[WAFv2] Error creating WAFv2 RuleGroup when using a RateBasedStatement

[anGie44]

Confirm by changing [ ] to [x] below to ensure that it's a bug:

• [x] I've gone though Developer Guide and API reference
• [x] I've checked AWS Forums and StackOverflow for answers
• [x] I've searched for previous similar issues and didn't find any solution

Describe the bug Creating a Rule Group with a RateBasedStatement returns 400 (similar to aws cli error reported in https://github.com/aws/aws-cli/issues/5015)

WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RATE_BASED_STATEMENT, parameter: RateBasedStatement
        {
          RespMetadata: {
            StatusCode: 400,
            ...
          },
          Field: "RATE_BASED_STATEMENT",
          Message_: "Error reason: A reference in your rule statement is not valid., field: RATE_BASED_STATEMENT, parameter: RateBasedStatement",
          Parameter: "RateBasedStatement",
          Reason: "A reference in your rule statement is not valid."
        }

Version of AWS SDK for Go?

• v1.33.21

Version of Go (go version)?

• 1.14

To Reproduce (observed behavior) Steps to reproduce the behavior (please share code or minimal repo)

• create basic input (w/o inner scope_down_statement reference, though that has failed as well):

  
  rateBased := &wafv2.RateBasedStatement{
  AggregateKeyType: aws.String("IP"),
  Limit: aws.Int64(int64(100)),
  }

statement := &wafv2.Statement{RateBasedStatement: rateBased}

visibilityConfig := &wafv2.VisbilityConfig { CloudWatchMetricsEnabled: aws.Bool(false), MetricName: aws.String("example-metric"), SampledRequestsEnabled: aws.Bool(false), }

var rules []*wafv2.Rule rule := &wafv2.Rule{ Name: aws.String("rule-1"), Priority: aws.Int64(int64(1)), Action: &wafv2.RuleAction{ Allow: &wafv2.AllowAction{} }, // or {Block: &wafv2.BlockAction{}} or {Count: &wafv2.CountAction{}} also tested Statement: statement, VisibilityConfig: visibilityConfig, }

rules = append(rules, rule)

params := &wafv2.CreateRuleGroupInput { Name: aws.String("example"), Scope: aws.String("REGIONAL"), Capacity: aws.Int64(int64(300)), Rules: rules, VisibilityConfig: visibilityConfig, }

output, err := conn.CreateRuleGroup(params)

**Expected behavior**
Request succeeds without error and Rule Group is created

**Additional context**
* API docs suggest `RateBasedStatement` is supported https://docs.aws.amazon.com/waf/latest/APIReference/API_CreateRuleGroup.html
* AWS Console validates a RateBasedStatement similar to the config above in JSON, but at actual creation time, an error also occurs

[leecookson]

From AWS Support, a very clear answer:

Rule groups and web ACLs both contain rules, which are defined in the same manner in both places. Rule groups differ from web ACLs in the following ways:

Rule groups can't contain the following rule statement types:
-Rule group reference statements
-Rate-based rule statements

I would like to confirm that Rate-based rules cannot be added in Rule group and can be added only in WebACLS[1]

Hope I was able to confirm and answer your question. In case of any additional queries, feel free to respond back and I will be more happy to assist you.

Have a nice day!!

[diehlaws]

Thanks for reaching out to us about this @anGie44, and thanks @leecookson for the insight from Premium Support. While I was able to reproduce the described behavior, the error returned suggests this behavior is due to the way the service behaves rather than a problem with the AWS SDK for Go, which is confirmed by our Premium Support team's statement in @leecookson's reply.

Unfortunately this behavior is not something that can be altered from the SDK's end, as such I will be closing out this issue. If you'd like to see this behavior changed from the service end I suggest creating a new Technical Support case under the WAF service and Feature Request category so your request goes through the appropriate channels.

[anGie44]

i see! thanks @diehlaws and @leecookson for following up with this behavior. anyway we can help make a request to update the API documentation?

[diehlaws]

@anGie44 Certainly! You can use the Provide feedback link on the CreateRuleGroup page for WAF's API Reference, this will create a ticket for the service's documentation team containing the information provided in the form.

[anGie44]

awesome 👍 , thanks @diehlaws!

[zulfiqarhaider]

Hi Team, This is now possible; can we please reopen this issue. I am facing the same issue despite having this option on the console cannot do it via terraform. thanks.

[leftyb]

Hi Team , Same issue here. I managed to create the "rate_based_statement" from console inside a rule group, but not working with terraform yet.

Thanks.

[praddc]

+1 to the above.

[dnoach]

• 1