hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

wafV2 byte_match_statement not working ? #16351

Closed CKozanecki closed 3 years ago

CKozanecki commented 3 years ago


Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5

Affected Resource(s)

aws_wafv2_web_acl byte_match_statement

Terraform Configuration Files

resource "aws_wafv2_web_acl" "wafacl" {
  name        = var.waf_name
  description = "Waf ruleset for protection of ${var.waf_name}"
  scope       = "REGIONAL"
  tags        = merge(var.common_tags, map("Name", var.waf_name))

  default_action {
    block {}
  }

  rule {
    name = var.rule_name
    priority = 0
    action {
      count {}
    }
    statement {
      byte_match_statement {
        field_to_match {
          single_header {
            name = "x-api-key"
          }
        }
        search_string         = var.api_key_id
        positional_constraint = "EXACTLY"
        text_transformation {
          type = "NONE"
          priority = 0
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.waf_name}-acl"
      sampled_requests_enabled   = true
    }
  }
}

Expected Behavior

I have set every property and still get the same behavior. In the display, I don't have override_action because it didn't make a difference if it was there or not. No matter what I try this keeps giving the same error, but I would expect it would create a new waf rule.

Actual Behavior

Error: Required attribute is not set

  on waf/main.tf line 1, in resource "aws_wafv2_web_acl" "wafacl":
   1: resource "aws_wafv2_web_acl" "wafacl" {

Steps to Reproduce

  1. terraform apply

References

Pulling my information from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl. Found a similar issue at https://github.com/hashicorp/terraform-provider-aws/issues/15576 that was closed by the author with no explanation of why.

CKozanecki commented 3 years ago

Would love some help figuring out what I am doing wrong on this if I am the cause.

anGie44 commented 3 years ago

Hi @CKozanecki, thank you for raising this issue! Making a quick initial pass here, I see that the nested block field in default_action should be set with the config block syntax (ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#default-action), e.g.

default_action {
  block {}
}

hope this helps in the meantime!

CKozanecki commented 3 years ago

Thanks @anGie44, that was a copy paste issue from source control, but I already fixed that one. I will update with what is on my server

anGie44 commented 3 years ago

Sounds good! The other thing I'm noting in the example provided is that the resource needs a visibility_config in addition to the one inside of the rule block, so something like

resource "aws_wafv2_web_acl" "wafacl" {
  # other config
  rule {
    visibility_config {
      ...
    }
  }
  visibility_config {
  ...
  }
}

Though it could be a copy-paste issue as well?
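For reference, the complete resource with both visibility_config blocks, as an added example that is not part of the original issue or the provider's documentation. It keeps the variables from the reporter's configuration (var.waf_name, var.rule_name, var.api_key_id, var.common_tags) and writes the tags as an object literal instead of the deprecated map() function.

```hcl
resource "aws_wafv2_web_acl" "wafacl" {
  name        = var.waf_name
  description = "Waf ruleset for protection of ${var.waf_name}"
  scope       = "REGIONAL"
  tags        = merge(var.common_tags, { Name = var.waf_name })

  # Requests matched by no rule are blocked (default-deny).
  default_action {
    block {}
  }

  rule {
    name     = var.rule_name
    priority = 0

    # count {} only records matches; the default block action still applies
    # to every request. Switch to allow {} once sampled requests in CloudWatch
    # confirm the header comparison matches what you expect.
    action {
      count {}
    }

    statement {
      byte_match_statement {
        field_to_match {
          single_header {
            name = "x-api-key"
          }
        }
        search_string         = var.api_key_id
        positional_constraint = "EXACTLY"
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }

    # Rule-level metrics (already present in the reported configuration).
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.rule_name}-rule"
      sampled_requests_enabled   = true
    }
  }

  # Web ACL-level metrics: this block is required by the provider, and its
  # absence is what produces "Required attribute is not set" on line 1.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.waf_name}-acl"
    sampled_requests_enabled   = true
  }
}
```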

CKozanecki commented 3 years ago

Looks like that is the answer! There wasn't an example in the documentation for my type of statement, and I didn't notice that it requires one for the IAM and the RULE.

Thank you very much @anGie44 !

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!