hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE, parameter: Rule", Parameter: "Rule", Reason: "You have used none or multiple values for a field that requires exactly one value. #29321

Open steveharanexperian opened 1 year ago

steveharanexperian commented 1 year ago

Terraform Core Version

1.1.7

AWS Provider Version

latest

Affected Resource(s)

For this TF:

resource "aws_wafv2_web_acl" "api_gateway" {
  name  = "${var.envname}-api-gateway-owasp"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  custom_response_body {
    content = jsonencode({"error" :"invalid input"})
    content_type = "APPLICATION_JSON"
    key = "InvalidInput"
  }

  rule {
    name     = "XSSBody"
    priority = 0

    override_action {
      count {}
    }

    statement {
      xss_match_statement {
        field_to_match {
            body {
                # oversizehandling = "CONTINUE"
            }
        }
        text_transformation {
            priority = 0
            type = "URL_DECODE"
        }
      }
    }

    action {
      block {
        custom_response {
            response_code = 400
            custom_response_body_key = "InvalidInput"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "XSSBody"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "XSSParam"
    priority = 1

    override_action {
      count {}
    }

    statement {
      xss_match_statement {
        field_to_match {
            query_string {}
        }
        text_transformation {
            priority = 0
            type = "URL_DECODE"
        }
      }
    }

    action {
      block {
        custom_response {
            response_code = 400
            custom_response_body_key = "InvalidInput"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "XSSParam"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "owasp-managed"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "owasp-ruleset-match"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "XSSUrl"
    priority = 3

    override_action {
      count {}
    }

    statement {
      xss_match_statement {
        field_to_match {
            uri_path {}
        }
        text_transformation {
            priority = 0
            type = "URL_DECODE"
        }
      }
    }

    action {
      block {
        custom_response {
            response_code = 400
            custom_response_body_key = "InvalidInput"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "XSSBody"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "api-gateway-waf"
    sampled_requests_enabled   = false
  }

}

resource "aws_wafv2_web_acl" "voi_ui" {
  name  = "${var.envname}-voi-ui-owasp"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "owasp-managed"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "owasp-ruleset-match"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "voi-ui-waf"
    sampled_requests_enabled   = false
  }
}

Expected Behavior

The plan and apply should work

Actual Behavior

The plan works, but the apply throws:

Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE, parameter: Rule", Parameter: "Rule", Reason: "You have used none or multiple values for a field that requires exactly one value.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Steps to Reproduce

.

Debug Output

Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE, parameter: Rule", Parameter: "Rule", Reason: "You have used none or multiple values for a field that requires exactly one value.

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

steveharanexperian commented 1 year ago

I want multiple rules, but it doesn't seem to like it

chrisduong commented 1 year ago

Hi @steveharanexperian, could you look at this workaround: https://github.com/hashicorp/terraform-provider-aws/issues/14094#issuecomment-655625254. I had tried it, and it works.

rebeccasimon commented 1 year ago

Was having the same problem and used the workaround linked. Fixed the problem. Essentially you have to add an override_action block to each managed rule group block.
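
The underlying constraint is on the AWS side: every WAFv2 rule must carry exactly one of `action` or `override_action`. A rule whose statement is a managed rule group (or a rule group reference) takes `override_action`; a rule with any other statement, such as `xss_match_statement`, takes `action`. In the configuration above, the three XSS rules have both blocks, which is what produces "none or multiple values for a field that requires exactly one value". The following is an added example, not the reporter's configuration or provider code, showing the `api_gateway` ACL rewritten to satisfy that rule; the `XSSParam` and `XSSUrl` rules are left out and follow the same pattern as `XSSBody`. It assumes `var.envname` exists as in the original, and the `oversize_handling` attribute name is taken from the provider's `body` block rather than from this page, which only shows a commented-out `oversizehandling`.

```hcl
# Added example: the api_gateway web ACL with exactly one of action /
# override_action per rule. Assumes var.envname is declared elsewhere.
resource "aws_wafv2_web_acl" "api_gateway" {
  name  = "${var.envname}-api-gateway-owasp"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  custom_response_body {
    content      = jsonencode({ "error" : "invalid input" })
    content_type = "APPLICATION_JSON"
    key          = "InvalidInput"
  }

  # Custom-statement rule: `action` only. The original also carried
  # `override_action { count {} }` here, which WAF rejects.
  rule {
    name     = "XSSBody"
    priority = 0

    statement {
      xss_match_statement {
        field_to_match {
          body {
            # Assumed attribute name; CONTINUE inspects the part of an
            # oversized body that fits within the WAF size limit.
            oversize_handling = "CONTINUE"
          }
        }
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }

    action {
      block {
        custom_response {
          response_code            = 400
          custom_response_body_key = "InvalidInput"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "XSSBody"
      sampled_requests_enabled   = true
    }
  }

  # Managed-rule-group rule: `override_action` only, no `action` block.
  # `none {}` keeps the group's own verdicts; the original used `count {}`,
  # which only records matches and never blocks.
  rule {
    name     = "owasp-managed"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "owasp-ruleset-match"
      sampled_requests_enabled   = false
    }
  }

  # ACL-level metrics and sampling turned on so blocks are visible in
  # CloudWatch; the original had both disabled.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-gateway-waf"
    sampled_requests_enabled   = true
  }
}
```

Two smaller points differ from the reported configuration on purpose: the `XSSUrl` rule in the report reuses the metric name `XSSBody`, so its matches would be indistinguishable from the body rule in CloudWatch, and the managed group runs in `count` mode, which is fine for a tuning period but means the ruleset blocks nothing until it is switched to `none`.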

CatInsideBoxUnderTheTable commented 1 year ago

This bug applies to 'rule_group_reference_statement' as well

ankon commented 1 year ago

So, couldn't terraform-provider-aws check that for us, and flag a problem when there's neither an override_action nor an action defined? Or, maybe, compute a sane default of override_action { none {} }?

jauharvp commented 6 months ago

I understood the issue in this comment; however, not in this case. @steveharanexperian, would you mind sharing whether you solved the issue and, if so, what went wrong with your tf code?

I face this same issue when I use an or statement.