aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

WAFWebACL Drift for Security Automations for AWS WAF Solution #257

Open chrisfleming-chq opened 8 months ago

chrisfleming-chq commented 8 months ago

Describe the bug

Deploying the Security Automations for AWS WAF solution creates drift on the WebACL nested Stack - I believe due to how AWS processes Single Header names.

WAF treats these Single Headers as case insensitive and converts them to lowercase internally which is causing drift in that specific item.

https://docs.aws.amazon.com/waf/latest/APIReference/API_SingleHeader.html

To Reproduce

This can be reproduced by deploying the Security Automations for AWS WAF solution and associating the Web ACL.

Detect Drift on the nested WebACL Stack - WAFWebACL will show as MODIFIED.

Expected behavior

I expect WAFWebACL to reflect IN_SYNC and not MODIFIED.

To resolve the Drift to IN_SYNC - There are three (3) references of Single Headers; each of these needs to be changed to lowercase to match how they are processed internally by AWS.

Resolve WAF Drift

Once the changes are made, run another drift check. This should confirm that the once-drifted WAFWebACL is now IN_SYNC.


aijunpeng commented 8 months ago

Thanks for reporting the issue. This seems to be by design per the WAF service. Based on https://docs.aws.amazon.com/waf/latest/APIReference/API_SingleHeader.html, the name isn't case sensitive. This means WAF allows both upper and lower case, and it handles case conversion to lower case internally. Although using upper case in the WAF CloudFormation template creates an unintentional drift, it shouldn't affect functionality. We have added this to our backlog for future releases.
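The drift mechanism described in the report and confirmed in the reply (WAF lowercases SingleHeader names on the service side, so any mixed-case Name in the template will show as MODIFIED after deployment) can be caught before deploying rather than found by a drift check afterwards. The script below is an added example, not code from this repository or from the Security Automations for AWS WAF solution: it walks a CloudFormation template that has already been loaded as a dict, lists every FieldToMatch/SingleHeader Name that is not already lowercase, and produces a normalised copy. The embedded template is a constructed fragment for illustration; only the FieldToMatch/SingleHeader/Name nesting matches the real AWS::WAFv2::WebACL schema, the rule names and header choices are made up, and JSON input is assumed (a YAML template would need a YAML loader first).

```python
"""Pre-deployment check for the SingleHeader case drift.

AWS WAF stores SingleHeader names in lowercase, so a CloudFormation template
that spells one as "User-Agent" drifts to MODIFIED once deployed. Finding and
normalising such names in the template keeps the stack IN_SYNC.
"""
import copy
import json
import sys
from typing import Any, Iterator

# Constructed sample template (illustration only, not the solution's template).
SAMPLE_TEMPLATE: dict = {
    "Resources": {
        "WAFWebACL": {
            "Type": "AWS::WAFv2::WebACL",
            "Properties": {
                "Name": "example-web-acl",
                "Scope": "REGIONAL",
                "Rules": [
                    {
                        "Name": "MatchUserAgent",
                        "Priority": 1,
                        "Statement": {
                            "ByteMatchStatement": {
                                "FieldToMatch": {"SingleHeader": {"Name": "User-Agent"}},
                                "PositionalConstraint": "CONTAINS",
                                "SearchString": "example-scanner",
                                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                            }
                        },
                    },
                    {
                        "Name": "MatchForwardedFor",
                        "Priority": 2,
                        "Statement": {
                            "SizeConstraintStatement": {
                                "FieldToMatch": {"SingleHeader": {"Name": "x-forwarded-for"}},
                                "ComparisonOperator": "GT",
                                "Size": 256,
                                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                            }
                        },
                    },
                    {
                        "Name": "MatchAuthorization",
                        "Priority": 3,
                        "Statement": {
                            "ByteMatchStatement": {
                                "FieldToMatch": {"SingleHeader": {"Name": "Authorization"}},
                                "PositionalConstraint": "STARTS_WITH",
                                "SearchString": "Basic ",
                                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                            }
                        },
                    },
                ],
            },
        }
    }
}


def iter_single_headers(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield (json_path, single_header_dict) for every SingleHeader in the tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "SingleHeader" and isinstance(value, dict) and "Name" in value:
                yield child, value
            else:
                yield from iter_single_headers(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_single_headers(item, f"{path}[{index}]")


def find_drifting_headers(template: dict) -> list[tuple[str, str]]:
    """Return (path, name) for each SingleHeader Name that WAF would lowercase.

    Names given as intrinsic functions (e.g. {"Ref": ...}) are skipped because
    their final value is not known until deployment.
    """
    return [
        (path, header["Name"])
        for path, header in iter_single_headers(template)
        if isinstance(header["Name"], str) and header["Name"] != header["Name"].lower()
    ]


def normalize_single_headers(template: dict) -> dict:
    """Return a deep copy of the template with every literal SingleHeader Name lowercased."""
    fixed = copy.deepcopy(template)
    for _, header in iter_single_headers(fixed):
        if isinstance(header["Name"], str):
            header["Name"] = header["Name"].lower()
    return fixed


if __name__ == "__main__":
    # Usage: python check_single_headers.py [template.json]; defaults to the sample.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for path, name in find_drifting_headers(template):
        print(f"would drift: {path} Name={name!r} -> {name.lower()!r}")
```

Run against the constructed sample it reports the User-Agent and Authorization rules and leaves x-forwarded-for alone; the normalised copy from normalize_single_headers is what you would write back to the template so that the WAFWebACL resource stays IN_SYNC after the next drift detection.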