hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: AWS WAF resource PANIC ERROR when updating a rule #33238

Closed luarx closed 5 months ago

luarx commented 10 months ago

Terraform Core Version

1.2.5

AWS Provider Version

4.56.0, 5.14.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

I want to modify a rate-limit rule value from 1500 to 1600 on an aws_wafv2_web_acl that is already created. When I apply it, it has to modify the rate-limit rule.

Note: Terraform says that it also has to modify the rule "AWS-AWSManagedRulesAmazonIpReputationList", but it has no change from my side, so it is weird. I suppose that is because of internal reasons...

Actual Behavior

It breaks, showing a critical error output located in the Debug Output section.

Relevant Error/Panic Output Snippet

Located in the section Debug Output

Terraform Configuration Files

resource "aws_wafv2_web_acl" "manolo" {
    provider = aws.us_east_1_region # Cloudfront scope needs this
    description   = "WAF ACL to protect manolo"
    name          = "manolo"
    scope         = "CLOUDFRONT"

    custom_response_body {
        content      = jsonencode(
            {
                error = "Rate limiting"
            }
        )
        content_type = "APPLICATION_JSON"
        key          = "LimitRequestsPer5min-blocked-reason"
    }

    default_action {
        allow {
        }
    }
    rule {
        name     = "LimitRequestsPer5min"
        priority = 1

        action {

            block {
                custom_response {
                    custom_response_body_key = "LimitRequestsPer5min-blocked-reason"
                    response_code            = 429
                }
            }
        }

        statement {

            rate_based_statement {
                aggregate_key_type = "IP"
                limit              = 1500
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name                = "LimitRequestsPer5min"
            sampled_requests_enabled   = true
        }
    }
    rule {
        name     = "AWS-AWSManagedRulesAmazonIpReputationList"
        priority = 0

        override_action {

            none {}
        }

        statement {

            managed_rule_group_statement {
                name        = "AWSManagedRulesAmazonIpReputationList"
                vendor_name = "AWS"

                rule_action_override {
                    name = "AWSManagedIPDDoSList"

                    action_to_use {

                        block {
                        }
                    }
                }
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
            sampled_requests_enabled   = true
        }
    }

    visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "manolo"
        sampled_requests_enabled   = true
    }
}

Steps to Reproduce

  1. Create the previous terraform resource (terraform apply)

  2. Modify the resource, setting a different rate-limit value, and apply (terraform apply). I changed 1500 -> 1600 like this:

    resource "aws_wafv2_web_acl" "manolo" {
    provider = aws.us_east_1_region # Cloudfront scope needs this
    description   = "WAF ACL to protect manolo"
    name          = "manolo"
    scope         = "CLOUDFRONT"
    
    custom_response_body {
        content      = jsonencode(
            {
                error = "Rate limiting"
            }
        )
        content_type = "APPLICATION_JSON"
        key          = "LimitRequestsPer5min-blocked-reason"
    }
    
    default_action {
        allow {
        }
    }
    rule {
        name     = "LimitRequestsPer5min"
        priority = 1
    
        action {
    
            block {
                custom_response {
                    custom_response_body_key = "LimitRequestsPer5min-blocked-reason"
                    response_code            = 429
                }
            }
        }
    
        statement {
    
            rate_based_statement {
                aggregate_key_type = "IP"
                limit              = 1600
            }
        }
    
        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name                = "LimitRequestsPer5min"
            sampled_requests_enabled   = true
        }
    }
    rule {
        name     = "AWS-AWSManagedRulesAmazonIpReputationList"
        priority = 0
    
        override_action {
    
            none {}
        }
    
        statement {
    
            managed_rule_group_statement {
                name        = "AWSManagedRulesAmazonIpReputationList"
                vendor_name = "AWS"
    
                rule_action_override {
                    name = "AWSManagedIPDDoSList"
    
                    action_to_use {
    
                        block {
                        }
                    }
                }
            }
        }
    
        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
            sampled_requests_enabled   = true
        }
    }
    
    visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "manolo"
        sampled_requests_enabled   = true
    }
    }
  3. The previous modification shows this terraform plan:

    # aws_wafv2_web_acl.manolo will be updated in-place
    ~ resource "aws_wafv2_web_acl" "manolo" {
        id            = "ecf683d9-cf4a-47ef-af4c-eeb5f253f3d9"
        name          = "manolo"
        tags          = {}
        # (7 unchanged attributes hidden)
    
      - rule {
          - name     = "LimitRequestsPer5min" -> null
          - priority = 1 -> null
    
          - action {
    
              - block {
                  - custom_response {
                      - custom_response_body_key = "LimitRequestsPer5min-blocked-reason" -> null
                      - response_code            = 429 -> null
                    }
                }
            }
    
          - statement {
    
              - rate_based_statement {
                  - aggregate_key_type = "IP" -> null
                  - limit              = 1500 -> null
                }
            }
    
          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "LimitRequestsPer5min" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "LimitRequestsPer5min"
          + priority = 1
    
          + action {
    
              + block {
                  + custom_response {
                      + custom_response_body_key = "LimitRequestsPer5min-blocked-reason"
                      + response_code            = 429
                    }
                }
            }
    
          + statement {
    
              + rate_based_statement {
                  + aggregate_key_type = "IP"
                  + limit              = 1600
                }
            }
    
          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "LimitRequestsPer5min"
              + sampled_requests_enabled   = true
            }
        }
      - rule {
          - name     = "AWS-AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 0 -> null
    
          - override_action {
    
              - none {}
            }
    
          - statement {
    
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null
    
                  - rule_action_override {
                      - name = "AWSManagedIPDDoSList" -> null
    
                      - action_to_use {
    
                          - block {
                            }
                        }
                    }
                }
            }
    
          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "AWS-AWSManagedRulesAmazonIpReputationList"
          + priority = 0
    
          + override_action {
    
              + none {}
            }
    
          + statement {
    
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
    
                  + rule_action_override {
                      + name = "AWSManagedIPDDoSList"
    
                      + action_to_use {
    
                          + block {
                            }
                        }
                    }
                }
            }
    
          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
              + sampled_requests_enabled   = true
            }
        }
    
        # (3 unchanged blocks hidden)
    }
  4. After accepting the previous plan by answering yes, IT BREAKS (see part of the output in the following section)

Debug Output

It is not complete because GitHub has a length limit:

│ "uri_path":cty.List(cty.EmptyObject)})), "size":cty.Number, "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "sqli_match_statement":cty.List(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "xss_match_statement":cty.List(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))}))}))})),
│ "regex_match_statement":cty.List(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "regex_string":cty.String, "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "regex_pattern_set_reference_statement":cty.List(cty.Object(map[string]cty.Type{"arn":cty.String,
│ "field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject), "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "size_constraint_statement":cty.List(cty.Object(map[string]cty.Type{"comparison_operator":cty.String,
│ "field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject), "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "size":cty.Number, "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "sqli_match_statement":cty.List(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "xss_match_statement":cty.List(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))}))}))})),
│ "regex_match_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "regex_string":cty.String, "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "regex_pattern_set_reference_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"arn":cty.String,
│ "field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject), "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "rule_group_reference_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"arn":cty.String,
│ "rule_action_override":cty.List(cty.Object(map[string]cty.Type{"action_to_use":cty.List(cty.Object(map[string]cty.Type{"allow":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})), "block":cty.List(cty.Object(map[string]cty.Type{"custom_response":cty.List(cty.Object(map[string]cty.Type{"custom_response_body_key":cty.String,
│ "response_code":cty.Number, "response_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})),
│ "captcha":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "challenge":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "count":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))}))})), "name":cty.String}))})), "size_constraint_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"comparison_operator":cty.String,
│ "field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject), "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "size":cty.Number, "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "sqli_match_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))})),
│ "xss_match_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject), "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String, "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String, "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject), "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))}))})}),
│ "visibility_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"cloudwatch_metrics_enabled":cty.True,
│ "metric_name":cty.StringVal("AWS-AWSManagedRulesAmazonIpReputationList"), "sampled_requests_enabled":cty.True})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
Releasing state lock. This may take a few moments...

Panic Output

In the Debug Output section

Important Factoids

I suspect the problem could be from the AWS side, as I received an email today in which they say:

We want to inform you about an update for automatic application layer mitigation rule group support in WAF WebACL for Shield Advanced customers.

Before August 30, 2023, Shield Advanced customers who enabled automatic application layer mitigation for their resources such as CloudFront and ALB saw the Shield mitigation rule group removed when a WAF webACL was updated using Infrastructure-as-code tools such as CloudFormation, CDK and Terraform. Some customers created a workaround to add the Shield Mitigation rule group in their WAF webACL configuration to work around the issue and make sure this rule was part of their configuration.

Starting today, if you use AWS CloudFormation to manage your web ACLs, do not add the 'Shield Advanced rule group' rule [1] to your web ACL template [2]. When you update a web ACL that is being used with your automatic mitigation protections, AWS WAF automatically manages the rule group rule in the web ACL.

References

No response

Would you like to implement a fix?

No

justinretzolk commented 10 months ago

Hey @luarx 👋 Thank you for taking the time to raise this! Can you supply a sample Terraform configuration that can be used to reproduce this issue?

luarx commented 10 months ago

Hi @justinretzolk ! Thanks for answering 🙏 I have added more information to the issue so that it is easier to follow and to reproduce!

The resource that I have shared has been created from scratch and modified in the same way that I have explained, to check that it is reproducible, and it breaks :( Hope that this error is not affecting a lot of people.

Let me know if you need more details!

ItaiCovver commented 10 months ago

This error is happening to me too! Oddly enough, there is no error in our CI flow, which runs on a standard ubuntu-latest GitHub Actions runner (amd64), but it fails locally on my M1 laptop.

captainfalcon23 commented 9 months ago

Hi @justinretzolk , I also encountered this issue today. The only addition I made was adding the "ip_set_forwarded_ip_config" block to an existing dynamic block.

Old "dynamic" block - works fine:

  dynamic "rule" {
    for_each = (var.bypass_ipv4_cidr_list != null) ? ["bypass_rule"] : []

    content {
      name     = local.bypass_v4_rule_name
      priority = local.bypass_v4_rule_priority

      statement {
        ip_set_reference_statement {
          arn = aws_wafv2_ip_set.bypass_ipv4_ip_set["bypass_set"].arn
        }
      }

      action {
        allow {}
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "${var.name}_${local.bypass_v4_rule_name}"
        sampled_requests_enabled   = true
      }
    }
  }

"New" dynamic block, throws error:

  dynamic "rule" {
    for_each = (var.bypass_ipv4_cidr_list != null) ? ["bypass_rule"] : []

    content {
      name     = local.bypass_v4_rule_name
      priority = local.bypass_v4_rule_priority

      statement {
        ip_set_reference_statement {
          arn = aws_wafv2_ip_set.bypass_ipv4_ip_set["bypass_set"].arn
          ip_set_forwarded_ip_config {
            fallback_behavior = "MATCH"
            header_name       = "X-Forwarded-For"
            position          = "FIRST"
          }
        }
      }

      action {
        allow {}
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "${var.name}_${local.bypass_v4_rule_name}"
        sampled_requests_enabled   = true
      }
    }
  }

The error:

 Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.environment.module.waf_v2_external.aws_wafv2_web_acl.web_acl to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
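
An added triage example (not code from this thread or from the provider project): the Python below pulls the resource address, the attribute path, the rule's `metric_name` and the populated statement types out of a `Provider produced inconsistent final plan` error, so the rule that failed to correlate can be identified without reading the cty dump. The sample input is constructed from the two error excerpts quoted in this thread, with the type dump shortened; all function and variable names are hypothetical.

```python
import re

# Leading box-drawing characters Terraform prints around diagnostics.
BOX_PREFIX = re.compile(r"^[\s│╷╵]+")
HEADER = "Provider produced inconsistent final plan"
RESOURCE = re.compile(r"expanding the plan for (\S+) to include")
PROVIDER = re.compile(r'provider "([^"]+)" produced an invalid new value for (\.[^\s:]+)')
METRIC = re.compile(r'"metric_name":cty\.StringVal\("([^"]*)"\)')
# A populated nested block is dumped as cty.ListVal(...); an unset one appears as
# cty.ListValEmpty(...) or as a bare type (cty.List(...)), neither of which matches.
POPULATED = re.compile(r'"(\w+_statement)":cty\.ListVal\(')

# Constructed sample: the two errors quoted in this thread, type dump shortened.
SAMPLE = '''\
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for aws_wafv2_web_acl.manolo to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element
│ cty.ObjectVal(map[string]cty.Value{"name":cty.StringVal("AWS-AWSManagedRulesAmazonIpReputationList"),
│ "statement":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"managed_rule_group_statement":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"name":cty.StringVal("AWSManagedRulesAmazonIpReputationList"), "vendor_name":cty.StringVal("AWS")})}),
│ "xss_match_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))}))})}),
│ "visibility_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"cloudwatch_metrics_enabled":cty.True,
│ "metric_name":cty.StringVal("AWS-AWSManagedRulesAmazonIpReputationList"), "sampled_requests_enabled":cty.True})})}) does not correlate with any element in actual.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.environment.module.waf_v2_external.aws_wafv2_web_acl.web_acl to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
'''


def unbox(text):
    """Drop the diagnostic box characters and join wrapped lines into one string."""
    lines = (BOX_PREFIX.sub("", line).rstrip() for line in text.splitlines())
    return " ".join(line for line in lines if line)


def parse_inconsistent_plans(text):
    """Return one summary dict per 'inconsistent final plan' error found in text."""
    findings = []
    for chunk in unbox(text).split("Error: ")[1:]:
        if not chunk.startswith(HEADER):
            continue  # some other diagnostic; not the failure discussed here
        res = RESOURCE.search(chunk)
        prov = PROVIDER.search(chunk)
        findings.append({
            "resource": res.group(1) if res else None,
            "provider": prov.group(1) if prov else None,
            "attribute": prov.group(2) if prov else None,
            # True when the message names a set element that could not be matched.
            "set_element_mismatch": "does not correlate with any element in actual" in chunk,
            "metric_names": sorted(set(METRIC.findall(chunk))),
            "populated_statements": sorted(set(POPULATED.findall(chunk))),
        })
    return findings


if __name__ == "__main__":
    for finding in parse_inconsistent_plans(SAMPLE):
        print(finding)
```
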

luarx commented 9 months ago

Are there any updates? 👀

thomasisaacsibille commented 9 months ago

We got the same issue

jslatterycnvrtr commented 9 months ago

I had a similar issue with terraform v1.3.0 and aws provider v5.19.0. Upgrading my terraform version to 1.6.0 resolved for me.

tormodmacleod commented 7 months ago

> I had a similar issue with terraform v1.3.0 and aws provider v5.19.0. Upgrading my terraform version to 1.6.0 resolved for me.

this also resolved my issue 🙂 thanks for the suggestion @jslatterycnvrtr

luarx commented 5 months ago

> Upgrading my terraform version to 1.6.0 resolved for me

This also helped me, so I would consider it the right answer and close the issue, thanks a lot @jslatterycnvrtr! 🙌

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.