hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_wafv2_web_acl_logging_configuration filter ordering is undefined #32665

Open randomjunk opened 1 year ago

randomjunk commented 1 year ago

Terraform Core Version

0.13.7

AWS Provider Version

5.7.0

Affected Resource(s)

resource aws_wafv2_web_acl_logging_configuration -> logging_filter -> filter

Expected Behavior

Listing multiple filter blocks should apply the filters in order.

To quote the AWS Console:

If a request matches a filter condition, stop filtering and take the corresponding filter action. AWS WAF applies filters in the order shown, starting from the top.

So order is important. But the filter block has been defined as a schema.TypeSet which means the ordering is ignored/lost.

https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/wafv2/web_acl_logging_configuration.go#L65L66

Actual Behavior

The filters are applied in "random" order.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cloudwatch_log_group" "waf_app_logs" {
  provider = aws.us
  name     = "aws-waf-logs-app"

  retention_in_days = 30
}

resource "aws_wafv2_web_acl_logging_configuration" "waf_app_logs" {
  provider     = aws.us
  resource_arn = aws_wafv2_web_acl.waf_app.arn

  log_destination_configs = [aws_cloudwatch_log_group.waf_app_logs.arn]

  logging_filter {
    default_behavior = "KEEP"

    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"

      // Keep things flagged by the BotControl managed rule group
      condition {
        label_name_condition {
          label_name = "awswaf:managed:aws:bot-control:signal:known_bot_data_center"
        }
      }
    }

    // Drop anything let through with ALLOW
    filter {
      behavior    = "DROP"
      requirement = "MEETS_ALL"

      condition {
        action_condition {
          action = "ALLOW"
        }
      }
    }
  }

  redacted_fields {
    query_string {}
  }
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}

Steps to Reproduce

  1. Define an aws_wafv2_web_acl_logging_configuration with more than one filter
  2. Apply/plan. Note that the order may not be the same
  3. Go into AWS console and explicitly reorder the rules
  4. Do terraform plan and note how it doesn't see any changes

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
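To make the impact of the lost ordering concrete, here is an added example (not from the issue or the provider's code) that models the first-match semantics the AWS Console describes and evaluates the two filters from the configuration above. It assumes a simplified request model (an action plus a set of labels) and a reduced set of condition types; the point it shows is that a bot-labelled request that was allowed is logged under the intended order but silently dropped from the log once the filters are reordered, while a set comparison of the two filter lists reports no difference.

```python
# Added example: a small model of WAF logging_filter first-match evaluation.
# Constructed for illustration; it is not the provider's or AWS's code.
from dataclasses import dataclass

BOT_LABEL = "awswaf:managed:aws:bot-control:signal:known_bot_data_center"


@dataclass(frozen=True)
class Filter:
    behavior: str       # "KEEP" or "DROP"
    requirement: str    # "MEETS_ANY" or "MEETS_ALL"
    conditions: tuple   # (("action", "ALLOW"),) or (("label", "<name>"),)


def condition_holds(cond, request):
    """Evaluate one condition against a request dict {action, labels}."""
    kind, value = cond
    if kind == "action":
        return request["action"] == value
    if kind == "label":
        return value in request["labels"]
    raise ValueError(f"unsupported condition kind: {kind}")


def filter_matches(f, request):
    results = [condition_holds(c, request) for c in f.conditions]
    return any(results) if f.requirement == "MEETS_ANY" else all(results)


def logging_decision(default_behavior, filters, request):
    """First filter whose conditions hold decides; otherwise the default."""
    for f in filters:
        if filter_matches(f, request):
            return f.behavior
    return default_behavior


# The two filters from the issue's configuration, in the intended order.
KEEP_BOTS = Filter("KEEP", "MEETS_ANY", (("label", BOT_LABEL),))
DROP_ALLOWED = Filter("DROP", "MEETS_ALL", (("action", "ALLOW"),))
INTENDED = [KEEP_BOTS, DROP_ALLOWED]

# Constructed sample: a request flagged as a known bot that WAF still allowed.
BOT_ALLOWED_REQUEST = {"action": "ALLOW", "labels": frozenset({BOT_LABEL})}


def compare_orderings(request):
    """Return (decision as written, decision reordered, set-equal?)."""
    reordered = list(reversed(INTENDED))
    return (logging_decision("KEEP", INTENDED, request),
            logging_decision("KEEP", reordered, request),
            set(INTENDED) == set(reordered))
```

Under a TypeSet schema the two orderings compare equal, which is why a plan after reordering in the console shows no diff even though the logged outcome for bot traffic has changed.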
