hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.81k stars 9.16k forks

aws_waf_web_acl: data parameter in field_to_match block is case sensitive & it shows changes in second terraform apply when lowercase value is not applied #24818

Closed chennagouda14 closed 4 months ago

chennagouda14 commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.31 AWS Provider v3.70.0

Affected Resource(s)

Details

• The parameter data in field_to_match block is used to specify header value.
• It has been observed that the data parameter is case sensitive when the value is applied through terraform, and after first terraform apply AWS tries to convert it into lowercase format if the applied value is not in lowercase. If second terraform apply is executed, then a change will be detected if the applied value for data parameter is not in lowercase.
• On AWS console, header value is applied by selecting values from the dropdown list & finally it is represented in lowercase.
• From AWS CLI & API, data parameter has been configured as case insensitive.

image

Terraform Configuration Files

When data parameter in field_to_match block is not specified with lowercase value

resource "aws_waf_web_acl" "test" {
  name        = "waf-web-acl-01"
  metric_name = "wafmetric"

  default_action {
    type = "ALLOW"
  }

  logging_configuration {
    log_destination = "arn:aws:firehose:us-east-1:XXXX:deliverystream/aws-waf-logs-kinesis-firehose-stream-01"

    redacted_fields {
      field_to_match {
        data = "User-Agent"
        type = "HEADER"
      }
    }
  }
}

Expected Behavior

First terraform apply should be successful, & second terraform apply should not detect any change even if the applied value is not in lowercase for data parameter, as it is case insensitive.

Actual Behavior

First terraform apply is successfully done. As shown in the screenshot below, data parameter is applied with value User-Agent, which is not in lowercase. Terraform has applied the same value in first terraform apply, but actually the value is applied in lowercase on AWS console.

image

Second Terraform apply output:

image

If second terraform apply is executed, then a change will be detected if the input value provided to data parameter is not in lowercase, as shown in the above output. Therefore, data parameter is case sensitive in terraform. Ideally it should be case insensitive, which will avoid the changes happening in second terraform apply.

Steps to Reproduce

  1. terraform apply
  2. terraform apply (without any modifications made to the configuration)

Important Factoids

References

• Terraform reference https://registry.terraform.io/providers/hashicorp/aws/3.70.0/docs/resources/waf_web_acl
• AWS CLI command 'put-logging-configuration' reference https://docs.aws.amazon.com/cli/latest/reference/waf/put-logging-configuration.html
• AWS API reference for 'FieldToMatch block' https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_FieldToMatch.html
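The second-apply change reported above, reproduced as an added Go example that is not part of the original post and is not the provider's code: the redacted fields are compared as sets, first by exact value and then with data lowercased. The names FieldToMatch, Diff, exact and canonical are hypothetical, the sample values are constructed, and the example assumes, as the issue reports, that AWS returns data in lowercase.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FieldToMatch mirrors the type/data pair of a field_to_match block.
type FieldToMatch struct{ Type, Data string }

// exact keys a block on its literal value (the behaviour the issue reports).
func exact(f FieldToMatch) string { return f.Type + "/" + f.Data }

// canonical lowercases Data, on the assumption (taken from the issue) that
// AWS stores and returns the value in lowercase.
func canonical(f FieldToMatch) string { return f.Type + "/" + strings.ToLower(f.Data) }

// Diff compares configured and remote blocks as sets under the given key
// function. It returns the keys to add and to remove, sorted for stable output.
func Diff(config, remote []FieldToMatch, key func(FieldToMatch) string) (add, remove []string) {
	set := func(fs []FieldToMatch) map[string]bool {
		s := make(map[string]bool, len(fs))
		for _, f := range fs {
			s[key(f)] = true
		}
		return s
	}
	c, r := set(config), set(remote)
	for k := range c {
		if !r[k] {
			add = append(add, k)
		}
	}
	for k := range r {
		if !c[k] {
			remove = append(remove, k)
		}
	}
	sort.Strings(add)
	sort.Strings(remove)
	return add, remove
}

func main() {
	config := []FieldToMatch{{"HEADER", "User-Agent"}, {"HEADER", "cookie"}} // constructed
	remote := []FieldToMatch{{"HEADER", "user-agent"}}                      // constructed
	fmt.Println(Diff(config, remote, exact))     // case-only change reported as add + remove
	fmt.Println(Diff(config, remote, canonical)) // only the real change (cookie) remains
}
```

With the canonical key, a case-only difference no longer appears as a change, while a redacted field that is really missing from the remote logging configuration still does.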

chennagouda14 commented 2 years ago

@justinretzolk Any updates on this issue?

justinretzolk commented 2 years ago

Hey @chennagouda14 👋 Thank you for taking the time to raise this! Unfortunately, I'm not able to provide an estimate on when this will be looked into due to the potential of shifting priorities (we prioritize work by count of ":+1:" reactions, as well as a few other things). For more information on how we prioritize, check out our prioritization guide.

github-actions[bot] commented 5 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 3 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.