hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_wafv2_web_acl supports rate_based_statement, but aws_wafv2_rule_group does not #14326

Closed leecookson closed 4 years ago

leecookson commented 4 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform version: 0.12.26
AWS provider version: 2.70.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_wafv2_rule_group" "rate_rule_group" {
  name     = "IPRateLimitWAFRuleGroup"
  scope    = "CLOUDFRONT"
  capacity = 5

  rule {
    name     = "IPRateLimitWAFRule"
    priority = 4

    action {
      count {}
    }

    statement {
      rate_based_statement {
        limit              = var.ip_rate_limit
        aggregate_key_type = "IP"
      }
    }
  }
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

Terraform documentation indicates this statement type is not supported, so the result is expected relative to docs, but not to AWS functionality. Since AWS supports this, I expect it to be usable within aws_wafv2_rule_group.

https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-rule-group.html

Search for RateBasedStatement

Actual Behavior


  on ../../tf-waf-common/module/rate-limit-rule/module.tf line 57, in resource "aws_wafv2_rule_group" "rate_rule_group":
  15:       rate_based_statement {

Blocks of type "rate_based_statement" are not expected here.

Steps to Reproduce

  1. terraform validate

Important Factoids

N/A

References

anGie44 commented 4 years ago

Hi @leecookson, thank you for creating this issue! The PR linked above #14073 should address this discrepancy you are seeing in the rule_group resource (even though the PR only calls out the web_acl directly). A somewhat similar behavior https://github.com/terraform-providers/terraform-provider-aws/issues/14035 is reported on update of WebACLs such that the rate_based_statement is missing on update as well, though it is not reported at plan-time like you see here in the rule_group where the schema is missing this statement type.

anGie44 commented 4 years ago

Hi again @leecookson 👋 When adding support for this statement, it seems to result in a similar response as aws/aws-cli#5015, so it might not be feasible through the provider's use of the AWS SDK (we're on v1.33.21) as expected (or even in the AWS console: the configuration does pass validation, but when it comes time to click the Create Rule group button, the same error message appears). e.g. error from SDK:

stderr:

        Error: Error creating WAFv2 RuleGroup: WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RATE_BASED_STATEMENT, parameter: RateBasedStatement
        {
          RespMetadata: {
            StatusCode: 400,
            ...
          },
          Field: "RATE_BASED_STATEMENT",
          Message_: "Error reason: A reference in your rule statement is not valid., field: RATE_BASED_STATEMENT, parameter: RateBasedStatement",
          Parameter: "RateBasedStatement",
          Reason: "A reference in your rule statement is not valid."
        }

I'm going to create an issue, if there isn't one already, in the aws-go-sdk project to see if they can confirm or know a workaround to what I'm seeing above.

For tracking: SDK Issue https://github.com/aws/aws-sdk-go/issues/3481

anGie44 commented 4 years ago

Hi again @leecookson! With the answer we got back from aws/aws-sdk-go#3481, I'm going to close this as we're limited by the upstream service, unfortunately, but if in the future support is added, feel free to revisit this one or re-open as needed.
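Since the service rejects a rate-based statement inside a rule group, the place the provider does accept it is the web ACL itself, as the issue title notes. The following configuration is an added example, not code from the issue or from the provider project, showing the same IP rate limit declared directly in aws_wafv2_web_acl. The resource and metric names, the default limit of 2000 requests per five-minute window, and the CloudFront scope are assumed values; visibility_config is required by the provider on both the ACL and each rule.

```hcl
# Added example (not from the issue): the rate-based rule lives in the web ACL,
# where aws_wafv2_web_acl accepts rate_based_statement, instead of in a rule
# group. All names and the limit below are assumed values.
variable "ip_rate_limit" {
  type    = number
  default = 2000 # requests per 5-minute window per source IP (assumed value)
}

resource "aws_wafv2_web_acl" "rate_limited" {
  name  = "IPRateLimitWebACL"
  scope = "CLOUDFRONT" # CLOUDFRONT-scoped resources must be created in us-east-1

  default_action {
    allow {}
  }

  rule {
    name     = "IPRateLimitWAFRule"
    priority = 4

    # Count first: review sampled requests and the CloudWatch metric to confirm
    # the limit matches real traffic, then switch count {} to block {}.
    action {
      count {}
    }

    statement {
      rate_based_statement {
        limit              = var.ip_rate_limit
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "IPRateLimitWAFRule"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "IPRateLimitWebACL"
    sampled_requests_enabled   = true
  }
}
```

Rules from a separately managed aws_wafv2_rule_group can still be attached to the same web ACL through a rule_group_reference_statement rule; only the rate-based rule needs to be declared at the ACL level.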

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!