cloudposse / terraform-aws-waf

Apache License 2.0

dynamic "excluded_rule" { Blocks of type "excluded_rule" are not expected here. #36

Closed gavinconnellotten closed 1 year ago

gavinconnellotten commented 1 year ago

Describe the Bug

I'm using the WAF module to handle a collection of rules in an ACL - it's been working fine for some months, but today it is breaking my Terraform pipeline - no changes have been made to how we're using the module:

Error: Unsupported block type

  on .terraform/modules/waf/rules.tf line 364, in resource "aws_wafv2_web_acl" "default":
 364:         dynamic "excluded_rule" {

Blocks of type "excluded_rule" are not expected here.

Expected Behavior

I'm not making any changes to the use of the WAF module, so it should keep working - no changes.

Steps to Reproduce

I have a rule in my ACL which uses the excluded_rule config - see below:

  managed_rule_group_statement_rules = [
    {
      name            = "AWSManagedRulesCommonRuleSet"
      override_action = "count"
      priority        = 2

      statement = {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        excluded_rule = [
          "SizeRestrictions_QUERYSTRING",
          "NoUserAgent_HEADER"
        ]
      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = false
        metric_name                = "AWSManagedRulesCommonRuleSet-metric"
      }
    }
  ]

If I remove this, the module works again. I'm assuming that AWS have stopped supporting this "excluded_rule" option, but CloudPosse are still using it (or trying to). Some advice on how to move forward with the above config would be helpful.


Environment

Shared GitHub Runners

I have updated my Terraform provider and Module version to latest - no difference.


slar-capco commented 1 year ago

We downgraded the aws provider below version 5 and this problem went away (v4.54.0).

arcaven commented 1 year ago

The root cause is changes to AWS provider in v5: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-5-upgrade#resourceaws_wafv2_web_acl

isaccavalcante commented 10 months ago

In my case I upgraded the syntax from:

excluded_rule = [
    "SizeRestrictions_BODY"
]

to:

rule_action_override = {
    SizeRestrictions_BODY = {
        action = "allow"
    }
}
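For reference, here is the original reporter's rule from the bug report rewritten for AWS provider v5, as an added example that is not part of this thread or of the module's own code. It assumes the same input shape shown in the comment above (a map of managed rule names to an object with an `action` key). The `count` action is used rather than `allow`: AWS documents `ExcludedRules` as "rules whose actions are set to Count", so `count` is the direct equivalent of the old `excluded_rule` behaviour, while `allow` would let matching requests through instead of only recording them. The `metric_name` and priority values are copied from the report; the `waf` module source and version are placeholders.

```hcl
# Added example: the reporter's AWSManagedRulesCommonRuleSet rule migrated from
# the removed `excluded_rule` list to the v5 `rule_action_override` map.
# `source`/`version` are placeholders; the input shape is assumed from the
# comment above (rule name => { action = ... }).
module "waf" {
  source  = "cloudposse/waf/aws" # placeholder, pin to the version that adds rule_action_override
  version = "x.y.z"              # placeholder

  managed_rule_group_statement_rules = [
    {
      name            = "AWSManagedRulesCommonRuleSet"
      override_action = "count"
      priority        = 2

      statement = {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        # Old (provider < 5):
        #   excluded_rule = ["SizeRestrictions_QUERYSTRING", "NoUserAgent_HEADER"]
        #
        # New (provider >= 5): one entry per formerly excluded rule.
        # "count" keeps the exclusion semantics (the rule is evaluated and
        # logged/metered but no longer blocks); "allow" would be a change in
        # behaviour, not a like-for-like migration.
        rule_action_override = {
          SizeRestrictions_QUERYSTRING = {
            action = "count"
          }
          NoUserAgent_HEADER = {
            action = "count"
          }
        }
      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = false
        metric_name                = "AWSManagedRulesCommonRuleSet-metric"
      }
    }
  ]
}
```

After applying this, the CloudWatch metric for each overridden rule still increments on matching requests, which is the easiest way to confirm the override is in effect without any request being blocked. Run `terraform plan` against the pinned provider version and check that the plan shows `rule_action_override` blocks and no `excluded_rule` blocks before applying.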