hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_networkfirewall_rule_group add/remove description to existing resource error #27951

Open mike-morris-emis opened 1 year ago

mike-morris-emis commented 1 year ago

Terraform Core Version

v4.40.0

AWS Provider Version

v4.40.0

Affected Resource(s)

aws_networkfirewall_rule_group

Expected Behavior

Add or remove a description on an existing aws_networkfirewall_rule_group

Actual Behavior

Error within terraform when applying; plan passes.

 Error: error updating NetworkFirewall Rule Group (arn:aws:network-firewall:eu-west-2:***:stateful-rulegroup/example): InvalidRequestException: Exactly one of Rules or RuleGroup must be set

Relevant Error/Panic Output Snippet

Plan: 0 to add, 1 to change, 0 to destroy.
aws_networkfirewall_rule_group.example: Modifying... [id=arn:aws:network-firewall:eu-west-2:***:stateful-rulegroup/example]
╷
│ Error: error updating NetworkFirewall Rule Group (arn:aws:network-firewall:eu-west-2:***:stateful-rulegroup/example): InvalidRequestException: Exactly one of Rules or RuleGroup must be set
│ 
│   with aws_networkfirewall_rule_group.example,
│   on network-firewall.tf line 509, in resource "aws_networkfirewall_rule_group" "example":
│  509: resource "aws_networkfirewall_rule_group" "example" {
│
╵

Terraform Configuration Files

Before: existing resource created

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  // description = "permits all traffic from source"
  name = "example"
  type = "STATEFUL"
  rule_group {
    rules_source {
      stateful_rule {
        action = "DROP"
        header {
          protocol         = "IP"
          source           = "99.88.0.0/24"
          destination      = "Any"
          source_port      = "Any"
          destination_port = "Any"
          direction        = "ANY"
        }
        rule_option {
          keyword = "sid:31"
        }
      }

    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

After: add description argument and apply

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  description = "permits all traffic from source"
  name = "example"
  type = "STATEFUL"
  rule_group {
    rules_source {
      stateful_rule {
        action = "DROP"
        header {
          protocol         = "IP"
          source           = "99.88.0.0/24"
          destination      = "Any"
          source_port      = "Any"
          destination_port = "Any"
          direction        = "ANY"
        }
        rule_option {
          keyword = "sid:31"
        }
      }

    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

Steps to Reproduce

adding a description

  1. create aws_networkfirewall_rule_group, without a description via tf
  2. add a description argument to tf iac
  3. terraform plan success
  4. terraform apply, error

removing a description

  1. create aws_networkfirewall_rule_group, with a description via tf
  2. delete the description argument in tf iac
  3. terraform plan success
  4. terraform apply, error

Debug Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_networkfirewall_rule_group.example will be updated in-place
  ~ resource "aws_networkfirewall_rule_group" "example" {
      + description  = "permits all traffic from source"
        id           = "arn:aws:network-firewall:eu-west-2:***:stateful-rulegroup/example"
        name         = "example"
        tags         = {
            "Tag1" = "Value1"
            "Tag2" = "Value2"
        }
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
aws_networkfirewall_rule_group.example: Modifying... [id=arn:aws:network-firewall:eu-west-2:***:stateful-rulegroup/example]
╷
│ Error: error updating NetworkFirewall Rule Group (arn:aws:network-firewall:eu-west-2:***:stateful-rulegroup/example): InvalidRequestException: Exactly one of Rules or RuleGroup must be set
│ 
│   with aws_networkfirewall_rule_group.example,
│   on network-firewall.tf line 509, in resource "aws_networkfirewall_rule_group" "example":
│  509: resource "aws_networkfirewall_rule_group" "example" {
│ 
╵
Releasing state lock. This may take a few moments...
Error: Process completed with exit code 1.

Panic Output

No response

Important Factoids

If we manually add the description via the AWS console, then when terraform plan is run it is happy and says 0 changes.

References

No response

Would you like to implement a fix?

No response
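As an added illustration (not the provider's code and not the AWS SDK type), a small Go model of the constraint behind the error above: an update builder that only sends the attributes that changed carries no rule definition on a description-only change, while one that always includes the current rule_group satisfies "exactly one of Rules or RuleGroup". That the provider's update path behaves like the first builder is an assumption here, not something this issue confirms.

```go
package main

import "errors"

// Constructed stand-in for the UpdateRuleGroup request (not the AWS SDK type):
// the rule definition goes in either RuleGroup or Rules, and exactly one must be set.
type UpdateInput struct {
	Description *string
	RuleGroup   *string // structured rule_group block
	Rules       *string // raw rules string
}

// State is what Terraform holds for the resource before and after the edit.
type State struct {
	Description string
	RuleGroup   string
}

var ErrExactlyOne = errors.New("InvalidRequestException: Exactly one of Rules or RuleGroup must be set")

// Validate enforces the same constraint as the service, so a bad request is caught before apply.
func Validate(in UpdateInput) error {
	if (in.RuleGroup != nil) == (in.Rules != nil) {
		return ErrExactlyOne
	}
	return nil
}

// BuildChangedOnly sends only the attributes that differ. A description-only
// change therefore carries no rule definition and trips the constraint.
func BuildChangedOnly(prev, next State) UpdateInput {
	var in UpdateInput
	if prev.Description != next.Description {
		in.Description = &next.Description
	}
	if prev.RuleGroup != next.RuleGroup {
		in.RuleGroup = &next.RuleGroup
	}
	return in
}

// BuildCarryingRules always includes the current rule definition, so a
// metadata-only update (adding or removing the description) is still accepted.
func BuildCarryingRules(prev, next State) UpdateInput {
	in := BuildChangedOnly(prev, next)
	if in.RuleGroup == nil && in.Rules == nil {
		in.RuleGroup = &next.RuleGroup
	}
	return in
}
```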

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

Koren-Shoshan-Via commented 1 year ago

Also has the same issue.