HeadlinesBriefing.com

Automating AWS Network Firewall Rules with Terraform

DEV Community

A multi-tenant SaaS platform migrating from F5 and Suricata to AWS Network Firewall faced a core conflict: Terraform's declarative model clashed with the need for real-time, dynamic rule updates for ephemeral tenant hostnames. The solution required decoupling ownership to prevent state drift.

The architecture splits rule groups into Self-Managed (Terraform-owned) and Custom-Managed (external automation-owned). Terraform initializes dynamic groups but uses a lifecycle block to ignore subsequent rule changes, handing control to a Lambda function. This prevents the classic 'tug-of-war' between IaC and external APIs.

A parent module enforces a deterministic stateful_rule_group_order, ensuring Suricata, Domain Lists, and AWS-managed rules are evaluated in a strict sequence. This hybrid model maintains a clean Terraform state while enabling high-frequency updates, crucial for scalable, zero-touch security in a dynamic SaaS environment.
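The ownership split and the strictly ordered parent policy described above, as an added Terraform example (not the article's or the platform's own code); the resource names, the Suricata rule, the seed domain and the managed-group ARN placeholder are assumptions.

```hcl
# Self-Managed: Terraform owns every rule, so all changes flow through plan/apply.
resource "aws_networkfirewall_rule_group" "suricata_baseline" {
  name     = "suricata-baseline"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rules_source {
      rules_string = "drop tcp any any -> any 23 (msg:\"block telnet\"; sid:1000001; rev:1;)"
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
  }
}
# Custom-Managed: Terraform seeds the group but ignores its rules, so Lambda updates never drift.
resource "aws_networkfirewall_rule_group" "tenant_domains" {
  name     = "tenant-allowlist"
  type     = "STATEFUL"
  capacity = 1000
  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = ["seed.example.com"] # placeholder; the Lambda replaces it
      }
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
  }
  lifecycle { ignore_changes = [rule_group] } # hand rule content to external automation
}
# Parent policy: under STRICT_ORDER, priority is evaluation order (Suricata -> domains -> AWS-managed).
resource "aws_networkfirewall_firewall_policy" "main" {
  name = "tenant-edge"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options { rule_order = "STRICT_ORDER" }
    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.suricata_baseline.arn
    }
    stateful_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.tenant_domains.arn
    }
    stateful_rule_group_reference {
      priority     = 30
      resource_arn = "arn:aws:network-firewall:REGION:aws-managed:stateful-rulegroup/NAME" # placeholder ARN
    }
  }
}
```

After the first apply, `terraform plan` shows no diff when the Lambda rewrites the domain list, because `ignore_changes` masks the whole `rule_group` block; name, type and capacity stay under Terraform's control.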