aws_wafv2_web_acl - Error: Provider produced inconsistent final plan #23992

Closed
manfro3 opened this issue Apr 1, 2022 · 25 comments
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@manfro3

manfro3 commented Apr 1, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Related:

Terraform CLI and Terraform AWS Provider Version

Terraform version 1.1.7
provider registry.terraform.io/hashicorp/aws v4.8.0

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_wafv2_ip_set" "ip_whitelist" {
  name = "IP-whitelist"
  provider  = aws.virginia
  scope = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses = var.stage == "prod" || var.stage == "cons" ? ["xxx.xxx.xxx.xxx/32"] : ["0.0.0.0/1", "128.0.0.0/1"]
}

resource "aws_wafv2_web_acl" "whitelist_waf_acls" {
  name = "Whitelist-WAF-ACLs"
  provider = aws.virginia
  scope = "CLOUDFRONT"

  default_action {
    block {}
  }

  rule {
    name = "Whitelist-WAF-ACLs-rule"
    priority = 0

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement { 
        arn = aws_wafv2_ip_set.ip_whitelist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name = "Whitelist-WAF-ACLs-rule"
      sampled_requests_enabled = true
    }
  }

  rule {
    name     = "AWSManagedRulesBotControlRuleSet"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesBotControlRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAdminProtectionRuleSet"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 3

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAnonymousIpList"
    priority = 4

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 5

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 6

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 7

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name = "Whitelist-WAF-ACLs-metric"
    sampled_requests_enabled = true
  }

  tags = {
    Name = "whitelist_waf_acls"
  }

  depends_on = [aws_wafv2_ip_set.ip_whitelist]
}

Debug Output

Panic Output

Expected Behavior

I am trying to make an update to the config; this particular change is for removing tags.

Terraform will perform the following actions:

  # aws_wafv2_web_acl.whitelist_waf_acls will be updated in-place
  ~ resource "aws_wafv2_web_acl" "whitelist_waf_acls" {

        id         = "xxxxxx-xxxxxx-xxxxx-xxxxxx"

        name       = "Whitelist-WAF-ACLs"

      ~ tags       = {
          - "Application" = "xxxx" -> null
          - "Cost Center" = "xxxx" -> null
          - "Environment" = "dev" -> null
          - "Owner"       = "xxxxx@xxx.xx" -> null
          - "Project"     = "xxxxx" -> null
          - "TeamName"    = "xxxxx" -> null
          - "Entity" = "xxx" -> null
            # (1 unchanged element hidden)
        }
      ~ tags_all   = {
          - "Application" = "xxxx" -> null
          - "Cost Center" = "xxx" -> null
          - "Environment" = "dev" -> null
          - "Owner"       = "xxxx@xx.xx" -> null
          - "Project"     = "xxxx" -> null
          - "TeamName"    = "xxxx" -> null
          - "Entity" = "xxx" -> null
            # (1 unchanged element hidden)
        }

Actual Behavior

It does not deploy; it throws the error:

When expanding the plan for aws_wafv2_web_acl.whitelist_waf_acls to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element

cty.ObjectVal(map[string]cty.Value{"action":cty.ListValEmpty(cty.Object(map[string]cty.Type{"allow":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})), "block":cty.List(cty.Object(map[string]cty.Type{"custom_response":cty.List(cty.Object(map[string]cty.Type{"custom_response_body_key":cty.String, "response_code":cty.Number,
.
.
.
"text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))}))})}), "visibility_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"cloudwatch_metrics_enabled":cty.True, "metric_name":cty.StringVal("Whitelist-WAF-ACLs-menaged-rule"), "sampled_requests_enabled":cty.True})})}) does not correlate with any element in actual.

 This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Apr 1, 2022
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Apr 4, 2022
@b-dean
Contributor

b-dean commented Apr 5, 2022

I also was removing tags, I had moved some to the default tags for the provider

provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = {
      stack   = terraform.workspace
      purpose = "example"    
    }
  }
}

I found that if I do only that, it fails with the error you mentioned. But if I also make some other arbitrary change to the web acl rules, such as changing a rule priority slightly, then it does not fail.

@rabidscorpio

I'm getting this exact error when I change the description instead of the tags so this doesn't seem to be limited to updating tags.

@aholthagerty

Running into this issue on multiple environments. Current workaround for me is to just not modify any tags, which is only a short-term solution. Ideally, it looks like this just needs fixed.

@gurpalw

gurpalw commented Jul 26, 2022

This is happening to me on the latest 4.23.0 AWS provider version.

@chroju
Contributor

chroju commented Aug 5, 2022

Same issue here. I have tried to update default_tags, but Terraform has panicked with the same error message "When expanding the plan for aws_wafv2_web_acl.XXX to include new values...".

This may be related to #23423 and #24386. I work around the error by using ignore_changes, referring to the following link.

ref: #24386 (comment)

@Rumbles

Rumbles commented Aug 11, 2022

Every time we apply, we update a timestamp tag which is in the provider default tags. If there are changes to the WAF rules, we can apply without issues, but if the only change is a tag being updated we get this panic. I noticed this after upgrading this provider from v3 to v4. We haven't changed the use of aws_wafv2_web_acl, but now we get a HUGE error message (30+ pages of unhelpful error text) whenever we try to apply our resource without any changes (other than a minor tag update).

@aholthagerty

Bumping this to keep the bots at bay.

@unclok

unclok commented Sep 7, 2022

As a workaround, I've just changed the priority of the rules, so that Terraform also modifies the rules along with the tags.
I hope this problem will be fixed soon.

@jmeickle

Also impacted by this with v4.29.0, in this case "only" changing the default action from "block" to "allow":

Terraform will perform the following actions:

  # module.cloudfront_wafv2.aws_wafv2_web_acl.main will be updated in-place
  ~ resource "aws_wafv2_web_acl" "main" {
        id          = "3a01400a-0c69-443a-a1b2-629a3156587c"
        name        = "frontend-production-cloudfront-app-waf"
        tags        = {}
        # (6 unchanged attributes hidden)

      ~ default_action {
          + allow {
            }

          - block {
            }
        }


        # (10 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

@stevenwilliamson

To add I am hitting this same error on almost every change. Using provider "hashicorp/aws v4.50.0"

My workaround is to change the priority of all of the rules and then the change will apply which is awkward as the number of rules increases.

Anecdotally I only started to see this issue after migrating from exclude to rule_action_override blocks for the managed rule group statement.

@amitsamal94

When can this be fixed?

@adrian-is-on-github

adrian-is-on-github commented Feb 8, 2023

Came here to post that changing one of the waf rule priorities manually, then running plan/apply succeeded for me as a workaround (AWS Provider v4.52.0).

(Edit: AWS Provider 4.52.0)

@Rumbles

Rumbles commented Feb 8, 2023

Came here to post that changing one of the waf rule priorities manually, then running plan/apply succeeded for me as a workaround (AWS Provider v2.52.0 ).

Yes the nature of the issue is if there are NO changes and you apply you get this error, if there are any changes that are required, there is no issue

But making manual changes so that an automated process does not error isn't ideal

@adrian-is-on-github

Agreed - not ideal. In my case we have 19 similar environments with only two encountering this error.

@bemillenium

bemillenium commented Feb 14, 2023

I also face this issue when I try to add more rules by using the dynamic block.

Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.waf_alb.aws_wafv2_web_acl.this to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element
│ cty.ObjectVal(map[string]cty.Value{"action":cty.ListValEmpty(cty.Object(map[string]cty.Type{"allow":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "block":cty.List(cty.Object(map[string]cty.Type{"custom_response":cty.List(cty.Object(map[string]cty.Type{"custom_response_body_key":cty.String,
│ "response_code":cty.Number, "response_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})),
│ "captcha":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "challenge":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "count":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,

@hypsrizzari

To add I am hitting this same error on almost every change. Using provider "hashicorp/aws v4.50.0"

My workaround is to change the priority of all of the rules and then the change will apply which is awkward as the number of rules increases.

Anecdotally I only started to see this issue after migrating from exclude to rule_action_override blocks for the managed rule group statement.

@stevenwilliamson

I had the same issue. See this comment which worked for me. Hope it helps. Kudos to the author.

#28191 (comment)

@apagliara
Contributor

Upgrading terraform to 1.4.x fixed this for me

@Rumbles

Rumbles commented Mar 28, 2023 via email

@Rumbles

Rumbles commented Apr 4, 2023

Looks like I was wrong, the errors in the pipeline last week must have been from something else. I was able to apply the same resource with no changes without a stack trace being generated. But it looks like it's because it is applying changes to the waf each time, regardless of whether there are real changes. But regardless, the stack traces have stopped for now.

@YakDriver
Member

YakDriver commented Jul 13, 2023

NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).

For more details see #23992 (comment) and #28672 (comment).

I had no problems (no errors or inconsistent final plans) with these configurations. I applied Config 1 (tags + default tags), then Config 2 (exact same except it removes tags, removes default tags), then Config 1 again. (Region must be us-east-1.)

Using:

  • Terraform v1.5.2
  • AWS Provider v5.7.0

Config 1

provider "aws" {
  default_tags {
    tags = {
      fine_night = "tonight"
      fine_day   = "tomorrow"
    }
  }
}

resource "aws_wafv2_ip_set" "test" {
  name               = "wafv23992test"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["1.2.3.4/32", "5.6.7.8/32"]
}

resource "aws_wafv2_web_acl" "test" {
  name  = "wafv23992test"
  scope = "CLOUDFRONT"

  default_action {
    block {}
  }

  rule {
    name     = "Whitelist-WAF-ACLs-rule"
    priority = 0

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement { 
        arn = aws_wafv2_ip_set.test.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesBotControlRuleSet"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesBotControlRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAdminProtectionRuleSet"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 3

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAnonymousIpList"
    priority = 4

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 5

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 6

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 7

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name = "Whitelist-WAF-ACLs-metric"
    sampled_requests_enabled = true
  }

  tags = {
    Name        = "wafv23992test"
    Application = "wafv23992test"
    Cost        = "wafv23992test"
    Environment = "wafv23992test"
    Owner       = "wafv23992test"
    Project     = "wafv23992test"
    TeamName    = "wafv23992test"
    Entity      = "wafv23992test"
  }

  depends_on = [aws_wafv2_ip_set.test]
}

Config 2

resource "aws_wafv2_ip_set" "test" {
  name               = "wafv23992test"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["1.2.3.4/32", "5.6.7.8/32"]
}

resource "aws_wafv2_web_acl" "test" {
  name  = "wafv23992test"
  scope = "CLOUDFRONT"

  default_action {
    block {}
  }

  rule {
    name     = "Whitelist-WAF-ACLs-rule"
    priority = 0

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement { 
        arn = aws_wafv2_ip_set.test.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesBotControlRuleSet"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesBotControlRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAdminProtectionRuleSet"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 3

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAnonymousIpList"
    priority = 4

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 5

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 6

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 7

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-WAF-ACLs-menaged-rule"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "Whitelist-WAF-ACLs-metric"
    sampled_requests_enabled   = true
  }

  depends_on = [aws_wafv2_ip_set.test]
}

@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 13, 2023
@88lexd

88lexd commented Jul 14, 2023

Using my sample code and reproduction steps, this is still occurring; see issue: #28672

I am also using AWS provider v5.8.0

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 14, 2023
@YakDriver
Member

@88lexd Thank you for feedback. See my response here.

Based on a combination of changes in Terraform core and the AWS provider, we believe these issues have been resolved. But, the fix requires that you upgrade to Terraform v1.4+ and the AWS provider v5.7.0+.

@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 17, 2023
@justinretzolk
Member

Hi all 👋 As was mentioned above, this issue appears to be fixed when using a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later). If you experience additional unexpected behaviors with versions that meet these parameters, please open a new issue so that we can investigate further.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 20, 2023
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 20, 2023
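
A pre-apply check for the pattern reported in this thread (an in-place `aws_wafv2_web_acl` update that leaves `rule` unchanged, planned with a Terraform version below the 1.4.2 minimum the maintainers give), as an added example that is not code from the issue or from the provider project. It reads the JSON form of a saved plan as produced by `terraform show -json`; the function names and the sample plan are constructed for illustration.

```python
import json
import sys

MIN_TERRAFORM = (1, 4, 2)  # minimum Terraform version quoted by the maintainers in this thread


def parse_version(text):
    """'1.1.7' -> (1, 1, 7); a pre-release suffix such as '-rc1' is dropped."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def changed_attributes(change):
    """Top-level attributes whose planned value differs from the prior state.
    Values unknown until apply are absent from 'after', so they count as changed."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def risky_web_acl_updates(plan):
    """Map address -> changed attributes for web ACL updates that do not touch `rule`."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_wafv2_web_acl" or change.get("actions") != ["update"]:
            continue
        attrs = changed_attributes(change)
        if attrs and "rule" not in attrs:
            findings[rc["address"]] = attrs
    return findings


def terraform_too_old(plan, minimum=MIN_TERRAFORM):
    return parse_version(plan.get("terraform_version", "0")) < minimum


# Constructed sample plan (not real output); resource names follow the original report.
_RULES = [{"name": "Whitelist-WAF-ACLs-rule", "priority": 0}]
SAMPLE_PLAN = {
    "terraform_version": "1.1.7",
    "resource_changes": [
        {   # tags-only update, the case from the original report: flagged
            "address": "aws_wafv2_web_acl.whitelist_waf_acls",
            "type": "aws_wafv2_web_acl",
            "change": {
                "actions": ["update"],
                "before": {"name": "Whitelist-WAF-ACLs", "rule": _RULES,
                           "tags": {"Name": "whitelist_waf_acls", "Environment": "dev"},
                           "tags_all": {"Name": "whitelist_waf_acls", "Environment": "dev"}},
                "after": {"name": "Whitelist-WAF-ACLs", "rule": _RULES,
                          "tags": {"Name": "whitelist_waf_acls"},
                          "tags_all": {"Name": "whitelist_waf_acls"}},
            },
        },
        {   # tag change together with a rule priority change: not flagged
            "address": "aws_wafv2_web_acl.with_rule_change",
            "type": "aws_wafv2_web_acl",
            "change": {
                "actions": ["update"],
                "before": {"rule": _RULES, "tags": {"Environment": "dev"}},
                "after": {"rule": [{"name": "Whitelist-WAF-ACLs-rule", "priority": 1}],
                          "tags": {}},
            },
        },
        {   # other resource types are ignored
            "address": "aws_wafv2_ip_set.ip_whitelist",
            "type": "aws_wafv2_ip_set",
            "change": {"actions": ["update"],
                       "before": {"tags": {"Environment": "dev"}}, "after": {"tags": {}}},
        },
    ],
}


def main(argv):
    plan = SAMPLE_PLAN
    if len(argv) > 1:  # path to the output of `terraform show -json <planfile>`
        with open(argv[1]) as fh:
            plan = json.load(fh)
    findings = risky_web_acl_updates(plan)
    for address, attrs in findings.items():
        print(f"{address}: in-place update of {', '.join(attrs)} with no rule change")
    if findings and terraform_too_old(plan):
        print("Terraform is below 1.4.2; upgrade before applying this plan")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This check covers only the Terraform core version recorded in the plan; the AWS provider minimum mentioned by the maintainers has to be verified separately.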