Error when referencing AWS WAFv2 IP set ARN in WebACL rule

[Viswajenny]

Description

WAF web acl rule fails when created by aws_wafv2_web_acl resource. Works well from the aws console.

• Terraform Core Version: ~>1.6.0

• AWS Provider Version: >= 5.25.0

• Affected Resource(s): aws_wafv2_web_acl, aws_wafv2_ip_set

Expected Behavior

The WebACL rule that refers the AWS WAFv2 IP set ARN should be successfully created or updated and AWS resources (WebACL and IP set)should be provisioned in AWS with the terraform configuration, and manually creating the same resources in the AWS Management Console works without issues.

Actual Behavior

experiencing the below issue while referencing an AWS WAFv2 IP set ARN in a WebACL rule

Error: updating WAFv2 WebACL (XXXXXXX): WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement { RespMetadata: { StatusCode: 400, RequestID: "XXXXX" }, Field: "RULE", Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement", Parameter: "Statement", Reason: "A reference in your rule statement is not valid." }

Relevant Error/Panic Output Snippet

Terraform Configuration Files

Title: Error when referencing AWS WAFv2 IP set ARN in WebACL rule

Description: I am encountering an issue when referencing an AWS WAFv2 IP set ARN in a WebACL rule using Terraform. The ARN is valid, and the same configuration works when manually set up in the AWS Management Console, but it fails during Terraform apply.

Terraform Configuration:

resource "aws_wafv2_web_acl" "rate-limiter" {
  # ... other configurations

  rule {
    name     = "allow-from-yaxxa"
    priority = 3
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.yaxxa_ip_set.arn
      }
    }
    # ... other configurations
  }

  # ... other configurations
}

resource "aws_wafv2_ip_set" "yaxxa_ip_set" {
  # ... other configurations
}

Steps to Reproduce

• Created a resource(aws_wafv2_ip_set) using the above code
• Referencing the ip_set arn in WebACL rule
• Run Terraform Apply
• Observe the above Issue

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @Viswajenny 👋 Thank you for taking the time to raise this! Are you able to supply debug logs (redacted as needed) in case whoever picks this up needs that information?

[Viswajenny]

Hi @justinretzolk, Thank you for responding back, please find the logs below.

run-4seB8VaxgWp41kar-apply-log.txt