hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[WAFv2] Changing the aws_wafv2_rule_group capacity results in WAFDuplicateItemException #21577

Closed wenindoubt closed 1 year ago

wenindoubt commented 2 years ago

Terraform Configuration Files

resource "aws_wafv2_rule_group" "embargoed_restrictions" {
  name  = "embargoed_ips_and_countries"
  scope = "CLOUDFRONT"
  capacity = 10 # WCUs reserved for the group; the WAFv2 API only accepts this at creation, so any change forces replacement

  rule {
    name     = "embargoed_ips"
    priority = 100

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.embargoed_ips.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "embargoed_ips"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "embargoed_countries"
    priority = 200

    action {
      block {}
    }

    statement {
      geo_match_statement {
        country_codes = toset(var.embargoed_countries)
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "embargoed_countries"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "embargoed_restrictions"
    sampled_requests_enabled   = true
  }
}

Debug Output

https://gist.github.com/wenindoubt/af67b4d3f041dae5d4c27b87e45abe6d

Expected Behavior

My aws_wafv2_rule_group was originally deployed with a capacity of 5. After changing the capacity to 2, I expect aws_wafv2_rule_group to be updated in-place to 2.

Actual Behavior

Terraform will perform the following actions:

  # aws_wafv2_rule_group.embargoed_restrictions must be replaced
+/- resource "aws_wafv2_rule_group" "embargoed_restrictions" {
      ~ arn        = "arn:aws:wafv2:us-east-1:865412956762:global/rulegroup/embargoed_ips_and_countries/436fc723-75d1-4a55-9dbb-a1c00ba0f522" -> (known after apply)
      ~ capacity   = 10 -> 2 # forces replacement
      ~ id         = "436fc723-75d1-4a55-9dbb-a1c00ba0f522" -> (known after apply)
      ~ lock_token = "4e64d77d-6af7-4329-9e0a-e3815e24ad62" -> (known after apply)
        name       = "embargoed_ips_and_countries"
      - tags       = {} -> null
      ~ tags_all   = {} -> (known after apply)
        # (1 unchanged attribute hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_wafv2_web_acl.embargoed_restrictions will be updated in-place
  ~ resource "aws_wafv2_web_acl" "embargoed_restrictions" {
        id         = "3aad4a8a-c91b-4d24-93db-2b5ed7bb07e5"
        name       = "embargoed_restrictions"
        tags       = {}
        # (5 unchanged attributes hidden)

      - rule {
          - name     = "embargoed_restrictions" -> null
          - priority = 100 -> null

          - override_action {
              - count {}
            }

          - statement {

              - rule_group_reference_statement {
                  - arn = "arn:aws:wafv2:us-east-1:865412956762:global/rulegroup/embargoed_ips_and_countries/436fc723-75d1-4a55-9dbb-a1c00ba0f522" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "embargoed_restrictions" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "embargoed_restrictions"
          + priority = 100

          + override_action {
              + count {}
            }

          + statement {

              + rule_group_reference_statement {
                  + arn = (known after apply)
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "embargoed_restrictions"
              + sampled_requests_enabled   = true
            }
        }

        # (2 unchanged blocks hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Do you want to perform these actions in workspace "dev"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_wafv2_rule_group.embargoed_restrictions: Creating...
╷
│ Error: Error creating WAFv2 RuleGroup: WAFDuplicateItemException: AWS WAF couldn’t perform the operation because some resource in your request is a duplicate of an existing one.
│
│   with aws_wafv2_rule_group.embargoed_restrictions,
│   on main.tf line 15, in resource "aws_wafv2_rule_group" "embargoed_restrictions":
│   15: resource "aws_wafv2_rule_group" "embargoed_restrictions" {
│
╵
Releasing state lock. This may take a few moments...

Steps to Reproduce

  1. terraform apply with the capacity as 5
  2. Change capacity to anything else; e.g. 2
  3. terraform apply again
  4. Error! WAFDuplicateItemException


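Added example, not code from the reporter or from the provider maintainers. The plan above shows why the apply fails: `capacity` is only accepted by the WAFv2 API when a rule group is created, so the provider has to replace the resource, and the `+/-` marker means the replacement is created before the old group is destroyed. Because `name` is unchanged, the create call asks for a second `embargoed_ips_and_countries` in the same scope while the first still exists, which WAF rejects as a duplicate. The pattern below ties the name to the capacity so that a capacity change also renames the group, and keeps `create_before_destroy` so the web ACL is repointed to the new group before the old one is deleted and the embargo rules never stop being enforced. Assumed for illustration: the variable name `rule_group_capacity`, the `-<capacity>` name suffix, the 1..1500 WCU bound, and the constructed TEST-NET address in the IP set; the geo-match rule from the original report is omitted to keep the example short and would be added back unchanged.

```hcl
# Added example (not from the issue or the provider). Assumed names:
# var.rule_group_capacity, the "-<capacity>" name suffix, the sample address.

variable "rule_group_capacity" {
  type    = number
  default = 10 # WCUs; immutable once the rule group exists

  validation {
    condition     = var.rule_group_capacity >= 1 && var.rule_group_capacity <= 1500
    error_message = "A WAFv2 rule group holds between 1 and 1500 WCUs."
  }
}

resource "aws_wafv2_ip_set" "embargoed_ips" {
  name               = "embargoed_ips"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"] # constructed sample range (TEST-NET-3)
}

resource "aws_wafv2_rule_group" "embargoed_restrictions" {
  # The capacity is part of the name, so a capacity change also renames the
  # group and the replacement can be created while the old one still exists,
  # avoiding WAFDuplicateItemException.
  name     = "embargoed_ips_and_countries-${var.rule_group_capacity}"
  scope    = "CLOUDFRONT"
  capacity = var.rule_group_capacity

  rule {
    name     = "embargoed_ips"
    priority = 100

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.embargoed_ips.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "embargoed_ips"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "embargoed_restrictions"
    sampled_requests_enabled   = true
  }

  lifecycle {
    # Create the replacement first. Terraform then updates the web ACL below
    # to the new ARN and deletes the deposed group last, so blocking never
    # lapses during the change.
    create_before_destroy = true
  }
}

resource "aws_wafv2_web_acl" "embargoed_restrictions" {
  name  = "embargoed_restrictions"
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "embargoed_restrictions"
    priority = 100

    # none {} keeps the rule group's block actions. The count {} override in
    # the plan above would only count embargoed traffic, not block it.
    override_action {
      none {}
    }

    statement {
      rule_group_reference_statement {
        arn = aws_wafv2_rule_group.embargoed_restrictions.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "embargoed_restrictions"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "embargoed_restrictions_acl"
    sampled_requests_enabled   = true
  }
}
```

With this layout, changing `rule_group_capacity` produces a plan that creates the new rule group, updates the web ACL in place, and destroys the old group, instead of failing on the duplicate name. The same idea works with a `random_id` keyed on the capacity if a numeric suffix in the name is undesirable. The `override_action` point is separate from the bug but worth checking in the reporter's web ACL: as shown in the plan, the rule group is referenced with `count {}`, so its block rules are not actually blocking anything.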
shraddha-sq commented 2 years ago

Hello, checking in here is there a workaround for this issue ?

wenindoubt commented 2 years ago

> Hello, checking in here is there a workaround for this issue?

Thankfully, I haven't had to change my WAF since it got deployed. So technically, no workaround from me.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.