Updates to rules inside wafv2 web acl forces recreation for all rules

[m-eitan]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform version: 1.2.2
provider registry.terraform.io/hashicorp/aws v4.21.0

Affected Resource(s)

• aws_wafv2_web_acl

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_wafv2_web_acl" "example" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

Expected Behavior

Terraform plan output will only show the affected rules, and not show all rules each time a change in a rule is introduced.

Actual Behavior

Terraform shows all the rules being recreated.

Steps to Reproduce

1. terraform apply
2. Comment out the entire "rule-2" dynamic block.
3. terraform apply
4. Notice that rule-1 is marked in the plan to be deleted and created.

References

Issue 13936 (linked below) seems to be the same problem but in that ticket it was fixed in version 3 of the provider, maybe changes between version 3 and 4 of the provider changed this behavior.

• [WAFv2] Resource aws_wafv2_web_acl is recreated on any changes to the rules #13936

[houdinisparks]

Facing the same problem as well, I am using dynamic blocks to conditionally create the rules and whenever I add / remove a rule, the rest of the rules seem to be recreated, screenshot below with a terraform plan (via terragrunt):

[ewbankkit]

This seems to be the same underlying problem as #23992 and friends.

[greyvugrin]

Experiencing this as well, linked issue says it should be resolved by:

a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later)

but am seeing with:

Terraform v1.6.5 on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.40.0

and also after upgrading to:

Terraform v1.6.5 on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.40.0

In my case it's with hardcoded rules, not dynamic. Happy to open a related issue if that's the protocol to follow. Thanks!

[lyricsboy]

We're having this problem too, which makes it very hard to understand if the WAF rules are actually changing when we review PRs with terraform plans posted to them with a large diff that indicates rules are being removed/recreated.

I don't know much about the implementation details, but I did look into the provider code a bit, and it appears that the WAF rules are being stored in memory as a Set, which is unordered:

https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/wafv2/web_acl.go#L289-L290

Looking at the API response for aws wafv2 get-web-acl it appears to return the rules in order of their Priority. However, even if I order my rule set by priority in the terraform code, it still shows a similar diff on plan.

Could this be fixed by using an ordered list data structure to store the rules in the provider implementation?

[djakielski]

I had also this problem without any code or aws changes

[slackboxster]

I'm encountering this with the following:

Terraform v1.10.1
on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.81.0

I have a mixture of custom and managed waf rules. In my most recent apply, I had 5 managed rules (already applied in the past), 1 custom rule (applied in past), and 1 new custom rule I was adding. The diff showed 4 of the 5 managed rules being removed and being added back, as well as my new rule.

[kneufeld-pbp]

We are having the same issue. We also tried ordering the rules by priority, but the plan shows a difference when we expect no changes.

Terraform v1.10.3
on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.82.2

[kneufeld-pbp]

Additional details: This issue appears specific to the managed_rule_group_statement blocks for Terraform v1.10.3 and provider registry.terraform.io/hashicorp/aws v5.82.2.

Initial deployment

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_wafv2_ip_set.fixture[0] will be created
  + resource "aws_wafv2_ip_set" "fixture" {
      + addresses          = [
          + "1.2.3.4/32",
          + "5.6.7.8/32",
        ]
      + arn                = (known after apply)
      + description        = "Example IP set"
      + id                 = (known after apply)
      + ip_address_version = "IPV4"
      + lock_token         = (known after apply)
      + name               = "terratest-kpn"
      + scope              = "REGIONAL"
      + tags               = {
          + "name" = "terratest-kpn"
        }
    }

  # aws_wafv2_regex_pattern_set.fixture[0] will be created
  + resource "aws_wafv2_regex_pattern_set" "fixture" {
      + arn         = (known after apply)
      + description = "Example regex pattern set"
      + id          = (known after apply)
      + lock_token  = (known after apply)
      + name        = "terratest-kpn"
      + scope       = "REGIONAL"
      + tags        = {
          + "name" = "terratest-kpn"
        }
      + regular_expression {
          + regex_string = "one"
        }
      + regular_expression {
          + regex_string = "two"
        }
    }

  # module.waf_regional[0].aws_wafv2_web_acl.default[0] will be created
  + resource "aws_wafv2_web_acl" "default" {
      + application_integration_url = (known after apply)
      + arn                         = (known after apply)
      + capacity                    = (known after apply)
      + description                 = "terratest-kpn"
      + id                          = (known after apply)
      + lock_token                  = (known after apply)
      + name                        = "terratest-kpn"
      + scope                       = (known after apply)
      + tags                        = {
          + "name" = "terratest-kpn"
        }
      + token_domains               = (known after apply)

      + custom_response_body (known after apply)

      + default_action {
          + allow (known after apply)
          + block (known after apply)
        }

      + rule (known after apply)

      + visibility_config {
          + cloudwatch_metrics_enabled = false
          + metric_name                = "terratest-kpn-main-metrics"
          + sampled_requests_enabled   = false
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.

PLAN after deployment

aws_wafv2_ip_set.fixture[0]: Refreshing state... [id=4e05f17b-cd3b-4fc1-bb23-01347e7c6ddc]
aws_wafv2_regex_pattern_set.fixture[0]: Refreshing state... [id=ae7b8f45-3003-4f7b-8c91-8d91b685bde4]
module.waf_regional[0].aws_wafv2_web_acl.default[0]: Refreshing state... [id=f8e08bfe-cdc7-4983-b59d-540bf6dd2f6a]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.waf_regional[0].aws_wafv2_web_acl.default[0] has changed
  ~ resource "aws_wafv2_web_acl" "default" {
        id                          = "f8e08bfe-cdc7-4983-b59d-540bf6dd2f6a"
        name                        = "terratest-kpn"
        tags                        = {
            "name" = "terratest-kpn"
        }
        # (8 unchanged attributes hidden)

      - rule {
          - name     = "AWSManagedRulesBotControlRuleSet" -> null
          - priority = 10 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesBotControlRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)

                  - managed_rule_group_configs {
                        # (2 unchanged attributes hidden)

                      - aws_managed_rules_bot_control_rule_set {
                          - enable_machine_learning = true -> null
                          - inspection_level        = "COMMON" -> null
                        }
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesBotControlRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "AWSManagedRulesBotControlRuleSet"
          + priority = 10

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesBotControlRuleSet"
                  + vendor_name = "AWS"
                    # (1 unchanged attribute hidden)

                  + managed_rule_group_configs {
                        # (2 unchanged attributes hidden)

                      + aws_managed_rules_bot_control_rule_set {
                          + enable_machine_learning = false
                          + inspection_level        = "COMMON"
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesBotControlRuleSet"
              + sampled_requests_enabled   = true
            }
        }

        # (7 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.waf_regional[0].aws_wafv2_web_acl.default[0] will be updated in-place
  ~ resource "aws_wafv2_web_acl" "default" {
        id                          = "f8e08bfe-cdc7-4983-b59d-540bf6dd2f6a"
        name                        = "terratest-kpn"
        tags                        = {
            "name" = "terratest-kpn"
        }
        # (9 unchanged attributes hidden)

      - rule {
          - name     = "AWSManagedRulesBotControlRuleSet" -> null
          - priority = 10 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesBotControlRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)

                  - managed_rule_group_configs {
                        # (2 unchanged attributes hidden)

                      - aws_managed_rules_bot_control_rule_set {
                          - enable_machine_learning = false -> null
                          - inspection_level        = "COMMON" -> null
                        }
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesBotControlRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesCommonRuleSet" -> null
          - priority = 11 -> null

          - override_action {
              - count {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesCommonRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesCommonRuleSet-metric" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesKnownBadInputsRuleSet" -> null
          - priority = 12 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesKnownBadInputsRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesKnownBadInputsRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "AWSManagedRulesBotControlRuleSet"
          + priority = 10

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesBotControlRuleSet"
                  + vendor_name = "AWS"
                    # (1 unchanged attribute hidden)

                  + managed_rule_group_configs {
                        # (2 unchanged attributes hidden)

                      + aws_managed_rules_bot_control_rule_set {
                          + enable_machine_learning = true
                          + inspection_level        = "COMMON"
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesBotControlRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesCommonRuleSet"
          + priority = 11

          + override_action {
              + count {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesCommonRuleSet-metric"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesKnownBadInputsRuleSet"
          + priority = 12

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesKnownBadInputsRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
              + sampled_requests_enabled   = true
            }
        }

        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

If there is more than one managed rule, the PLAN always show terraform recreating the managed rules.

[donaldgray]

Any movement on this? Still seeing with

Terraform v1.11.2
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v5.94.1