hashicorp / vscode-terraform

HashiCorp Terraform VSCode extension
https://marketplace.visualstudio.com/items?itemName=HashiCorp.terraform
Mozilla Public License 2.0

Terraform Linter reports error with WAFv2 rule_action_override but matches documentation #1785

Open cwoollard opened 1 week ago

cwoollard commented 1 week ago

Extension Version

v2.30.2

VS Code Version

Version: 1.90.2 (Universal)
Commit: 5437499feb04f7a586f677b155b039bc2b3669eb
Date: 2024-06-18T22:37:41.291Z
Electron: 29.4.0
ElectronBuildId: 9728852
Chromium: 122.0.6261.156
Node.js: 20.9.0
V8: 12.2.281.27-electron.0
OS: Darwin arm64 23.5.0

Operating System

macOS Sonoma 14.5

Terraform Version

Terraform v1.9.0 on darwin_arm64

Steps to Reproduce

resource "aws_wafv2_web_acl" "api_waf" {
  name        = "test-waf"
  description = "Test WAF Ruleset"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 7

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        rule_action_override {
          action_to_use {
            count {}
          }
          name = "SizeRestrictions_QUERYSTRING"
        }

        rule_action_override {
          action_to_use {
            count {}
          }
          name = "NoUserAgent_HEADER"
        }

        rule_action_override {
          action_to_use {
            count {}
          }
          name = "SizeRestrictions_BODY"
        }

        rule_action_override {
          action_to_use {
            count {}
          }
          name = "CrossSiteScripting_BODY"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "test-waf-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "test-waf"
    sampled_requests_enabled   = true
  }

}

Expected Behavior

The code matches the current documentation. Why is the linter reporting an issue?

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html

Actual Behavior

If you run Terraform validate from the command line, there is no issue. If you apply the code, there is no issue.

Why is the linter reporting this error?

Unexpected block: Blocks of type "rule_action_override" are not expected here
Terraform
No quick fixes available

dbanck commented 1 week ago

Hi @cwoollard! I'm not able to reproduce the bug with the extension version you mentioned.

The extended validation feature uses provider schemas to determine which blocks and attributes are expected in a given context. We have two sources of provider schemas: 1) bundled with the extension and 2) obtained from Terraform CLI. The bundled schema contains the `rule_action_override` blocks, so I can't reproduce the error.

Can you please check if you have a local installation of the aws provider and if so, which version? We always prefer a local installation as it is usually closer to the required version of the provider.
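
The kind of check described in the comment above, as an added illustration (not the extension's code): walk a provider schema in the JSON shape printed by `terraform providers schema -json` and report the first nested block it does not define. The two schemas are constructed, trimmed samples, and `make_sample` and `first_unexpected_block` are hypothetical names.

```python
import json

AWS = "registry.terraform.io/hashicorp/aws"

def make_sample(managed_group_children):
    """Build a constructed, heavily trimmed schema document in the shape of
    `terraform providers schema -json` output (real schemas are far larger)."""
    def nest(name, children):
        return {name: {"nesting_mode": "list", "block": {"block_types": children}}}
    leaf = {c: {"nesting_mode": "list", "block": {}} for c in managed_group_children}
    tree = nest("rule", nest("statement", nest("managed_rule_group_statement", leaf)))
    return json.dumps({"format_version": "1.0", "provider_schemas": {AWS: {
        "resource_schemas": {"aws_wafv2_web_acl": {
            "version": 0, "block": {"block_types": tree}}}}}})

def first_unexpected_block(schema_json, resource, path, provider=AWS):
    """Walk nested block types; return the first block name the schema does not
    define at that position, or None when the whole path is expected."""
    doc = json.loads(schema_json)
    try:
        block = doc["provider_schemas"][provider]["resource_schemas"][resource]["block"]
    except KeyError as missing:
        raise LookupError(f"schema has no entry for {missing}") from None
    for name in path:
        child = block.get("block_types", {}).get(name)
        if child is None:
            return name          # this is where a validator would flag the block
        block = child.get("block", {})
    return None

# Block nesting taken from the configuration in the issue.
PATH = ["rule", "statement", "managed_rule_group_statement", "rule_action_override"]
# Constructed schemas: one lacking the block, one defining it.
WITHOUT_BLOCK = make_sample(["scope_down_statement"])
WITH_BLOCK = make_sample(["scope_down_statement", "rule_action_override"])

if __name__ == "__main__":
    for label, schema in (("without", WITHOUT_BLOCK), ("with", WITH_BLOCK)):
        print(label, "->", first_unexpected_block(schema, "aws_wafv2_web_acl", PATH))
```

Running `terraform providers schema -json` in the affected module and passing its output to `first_unexpected_block` shows whether the locally installed provider's schema defines the block.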

cwoollard commented 1 week ago

Terraform v1.9.0 on darwin_arm64

I have also tried upgrading to the latest, and that still gives me the issue.

terraform version
Terraform v1.9.0 on darwin_arm64

cwoollard commented 1 week ago

Here is a screenshot of the issue.

dbanck commented 1 week ago

Thanks for checking! That's odd.

Can you hover over the resource and check the reported version?

cwoollard commented 1 week ago

It says 4.35. I guess it is picking up another version from somewhere.

Do you know where it might be pulling that from?

cwoollard commented 1 week ago

Question. Does anyone know how this plugin works out which provider to use? I suspect it is deciding based on something in a higher directory in the tree. Yet it doesn't seem to be clear exactly how and where it has made that decision.