CKV_AWS_342 Ensure WAF rule has any actions should not consider a managed rule group #5318

Closed
ziggythehamster opened this issue Jul 10, 2023 · 1 comment · Fixed by #5322
Labels: checks (Check additions or changes), terraform


ziggythehamster commented Jul 10, 2023

Describe the issue

CKV_AWS_342 currently will flag a WAFv2 WebACL that uses only managed rule groups. Managed rule groups have AWS-defined behavior regarding the actions that are taken (and some, like bot control, are not possible to express with the rule syntax), so you don't specify an action unless you want to override it, and the only override options are to count without blocking or to do nothing at all. This means it is not possible to actually satisfy this Checkov check while ensuring you are blocking traffic as intended.

This check should apply in situations where you're not specifying a managed rule group.

Examples

This currently fails but should pass:

resource "aws_wafv2_web_acl" "this" {
  name          = var.name
  description   = "Managed by Terraform, do not edit in the console"
  scope         = "REGIONAL"
  token_domains = [var.dns.fqdn, aws_lb.this.dns_name]

  default_action {
    allow {}
  }

  # Required by the provider: metrics/sampling settings for the whole ACL.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = var.name
    sampled_requests_enabled   = true
  }

  rule {
    name     = "aws-managed-rules-common"
    priority = 1

    # No `action` block: the managed group defines each rule's action. The provider
    # needs `override_action`; `none {}` keeps the group's actions, `count {}` would disable blocking.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    # Required by the provider for every rule.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-rules-common"
      sampled_requests_enabled   = true
    }
  }
}

Version: 2.3.317

Additional information:

It may also be that managed rules themselves are usable in a statement and thus should also be ignored for the purposes of checking that rules have actions, but I'm not sure what that looks like.

ziggythehamster added the "checks" (Check additions or changes) label Jul 10, 2023
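The behaviour the issue asks for, written out as a standalone check model. This is an added example, not Checkov's implementation of CKV_AWS_342 and not the fix in #5322: it operates on a plain-dict rendering of an aws_wafv2_web_acl block (nested blocks as dicts, repeated blocks as lists), not on Checkov's internal parse tree, and the function names (`rules_missing_action`, `evaluate`) and sample resources are made up for illustration. It goes one step beyond the issue text by also exempting `rule_group_reference_statement`, which has the same "actions come from the referenced group, only `override_action` is allowed" semantics as a managed rule group.

```python
"""Model of a "WAF rule has an action" check that exempts rule-group references.

Added illustration, not Checkov's own code. Input is a plain-dict rendering of an
aws_wafv2_web_acl block, not Checkov's parser output.
"""
from typing import Any, Dict, List

# Actions a rule may declare in its own `action` block.
RULE_ACTIONS = ("allow", "block", "count", "captcha", "challenge")

# Statements that delegate to a rule group. The group defines each rule's action,
# so the Terraform rule carries no `action`, only `override_action` (none/count).
RULE_GROUP_STATEMENTS = ("managed_rule_group_statement", "rule_group_reference_statement")


def declares_action(rule: Dict[str, Any]) -> bool:
    """True when the rule carries an explicit action block."""
    return any(key in (rule.get("action") or {}) for key in RULE_ACTIONS)


def references_rule_group(rule: Dict[str, Any]) -> bool:
    """True when the rule's statement references a managed or custom rule group."""
    return any(key in (rule.get("statement") or {}) for key in RULE_GROUP_STATEMENTS)


def rules_missing_action(web_acl: Dict[str, Any]) -> List[str]:
    """Names of rules that neither declare an action nor reference a rule group."""
    failing: List[str] = []
    for rule in web_acl.get("rule", []):
        if declares_action(rule) or references_rule_group(rule):
            continue
        failing.append(rule.get("name", "<unnamed>"))
    return failing


def evaluate(web_acl: Dict[str, Any]) -> str:
    """Checkov-style verdict for the whole resource."""
    return "FAILED" if rules_missing_action(web_acl) else "PASSED"


# Constructed sample resources (hand-written dicts, not parser output).
MANAGED_ONLY_ACL = {
    "name": "managed-only",
    "default_action": {"allow": {}},
    "rule": [
        {
            "name": "aws-managed-rules-common",
            "priority": 1,
            "override_action": {"none": {}},  # no `action`: the managed group supplies it
            "statement": {
                "managed_rule_group_statement": {
                    "name": "AWSManagedRulesCommonRuleSet",
                    "vendor_name": "AWS",
                }
            },
        }
    ],
}

MIXED_ACL = {
    "name": "mixed",
    "default_action": {"allow": {}},
    "rule": [
        {   # custom rule with an explicit action: passes
            "name": "block-bad-ua",
            "priority": 1,
            "action": {"block": {}},
            "statement": {"byte_match_statement": {"search_string": "bad-bot"}},
        },
        {   # custom rule with neither action nor rule group: the one real finding
            "name": "no-action",
            "priority": 2,
            "statement": {"geo_match_statement": {"country_codes": ["AQ"]}},
        },
        {   # managed group switched to count mode: still exempt, actions are AWS-defined
            "name": "bot-control-count",
            "priority": 3,
            "override_action": {"count": {}},
            "statement": {
                "managed_rule_group_statement": {
                    "name": "AWSManagedRulesBotControlRuleSet",
                    "vendor_name": "AWS",
                }
            },
        },
    ],
}

if __name__ == "__main__":
    for acl in (MANAGED_ONLY_ACL, MIXED_ACL):
        print(acl["name"], evaluate(acl), rules_missing_action(acl))
```

Running it reports `managed-only PASSED []` and `mixed FAILED ['no-action']`: the ACL from the issue is no longer flagged, while a hand-written rule that genuinely lacks an action still is.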
JamesWoolfenden (Contributor) commented

Quite right, Ziggy. Fixed.
