Closed 0xabdi closed 1 year ago
Hey @0xabdi 👋 We apologize that we missed updating the documentation to indicate the deprecation, and really appreciate you calling it out. With the 5.0.0 release that went out today, this argument was removed entirely, so modifying the documentation won't have any effect at this point.
We'll start looking at processes to make sure this type of thing isn't missed again in the future. In the meantime, given that there's no further action we can take in this case, we'll close this issue out.
I'm totally stuck on this - we ran an upgrade after reading through the release notes, and not knowing about this particular change/deprecation, and now our VPC + WAF related code is broken. I can't go back, and I can't figure out how to move forward.
Had this been documented, we'd have looked before leaping.
Old code looks like this:
```hcl
resource "aws_wafv2_web_acl" "_" {
  name        = "${var.env_name}-waf-web-acl"
  description = "WAF Web ACL"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  dynamic "rule" {
    for_each = {for idx, query in var.waf_managed_rules: idx => query}
    content {
      name     = rule.value["rule"]
      priority = rule.key

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value["rule"]
          vendor_name = rule.value["vendor"]

          dynamic "excluded_rule" {
            for_each = rule.value["exclude"]
            content {
              name = excluded_rule.value
            }
          }
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value["rule"]
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.env_name}-waf"
    sampled_requests_enabled   = true
  }
}
```
...and I'm stuck as all heck. 🫠
Hey @armenr 👋 Can you give me a better idea of how you're currently stuck? I'd like to try to help if I can, but need a bit more context so that I can know which direction to head in.
@justinretzolk - I sincerely appreciate your attention and effort - the Customer Obsession and Bias for Action are very much appreciated.
I should have either deleted or updated my comment. I figured out how to modify our code so that it behaves and works as expected. This is what I landed on:
```hcl
resource "aws_wafv2_web_acl" "_" {
  name        = "${var.env_name}-waf-web-acl"
  description = "WAF Web ACL"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  dynamic "rule" {
    for_each = { for idx, query in var.waf_managed_rules : idx => query }
    content {
      name     = rule.value["rule"]
      priority = rule.key

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value["rule"]
          vendor_name = rule.value["vendor"]

          dynamic "rule_action_override" {
            for_each = rule.value["exclude"]
            content {
              name = rule_action_override.value // change here
              action_to_use {
                count {}
              }
            }
          }
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value["rule"]
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.env_name}-waf"
    sampled_requests_enabled   = true
  }
}
```
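A pre-upgrade check for the situation described in this thread, as an added example that is not part of the original comments or the provider's code: a line-oriented Python scan of Terraform source that reports every static or dynamic `excluded_rule` block together with its enclosing resource and statement type. The function name and the sample configuration are constructed for illustration, and this is not a full HCL parser (heredocs and multi-line strings are not handled).

```python
import re

# Block header, e.g.  resource "aws_wafv2_web_acl" "_" {   or   dynamic "excluded_rule" {
HEADER = re.compile(r'^\s*(\w+)((?:\s+"[^"]*")*)\s*\{')

def find_excluded_rule_blocks(tf_source):
    """Return (line, kind, resource, statement) for each excluded_rule block."""
    findings, stack = [], []  # stack: one name per currently open '{'
    for lineno, raw in enumerate(tf_source.splitlines(), 1):
        # Blank out strings (their ${...} braces are not blocks), then comments.
        code = re.sub(r'(#|//).*$', '', re.sub(r'"[^"]*"', '""', raw))
        opens, closes = code.count("{"), code.count("}")
        names = [""] * opens
        if (m := HEADER.match(raw)) and opens:
            labels = re.findall(r'"([^"]*)"', m.group(2))
            kind = "dynamic" if m.group(1) == "dynamic" and labels else "static"
            name = labels[0] if kind == "dynamic" else m.group(1)
            if name == "excluded_rule":
                res = next((e[9:] for e in stack if e.startswith("resource:")), "?")
                stmt = next((e for e in reversed(stack) if e.endswith("_statement")), "?")
                findings.append((lineno, kind, res, stmt))
            names[0] = "resource:" + ".".join(labels) if name == "resource" else name
        stack.extend(names)
        del stack[max(0, len(stack) - closes):]
    return findings

# Constructed sample input (abbreviated, not a complete web ACL definition).
SAMPLE = '''\
resource "aws_wafv2_web_acl" "legacy" {
  name = "${var.env_name}-waf-web-acl"
  rule {
    statement {
      managed_rule_group_statement {
        dynamic "excluded_rule" {
          for_each = { for i, r in var.exclude : i => r }
          content { name = excluded_rule.value }
        }
      }
    }
  }
  rule {
    statement {
      rule_group_reference_statement {
        excluded_rule { name = "ExampleRule" }  // static form
      }
    }
  }
}
'''
print(find_excluded_rule_blocks(SAMPLE))
```

Each reported location is a block to rewrite as `rule_action_override` with `action_to_use { count {} }`, as in the comment above, before moving to a provider version where the argument no longer exists.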
@armenr -- I appreciate the kind words and the follow up with a solution in case anyone else stumbles across this! Since you're in the clear as well, I'll go ahead and close this issue back out.
Note: If anyone else runs into this, and the information above doesn't help, please do open a new issue so that we can get eyes on it.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Documentation Link
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html#rule_group_reference_statement
Description
Terraform CLI reports `excluded_rule` block under `rule_group_reference_statement` is deprecated while the Terraform `aws_wafv2_web_acl` resource documentation does not mention this. It only specifies that this block is optional.
References
https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroupReferenceStatement.html
Would you like to implement a fix?
Yes