Closed 88lexd closed 1 year ago
I have found I also have this issue when adding or removing managed rule sets in an existing ACL. A good indication that it's going to die with "Error: Provider produced inconsistent final plan" seems to be that it will show rules that need to be both removed and re-added again even though those rules haven't changed.
The plan output below results from adding AWSManagedRulesAnonymousIpList to an ACL that had AWSManagedRulesAmazonIpReputationList, AWSManagedRulesATPRuleSet and AWSManagedRulesBotControlRuleSet.
Other observations I have made are:
Plan output after adding AWSManagedRulesAnonymousIpList:
# aws_wafv2_web_acl.web_waf will be updated in-place
~ resource "aws_wafv2_web_acl" "web_waf" {
id = "028de6e7-0a08-4b34-b8af-e027794232eb"
name = "waf_test_web_waf"
tags = {
"Environment" = "waf-test"
"Project" = "waf"
}
# (6 unchanged attributes hidden)
- rule {
- name = "AWS-AWSManagedRulesATPRuleSet-waf-test" -> null
- priority = 35 -> null
- override_action {
- none {}
}
- statement {
- managed_rule_group_statement {
- name = "AWSManagedRulesATPRuleSet" -> null
- vendor_name = "AWS" -> null
- managed_rule_group_configs {
- login_path = "/Security/login" -> null
}
- managed_rule_group_configs {
- payload_type = "FORM_ENCODED" -> null
}
- managed_rule_group_configs {
- username_field {
- identifier = "Email" -> null
}
}
- managed_rule_group_configs {
- password_field {
- identifier = "Password" -> null
}
}
}
}
- visibility_config {
- cloudwatch_metrics_enabled = true -> null
- metric_name = "AWS-AWSManagedRulesATPRuleSet-waf-test" -> null
- sampled_requests_enabled = true -> null
}
}
+ rule {
+ name = "AWS-AWSManagedRulesATPRuleSet-waf-test"
+ priority = 35
+ override_action {
+ none {}
}
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesATPRuleSet"
+ vendor_name = "AWS"
+ managed_rule_group_configs {
+ login_path = "/Security/login"
}
+ managed_rule_group_configs {
+ payload_type = "FORM_ENCODED"
}
+ managed_rule_group_configs {
+ username_field {
+ identifier = "Email"
}
}
+ managed_rule_group_configs {
+ password_field {
+ identifier = "Password"
}
}
}
}
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "AWS-AWSManagedRulesATPRuleSet-waf-test"
+ sampled_requests_enabled = true
}
}
- rule {
- name = "AWS-AWSManagedRulesAmazonIpReputationList-waf-test" -> null
- priority = 32 -> null
- override_action {
- none {}
}
- statement {
- managed_rule_group_statement {
- name = "AWSManagedRulesAmazonIpReputationList" -> null
- vendor_name = "AWS" -> null
}
}
- visibility_config {
- cloudwatch_metrics_enabled = true -> null
- metric_name = "AWS-AWSManagedRulesAmazonIpReputationList-waf-test" -> null
- sampled_requests_enabled = true -> null
}
}
+ rule {
+ name = "AWS-AWSManagedRulesAmazonIpReputationList-waf-test"
+ priority = 32
+ override_action {
+ none {}
}
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesAmazonIpReputationList"
+ vendor_name = "AWS"
}
}
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "AWS-AWSManagedRulesAmazonIpReputationList-waf-test"
+ sampled_requests_enabled = true
}
}
+ rule {
+ name = "AWS-AWSManagedRulesAnonymousIpList-waf-test"
+ priority = 33
+ override_action {
+ none {}
}
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesAnonymousIpList"
+ vendor_name = "AWS"
+ rule_action_override {
+ name = "HostingProviderIPList"
+ action_to_use {
+ count {
}
}
}
}
}
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "AWS-AWSManagedRulesAnonymousIpList-waf-test"
+ sampled_requests_enabled = true
}
}
- rule {
- name = "AWS-AWSManagedRulesBotControlRuleSet-waf-test" -> null
- priority = 36 -> null
- override_action {
- none {}
}
- statement {
- managed_rule_group_statement {
- name = "AWSManagedRulesBotControlRuleSet" -> null
- vendor_name = "AWS" -> null
- rule_action_override {
- name = "CategoryContentFetcher" -> null
- action_to_use {
- count {
}
}
}
- rule_action_override {
- name = "SignalAutomatedBrowser" -> null
- action_to_use {
- count {
}
}
}
- rule_action_override {
- name = "SignalNonBrowserUserAgent" -> null
- action_to_use {
- count {
}
}
}
}
}
- visibility_config {
- cloudwatch_metrics_enabled = true -> null
- metric_name = "AWS-AWSManagedRulesBotControlRuleSet-waf-test" -> null
- sampled_requests_enabled = true -> null
}
}
+ rule {
+ name = "AWS-AWSManagedRulesBotControlRuleSet-waf-test"
+ priority = 36
+ override_action {
+ none {}
}
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesBotControlRuleSet"
+ vendor_name = "AWS"
+ rule_action_override {
+ name = "CategoryContentFetcher"
+ action_to_use {
+ count {
}
}
}
+ rule_action_override {
+ name = "SignalAutomatedBrowser"
+ action_to_use {
+ count {
}
}
}
+ rule_action_override {
+ name = "SignalNonBrowserUserAgent"
+ action_to_use {
+ count {
}
}
}
}
}
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "AWS-AWSManagedRulesBotControlRuleSet-waf-test"
+ sampled_requests_enabled = true
}
}
# (14 unchanged blocks hidden)
}
As above, when it shows rules that need to be both removed and re-added again, it seems to result in the same outcome:
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for aws_wafv2_web_acl.web_waf to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element
Version info:
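The warning sign described in the comment above (rules that the plan removes and re-adds without any change) can be checked mechanically before running apply. The script below is an added example written for this thread, not code from the issue reporter or from the AWS provider. It parses the human-readable output of terraform plan -no-color, pairs every "- rule {" block with the "+ rule {" block of the same name, reports which rules are identical on both sides (churned), which genuinely changed, which are only added or removed, and which of the added rules carry a rule_action_override block, the construct the original report ties the failure to. SAMPLE_PLAN is a constructed, shortened plan modelled on the excerpt above; the only assumption beyond the plan format itself is that a rule's own name line appears at the top level of its block, which is how Terraform prints it.

```python
"""Flag WAF rules that a Terraform plan removes and re-adds unchanged.

Added example for this thread, not code from the issue reporter or the AWS provider.
It parses `terraform plan -no-color` text and pairs each `- rule {` block with the
`+ rule {` block of the same name. SAMPLE_PLAN is a constructed, shortened plan
modelled on the excerpt posted in the thread.
"""
import re

BLOCK_START = re.compile(r"^\s*([-+])\s+rule\s*\{\s*$")
NAME_LINE = re.compile(r'^name\s*=\s*"([^"]*)"$')

SAMPLE_PLAN = """\
  ~ resource "aws_wafv2_web_acl" "web_waf" {
      - rule {
          - name     = "AWS-AWSManagedRulesAmazonIpReputationList-waf-test" -> null
          - priority = 32 -> null
        }
      + rule {
          + name     = "AWS-AWSManagedRulesAmazonIpReputationList-waf-test"
          + priority = 32
        }
      + rule {
          + name     = "AWS-AWSManagedRulesAnonymousIpList-waf-test"
          + priority = 33
          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAnonymousIpList"
                  + vendor_name = "AWS"
                  + rule_action_override {
                      + name = "HostingProviderIPList"
                      + action_to_use {
                          + count {}
                        }
                    }
                }
            }
        }
      - rule {
          - name     = "AWS-AWSManagedRulesBotControlRuleSet-waf-test" -> null
          - priority = 36 -> null
        }
      + rule {
          + name     = "AWS-AWSManagedRulesBotControlRuleSet-waf-test"
          + priority = 37
        }
    }
"""

def _normalize(line: str) -> str:
    """Drop the diff marker, the `-> null` suffix and alignment whitespace."""
    line = re.sub(r"^\s*[-+~]?\s*", "", line)
    return " ".join(re.sub(r"\s*->\s*null\s*$", "", line).split())

def _brace_delta(line: str) -> int:
    """Net brace depth change, ignoring braces inside quoted strings."""
    unquoted = re.sub(r'"[^"]*"', '""', line)
    return unquoted.count("{") - unquoted.count("}")

def parse_rule_blocks(plan_text: str) -> dict[str, dict[str, list[str]]]:
    """Map side ('-' or '+') -> rule name -> normalized body lines of that rule block."""
    blocks: dict[str, dict[str, list[str]]] = {"-": {}, "+": {}}
    lines, i = plan_text.splitlines(), 0
    while i < len(lines):
        start = BLOCK_START.match(lines[i])
        i += 1
        if not start:
            continue
        depth, name, body = 1, None, []
        while i < len(lines) and depth > 0:
            text = _normalize(lines[i])
            if depth == 1 and name is None and NAME_LINE.match(text):
                name = NAME_LINE.match(text).group(1)  # the rule's own name, not a nested one
            depth += _brace_delta(lines[i])
            if depth > 0:  # the rule block's closing brace is not part of its body
                body.append(text)
            i += 1
        if name is not None:
            blocks[start.group(1)][name] = body
    return blocks

def analyze_plan_text(plan_text: str) -> dict[str, list[str]]:
    """Classify each rule the plan touches; 'churned' means identical on both sides."""
    blocks = parse_rule_blocks(plan_text)
    removed, added = blocks["-"], blocks["+"]
    report: dict[str, list[str]] = {"churned": [], "modified": [], "added": [], "removed": [], "with_override": []}
    for name in sorted(removed.keys() | added.keys()):
        if name in removed and name in added:
            report["churned" if removed[name] == added[name] else "modified"].append(name)
        else:
            report["added" if name in added else "removed"].append(name)
        # The original report ties the failure to rules that use rule_action_override.
        if any(ln.startswith("rule_action_override {") for ln in added.get(name, [])):
            report["with_override"].append(name)
    return report

if __name__ == "__main__":
    for kind, names in analyze_plan_text(SAMPLE_PLAN).items():
        print(f"{kind:14}{', '.join(names) or '-'}")
```

A non-empty "churned" list is the pattern the comment above associates with the apply-time failure. The text output is parsed rather than terraform show -json because the JSON plan only carries the full before and after values of the rule set and does not mark which set elements the provider intends to replace.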
There are several bugs opened that look related to this issue. I was in the same boat having to taint the existing resource to get it to apply. The comment in issue 28191 resolved it for me with AWS provider 4.5x. Hope it helps. Kudos to the author.
https://github.com/hashicorp/terraform-provider-aws/issues/28191#issuecomment-1398853194
Did this ever get resolved? I still can't create a dynamic block with "rule_action_override", and I'm using AWS Provider 4.58.0.
No :(
I got my issue resolved with a little help from a guy on Reddit. Here's a great example using a dynamic block with "rule_action_override". Thank you Trussworks. I'm using AWS Provider 5.4.0 and Terraform 1.50.
Check this out: https://github.com/trussworks/terraform-aws-wafv2/blob/main/main.tf#L47-L62
NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).
I am still facing the same issue by using my test code above to reproduce this issue. I am using the aws provider v5.8.0
$ terraform version
Terraform v1.3.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.8.0
Unfortunately, I still cannot reproduce the bug. See exactly what I did below and let me know if I've missed something.
I believe this is fixed in Terraform v1.4+. Can you try on Terraform 1.4+?
Terraform v1.5.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.7.0
Step 1: Apply this:
variable "rulesets" {
  type = any
  default = [
    {
      rule_name               = "AWSManagedRulesKnownBadInputsRuleSet"
      priority                = 1
      rules_override_to_count = ["Log4JRCE_QUERYSTRING"]
    }
  ]
}

resource "aws_wafv2_web_acl" "test" {
  scope = "REGIONAL"
  name  = "issue28672"

  default_action {
    allow {}
  }

  #######################
  # Begin Rules
  dynamic "rule" {
    for_each = { for this in var.rulesets : this.rule_name => this }
    content {
      name     = rule.key
      priority = rule.value.priority

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"

          dynamic "rule_action_override" {
            for_each = [for rule_override in rule.value.rules_override_to_count : rule_override]
            content {
              name = rule_action_override.value
              action_to_use {
                count {}
              }
            }
          }
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = false
        metric_name                = rule.key
        sampled_requests_enabled   = false
      }
    }
  }
  #######################
  # End Rules

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "test-waf-metrics"
    sampled_requests_enabled   = true
  }
}
Step 2: Reapply the same config without changes. No issues.
Step 3: Apply this:
variable "rulesets" {
  # Using "type any" here for simplicity to reproduce bug
  type = any
  default = [
    {
      rule_name               = "AWSManagedRulesKnownBadInputsRuleSet"
      priority                = 1
      rules_override_to_count = ["Log4JRCE_QUERYSTRING"]
    },
    {
      rule_name               = "AWSManagedRulesAmazonIpReputationList"
      priority                = 2
      rules_override_to_count = ["AWSManagedIPReputationList", "AWSManagedReconnaissanceList"]
    }
  ]
}

resource "aws_wafv2_web_acl" "test" {
  scope = "REGIONAL"
  name  = "issue28672"

  default_action {
    allow {}
  }

  #######################
  # Begin Rules
  dynamic "rule" {
    for_each = { for this in var.rulesets : this.rule_name => this }
    content {
      name     = rule.key
      priority = rule.value.priority

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"

          dynamic "rule_action_override" {
            for_each = [for rule_override in rule.value.rules_override_to_count : rule_override]
            content {
              name = rule_action_override.value
              action_to_use {
                count {}
              }
            }
          }
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = false
        metric_name                = rule.key
        sampled_requests_enabled   = false
      }
    }
  }
  #######################
  # End Rules

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "test-waf-metrics"
    sampled_requests_enabled   = true
  }
}
Step 4: Apply the Step 3 config again. No issues.
Step 5: Apply the original Step 1 config again. No issues.
Step 6: Reapply the original Step 1 config again. No issues.
Interesting! It works for me using the following versions! I will close this issue off, thanks!
Terraform v1.5.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.8.0
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Related: #23390, #23423, #23936, #23992, #24386, #27175, #27273, #27479, #28191, #29012, #29304, #30858
Terraform Core Version: 1.3.0
AWS Provider Version: 4.44.0
Affected Resource(s): aws_wafv2_web_acl
Expected Behavior: Certain rule actions I want to set to count mode should work via my dynamic block.
Actual Behavior: Terraform errors out and ends with "This is a bug in the provider, which should be reported in the provider's own issue tracker".
Relevant Error/Panic Output Snippet:
Terraform Configuration Files: This is the short version of the Terraform code I have.
Steps to Reproduce: When I uncomment the variable from my configuration file so the variable looks like this, then Terraform errors out.
I notice the bug only happens if I am using "rules_override_to_count". Say for example if I have the following variables, I can add/remove as many rules as I want, as long as I am not using the dynamic "rule_action_override" block.
Debug Output: No response
Panic Output: No response
Important Factoids: No response
References: No response
Would you like to implement a fix?: None