[WAFv2] aws_wafv2_web_acl capacity attribute's value is not updated correctly

[uyggnodoow]

Description

Hello 👋

It's not clear if this is actually an issue with Terraform, here are the issues I've encountered.

• Terraform Core Version : 1.7.5
• AWS Provider Version : 5.72.1
• Affected Resource(s) : webACL

---

We removed a few rules through the WAF deployment using terraform.

Before deployment, the WebACL's WCUs is 2630, but the rule removal should reduce the WCUs by 1000 or so.

I actually deployed it, and it looks fine in the AWS management console: (2630 - > 1645)

However, in the CLI, it looks like this

Plan: 0 to add, 1 to change, 0 to destroy.

Changes to Outputs:
  ~ aws_wafv2_capacity                         = 2630 -> 2645

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_wafv2_web_acl.this: Modifying... [id=]
aws_wafv2_web_acl.this: Modifications complete after 4s [id=]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

aws_wafv2_arn = ""
aws_wafv2_capacity = 2645

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @uyggnodoow 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to review this, can you provide a sample Terraform configuration that can be used to reproduce this and/or debug logging (redacted as needed)?

[uyggnodoow]

Hey @justinretzolk

Thanks for response. The Terraform modules I'm using are listed below. You can refer to the examples folder to configure your rules.

• https://registry.terraform.io/modules/aws-ss/wafv2/aws/latest

[justinretzolk]

Thanks for that information @uyggnodoow. One more question before I remove the needs-triage label and let the team or community prioritize this as we're able to: if you run terraform apply again, is the value updated to the correct value?

[uyggnodoow]

Hello, @justinretzolk

I apologize for the delay in responding.

It does not show 'No Changes' even though there is no change in the policy. It shows the change in 'aws_wafv2_capacity'.

# terragrunt plan
...

aws_wafv2_web_acl.this: Refreshing state... [id=67db98df-342f-42c5-9395-5d6fee941e7a]
aws_wafv2_web_acl_logging_configuration.this[0]: Refreshing state... [id=arn:aws:wafv2:ap-northeast-2::regional/webacl//67db98df-342f-42c5-9395-5d6fee941e7a]

Changes to Outputs:
  ~ aws_wafv2_capacity                         = 2630 -> 1630

You can apply this plan to save these new output values to the Terraform
state, without changing any real infrastructure.

# terragrunt apply
...
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

aws_wafv2_arn = "arn:aws:wafv2:ap-northeast-2::regional/webacl//67db98df-342f-42c5-9395-5d6fee941e7a"
aws_wafv2_capacity = 1630