Hi, I tried to add the AWS managed rule "AWSManagedRulesCommonRuleSet" in the template below and ended up with an error. I tried to resolve it but couldn't. Kindly help.

0

CODE USED:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Resources:
  MyManagedRuleGroup:
    Type: AWS::WAFv2::ManagedRuleGroup
    Properties:
      Name: AWSManagedRulesCommonRuleSet
      VendorName: AWS 
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 0
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetdenyb.Arn 
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
        - Action:
            Allow: {} 
            Name: ManagedRuleGroupRule
            Priority: 2
            Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: !Ref MyManagedRuleGroup 
            VisibilityConfig:
                SampledRequestsEnabled: true 
                CloudWatchMetricsEnabled: true
                VisibilityConfig:
                    CloudWatchMetricsEnabled: true
                    MetricName: waf-metric
                    SampledRequestsEnabled: true

ERROR MESSAGE: Template contains errors.: Template format error: [/Resources/Resources] resource definition is malformed

Gowtham
asked 9 months ago, 462 views
1 Answer
0
Accepted answer

Hello.
Managed rules cannot be configured for WAF rule groups.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-statement.html
In other words, the following parts cannot be set within a rule group.

        - Action:
            Allow: {} 
            Name: ManagedRuleGroupRule
            Priority: 2
            Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: !Ref MyManagedRuleGroup 
            VisibilityConfig:
                SampledRequestsEnabled: true 
                CloudWatchMetricsEnabled: true

If it is to be set, it must be set in the Web ACL.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#cfn-wafv2-webacl-rules
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-rule.html#cfn-wafv2-webacl-rule-statement
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-statement.html

I created a sample template.
This template will create a Web ACL.
It also sets "AWSManagedRulesCommonRuleSet" as the managed rules.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 0
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetdenyb.Arn 
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Name: waf-acl
      Rules:
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 1
          Statement:
            RuleGroupReferenceStatement:
                Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-acl
        SampledRequestsEnabled: true
EXPERT
answered 9 months ago
EXPERT
reviewed 9 months ago
  • Hi Riku, I am not aware that Managed rules cannot be configured for WAF rule groups. Thanks for sharing. I will draft my template with the sample one you have given. Again you are the best! Thanks!!!
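The thread's two faults (a second `Resources:` key nested inside `Resources`, and a `ManagedRuleGroupStatement` placed in an `AWS::WAFv2::RuleGroup` instead of the Web ACL) are both cheap to catch before `aws cloudformation validate-template` or a stack update ever runs. The following pre-deploy lint is an added example, not code from the thread, from the answerer, or from AWS: it works on a template after YAML/JSON parsing (dict form, with `!GetAtt` in its `Fn::GetAtt` form), and the `BROKEN`, `MISPLACED` and `FIXED` templates are constructed condensations of the question's template, of the question's intent with its indentation repaired, and of the accepted answer's shape. The set of WAFv2 resource types and rule-action keys it checks against is the one this example assumes.

```python
"""Pre-deploy lint for WAFv2 CloudFormation templates (added example, not from the thread)."""
from typing import Any

# Statements WAFv2 accepts only in a Web ACL rule; a RuleGroup rule cannot carry them.
WEBACL_ONLY_STATEMENTS = {"ManagedRuleGroupStatement", "RuleGroupReferenceStatement"}
# WAFv2 resource types CloudFormation knows (there is no AWS::WAFv2::ManagedRuleGroup).
KNOWN_WAFV2_TYPES = {
    "AWS::WAFv2::IPSet", "AWS::WAFv2::RegexPatternSet", "AWS::WAFv2::RuleGroup",
    "AWS::WAFv2::WebACL", "AWS::WAFv2::WebACLAssociation", "AWS::WAFv2::LoggingConfiguration",
}
RULE_REQUIRED_KEYS = {"Name", "Priority", "Statement", "VisibilityConfig"}
ACTION_KEYS = {"Allow", "Block", "Count", "Captcha", "Challenge"}


def _check_rule(where: str, rule: dict, rtype: str) -> list[str]:
    """Checks for one entry of a Rules list; `where` names it in the findings."""
    out: list[str] = []
    missing = RULE_REQUIRED_KEYS - set(rule)
    if missing:
        out.append(f"{where}: missing {sorted(missing)} (they belong beside Action, not under it)")
    stray = set(rule.get("Action") or {}) - ACTION_KEYS  # keys mis-indented under Action
    if stray:
        out.append(f"{where}: Action holds non-action keys {sorted(stray)}")
    group_refs = set(rule.get("Statement") or {}) & WEBACL_ONLY_STATEMENTS
    if rtype == "AWS::WAFv2::RuleGroup" and group_refs:
        out.append(f"{where}: {sorted(group_refs)} are only valid in a WebACL rule; "
                   "reference managed rule groups from the Web ACL instead")
    if rtype == "AWS::WAFv2::WebACL":
        # A rule that references a rule group takes OverrideAction; every other rule takes Action.
        if group_refs and "OverrideAction" not in rule:
            out.append(f"{where}: rule-group reference needs OverrideAction, not Action")
        if not group_refs and "Action" not in rule:
            out.append(f"{where}: rule needs an Action")
    return out


def lint_wafv2_template(template: dict[str, Any]) -> list[str]:
    """Return findings for a parsed template; an empty list means no check fired."""
    findings: list[str] = []
    resources = template.get("Resources")
    if not isinstance(resources, dict):
        return ["/Resources: must be a mapping of logical IDs to resource definitions"]
    for logical_id, res in resources.items():
        # CloudFormation rejects any Resources entry that is not a mapping with a Type;
        # a second 'Resources:' line nested one level down is the usual copy-paste cause.
        if not isinstance(res, dict) or "Type" not in res:
            findings.append(f"/Resources/{logical_id}: resource definition is malformed")
            continue
        rtype = res["Type"]
        if rtype.startswith("AWS::WAFv2::") and rtype not in KNOWN_WAFV2_TYPES:
            findings.append(f"{logical_id}: unknown resource type {rtype}")
            continue
        props = res.get("Properties") or {}
        if rtype in ("AWS::WAFv2::RuleGroup", "AWS::WAFv2::WebACL"):
            if "VisibilityConfig" not in props:
                findings.append(f"{logical_id}: {rtype} needs a top-level VisibilityConfig")
            for i, rule in enumerate(props.get("Rules") or []):
                findings.extend(_check_rule(f"{logical_id}.Rules[{i}]", rule, rtype))
    return findings


VIS = {"CloudWatchMetricsEnabled": True, "MetricName": "m", "SampledRequestsEnabled": True}
IPSET_ARN = {"Fn::GetAtt": ["MyIPSetdenyb", "Arn"]}  # JSON form of !GetAtt MyIPSetdenyb.Arn
MANAGED = {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}
IPSET_RULE = {"Action": {"Block": {}}, "Name": "MyIPSetDenyb", "Priority": 0, "VisibilityConfig": VIS,
              "Statement": {"IPSetReferenceStatement": {"Arn": IPSET_ARN}}}

# Constructed: the question's template condensed to its faulty parts.
BROKEN = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "Resources": None,  # the nested 'Resources:' line; YAML gives it a null value
    "MyManagedRuleGroup": {"Type": "AWS::WAFv2::ManagedRuleGroup",
                           "Properties": {"Name": "AWSManagedRulesCommonRuleSet", "VendorName": "AWS"}},
    "MyIPSetRule": {"Type": "AWS::WAFv2::RuleGroup", "Properties": {
        "Name": "MyIPSetRuleb", "Scope": "REGIONAL", "Capacity": 1500, "Rules": [
            IPSET_RULE,
            # the question's third rule: everything is indented under Action
            {"Action": {"Allow": {}, "Name": "ManagedRuleGroupRule", "Priority": 2, "Statement": None,
                        **MANAGED, "VisibilityConfig": VIS}}]}}}}

# Constructed: indentation repaired, but the managed rule still sits inside the RuleGroup.
MISPLACED = {"Resources": {"MyIPSetRule": {"Type": "AWS::WAFv2::RuleGroup", "Properties": {
    "Name": "g", "Scope": "REGIONAL", "Capacity": 100, "VisibilityConfig": VIS, "Rules": [
        {"Name": "ManagedRuleGroupRule", "Priority": 2, "Action": {"Allow": {}},
         "VisibilityConfig": VIS, "Statement": MANAGED}]}}}}

# Constructed: the shape the accepted answer recommends (managed rules only in the Web ACL).
FIXED = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "MyIPSetRule": {"Type": "AWS::WAFv2::RuleGroup", "Properties": {
        "Name": "MyIPSetRuleb", "Scope": "REGIONAL", "Capacity": 1500, "VisibilityConfig": VIS,
        "Rules": [IPSET_RULE]}},
    "WebACL": {"Type": "AWS::WAFv2::WebACL", "Properties": {
        "Name": "waf-acl", "Scope": "REGIONAL", "DefaultAction": {"Allow": {}}, "VisibilityConfig": VIS,
        "Rules": [
            {"Name": "managed-rule", "Priority": 0, "OverrideAction": {"None": {}},
             "VisibilityConfig": VIS, "Statement": MANAGED},
            {"Name": "custom-rule-group", "Priority": 1, "OverrideAction": {"None": {}},
             "VisibilityConfig": VIS, "Statement": {"RuleGroupReferenceStatement": {
                 "Arn": {"Fn::GetAtt": ["MyIPSetRule", "Arn"]}}}}]}}}}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("misplaced", MISPLACED), ("fixed", FIXED)):
        print(label, lint_wafv2_template(tpl) or "no findings")
```

Run as a script it prints five findings for `BROKEN` (the malformed `/Resources/Resources` entry, the non-existent resource type, the missing rule-group `VisibilityConfig`, and the two indentation faults of the third rule), one finding for `MISPLACED` (the statement that only a Web ACL rule may carry), and none for `FIXED`. The checks are deliberately structural so they can run in CI on the parsed template without AWS credentials; cfn-lint covers the same ground more thoroughly once a template parses.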
