hashicorp / terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
https://www.terraform.io/cdktf
Mozilla Public License 2.0

wafv2 rule-group - rule "statement" is not getting reflected in the cdk.tf.json #2469

Open Abhishek-singhcoupa opened 1 year ago

Abhishek-singhcoupa commented 1 year ago

cdktf & Language Versions

language: python
cdktf-cli: 0.13.3
node: v18.12.1
cdktf: 0.13.3
constructs: 10.1.188
jsii: 1.72.0
terraform: 1.1.9
arch: x64
os: darwin 22.2.0
python: Python 3.10.8
pip: pip 22.3.1 from /usr/local/lib/python3.10/site-packages/pip (python 3.10)
pipenv: pipenv, version 2022.9.24

Affected Resource(s)

wafv2 RuleGroup, Rules

Debug Output

deploy fails with error -


[ERROR] default - ╷
│ Error: creating WAFv2 RuleGroup (test-cdk): WAFInvalidParameterException: Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: STATEMENT, parameter: Statement
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "7beaebeb-dc61-460d-9c47-10a9188b56eb"
│   },
│   Field: "STATEMENT",
│   Message: "Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: STATEMENT, parameter: Statement",
│   Parameter: "Statement",
│   Reason: "You have used none or multiple values for a field that requires exactly one value."
│ }
│
│   with aws_wafv2_rule_group.test-rg-cdk,
│   on cdk.tf.json line 69, in resource.aws_wafv2_rule_group.test-rg-cdk:
│   69: }


Expected Behavior

The rule statement should be present.

Actual Behavior

statement is blank, making the deploy fail.

Steps to Reproduce

Use cdktf python, main.py definition -


#!/usr/bin/env python
from pickle import NONE
import profile
from typing import Sequence
from constructs import Construct
from cdktf import App, TerraformStack, TerraformOutput, Token, Fn
from imports.aws.provider import AwsProvider
from imports.aws import fms_policy, wafv2_rule_group
import json

class MyStack(TerraformStack):
    def __init__(self, scope: Construct, id: str):
        super().__init__(scope, id)

        # Creating wafv2_rule_group
        AwsProvider(self, "AWS", region="xxx", profile='xxx')

        wrg=wafv2_rule_group.Wafv2RuleGroup(self, 
        id_='test-rg-cdk',
        visibility_config={
            "sampled_requests_enabled": True,
            "cloudwatch_metrics_enabled": True,
            "metric_name": "test-metric"
        },
        description="Test rg from cdk",
        capacity=80,
        name='test-cdk',
        scope='REGIONAL',
        rule=[
            {
                "name": "body_size_constraint",
                "priority": 0,
                "statement": {
                    "size_constraint_statement": {
                        "field_to_match": {
                            "body": {}
                        },
                        "comparison_operator": "GT",
                        "size": 8192,
                        "text_transformation": [
                            {
                            "priority": 0,
                            "type": "NONE"
                            }
                        ]
                    }
                },
                "action": {
                    "count": {}
                },
                "visibilityConfig": {
                    "sampledRequestsEnabled": True,
                    "cloudwatchMetricsEnabled": True,
                    "metricName": "body_size_constraint"
                }
            }
        ],
        tags={
            "name":"waf-fms-policy-cdk",
            "Managedby":"CDK Terraform"
        })

app = App()
MyStack(app, "coupa-waf-cdk")

app.synth()

Run cdktf deploy

Refer to the cdk.tf.json output file below, showing the blank statement at line 39 -

{
  "//": {
    "metadata": {
      "backend": "local",
      "stackName": "waf-cdk",
      "version": "0.13.3"
    },
    "outputs": {
    }
  },
  "provider": {
    "aws": [
      {
        "profile": "xx",
        "region": "xxx"
      }
    ]
  },
  "resource": {
    "aws_wafv2_rule_group": {
      "test-rg-cdk": {
        "//": {
          "metadata": {
            "path": "waf-cdk/test-rg-cdk",
            "uniqueId": "test-rg-cdk"
          }
        },
        "capacity": 80,
        "description": "Test rg from cdk",
        "name": "test-cdk",
        "rule": [
          {
            "action": {
              "count": {
              }
            },
            "name": "body_size_constraint",
            "priority": 0,
            "statement": {
            },
            "visibility_config": {
              "cloudwatch_metrics_enabled": true,
              "metric_name": "body_size_constraint",
              "sampled_requests_enabled": true
            }
          }
        ],
        "scope": "REGIONAL",
        "tags": {
          "Managedby": "CDK Terraform",
          "name": "waf-fms-policy-cdk"
        },
        "visibility_config": {
          "cloudwatch_metrics_enabled": true,
          "metric_name": "test-metric",
          "sampled_requests_enabled": true
        }
      }
    }
  },
  "terraform": {
    "backend": {
      "local": {
        "path": "/xxxx/terraform.coupa-waf-cdk.tfstate"
      }
    },
    "required_providers": {
      "aws": {
        "source": "aws",
        "version": "4.46.0"
      }
    }
  }
}

DanielMSchmidt commented 1 year ago

Thanks for reporting this bug! I could reproduce it in 0.15. I could get around it by using an escape hatch:

wrg.add_override('rule.0.statement', {
    "size_constraint_statement": {
        "field_to_match": {
            "body": {}
        },
        "comparison_operator": "GT",
        "size": 8192,
        "text_transformation": [
            {
                "priority": 0,
                "type": "NONE"
            }
        ]
    }
})
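
A pre-deploy check for the failure described in this issue, as an added example (not code from the issue or from the cdktf project): it scans synthesized Terraform JSON for aws_wafv2_rule_group rules whose statement does not hold exactly one condition, which is what the WAFv2 API rejects with EXACTLY_ONE_CONDITION_REQUIRED. The sample document is constructed from the cdk.tf.json and the override shown above; the function names and the test-rg-fixed resource are assumptions.

```python
import json

# Constructed sample: trimmed from the cdk.tf.json in the issue, plus a
# hypothetical second rule group carrying the statement from the workaround.
SAMPLE = json.loads("""
{"resource": {"aws_wafv2_rule_group": {
  "test-rg-cdk": {"name": "test-cdk", "rule": [
    {"name": "body_size_constraint", "priority": 0,
     "action": {"count": {}}, "statement": {}}]},
  "test-rg-fixed": {"name": "test-fixed", "rule": [
    {"name": "body_size_constraint", "priority": 0,
     "action": {"count": {}},
     "statement": {"size_constraint_statement": {
       "field_to_match": {"body": {}},
       "comparison_operator": "GT", "size": 8192,
       "text_transformation": [{"priority": 0, "type": "NONE"}]}}}]}
}}}
""")


def _as_list(value):
    """Terraform JSON allows a nested block as one object or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_bad_statements(synth):
    """Return (resource_id, rule_name, condition_count) for every rule whose
    statement does not hold exactly one condition."""
    findings = []
    groups = synth.get("resource", {}).get("aws_wafv2_rule_group", {})
    for res_id, body in groups.items():
        for rule in _as_list(body.get("rule")):
            # "//" keys are synth metadata, not WAF conditions.
            conditions = [key for stmt in _as_list(rule.get("statement"))
                          for key in stmt if key != "//"]
            if len(conditions) != 1:
                findings.append((res_id, rule.get("name"), len(conditions)))
    return findings


if __name__ == "__main__":
    for res_id, rule, count in find_bad_statements(SAMPLE):
        print(f"{res_id}: rule {rule!r} has {count} statement conditions, expected 1")
```

Run against the synthesized cdk.tf.json before cdktf deploy, this catches a rule whose match condition was dropped at synth time instead of leaving it to the API error.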