Open AnrichVS opened 11 months ago
Voting for Prioritization
Volunteering to Work on This Issue
I can confirm the observation. It is very annoying since the WAF rules API seem to have inconsistent performance. Sometimes this drift costs us 10 seconds, sometimes up to 5 minutes, slowing our builds down for no reason.
I can confirm the observation. It is very annoying since the WAF rules API seem to have inconsistent performance. Sometimes this drift costs us 10 seconds, sometimes up to 5 minutes, slowing our builds down for no reason.
For now I'm ignoring changes to the ACL rules. I'm considering adding a flag (via environment variable) to not ignore the ACL rules, and then this flag can be passed if ACL rule changes actually need to be made.
Very irritating, but maybe worth considering to avoid unnecessary long builds. Disclaimer: if someone makes changes via AWS console / otherwise, these changes will of course not be reverted since they are ignored.
new Wafv2WebAcl(this, 'web-waf-acl', {
name: 'Web WAF ACL',
description: 'Web WAF ACL',
scope: 'REGIONAL',
defaultAction: {
allow: {},
},
visibilityConfig: {
cloudwatchMetricsEnabled: true,
metricName: 'WebAcl',
sampledRequestsEnabled: true,
},
rule: rules,
// TODO: this is a workaround to avoid stack drift, it should be removed once this is fixed: https://github.com/hashicorp/terraform-provider-aws/issues/33124
lifecycle: {
ignoreChanges: ['rule'],
},
});
This is happening for us, as well.
Nearly every time we run a plan
that includes an aws_wafv2_web_acl
resource, Terraform wants to remove some of the rules, and then re-add them, exactly the same as they were before. The removals show the values in the rules changing to null
, and the added rules are exactly the same -- name
, priority
, override_action
, etc. are all identical.
Example plan
is below (with IDs/AWS account numbers redacted):
~ resource "aws_wafv2_web_acl" "alb" {
id = "<REDACTED>"
name = "dev-waf"
tags = {
"environment" = "dev"
}
# (7 unchanged attributes hidden)
- rule {
- name = "AWSManagedRulesKnownBadInputsRuleSet" -> null
- priority = 400 -> null
- override_action {
- none {}
}
- statement {
- managed_rule_group_statement {
- name = "AWSManagedRulesKnownBadInputsRuleSet" -> null
- vendor_name = "AWS" -> null
}
}
- visibility_config {
- cloudwatch_metrics_enabled = true -> null
- metric_name = "dev-waf-AWSManagedRulesKnownBadInputsRuleSet-metric" -> null
- sampled_requests_enabled = true -> null
}
}
- rule {
- name = "AWSManagedRulesLinuxRuleSet" -> null
- priority = 500 -> null
- override_action {
- none {}
}
- statement {
- managed_rule_group_statement {
- name = "AWSManagedRulesLinuxRuleSet" -> null
- vendor_name = "AWS" -> null
}
}
- visibility_config {
- cloudwatch_metrics_enabled = true -> null
- metric_name = "dev-waf-AWSManagedRulesLinuxRuleSet-metric" -> null
- sampled_requests_enabled = true -> null
}
}
- rule {
- name = "AWSManagedRulesSQLiRuleSet" -> null
- priority = 600 -> null
- override_action {
- none {}
}
- statement {
- managed_rule_group_statement {
- name = "AWSManagedRulesSQLiRuleSet" -> null
- vendor_name = "AWS" -> null
- scope_down_statement {
- not_statement {
- statement {
- regex_pattern_set_reference_statement {
- arn = "arn:aws:wafv2:us-west-2:<REDACTED>:regional/regexpatternset/sandbox-relaxed-uri-paths/<REDACTED>" -> null
- field_to_match {
- uri_path {}
}
- text_transformation {
- priority = 0 -> null
- type = "LOWERCASE" -> null
}
}
}
}
}
}
}
- visibility_config {
- cloudwatch_metrics_enabled = true -> null
- metric_name = "dev-waf-AWSManagedRulesSQLiRuleSet-metric" -> null
- sampled_requests_enabled = true -> null
}
}
+ rule {
+ name = "AWSManagedRulesKnownBadInputsRuleSet"
+ priority = 400
+ override_action {
+ none {}
}
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesKnownBadInputsRuleSet"
+ vendor_name = "AWS"
}
}
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "dev-waf-AWSManagedRulesKnownBadInputsRuleSet-metric"
+ sampled_requests_enabled = true
}
}
+ rule {
+ name = "AWSManagedRulesLinuxRuleSet"
+ priority = 500
+ override_action {
+ none {}
}
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesLinuxRuleSet"
+ vendor_name = "AWS"
}
}
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "dev-waf-AWSManagedRulesLinuxRuleSet-metric"
+ sampled_requests_enabled = true
}
}
+ rule {
+ name = "AWSManagedRulesSQLiRuleSet"
+ priority = 600
+ override_action {
+ none {}
}
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesSQLiRuleSet"
+ vendor_name = "AWS"
+ scope_down_statement {
+ not_statement {
+ statement {
+ regex_pattern_set_reference_statement {
+ arn = "arn:aws:wafv2:us-west-2:<REDACTED>:regional/regexpatternset/sandbox-relaxed-uri-paths/<REDACTED>"
+ field_to_match {
+ uri_path {}
}
+ text_transformation {
+ priority = 0
+ type = "LOWERCASE"
}
}
}
}
}
}
}
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "dev-waf-AWSManagedRulesSQLiRuleSet-metric"
+ sampled_requests_enabled = true
}
}
# (10 unchanged blocks hidden)
}
This has been plaguing us for several months now, and has not changed, even with the new AWS provider version of 5.19.0.
Just wanted to add a fresh comment here as we've been experiencing this issue for a while now too
Could you please prioritize this issue? I'm experiencing the same problem.
I am currently using HashiCorp AWS with version specifications "~> 5.25" and the installed version is v5.57.0. I am experiencing the same issue, which did not occur a few weeks ago. Recently, however, the API has been periodically unstable.
Terraform Core Version
1.5.5
AWS Provider Version
5.13.1
Affected Resource(s)
Expected Behavior
Applying a WAFv2 Web ACL without making any changes should not update certain rules.
Actual Behavior
Applying a WAFv2 Web ACL without making any changes always updates certain rules.
So far it seems that rules with a rate based statement, as well as a managed rule referencing the
AWSManagedRulesKnownBadInputsRuleSet
managed rule set is affected.Rules that references the
AWSManagedRulesBotControlRuleSet
andAWSManagedRulesCommonRuleSet
managed rule sets do not seem to be affected.Relevant Error/Panic Output Snippet
Terraform Configuration Files
tf-acl-state-drift-code.zip
The uploaded ZIP contains a CDKTF (typescript) project that can be used to re-produce the issue. Please see the "Steps to Reproduce".
Steps to Reproduce
tf-acl-state-drift-code.zip
archivenpm install
to install dependenciesnpm run synth
to synthesize the stack and produce thetf-acl-state-drift
stackNote: you can use the
CDKTF_AWS_REGION
andCDKTF_AWS_PROFILE
environment variables to set your desired deployment region, and which AWS credentials profile to use.You will see the stack is created:
You will see that TF will update the resource in place, even though no actual changes were made. Note the
-> null
"changes":Debug Output
tf-apply-logs.zip
The ZIP archive contains two debug log files:
tf-apply.log
- logs for the first time the stack is applied (i.e. the ACL is created for the first time)tf-apply-again.log
- logs for the second time the stack is applied (i.e. here you can see the state drift)Note specifically in
tf-apply-again.log
(line 6376):Also see from lines 6377 - 6403.
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
No