 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. enhancement Requests to existing resources that expand the functionality or scope. service/networkfirewall Issues and PRs that pertain to the networkfirewall service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@justinretzolk @midestefanis @mike-morris-emis