cloudposse / terraform-aws-waf

https://cloudposse.com/accelerate
Apache License 2.0
40 stars 57 forks

Continuous recreation of ATP rule #77

Open vodila-privet opened 4 months ago

vodila-privet commented 4 months ago

Describe the Bug

I added the ATP rule at module setup, and the terraform plan works. The rules are successfully created. The problem is that when I run the plan again, I see that the module tries to delete and recreate some rules again, and this happens repeatedly. The strangest thing is that I have created many different rules before; this problem appears when you add an ATP rule. I have tried changing the priorities of the rules, but this does not help either. Here is what the rule I add looks like:

managed_rule_group_statement_rules = [
    {
      name            = "rule-AWSManagedRulesCommonRuleSet"
      override_action = "none"
      priority        = 50

      statement = {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        rule_action_override = var.common_rule_set_rule_action_override_regional
      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "rule-AWSManagedRulesCommonRuleSet-metric"
      }
    },
    {
      name            = "rule-AWSManagedRulesAmazonIpReputationList"
      override_action = "none"
      priority        = 60

      statement = {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"

        rule_action_override = var.amazon_ip_reputation_list_rule_action_override_regional
      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "rule-AWSManagedRulesAmazonIpReputationList-metric"
      }
    },
    {
      name            = "rule-AWSManagedRulesKnownBadInputsRuleSet"
      override_action = "none"
      priority        = 70

      statement = {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"

        rule_action_override = var.known_bad_inputs_rule_set_rule_action_override_regional

      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "rule-AWSManagedRulesKnownBadInputsRuleSet-metric"
      }
    },
    {
      name     = "rule-AWSManagedRulesAnonymousIpList"
      priority = 80

      statement = {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"

        rule_action_override = var.anonymous_ip_list_rule_set_rule_action_override_regional

      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "rule-AWSManagedRulesAnonymousIpList-metric"
      }
    },
    {
      name            = "rule-AWSManagedRulesSQLiRuleSet"
      override_action = "none"
      priority        = 90

      statement = {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"

        rule_action_override = var.sqli_rule_set_rule_action_override_regional

      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "rule-AWSManagedRulesSQLiRuleSet-metric"
      }
    },
    {
      # Account Takeover Prevention (ATP) managed rule group; this is the rule that churns
      name            = "rule-AWSManagedRulesATPRuleSet"
      override_action = "none"
      priority        = 100

      statement = {
        name        = "AWSManagedRulesATPRuleSet"
        vendor_name = "AWS"

        managed_rule_group_configs = [
          {
            aws_managed_rules_atp_rule_set = {
              login_path = var.atp_login_path
              request_inspection = {
                payload_type   = var.atp_payload_type
                password_field = { identifier = var.atp_password_field }
                username_field = { identifier = var.atp_username_field }
              }
            }
          }
        ]

        rule_action_override = var.atp_list_rule_set_rule_action_override_regional
      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "rule-AWSManagedRulesATPRuleSet-metric"
      }
    },
]

This is what the plan looks like after re-running the terraform plan:

~ resource "aws_wafv2_web_acl" "default" {
        id                          = "8006b55a-7c18-459a-a1e0-06aebc267190"
        name                        = "dev-my-project"
        tags                        = {
            "Environment" = "dev"
            "Name"        = "dev-my-project"
        }
        # (8 unchanged attributes hidden)

      - rule {
          - name     = "rule-AWSManagedRulesATPRuleSet" -> null
          - priority = 100 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesATPRuleSet" -> null
                  - vendor_name = "AWS" -> null

                  - managed_rule_group_configs {
                      - aws_managed_rules_atp_rule_set {
                          - enable_regex_in_path = false -> null
                          - login_path           = "/sign-in" -> null

                          - request_inspection {
                              - payload_type = "JSON" -> null

                              - password_field {
                                  - identifier = "/password" -> null
                                }

                              - username_field {
                                  - identifier = "/email" -> null
                                }
                            }
                        }
                    }

                  - rule_action_override {
                      - name = "AttributeLongSession" -> null

                      - action_to_use {
                          - count {
                            }
                        }
                    }
                  - rule_action_override {
                      - name = "TokenRejected" -> null

                      - action_to_use {
                          - count {
                            }
                        }
                    }
                  - rule_action_override {
                      - name = "UnsupportedCognitoIDP" -> null

                      - action_to_use {
                          - count {
                            }
                        }
                    }
                  - rule_action_override {
                      - name = "VolumetricSession" -> null

                      - action_to_use {
                          - count {
                            }
                        }
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "rule-AWSManagedRulesATPRuleSet-metric" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "rule-AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 60 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "rule-AWSManagedRulesAmazonIpReputationList-metric" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "rule-AWSManagedRulesKnownBadInputsRuleSet" -> null
          - priority = 70 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesKnownBadInputsRuleSet" -> null
                  - vendor_name = "AWS" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "rule-AWSManagedRulesKnownBadInputsRuleSet-metric" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "rule-AWSManagedRulesSQLiRuleSet" -> null
          - priority = 90 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesSQLiRuleSet" -> null
                  - vendor_name = "AWS" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "rule-AWSManagedRulesSQLiRuleSet-metric" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "rule-AWSManagedRulesATPRuleSet"
          + priority = 100

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesATPRuleSet"
                  + vendor_name = "AWS"

                  + managed_rule_group_configs {
                      + aws_managed_rules_atp_rule_set {
                          + enable_regex_in_path = (known after apply)
                          + login_path           = "/sign-in"

                          + request_inspection {
                              + payload_type = "JSON"

                              + password_field {
                                  + identifier = "/password"
                                }

                              + username_field {
                                  + identifier = "/email"
                                }
                            }
                        }
                    }

                  + rule_action_override {
                      + name = "AttributeLongSession"

                      + action_to_use {
                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "TokenRejected"

                      + action_to_use {
                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "UnsupportedCognitoIDP"

                      + action_to_use {
                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "VolumetricSession"

                      + action_to_use {
                          + count {
                            }
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "rule-AWSManagedRulesATPRuleSet-metric"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "rule-AWSManagedRulesAmazonIpReputationList"
          + priority = 60

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "rule-AWSManagedRulesAmazonIpReputationList-metric"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "rule-AWSManagedRulesKnownBadInputsRuleSet"
          + priority = 70

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesKnownBadInputsRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "rule-AWSManagedRulesKnownBadInputsRuleSet-metric"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "rule-AWSManagedRulesSQLiRuleSet"
          + priority = 90

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesSQLiRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "rule-AWSManagedRulesSQLiRuleSet-metric"
              + sampled_requests_enabled   = true
            }
        }

        # (10 unchanged blocks hidden)
    }

After recreating the rules nothing changes; however, it is very confusing.

Expected Behavior

I expect that after I create an ATP rule, when I re-run the terraform plan I will not see any planned changes.

Steps to Reproduce

Just add the ATP rule, run terraform plan and terraform apply, then run terraform plan again and you will see everything I described above.

Screenshots

No response

Environment

terraform {
  required_version = "~> 1.7.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
Additional Context

No response
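The plan above is an in-place update of the web ACL (the `~` on the resource), so the rules are removed and re-added inside a single web ACL update rather than the ACL being destroyed and recreated; the cost is noise that hides real drift, and because `rule` is a set the plan shows whole rules churning without saying which leaf attribute actually differs. The script below is an added example written for this page, not code from the cloudposse/terraform-aws-waf module or from the issue author. It reads the JSON form of a Terraform plan, pairs every `rule` in `before` with the same-named rule in `after` for each `aws_wafv2_web_acl`, folds `after_unknown` into the comparison so "known after apply" values are visible, and reports only the leaf attributes that differ. The embedded plan is constructed to mirror the one in the issue (rule names, `login_path`, field identifiers and the `enable_regex_in_path` flag are taken from it); the resource address `module.waf.aws_wafv2_web_acl.default` is hypothetical.

```python
"""Report which leaf attributes make Terraform churn aws_wafv2_web_acl rules.

Added example for this page (not module or issue-author code). Input is the
JSON produced by `terraform show -json tfplan`. Nested blocks appear as lists
in that format, and values that are only known after apply are omitted from
`after` and flagged `true` at the same position in `after_unknown`.
"""
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

UNKNOWN = "(known after apply)"


def _leaves(value: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Flatten nested dicts/lists into (dotted.path[idx], scalar) pairs."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _leaves(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from _leaves(child, f"{path}[{idx}]")
    else:
        yield path, value


def _merge_unknown(after: Any, unknown: Any) -> Any:
    """Overlay after_unknown onto after so unknown leaves carry a marker."""
    if unknown is True:
        return UNKNOWN
    if isinstance(unknown, dict):
        after = after if isinstance(after, dict) else {}
        return {k: _merge_unknown(after.get(k), unknown.get(k))
                for k in set(after) | set(unknown)}
    if isinstance(unknown, list):
        after = after if isinstance(after, list) else []
        return [_merge_unknown(after[i] if i < len(after) else None,
                               unknown[i] if i < len(unknown) else None)
                for i in range(max(len(after), len(unknown)))]
    return after


def churned_rules(plan: Dict[str, Any]) -> Dict[str, Dict[str, List[Tuple[str, Any, Any]]]]:
    """Map resource address -> rule name -> [(attr path, before, after)] for rules that differ."""
    report: Dict[str, Dict[str, List[Tuple[str, Any, Any]]]] = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_wafv2_web_acl":
            continue
        change = rc["change"]
        if change.get("actions") == ["no-op"]:
            continue
        before = {r["name"]: r for r in (change.get("before") or {}).get("rule", [])}
        after_full = _merge_unknown(change.get("after") or {}, change.get("after_unknown") or {})
        after = {r["name"]: r for r in after_full.get("rule", [])}  # pair by name, not by set position
        diffs: Dict[str, List[Tuple[str, Any, Any]]] = {}
        for name in sorted(set(before) | set(after)):
            b = dict(_leaves(before.get(name, {})))
            a = dict(_leaves(after.get(name, {})))
            changed = [(p, b.get(p), a.get(p)) for p in sorted(set(b) | set(a)) if b.get(p) != a.get(p)]
            if changed:
                diffs[name] = changed
        if diffs:
            report[rc["address"]] = diffs
    return report


def _atp_rule(with_regex_flag: bool) -> Dict[str, Any]:
    """Constructed ATP rule in plan-JSON shape; only `before` carries enable_regex_in_path."""
    atp: Dict[str, Any] = {"login_path": "/sign-in",
                           "request_inspection": [{"payload_type": "JSON",
                                                   "password_field": [{"identifier": "/password"}],
                                                   "username_field": [{"identifier": "/email"}]}]}
    if with_regex_flag:
        atp["enable_regex_in_path"] = False
    return {"name": "rule-AWSManagedRulesATPRuleSet", "priority": 100,
            "override_action": [{"none": [{}]}],
            "statement": [{"managed_rule_group_statement": [{
                "name": "AWSManagedRulesATPRuleSet", "vendor_name": "AWS",
                "managed_rule_group_configs": [{"aws_managed_rules_atp_rule_set": [atp]}]}]}]}


COMMON = {"name": "rule-AWSManagedRulesCommonRuleSet", "priority": 50,
          "override_action": [{"none": [{}]}],
          "statement": [{"managed_rule_group_statement": [
              {"name": "AWSManagedRulesCommonRuleSet", "vendor_name": "AWS"}]}]}

# Constructed plan JSON mirroring the issue; the address is hypothetical.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [{
    "address": "module.waf.aws_wafv2_web_acl.default",
    "type": "aws_wafv2_web_acl",
    "change": {
        "actions": ["update"],
        "before": {"name": "dev-my-project", "rule": [COMMON, _atp_rule(True)]},
        "after": {"name": "dev-my-project", "rule": [_atp_rule(False), COMMON]},
        "after_unknown": {"rule": [
            {"statement": [{"managed_rule_group_statement": [{"managed_rule_group_configs": [
                {"aws_managed_rules_atp_rule_set": [{"enable_regex_in_path": True}]}]}]}]},
            {}]}}}]}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, rules in churned_rules(plan).items():
        print(address)
        for rule, changes in rules.items():
            for path, b, a in changes:
                print(f"  {rule}: {path}: {b!r} -> {a!r}")
```

Generate the input with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and run `python3 waf_churn.py plan.json`. On the constructed plan the only reported difference is `enable_regex_in_path`, `False -> (known after apply)`, which is also what the issue's plan shows; an attribute that the provider computes but the configuration never sets is a common reason a set element's hash changes on every plan, so the place to look is whether the module lets you set that attribute explicitly. The script is equally useful as a CI gate: a non-empty report right after a successful apply is a perpetual diff, and a report on an otherwise unchanged configuration is real drift.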