Cannot create WAFv2 Web ACL with multiple rules #14094

Closed
jackfarzan opened this issue Jul 8, 2020 · 5 comments
Labels
service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments


jackfarzan commented Jul 8, 2020

Terraform Version

Terraform=v0.12.28
provider.aws=v2.69.0

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

resource "aws_wafv2_web_acl" "sample" {
  name  = "sample-waf"
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "sample"
    sampled_requests_enabled   = true
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 0

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  # This rule has neither an action nor an override_action block; as the
  # discussion below shows, that is what triggers the API error.
  rule {
    name     = "AWS-AWSManagedRulesAnonymousIpList"
    priority = 1

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesAmazonIpReputationList"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = true
    }
  }
}

Debug Output

https://gist.github.com/jackfarzan/f32ecb8e820005f4c5c3f6f3ef15ad77

Expected Behavior

Web ACL is created with multiple rules

Actual Behavior

Web ACL is not created with message:

Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: Your statement has multiple values set for a field that requires exactly one value., field: RULE, parameter: Rule
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "314372a1-927e-4cd2-b4a9-f3962368ee22"
  },
  Field: "RULE",
  Message_: "Error reason: Your statement has multiple values set for a field that requires exactly one value., field: RULE, parameter: Rule",
  Parameter: "Rule",
  Reason: "Your statement has multiple values set for a field that requires exactly one value."
}

Steps to Reproduce

  1. terraform apply
@ghost ghost added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Jul 8, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 8, 2020
anGie44 (Contributor) commented Jul 8, 2020

Hi @jackfarzan, thank you for reporting this issue! I believe the error documented in the description stems from the 2nd managed rule in your config (name = "AWS-AWSManagedRulesAnonymousIpList"). It needs the override_action block, similar to the other 2 rules you have configured (if it were not a rule that refs a rule group or a managed rule, the action block would be needed). The error there isn't very clear about what part of the rule needs adjustment, unfortunately.

Hope this helps! If any further questions arise please let me know! As well, if the documentation (hosted at terraform.io) for this resource isn't clear about these fields and could be improved, your feedback is greatly appreciated 😃

@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Jul 8, 2020
@anGie44 anGie44 self-assigned this Jul 8, 2020
jackfarzan (Author) commented

Hi @anGie44, that was definitely the issue! The docs were indeed unclear, I thought I only needed to specify the override_action block if I wanted to do anything other than block the action.

So then, what would I specify if I do want to use the default action? Overriding to block {} does not work.

anGie44 (Contributor) commented Jul 8, 2020

Ahh gotcha! Yeah, for any given rule block you specify in your config, one of action or override_action is technically required (I'll make a note of this to update our documentation, as that gets a bit lost within the bullet points). Also note that the override_action block only supports count {} and none {}, unlike action, documented in this section. With that being said, you can configure the override_action to none {} to leave the actions in effect. It does seem a bit counter-intuitive since no action is really being overridden 😅 but by design of the AWS WAFv2 API, it's expected.
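
A corrected version of the configuration from this issue, added here as an example; it is not code from the thread or from the provider's own documentation. Every rule carries exactly one of action or override_action: the Common Rule Set is left in count mode, the Anonymous IP List managed group gets override_action { none {} } so the group's own rule actions stay in effect (the Amazon IP Reputation List rule from the issue takes the same form), and a custom rate-based rule is added to show that a rule whose statement is not a rule group reference uses action instead. The rule name "rate-limit-per-ip", its metric name and the 2000-requests-per-five-minutes threshold are assumptions, and the rate_based_statement block assumes a provider release that supports it.

```hcl
resource "aws_wafv2_web_acl" "sample" {
  name  = "sample-waf"
  scope = "CLOUDFRONT"

  # Requests matched by no blocking rule are allowed. A rule in count mode
  # therefore blocks nothing; it only emits metrics and sampled requests.
  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "sample"
    sampled_requests_enabled   = true
  }

  # Managed rule group kept in count mode while false positives are reviewed:
  # count {} overrides the action of every rule in the group.
  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 0

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  # Managed rule group that should enforce. The override_action block is still
  # required (this was the missing piece in the issue); none {} leaves the
  # group's own rule actions in effect. block {} is not accepted here.
  rule {
    name     = "AWS-AWSManagedRulesAnonymousIpList"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }

  # Custom rule: its statement is not a rule group reference, so it takes an
  # action block (allow, block or count) instead of override_action.
  # Assumed values: rule name, metric name and the 2000 requests / 5 min limit.
  rule {
    name     = "rate-limit-per-ip"
    priority = 3

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }
}
```

Both action and override_action are optional in the provider schema, so terraform validate and terraform plan accept a rule that has neither; the exactly-one constraint is enforced by the WAFv2 API, which is why the error in this issue appears only at terraform apply. When tuning, review the sampled requests for a counted group before switching it to none {}: as long as every managed group runs in count mode under a default allow action, the web ACL blocks nothing.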

jackfarzan (Author) commented

@anGie44 Gotcha. Thanks for the help!

ghost commented Aug 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 8, 2020