hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: AWS aws_wafv2_web_acl rule and_statement syntax in terraform #38127

Closed mcksatish closed 2 days ago

mcksatish commented 3 days ago

Terraform Core Version

v1.8.4

AWS Provider Version

v5.55.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

WAF rules should have been created

Actual Behavior

Error occurring when running terraform plan.

Relevant Error/Panic Output Snippet

Terraform can determine which modules and providers need to be installed.
╷
│ Error: Missing key/value separator
│ 
│ On waf.tf line 249: Expected an equals sign ("=") to mark the beginning of
│ the attribute value.
╵

Error: Process completed with exit code 1.

Terraform Configuration Files

rule {
    name     = "my-block-post-requests-content-type-application-json"
    priority = 7

    action {
      block {}
    }

    statement {
      and_statement {
        statements = [
          {
            byte_match_statement = {
              field_to_match {
                method {}
              }
              positional_constraint = CONTAINS
              search_string         = POST
              text_transformation {
                priority = 0
                type     = NONE
              }
            }
          },
          {
            not_statement {
              statement {
                byte_match_statement {
                  search_string = "application/json"
                  field_to_match {
                    single_header {
                      name = "content-type"
                    }
                  }
                  positional_constraint = CONTAINS
                  search_string         = POST
                  text_transformation {
                    priority = 0
                    type     = NONE
                  }
                }
              }
            }
          }
        ]
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.solution}-${var.environment}-block-post-requests-content-type-application-json"
      sampled_requests_enabled   = true
    }
  }

Steps to Reproduce

I want to create a WAF rule to block any POST request that does not have Content-Type: application/json. Please create any aws_wafv2_web_acl resource and try to create a rule using the rule configuration code that I have given above. The challenge here is that Hashicorp's documentation for this resource does not contain a full example of defining a WAF rule with and_statement - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#and_statement-block

I have made all changes as per terraform validate, but it still gives an error.

I have raised the same issue on Stack Overflow - https://stackoverflow.com/questions/78666296/aws-aws-wafv2-web-acl-rule-and-statement-syntax-in-terraform

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 3 days ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 2 days ago

Hey @mcksatish 👋 Thank you for taking the time to raise this! We use Issues in this repository to track feature enhancements and bugs in the AWS Provider. To maintain that, we ask that broader questions are raised using one of the Community Resources, such as the AWS Provider forum. With that in mind, I'm going to close this issue, but do have one suggestion before I do.

Without a complete example configuration, I unfortunately can't run terraform validate to check this, but the documentation for the and_statement block mentions:

A logical rule statement used to combine other rule statements with AND logic. You provide more than one statement within the and_statement.

With that in mind, your example configuration should read:

resource "aws_wafv2_web_acl" "example" {
  # ...omitted for brevity...
  statement {
    and_statement {
      # Each operand of the AND is its own nested statement block
      statement {
        byte_match_statement {
          field_to_match {
            method {}
          }
          positional_constraint = "CONTAINS"
          search_string         = "POST"
          text_transformation {
            priority = 0
            type     = "NONE"
          }
        }
      }

      statement {
        not_statement {
          statement {
            byte_match_statement {
              # search_string may be assigned only once per block; the
              # duplicate "POST" assignment from the original has been dropped
              search_string = "application/json"
              field_to_match {
                single_header {
                  name = "content-type"
                }
              }
              positional_constraint = "CONTAINS"
              text_transformation {
                priority = 0
                type     = "NONE"
              }
            }
          }
        }
      }
    }
  }
}
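The following is an added, complete configuration illustrating the point made in the reply above (and the rule the reporter described): and_statement takes repeated nested statement blocks, not a statements list, and attribute values must be quoted strings. It is not code from the issue, the provider documentation or the project; the resource names, region, REGIONAL scope, the EXACTLY constraint on the method check and the LOWERCASE transformation on the header check are assumptions made for this example.

```hcl
# Added example, not from the issue or the provider: a web ACL whose single
# rule blocks POST requests unless Content-Type contains "application/json".
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.55"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

resource "aws_wafv2_web_acl" "example" {
  name  = "example-json-only-post" # assumed name
  scope = "REGIONAL"               # assumed; CLOUDFRONT for CloudFront distributions

  default_action {
    allow {}
  }

  rule {
    name     = "block-post-without-json-content-type"
    priority = 7

    action {
      block {}
    }

    # and_statement holds two or more nested `statement` blocks. There is no
    # `statements = [...]` attribute, which is what produced the
    # "Missing key/value separator" error in this issue.
    statement {
      and_statement {
        # Operand 1: the request method is POST (EXACTLY is an assumption;
        # the original used CONTAINS).
        statement {
          byte_match_statement {
            field_to_match {
              method {}
            }
            positional_constraint = "EXACTLY"
            search_string         = "POST"
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }

        # Operand 2: Content-Type does NOT contain application/json. A request
        # with no Content-Type header never matches the inner byte_match, so
        # not_statement treats such POSTs as a hit as well.
        statement {
          not_statement {
            statement {
              byte_match_statement {
                field_to_match {
                  single_header {
                    name = "content-type" # header names must be lowercase here
                  }
                }
                positional_constraint = "CONTAINS"
                search_string         = "application/json"
                text_transformation {
                  priority = 0
                  type     = "LOWERCASE" # assumption: also match "Application/JSON"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-post-without-json-content-type"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-json-only-post"
    sampled_requests_enabled   = true
  }
}
```

Run terraform init followed by terraform validate to confirm the HCL parses and the block structure matches the provider schema before running terraform plan. When rolling a rule like this out, it is safer to start with action { count {} } instead of block {} and review the sampled requests in CloudWatch: legitimate clients that send a bare Content-Type or a vendor media type would otherwise be cut off the moment the ACL is associated.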

github-actions[bot] commented 2 days ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.