hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: cannot create an 'aws_wafv2_web_acl' with AWSManagedRulesATPRuleSet configuration #31740

Open mahela-aws opened 1 year ago

mahela-aws commented 1 year ago

Terraform Core Version

v1.3.7

AWS Provider Version

v4.67.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

We should be able to create an aws_wafv2_web_acl with an AWSManagedRulesATPRuleSet managed_rule_group_statement.

Actual Behavior

It throws the error below.

Relevant Error/Panic Output Snippet

module.base-infrastructure.module.wafv2.aws_cloudwatch_log_group.wafv2: Creating...
module.base-infrastructure.module.wafv2.aws_cloudwatch_log_group.wafv2: Creation complete after 1s [id=aws-waf-logs-buynomics-development]
module.base-infrastructure.module.wafv2.aws_wafv2_web_acl.main: Creating...
╷
│ Error: creating WAFv2 WebACL (buynomics-development-webaclv2): WAFInvalidOperationException: Your request contains fields that belong to a feature you are not allowed to use.
│ 
│   with module.base-infrastructure.module.wafv2.aws_wafv2_web_acl.main,
│   on ../modules/wafv2/wafv2.tf line 6, in resource "aws_wafv2_web_acl" "main":
│    6: resource "aws_wafv2_web_acl" "main" {
│ 
╵

Terraform Configuration Files

resource "aws_wafv2_web_acl_association" "main" {
  resource_arn = var.custom_resource_arn
  web_acl_arn  = aws_wafv2_web_acl.main.arn
}

resource "aws_wafv2_web_acl" "main" {
  name        = "${lower(var.name)}-webaclv2"
  description = "WAFv2 AWSManagedRules for BNsuite"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "KeycloakAuthRestrictions"
    priority = 8

    override_action {
      none {}
    }

    statement {
      rule_group_reference_statement {
        arn = aws_wafv2_rule_group.keycloak_auth_restrictions.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "${lower(var.custom_metric_name)}KeycloakAuthRestrictions"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AccountTakeOverPrevention"
    priority = 9

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesATPRuleSet"
        vendor_name = "AWS"

        managed_rule_group_configs {
          aws_managed_rules_atp_rule_set {
            login_path = var.bn_context == "review" ? "/admin-${var.bn_context}" : "/admin"

            request_inspection {
              password_field {
                identifier = "/password"
              }

              payload_type = "JSON"

              username_field {
                identifier = "/username"
              }
            }

            response_inspection {
              status_code {
                failure_codes = ["403"]
                success_codes = ["200"]
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "${lower(var.custom_metric_name)}AccountTakeOverPrevention"
      sampled_requests_enabled   = true
    }
  }

  tags = {
    Terraform = "True"
    Name      = "${lower(var.name)}-webaclv2"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "${lower(var.custom_metric_name)}Default"
    sampled_requests_enabled   = true
  }
}

Steps to Reproduce

Try to apply the above code; it will throw the mentioned error.

Debug Output

No response

Panic Output

module.base-infrastructure.module.wafv2.aws_cloudwatch_log_group.wafv2: Creating...
module.base-infrastructure.module.wafv2.aws_cloudwatch_log_group.wafv2: Creation complete after 1s [id=aws-waf-logs-buynomics-development]
module.base-infrastructure.module.wafv2.aws_wafv2_web_acl.main: Creating...
╷
│ Error: creating WAFv2 WebACL (buynomics-development-webaclv2): WAFInvalidOperationException: Your request contains fields that belong to a feature you are not allowed to use.
│ 
│   with module.base-infrastructure.module.wafv2.aws_wafv2_web_acl.main,
│   on ../modules/wafv2/wafv2.tf line 6, in resource "aws_wafv2_web_acl" "main":
│    6: resource "aws_wafv2_web_acl" "main" {
│ 
╵

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

katainaka0503 commented 1 year ago

I guess the reason we get this error is we can't use response_inspection in REGIONAL WAF settings.

We can use response_inspection only in CloudFront WAF settings.
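
As an added pre-apply check (not part of the issue or of the provider's own code), the following script walks `terraform show -json tfplan` output and flags any REGIONAL `aws_wafv2_web_acl` whose ATP configuration still carries a `response_inspection` block, the combination the comment above identifies as unsupported. The plan layout assumed here (nested blocks as lists of objects) and the embedded sample plan are constructed for the example.

```python
# Constructed sample shaped like `terraform show -json tfplan` output (an assumed
# layout: nested blocks appear as lists of objects); only the keys used below matter.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"child_modules": [{
        "address": "module.wafv2",
        "resources": [{
            "address": "module.wafv2.aws_wafv2_web_acl.main",
            "type": "aws_wafv2_web_acl",
            "values": {"name": "example-webaclv2", "scope": "REGIONAL", "rule": [{
                "name": "AccountTakeOverPrevention",
                "statement": [{"managed_rule_group_statement": [{
                    "name": "AWSManagedRulesATPRuleSet", "vendor_name": "AWS",
                    "managed_rule_group_configs": [{"aws_managed_rules_atp_rule_set": [{
                        "login_path": "/admin",
                        "request_inspection": [{"payload_type": "JSON"}],
                        "response_inspection": [{"status_code": [
                            {"failure_codes": ["403"], "success_codes": ["200"]}]}],
                    }]}],
                }]}],
            }]},
        }],
    }]}},
}

def _iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)

def _contains_block(value, name):
    """True if a non-empty nested block called `name` occurs anywhere inside `value`.
    An omitted block shows up in plan JSON as an empty list, which must not match."""
    if isinstance(value, dict):
        return any((k == name and bool(v)) or _contains_block(v, name) for k, v in value.items())
    if isinstance(value, list):
        return any(_contains_block(item, name) for item in value)
    return False

def find_regional_response_inspection(plan):
    """Return addresses of REGIONAL web ACLs whose planned values include response_inspection."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        res["address"] for res in _iter_resources(root)
        if res.get("type") == "aws_wafv2_web_acl"
        and res.get("values", {}).get("scope") == "REGIONAL"
        and _contains_block(res["values"], "response_inspection")
    ]

if __name__ == "__main__":
    print(find_regional_response_inspection(SAMPLE_PLAN))
```

To run it against a real plan, replace SAMPLE_PLAN with `json.load(open("plan.json"))` after `terraform show -json tfplan > plan.json`.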

justinretzolk commented 10 months ago

Related #31739

justinretzolk commented 3 months ago

Fixed by #28594

github-actions[bot] commented 3 months ago

Warning: This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

justinretzolk commented 3 months ago

Apologies -- I've just realized the PR I linked to was prior to this issue being opened. It does seem like there've been some changes to this resource since the issue was filed, however, so it may be worth testing again to verify whether the bug still exists.