WAF - 2 bugs since 0.9.6 - Optional fields accidentally now required #1107

Closed
ventz opened this issue Jul 11, 2017 · 5 comments
Labels
bug Addresses a defect in current functionality.

Comments

ventz commented Jul 11, 2017

Hi there,

Summary of the problem:

It looks like the OPTIONAL 'data' field in the AWS WAF "SQL Injection Match", and "XSS Match" is required to have a value that's not empty, even when the field is not required.

Terraform Version

Terraform v0.9.6
and
Terraform v0.9.11

Affected Resource(s)

aws_waf_sql_injection_match_set
aws_waf_xss_match_set

Terraform Configuration Files

There are two that have the same issue (optional field now required):


resource "aws_waf_rule" "WAFSqlInjectionRule" {
    depends_on = ["aws_waf_sql_injection_match_set.WAFSqlInjectionDetection"]
    name = "SQL Injection Rule"
    metric_name = "SecurityAutomationsSqlInjectionRule"
    predicates {
        data_id = "${aws_waf_sql_injection_match_set.WAFSqlInjectionDetection.id}"
        negated = false
        type = "SqlInjectionMatch"
    }
}

resource "aws_waf_sql_injection_match_set" "WAFSqlInjectionDetection" {
    name = "SQL Injection Detection"

    sql_injection_match_tuples {
        text_transformation = "URL_DECODE"
        field_to_match {
          type = "QUERY_STRING"
        }
    }
    sql_injection_match_tuples {
        text_transformation = "HTML_ENTITY_DECODE"
        field_to_match {
          type = "QUERY_STRING"
        }
    }
    sql_injection_match_tuples {
        text_transformation = "URL_DECODE"
        field_to_match {
          type = "BODY"
        }
    }
    sql_injection_match_tuples {
        text_transformation = "HTML_ENTITY_DECODE"
        field_to_match {
          type = "BODY"
        }
    }
    sql_injection_match_tuples {
        text_transformation = "URL_DECODE"
        field_to_match {
          type = "URI"
        }
    }
    sql_injection_match_tuples {
        text_transformation = "HTML_ENTITY_DECODE"
        field_to_match {
          type = "URI"
        }
    }
}

The other problem with the XSS is:

resource "aws_waf_rule" "WAFXssRule" {
    depends_on = ["aws_waf_xss_match_set.WAFXssDetection"]
    name = "XSS Rule"
    metric_name = "SecurityAutomationsXssRule"
    predicates {
        data_id = "${aws_waf_xss_match_set.WAFXssDetection.id}"
        negated = false
        type = "XssMatch"
    }
}

resource "aws_waf_xss_match_set" "WAFXssDetection" {
    name = "XSS Detection Detection"
    xss_match_tuples {
        text_transformation = "URL_DECODE"
        field_to_match {
            type = "QUERY_STRING"
        }
    }
    xss_match_tuples {
        text_transformation = "HTML_ENTITY_DECODE"
        field_to_match {
            type = "QUERY_STRING"
        }
    }
    xss_match_tuples {
        text_transformation = "URL_DECODE"
        field_to_match {
            type = "BODY"
        }
    }
    xss_match_tuples {
        text_transformation = "HTML_ENTITY_DECODE"
        field_to_match {
            type = "BODY"
        }
    }
    xss_match_tuples {
        text_transformation = "URL_DECODE"
        field_to_match {
            type = "URI"
        }
    }
    xss_match_tuples {
        text_transformation = "HTML_ENTITY_DECODE"
        field_to_match {
            type = "URI"
        }
    }
}

Expected Behavior

It should work because PER Amazon's docs (and Terraforms) the "data" field is completely optional:

https://www.terraform.io/docs/providers/aws/r/waf_sql_injection_match_set.html#data

and

https://www.terraform.io/docs/providers/aws/r/waf_xss_match_set.html#data

Actual Behavior

It failed with:

* aws_waf_sql_injection_match_set.WAFSqlInjectionDetection: [ERROR] Error updating SqlInjectionMatchSet: [ERROR] Error updating SqlInjectionMatchSet: ValidationException: 6 validation errors detected: Value '' at 'updates.1.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.2.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.3.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.4.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.5.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.6.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1
	status code: 400, request id: 2a9a2e66-65db-11e7-84ae-b3e05f29fbe4
* aws_waf_xss_match_set.WAFXssDetection: 1 error(s) occurred:

and

* aws_waf_xss_match_set.WAFXssDetection: [ERROR] Error updating XssMatchSet: [ERROR] Error updating XssMatchSet: ValidationException: 6 validation errors detected: Value '' at 'updates.1.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.2.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.3.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.4.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.5.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updates.6.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1
	status code: 400, request id: 2aba6099-65db-11e7-84ae-b3e05f29fbe4

Steps to Reproduce

  1. terraform apply

Important Factoids

If you add the optional "data" field with "SOME-JUNK-VALUE" it works. As long as it's not an empty string. Again, this should not be required.

References

N/A
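The failure quoted above is a serialization problem, not a WAF problem: the provider copied the optional `data` attribute into the request unconditionally, so an unset attribute (which Terraform's schema exposes as the empty string) was sent as `Data: ""`, and the API rejects any present `Data` shorter than one character. The Go program below is an added illustration written for this page, not code from terraform-provider-aws or the AWS SDK. It uses a local `FieldToMatch` stand-in for the SDK request type (an assumption about its JSON shape), places a buggy expand function beside the corrected one, and runs a validator that approximates the server-side constraint from the error message. The `HEADER` tuple and the rule that `HEADER` is the one type that needs `Data` come from the AWS WAF `FieldToMatch` documentation, not from this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// FieldToMatch is a local stand-in (assumption) for the AWS WAF classic
// FieldToMatch request member. Type is required; Data carries the header
// name when Type is HEADER and must be omitted for the other types.
type FieldToMatch struct {
	Type string  `json:"Type"`
	Data *string `json:"Data,omitempty"`
}

// expandFieldToMatchBuggy reproduces the defect reported in this issue:
// the optional "data" attribute is copied unconditionally. Terraform's
// schema yields "" for an unset optional string, so the request carries
// Data: "" and the API rejects it (length must be >= 1).
func expandFieldToMatchBuggy(m map[string]interface{}) FieldToMatch {
	data, _ := m["data"].(string) // "" when the attribute was not set
	return FieldToMatch{Type: m["type"].(string), Data: &data}
}

// expandFieldToMatchFixed sets Data only when the user supplied a
// non-empty value, so unset "data" is omitted from the request entirely.
func expandFieldToMatchFixed(m map[string]interface{}) FieldToMatch {
	f := FieldToMatch{Type: m["type"].(string)}
	if v, ok := m["data"].(string); ok && v != "" {
		f.Data = &v
	}
	return f
}

// validateFieldToMatch approximates the server-side checks. The first rule
// is the constraint quoted in the issue's ValidationException; the second
// (HEADER requires a header name) follows the AWS FieldToMatch docs and is
// an addition beyond what the issue shows.
func validateFieldToMatch(index int, f FieldToMatch) []string {
	var errs []string
	if f.Data != nil && len(*f.Data) < 1 {
		errs = append(errs, fmt.Sprintf(
			"Value '' at 'updates.%d.member.matchTuple.field.data' failed to satisfy constraint: Member must have length greater than or equal to 1",
			index))
	}
	if f.Type == "HEADER" && (f.Data == nil || *f.Data == "") {
		errs = append(errs, fmt.Sprintf(
			"updates.%d.member.matchTuple.field: HEADER requires Data (the header name)", index))
	}
	return errs
}

// marshal returns the JSON that would be sent for one tuple's field,
// which is what makes the Data: "" problem visible.
func marshal(f FieldToMatch) string {
	b, _ := json.Marshal(f)
	return string(b)
}

func main() {
	// Constructed sample input: the three field types from the issue with
	// "data" left unset, plus one HEADER tuple that legitimately needs Data.
	tuples := []map[string]interface{}{
		{"type": "QUERY_STRING", "data": ""},
		{"type": "BODY", "data": ""},
		{"type": "URI", "data": ""},
		{"type": "HEADER", "data": "cookie"},
	}
	for i, t := range tuples {
		buggy := expandFieldToMatchBuggy(t)
		fixed := expandFieldToMatchFixed(t)
		fmt.Printf("tuple %d: buggy=%s fixed=%s\n", i+1, marshal(buggy), marshal(fixed))
		if errs := validateFieldToMatch(i+1, buggy); len(errs) > 0 {
			fmt.Println("  rejected: " + strings.Join(errs, "; "))
		}
	}
}
```

Running it shows `{"Type":"URI","Data":""}` from the buggy path against `{"Type":"URI"}` from the fixed one; only the former trips the length check. The `data = "SOME-JUNK-VALUE"` workaround mentioned in the report works for the same reason: a non-empty `Data` satisfies the length constraint, and for non-`HEADER` types the value is not used for matching, so the rule still behaves as intended while the provider is unpatched.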

ventz added a commit to cerbo/aws-waf-security-automation that referenced this issue Jul 11, 2017
…and xss detection rule creation to deal with a bug since 0.9.6 and present in 0.9.11 -- see here: hashicorp/terraform-provider-aws#1107
@stack72 stack72 added the bug Addresses a defect in current functionality. label Jul 11, 2017
nicwise commented Jul 13, 2017

👍 for this.

edify42 commented Jul 13, 2017

I've found the objects are still created when you leave out the 'data' field.
To make it work, I statically copied each 'data_id' from the ID field of each match set from the state file. Copying the reference afterwards meant no changes to state. Manual and painful but it's a 'workaround'

nicwise commented Jul 13, 2017

Thanks @edify42 - do you have a quick snippet of that? I was going to use data = "none" as per https://github.com/cerbo/aws-waf-security-automation/blob/master/wafsqlinjectiondetection.tf

radeksimko (Member) commented

Closing as duplicate of #966

Full explanation in #966 (comment)
Bugfix was shipped with version 0.1.2 of this provider.

@radeksimko radeksimko marked this as a duplicate of #966 Jul 16, 2017
ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020