umotif-public / terraform-aws-waf-webaclv2

Terraform module to configure WAF V2 Web ACL with managed rules for Application Load Balancer
https://registry.terraform.io/modules/umotif-public/waf-webaclv2/aws

4.6.0-4.6.1 broken rate-based statement #105

Closed ahrys-serve closed 1 year ago

ahrys-serve commented 1 year ago

What is the current behavior?

module "waf-regional" {
  source  = "umotif-public/waf-webaclv2/aws"
  count   = var.waf_regional_enable ? 1 : 0
  version = "4.6.1" # Fixed to 4.5.0 due to the bug with rate-limit in 4.6.x
  description = "${local.env_name_and_namespace} Default Web Application Firewall for ALB"
  name_prefix = "${local.env_name_and_namespace}-Regional-WAFv2"
  scope = "REGIONAL"
  create_alb_association = false
  allow_default_action = true # set to allow if not specified

  rules = [
    {
      name     = "Rate-Limit"
      priority = 3
      rate_based_statement = {
        limit              = 500
        aggregate_key_type = "IP"
      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        metric_name                = "RateLimit"
        sampled_requests_enabled   = true
      }
      action = "block"
    }
  ]
}

│ Error: Invalid index
│ 
│   on .terraform/modules/waf-regional/main.tf line 2533, in resource "aws_wafv2_web_acl" "main":
│ 2533:               for_each = contains(keys(rate_based_statement.value), "scope_down_statement") && rate_based_statement.value["scope_down_statement"] != null ? [lookup(rate_based_statement.value, "scope_down_statement", {})] : []
│     ├────────────────
│     │ rate_based_statement.value is object with 2 attributes
│ 
│ The given key does not identify an element in this collection value.
╵

Error points here -> && rate_based_statement.value["scope_down_statement"]

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

The example above is enough to reproduce.

What is the expected behavior?

Terraform plan should pass.

Software versions?

Terraform v1.5.0 on darwin_arm64

nrglv commented 1 year ago

same problem

tropnikovvl commented 1 year ago

This works for me

      rate_based_statement = {
        limit              = 1000
        aggregate_key_type = "IP"
        scope_down_statement = null
      }
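
The error output above shows the index `rate_based_statement.value["scope_down_statement"]` being evaluated on an object that has no such key. As an added illustration (not the module's own code; `local.rules`, `local.scope_down_blocks` and the output name are hypothetical), this stand-alone configuration reads the optional key with `try()` so that an omitted key, an explicit `null`, and a populated value are all handled:

```hcl
# Added example: all names below are hypothetical and the rule data is constructed.
locals {
  rules = [
    {
      # Key omitted entirely, as in the report above.
      name = "omitted"
      rate_based_statement = {
        limit              = 500
        aggregate_key_type = "IP"
      }
    },
    {
      # Key present but null, as in the workaround above.
      name = "explicit-null"
      rate_based_statement = {
        limit                = 1000
        aggregate_key_type   = "IP"
        scope_down_statement = null
      }
    },
    {
      # Key present with a value (constructed sample).
      name = "populated"
      rate_based_statement = {
        limit              = 1000
        aggregate_key_type = "IP"
        scope_down_statement = {
          geo_match_statement = { country_codes = ["US"] }
        }
      }
    },
  ]

  # try() turns the missing-attribute error into null, and the inner
  # "for ... if" drops null, giving a zero- or one-element collection
  # of the kind a dynamic block's for_each expects.
  scope_down_blocks = {
    for r in local.rules :
    r.name => [
      for s in [try(r.rate_based_statement.scope_down_statement, null)] : s
      if s != null
    ]
  }
}

# Number of scope_down_statement blocks each rule would produce.
output "scope_down_block_count" {
  value = { for name, blocks in local.scope_down_blocks : name => length(blocks) }
}
```

Running `terraform plan` in a directory containing only this file evaluates the expression for all three rule shapes without touching any provider.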