hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Docs]: terraform cli reports `excluded_rule` block under `rule_group_reference_statement` is deprecated while the `aws_wafv2_web_acl` does not mention this. #31042

Closed 0xabdi closed 1 year ago

0xabdi commented 1 year ago

Documentation Link

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html#rule_group_reference_statement

Description

terraform cli reports excluded_rule block under rule_group_reference_statement is deprecated while the terraform aws_wafv2_web_acl resource documentation does not mention this. It only specifies that this block is optional.


Warning: Argument is deprecated
...
with module.web_acl_example.aws_wafv2_web_acl.web_acl[0]
...
Use rule_action_override instead

References

https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroupReferenceStatement.html

Would you like to implement a fix?

Yes

justinretzolk commented 1 year ago

Hey @0xabdi 👋 We apologize that we missed updating the documentation to indicate the deprecation, and really appreciate you calling it out. With the 5.0.0 release that went out today, this argument was removed entirely, so modifying the documentation won't have any effect at this point.

We'll start looking at processes to make sure this type of thing isn't missed again in the future. In the meantime, given that there's no further action we can take in this case, we'll close this issue out.

armenr commented 1 year ago

I'm totally stuck on this - we ran an upgrade after reading through the release notes, and not knowing about this particular change/deprecation, and now our VPC + WAF related code is broken. I can't go back, and I can't figure out how to move forward.

Had this been documented, we'd have looked before leaping.

Old code looks like this:

resource "aws_wafv2_web_acl" "_" {
  name        = "${var.env_name}-waf-web-acl"
  description = "WAF Web ACL"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  dynamic "rule" {
    for_each = {for idx, query in var.waf_managed_rules: idx => query}
    content {
      name     = rule.value["rule"]
      priority = rule.key

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value["rule"]
          vendor_name = rule.value["vendor"]

          dynamic "excluded_rule" {
            for_each = rule.value["exclude"]
            content {
              name = excluded_rule.value
            }
          }
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value["rule"]
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.env_name}-waf"
    sampled_requests_enabled   = true
  }
}

...and I'm stuck as all heck. 🫠

justinretzolk commented 1 year ago

Hey @armenr 👋 Can you give me a better idea of how you're currently stuck? I'd like to try to help if I can, but need a bit more context so that I can know which direction to head in.

armenr commented 1 year ago

@justinretzolk - I sincerely appreciate your attention and effort - the Customer Obsession and Bias for Action are very much appreciated.

I should have either deleted or updated my comment. I figured out how to modify our code so that it behaves and works as expected. This is what I landed on:

resource "aws_wafv2_web_acl" "_" {
  name        = "${var.env_name}-waf-web-acl"
  description = "WAF Web ACL"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  dynamic "rule" {
    for_each = { for idx, query in var.waf_managed_rules : idx => query }
    content {
      name     = rule.value["rule"]
      priority = rule.key

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value["rule"]
          vendor_name = rule.value["vendor"]

          dynamic "rule_action_override" {
            for_each = rule.value["exclude"]
            content {
              name = rule_action_override.value  // change here
              action_to_use {
                count {}
              }
            }
          }
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value["rule"]
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.env_name}-waf"
    sampled_requests_enabled   = true
  }
}

justinretzolk commented 1 year ago

@armenr -- I appreciate the kind words and the follow-up with a solution in case anyone else stumbles across this! Since you're in the clear as well, I'll go ahead and close this issue back out.

Note: If anyone else runs into this, and the information above doesn't help, please do open a new issue so that we can get eyes on it.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.