[Bug]: AWS-AWSManagedRulesATPRuleSet managed_rule_group_configs

[kaykhan]

Terraform Core Version

1.3.6

AWS Provider Version

4.50.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

Expeect the rule group "AWS-AWSManagedRulesATPRuleSet" to be added to my existing WAF.

Actual Behavior

Error

Relevant Error/Panic Output Snippet

https://gist.github.com/kaykhan/4d7961c964fbce400aa476f1c3bfdae1

Terraform Configuration Files

resource "aws_cloudwatch_log_group" "loadbalancer_staging" {
  name              = "aws-waf-logs-loadbalancer-staging"
  retention_in_days = 30
  tags              = local.tags
}

resource "aws_wafv2_web_acl" "loadbalancer_staging" {
  name        = "loadbalancer-staging"
  description = "WAF for staging loadbalancer"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  tags = local.tags

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "loadbalancer-staging"
    sampled_requests_enabled   = true
  }

  rule {
    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWS-AWSManagedRulesAmazonIpReputationList"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "SizeRestrictions_QUERYSTRING"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "SizeRestrictions_BODY"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "CrossSiteScripting_BODY"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "GenericLFI_BODY"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "EC2MetaDataSSRF_BODY"
        }

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

 rule {
    name     = "AWS-AWSManagedRulesATPRuleSet"
    priority = 3

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesATPRuleSet"
        vendor_name = "AWS"

        managed_rule_group_configs {
          login_path     = "/api/auth/login"
          username_field  {
              identifier = "/username"
          }
          password_field {
              identifier = "/password"
          }
        }

      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      sampled_requests_enabled   = true
      metric_name                = "AWS-AWSManagedRulesATPRuleSet"
    }
  }

}

resource "aws_wafv2_web_acl_logging_configuration" "loaodbalancer_staging" {
  log_destination_configs = [aws_cloudwatch_log_group.loadbalancer_staging.arn]
  resource_arn            = aws_wafv2_web_acl.loadbalancer_staging.arn

  depends_on = [
    aws_wafv2_web_acl.loadbalancer_staging,
    aws_cloudwatch_log_group.loadbalancer_staging
  ]

}

Steps to Reproduce

terraform apply -var-file="prod.tfvars"

Debug Output

No response

Panic Output

https://gist.github.com/kaykhan/4d7961c964fbce400aa476f1c3bfdae1

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[bwells-scripps]

Just this morning we see this same issue when adding a rule to a aws_wafv2_web_acl. Terraform v1.3.7 with AWS provider v4.49.0 and v4.50.0

[kaykhan]

Just this morning we see this same issue when adding a rule to a aws_wafv2_web_acl. Terraform v1.3.7 with AWS provider v4.49.0 and v4.50.0

Let me know if you find a workaround or version that works.

[denniscaopalm]

Experiencing the same issue. Some notes:

• Attempting to attach AWS-AWSManagedRulesATPRuleSet to an existing WAF will result in panic error.
• Attempting to create a new aws_wafv2_web_acl with AWS-AWSManagedRulesATPRuleSet succeeds
• Attempting to change any aspect of a created aws_wafv2_web_acl object with AWS-AWSManagedRulesATPRuleSet attached also leads to panic

A workaround at this point would involve avoiding changing the resource but to destroy the resource, recreate the resource, and then making sure any resource that references the waf also gets updated.

[bwells-scripps]

I was able to work around the issue by removing all existing rules from the aws_wafv2_web_acl, running terraform apply, then adding all the rules that I want to the aws_wafv2_web_acl and applying again. So it works to remove all rules or add all rules to a WAF with no rules - but not add a new rule to a WAF with existing rules.

[kaykhan]

I was able to work around the issue by removing all existing rules from the aws_wafv2_web_acl, running terraform apply, then adding all the rules that I want to the aws_wafv2_web_acl and applying again. So it works to remove all rules or add all rules to a WAF with no rules - but not add a new rule to a WAF with existing rules.

thanks, I think it would be inconvenient for us if we had to remove all rules and readd all rules ( including the new one) each time, if i understand this work around correctly.

[fillz-noh]

In my environment,

    override_action {
      count {}
    }

then the apply will succeed.

If I change it to none {} , it panics.

[mshiyk]

Seeing the same issue.

In the versions.tf, anything above 4.30.0 causes WAF deployment issues with AWSManagedRulesKnownBadInputsRuleSet.

[github-actions[bot]]

This functionality has been released in v4.63.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.