[Bug]: aws_wafv2_web_acl is unable to use dynamic block to manage "rule_action_override" #28672
Comments
88lexd
added
bug
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
github-actions
bot
added
the
service/wafv2
justinretzolk
removed
the
needs-triage
|
I have found I also have this issue when adding or removing managed rule sets in an existing ACL. A good indication that it's going to die with The plan output below results from adding Other observations I have made are;
Plan output after adding As above, when it show rules that need to be both removed and re-added again it seems to result in the same outcome; Version info:
|
|
There are several bugs opened that look related to this issue. I was in the same boat having to taint the existing resource to get it to apply. The comment in issue 28191 resolved it for me with AWS provider 4.5x. Hope it helps. Kudos to the author. |
|
Did this ever get resolved? I still can't create a dynamic block with "rule_action_override", and I'm using AWS Provider 4.58.0. |
|
No :( |
|
I got my issue resolved with a little help from a guy on Reddit. Here's a great example using a dynamic block with "rule_action_override". Thank you Trussworks. I'm using AWS Provider 5.4.0 and Terraform 1.50. Check this out: |
aws_wafv2_web_acl configurations
#27273
|
NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim). |
YakDriver
added
the
waiting-response
|
I am still facing the same issue by using my test code above to reproduce this issue. I am using the aws provider v5.8.0 |
github-actions
bot
removed
the
waiting-response
|
Unfortunately, I still cannot reproduce the bug. See exactly what I did below and let me know if I've missed something. Terraform v1.4+I believe this is fixed in Terraform v1.4+. Can you try on Terraform 1.4+? Terraform v1.5.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.7.0Step 1
variable "rulesets" {
type = any
default = [
{
rule_name = "AWSManagedRulesKnownBadInputsRuleSet"
priority = 1
rules_override_to_count = ["Log4JRCE_QUERYSTRING"]
}
]
}
resource "aws_wafv2_web_acl" "test" {
scope = "REGIONAL"
name = "issue28672"
default_action {
allow {}
}
#######################
# Begin Rules
dynamic "rule" {
for_each = { for this in var.rulesets : this.rule_name => this }
content {
name = rule.key
priority = rule.value.priority
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = rule.key
vendor_name = "AWS"
dynamic "rule_action_override" {
for_each = [for rule_override in rule.value.rules_override_to_count : rule_override]
content {
name = rule_action_override.value
action_to_use {
count {}
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = rule.key
sampled_requests_enabled = false
}
}
}
#######################
# End Rules
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "test-waf-metrics"
sampled_requests_enabled = true
}
}Step 2Reapply same config without changes. No issues. Step 3Apply this: variable "rulesets" {
# Using "type any" here for simplicity to reproduce bug
type = any
default = [
{
rule_name = "AWSManagedRulesKnownBadInputsRuleSet"
priority = 1
rules_override_to_count = ["Log4JRCE_QUERYSTRING"]
},
{
rule_name = "AWSManagedRulesAmazonIpReputationList"
priority = 2
rules_override_to_count = ["AWSManagedIPReputationList", "AWSManagedReconnaissanceList"]
}
]
}
resource "aws_wafv2_web_acl" "test" {
scope = "REGIONAL"
name = "issue28672"
default_action {
allow {}
}
#######################
# Begin Rules
dynamic "rule" {
for_each = { for this in var.rulesets : this.rule_name => this }
content {
name = rule.key
priority = rule.value.priority
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = rule.key
vendor_name = "AWS"
dynamic "rule_action_override" {
for_each = [for rule_override in rule.value.rules_override_to_count : rule_override]
content {
name = rule_action_override.value
action_to_use {
count {}
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = rule.key
sampled_requests_enabled = false
}
}
}
#######################
# End Rules
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "test-waf-metrics"
sampled_requests_enabled = true
}
}Step 4Apply Step 3 config again. No issues. Step 5Apply original Step 1 config again. No issues. Step 6Reapply original Step 1 config again. No issues. |
YakDriver
added
the
waiting-response
|
Interesting! Works for me using the following versions! will close this issue off thanks! |
github-actions
bot
removed
the
waiting-response
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Related:
aws_wafv2_web_acl#27175aws_wafv2_web_aclconfigurations #27273aws_wafv2_web_acldescription/tag changes result in inconsistent final plan #27479Terraform Core Version
1.3.0
AWS Provider Version
4.44.0
Affected Resource(s)
aws_wafv2_web_acl
Expected Behavior
Certain rule actions I want to set to count mode should work via my dynamic block
Actual Behavior
Terraform errors out and ends with "This is a bug in the provider, which should be reported in the provider's own issue tracker"
Relevant Error/Panic Output Snippet
Terraform Configuration Files
This is the short version of the Terraform code I have
Steps to Reproduce
When I uncomment the variable from my configuration file so the variable looks like this, then Terraform errors out
I notice the bug only happens if I am using "rules_override_to_count". Say for example if I have the following variables, I can add/remove as many rules as I want. As long as I am not using the
dynamic "rule_action_override"block.Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: