Provider-AWS: Cannot deploy WAFv2WebACL with the latest version

[sheplu]

Expected Behavior

It should be deploying a WAFv2WebACL with rules as it was doing it with the previous minor version.

Actual Behavior

When I try to add a rule in an AWS WAFv2 (AWS WAFv2WebACL) configuration, this should work and not crash with the following error.

Error: 024-02-02T20:03:40.477] [ERROR] default - ╷
│ Error: Extraneous JSON object property
│ 
│   on cdk.tf.json line 747, in resource.aws_wafv2_web_acl.my-waf-name.rule[0].statement:
│  747:               "managedRuleGroupStatement": {
│ 
│ No argument or block type is named "managedRuleGroupStatement".
╵

Steps to Reproduce

1. Setup a default project with the latest AWS provider and cdktf ("@cdktf/provider-aws": "^19.3.0", "cdktf": "^0.20.3")
2. Instanciate a WAFv2WebACL configuration WITH a rule (non empty rule, at least one rule should exist)
3. Run / deploy and it will fails with the error listed just above

Versions

language: typescript cdktf-cli: 0.20.3 node: v20.11.0 cdktf: 0.20.3 constructs: 10.3.0 jsii: null terraform: 1.7.1 arch: x64 os: linux 6.2.0-1019-azure providers aws@~>5 (LOCAL) terraform provider version: 5.35.0 @cdktf/provider-aws (PREBUILT) terraform provider version: 5.34.0 prebuilt provider version: 19.3.0 cdktf version: ^0.20.0

Providers

I tried with the two way to use the provider

Provider Name	Provider Version	CDKTF	Constraint	Package Name	Package Version
aws	5.35.0		~>5
aws	5.34.0	^0.20.		@cdktf/provider-aws	19.3.0

Gist

No response

Possible Solutions

As this was working with the aws-provider@5.31.0, and as I am seeing a difference between 18.2 and 19.3 in the Wafv2WebAclRule I guess this could be the issue

// 19.3

    /**
    * statement block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#statement Wafv2WebAcl#statement}
    */
    readonly statement?: any;

// 18.2

    /**
    * statement block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#statement Wafv2WebAcl#statement}
    */
    readonly statement: Wafv2WebAclRuleStatement;

Full files below

// 19.3

export interface Wafv2WebAclRule {
    /**
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#name Wafv2WebAcl#name}
    */
    readonly name: string;
    /**
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#priority Wafv2WebAcl#priority}
    */
    readonly priority: number;
    /**
    * action block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#action Wafv2WebAcl#action}
    */
    readonly action?: Wafv2WebAclRuleAction;
    /**
    * captcha_config block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#captcha_config Wafv2WebAcl#captcha_config}
    */
    readonly captchaConfig?: Wafv2WebAclRuleCaptchaConfig;
    /**
    * override_action block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#override_action Wafv2WebAcl#override_action}
    */
    readonly overrideAction?: Wafv2WebAclRuleOverrideAction;
    /**
    * rule_label block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#rule_label Wafv2WebAcl#rule_label}
    */
    readonly ruleLabel?: Wafv2WebAclRuleRuleLabel[] | cdktf.IResolvable;
    /**
    * statement block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#statement Wafv2WebAcl#statement}
    */
    readonly statement?: any;
    /**
    * visibility_config block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.34.0/docs/resources/wafv2_web_acl#visibility_config Wafv2WebAcl#visibility_config}
    */
    readonly visibilityConfig: Wafv2WebAclRuleVisibilityConfig;
}

// 18.2

export interface Wafv2WebAclRule {
    /**
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#name Wafv2WebAcl#name}
    */
    readonly name: string;
    /**
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#priority Wafv2WebAcl#priority}
    */
    readonly priority: number;
    /**
    * action block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#action Wafv2WebAcl#action}
    */
    readonly action?: Wafv2WebAclRuleAction;
    /**
    * captcha_config block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#captcha_config Wafv2WebAcl#captcha_config}
    */
    readonly captchaConfig?: Wafv2WebAclRuleCaptchaConfig;
    /**
    * override_action block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#override_action Wafv2WebAcl#override_action}
    */
    readonly overrideAction?: Wafv2WebAclRuleOverrideAction;
    /**
    * rule_label block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#rule_label Wafv2WebAcl#rule_label}
    */
    readonly ruleLabel?: Wafv2WebAclRuleRuleLabel[] | cdktf.IResolvable;
    /**
    * statement block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#statement Wafv2WebAcl#statement}
    */
    readonly statement: Wafv2WebAclRuleStatement;
    /**
    * visibility_config block
    *
    * Docs at Terraform Registry: {@link https://registry.terraform.io/providers/hashicorp/aws/5.31.0/docs/resources/wafv2_web_acl#visibility_config Wafv2WebAcl#visibility_config}
    */
    readonly visibilityConfig: Wafv2WebAclRuleVisibilityConfig;
}

Workarounds

No response

Anything Else?

No response

References

No response

Help Wanted

• [X] I'm interested in contributing a fix myself

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[ansgarm]

Hi @sheplu 👋

This seems to be similar to #3458. There has been a small performance related change to that resource in CDKTF 0.20.1 (changelog, https://github.com/hashicorp/terraform-cdk/pull/3414) which removes generated types for some attributes of this resource.

In practice this means that managedRuleGroupStatement (and all nested attribute names) would need to be snake-cased to managed_rule_group_statement as there is no more generated class doing that camel-case to snake-case conversion.

My comment on that other issue has an example: https://github.com/hashicorp/terraform-cdk/issues/3458#issuecomment-1905657553

Sorry for the trouble this caused!

[sheplu]

Hi @ansgarm

Thanks for the answer, indeed this is the same issue! I don't know why I was not able to found it while searching. Is there any plan to change that behaviour and back to the previous one to not mix snake-case and camelCase? Also providing the good type as now this is a simple "any" ?

In any case the documentation will need to be updated as the example is now showing something wrong https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl?lang=typescript I guess this is fully automated but if needed I can PR the change in the doc (if you can point me to the right direction)

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.