While I have a fond love for Cloudformation, sometimes I find myself banging my head against a wall when trying to get past an error.
This time it's related to AWS::NetworkFirewall::FirewallPolicy.
The policy associated with an AWS Network firewall can be configured in either DEFAULT_ACTION_ORDER or STRICT_ORDER ordering for stateful rules.
However, one thing the documentation doesn't state is that this cannot be changed once the policy is created. The cloudformation reference above states the update requires no interruption.
If you attempt to change from default to strict, the following error will rear its ugly head.
Resource handler returned message: "parameter is invalid, parameter: [STRICT_ORDER] (Service: NetworkFirewall, Status Code: 400, Request ID: xxx)" (RequestToken: xxx, HandlerErrorCode: InvalidRequest)
I found this post moaning about this issue from December 2021.
How to fix it
The fix for this is easy, just create another policy and associate it with your firewall, then remove the old one from your template.
The AWS::NetworkFirewall::RuleGroup StatefulRuleOptions suffers from the same issue and cannot be adjusted once provisioned.
I hope this helps someone else and removes any unnecessary head-banging!