hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_wafv2_web_acl AWSManagedRulesCommonRuleSet keeps on detecting changes after apply #22678

Closed xtiannano closed 2 years ago

xtiannano commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.7; tried it both on aws v3.58.0 and aws v3.73.0, but the issue still persists.

Affected Resource(s)

Terraform Configuration Files

      + rule {
         + name     = "aws-managed-rules-common-rules"
         + priority = 1

          + override_action {
              + count {}
            }
          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"

                  + excluded_rule {
                      + name = "CrossSiteScripting_BODY"
                    }
                  + excluded_rule {
                      + name = "CrossSiteScripting_COOKIE"
                    }
                  + excluded_rule {
                      + name = "CrossSiteScripting_QUERYARGUMENTS"
                    }
                  + excluded_rule {
                      + name = "CrossSiteScripting_URIPATH"
                    }
                  + excluded_rule {
                      + name = "EC2MetaDataSSRF_BODY"
                    }
                  + excluded_rule {
                      + name = "EC2MetaDataSSRF_COOKIE"
                    }
                  + excluded_rule {
                      + name = "EC2MetaDataSSRF_QUERYARGUMENTS"
                    }
                  + excluded_rule {
                      + name = "EC2MetaDataSSRF_URIPATH"
                    }
                  + excluded_rule {
                      + name = "GenericLFI_BODY"
                    }
                  + excluded_rule {
                      + name = "GenericLFI_QUERYARGUMENTS"
                    }
                  + excluded_rule {
                      + name = "GenericLFI_URIPATH"
                    }
                  + excluded_rule {
                      + name = "GenericRFI_BODY"
                    }
                  + excluded_rule {
                      + name = "GenericRFI_QUERYARGUMENTS"
                    }
                  + excluded_rule {
                      + name = "GenericRFI_URIPATH"
                    }
                  + excluded_rule {
                      + name = "GenericRFI_BODY"
                    }
                  + excluded_rule {
                      + name = "NoUserAgent_HEADER"
                    }
                  + excluded_rule {
                      + name = "RestrictedExtensions_QUERYARGUMENTS"
                    }
                  + excluded_rule {
                      + name = "RestrictedExtensions_URIPATH"
                    }
                  + excluded_rule {
                      + name = "SizeRestrictions_Cookie_HEADER"
                    }
                  + excluded_rule {
                      + name = "SizeRestrictions_QUERYSTRING"
                    }
                  + excluded_rule {
                      + name = "SizeRestrictions_URIPATH"
                    }
                  + excluded_rule {
                      + name = "UserAgent_BadBots_HEADER"
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "aws-managed-rules-common-rules"
              + sampled_requests_enabled   = true
            }
        }
      - rule {
          - name     = "aws-managed-rules-common-rules" -> null
          - priority = 1 -> null

          - override_action {
              - count {}
            }

          - statement {

              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesCommonRuleSet" -> null
                  - vendor_name = "AWS" -> null

                  - excluded_rule {
                      - name = "CrossSiteScripting_BODY" -> null
                    }
                  - excluded_rule {
                      - name = "CrossSiteScripting_COOKIE" -> null
                    }
                  - excluded_rule {
                      - name = "CrossSiteScripting_QUERYARGUMENTS" -> null
                    }
                  - excluded_rule {
                      - name = "CrossSiteScripting_URIPATH" -> null
                    }
                  - excluded_rule {
                      - name = "EC2MetaDataSSRF_BODY" -> null
                    }
                  - excluded_rule {
                      - name = "EC2MetaDataSSRF_COOKIE" -> null
                    }
                  - excluded_rule {
                      - name = "EC2MetaDataSSRF_QUERYARGUMENTS" -> null
                    }
                  - excluded_rule {
                      - name = "EC2MetaDataSSRF_URIPATH" -> null
                    }
                  - excluded_rule {
                      - name = "GenericLFI_BODY" -> null
                    }
                  - excluded_rule {
                      - name = "GenericLFI_QUERYARGUMENTS" -> null
                    }
                  - excluded_rule {
                      - name = "GenericLFI_URIPATH" -> null
                    }
                  - excluded_rule {
                      - name = "GenericRFI_BODY" -> null
                    }
                  - excluded_rule {
                      - name = "GenericRFI_QUERYARGUMENTS" -> null
                    }
                  - excluded_rule {
                      - name = "GenericRFI_URIPATH" -> null
                    }
                  - excluded_rule {
                      - name = "NoUserAgent_HEADER" -> null
                    }
                  - excluded_rule {
                      - name = "RestrictedExtensions_QUERYARGUMENTS" -> null
                    }
                  - excluded_rule {
                      - name = "RestrictedExtensions_URIPATH" -> null
                    }
                  - excluded_rule {
                      - name = "SizeRestrictions_Cookie_HEADER" -> null
                    }
                  - excluded_rule {
                      - name = "SizeRestrictions_QUERYSTRING" -> null
                    }
                  - excluded_rule {
                      - name = "SizeRestrictions_URIPATH" -> null
                    }
                  - excluded_rule {
                      - name = "UserAgent_BadBots_HEADER" -> null
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "aws-managed-rules-common-rules" -> null
              - sampled_requests_enabled   = true -> null
            }
        }

Expected Behavior

After applying it initially, a plan shouldn't be provided

Actual Behavior

After applying, a plan is provided to destroy and create the same rules again

Steps to Reproduce

  1. Create a resource aws_wafv2_web_acl, and define a rule to use a managed_rule_group_statement: AWSManagedRulesCommonRuleSet
  2. Create another resource, aws_wafv2_web_acl_association, referencing an existing AWS ALB to associate.
  3. Run terraform apply

justinretzolk commented 2 years ago

Hey @xtiannano 👋 Thank you for taking the time to raise this. So that we have all of the information we need in order to look into this, can you update the issue description to include the Terraform configuration itself (in addition to the diff that you already included -- thanks for that!) so that we can see how you're defining the resource(s)?

xtiannano commented 2 years ago

@justinretzolk thanks for taking the initiative to start triaging this. After carefully checking the rules, it was just due to a duplicate rule below that was causing the diff on the plan, and after removing the duplicate, it doesn't detect any more changes. Apologies for raising this; I shall go ahead and close this issue.

`- excluded_rule {`
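
The thread above traces the perpetual destroy/create plan to a repeated excluded_rule entry (GenericRFI_BODY appears twice in the create side of the plan). As an added example, not part of this issue or of the provider's own code, here is a small Python pre-apply check that scans the '+' side of `terraform plan` output and reports any excluded_rule name repeated within one managed_rule_group_statement; the plan excerpt it parses is constructed here in the same shape as the one in the issue.

```python
import re
from collections import Counter

# Constructed plan excerpt like the one in this issue; the group lists GenericRFI_BODY twice.
SAMPLE_PLAN = """
      + rule {
          + name     = "aws-managed-rules-common-rules"
          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                  + excluded_rule {
                      + name = "GenericRFI_BODY"
                    }
                  + excluded_rule {
                      + name = "GenericRFI_URIPATH"
                    }
                  + excluded_rule {
                      + name = "GenericRFI_BODY"
                    }
                }
            }
        }
"""

GROUP_RE = re.compile(r'^\s*\+\s*managed_rule_group_statement\s*\{')
EXCLUDED_RE = re.compile(r'^\s*\+\s*excluded_rule\s*\{')
NAME_RE = re.compile(r'^\s*\+\s*name\s*=\s*"([^"]+)"')  # skips vendor_name, metric_name

def excluded_rule_names(plan_text):
    """Map each managed rule group on the '+' side to its excluded_rule names, in order."""
    groups, group, expect_group, in_excluded = {}, None, False, False
    for line in plan_text.splitlines():
        if GROUP_RE.match(line):
            expect_group = True            # next 'name' line is the group's name
        elif EXCLUDED_RE.match(line):
            in_excluded = True             # next 'name' line is an excluded rule
        elif (m := NAME_RE.match(line)):
            if expect_group:
                group, expect_group = m.group(1), False
                groups.setdefault(group, [])
            elif in_excluded and group is not None:
                groups[group].append(m.group(1))
                in_excluded = False
    return groups

def find_duplicate_exclusions(plan_text):
    """Return {group: [repeated excluded_rule names]}; an empty dict means the plan is clean."""
    return {g: d for g, n in excluded_rule_names(plan_text).items()
            if (d := sorted(x for x, c in Counter(n).items() if c > 1))}
```

Run it over `terraform plan -no-color` output before applying; a non-empty result is the duplicate that this issue turned out to be.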

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.