hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_wafv2_web_acl rules are deleted even when ignore_changes is set #39281

Closed iret-m-murakami closed 1 week ago

iret-m-murakami commented 2 months ago

Terraform Core Version

1.5.7

AWS Provider Version

5.65.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

Rule and rule groups added outside Terraform are retained

Actual Behavior

Rules were deleted

Relevant Error/Panic Output Snippet

No error is produced

Terraform Configuration Files

terraform {
  required_version = "~> 1.5.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "webacl" {
  lifecycle {
    ignore_changes = [rule]
  }
  name  = "test-waf"
  scope = "REGIONAL"

  default_action {
    allow {}
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "test-waf"
    sampled_requests_enabled   = true
  }
}

Steps to Reproduce

  1. Create a Web ACL with no rule using the Terraform configuration file. Note that rule is in the ignore_changes list.

  2. Add a rule and/or rule group to the Web ACL via the AWS console. The type of rule (rule/rule group/managed rule group) doesn't matter, e.g. AWSManagedRulesCommonRuleSet.

  3. Change another attribute of the Web ACL via the AWS console, e.g. change sampled requests from true -> false.

  4. Execute terraform apply -refresh-only. This is unnecessary to reproduce the issue, but just to make sure state refresh is performed.

aws_wafv2_web_acl.webacl: Refreshing state... [id=d9d57833-2e71-46ec-8077-8e257a917abd]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # aws_wafv2_web_acl.webacl has changed
  ~ resource "aws_wafv2_web_acl" "webacl" {
      ~ capacity                    = 0 -> 700
        id                          = "d9d57833-2e71-46ec-8077-8e257a917abd"
      ~ lock_token                  = "662c9eac-ed16-4d36-8dcf-2875acd10f99" -> "eabdbaf7-10c5-4779-9583-4f7ad3106b28"
        name                        = "test-waf"
      + tags                        = {}
      + token_domains               = []
        # (6 unchanged attributes hidden)

      ~ visibility_config {
          ~ sampled_requests_enabled   = true -> false
            # (2 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }
  1. Apply again with terraform apply

    aws_wafv2_web_acl.webacl: Refreshing state... [id=d9d57833-2e71-46ec-8077-8e257a917abd]

    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      ~ update in-place

    Terraform will perform the following actions:

      # aws_wafv2_web_acl.webacl will be updated in-place
      ~ resource "aws_wafv2_web_acl" "webacl" {
            id                          = "d9d57833-2e71-46ec-8077-8e257a917abd"
            name                        = "test-waf"
            tags                        = {}
            # (9 unchanged attributes hidden)

          ~ visibility_config {
              ~ sampled_requests_enabled   = false -> true
                # (2 unchanged attributes hidden)
            }

            # (1 unchanged block hidden)
        }

    Plan: 0 to add, 1 to change, 0 to destroy.

No changes to the rules are shown.

7. Check Web ACL rules
All the rules/rule groups are deregistered from the Web ACL.

---
Another way to reproduce:
1. Import an existing Web ACL with rules
2. Update the Web ACL with terraform apply

---
The same issue was observed with newer versions.
Terraform Core Version: 1.9.2
AWS Provider Version: 5.66.0

### Debug Output

_No response_

### Panic Output

_No response_

### Important Factoids

_No response_

### References

_No response_

### Would you like to implement a fix?

None
github-actions[bot] commented 2 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 1 week ago

Hey @iret-m-murakami 👋 Thank you for taking the time to raise this! I can see why you would expect the aws_wafv2_web_acl resource to behave in the way that you're describing, but that's not quite how the ignore_changes meta-argument works. With ignore_changes in place, Terraform will ignore any changes that it detects to the given argument(s) when detecting drift, but that doesn't necessarily guarantee that those values won't be modified at all.

Looking at the supplied plan output, Terraform isn't reporting a drift for rule, but is detecting drift on visibility_config.sampled_requests_enabled, which Terraform is attempting to correct. The reference for the upstream API that's used has the following note:

This operation completely replaces the mutable specifications that you already have for the web ACL with the ones that you provide to this call.

Because of how the upstream API operates, the value set for rule must be included in the UpdateWebACL call. In your case, that value is unset, which is causing the rule(s) to be removed.

There are a couple of ways to get around this. The first would be to define any expected rules in rule block(s), adhering more strictly to Terraform's declarative nature. If this isn't possible for some reason, and the ignore_changes route must be taken, you'll need to ensure that no other values are attempted to be updated, given the note from the upstream API above. From my personal perspective, that direction severely limits the utility of managing the Web ACL with Terraform, but I recognize that a confluence of the upstream API's limitations and potential organizational limitations might force you into taking that path.

If the upstream API were to change such that the above note was no longer relevant, we'd be happy to look into this again. As it stands, however, this appears to be working as expected. With that in mind, since there's no action for the AWS Provider team to take at this time, I'm going to close this issue. If you encounter any other unexpected behavior, please do let us know!
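The first workaround described above, declaring the rules in the configuration instead of ignoring them, applied to the issue's own Web ACL as an added example (not code from the issue or from the provider); the rule name, priority and rule metric name are assumptions:

```hcl
resource "aws_wafv2_web_acl" "webacl" {
  name  = "test-waf"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Declare the rule explicitly rather than listing rule under ignore_changes.
  # Because UpdateWebACL replaces the whole mutable specification, the provider
  # now sends this rule on every update, so correcting drift in another
  # attribute (e.g. sampled_requests_enabled) no longer strips the rule set.
  rule {
    name     = "aws-managed-common" # assumed name
    priority = 1                    # assumed priority

    # Managed rule groups use override_action, not action.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common" # assumed metric name
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "test-waf"
    sampled_requests_enabled   = true
  }
}
```

With the rule declared, a rule added only in the console shows up as drift in the plan instead of being silently removed, so the desired rule set is visible in review rather than lost on the next apply.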

github-actions[bot] commented 1 week ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.