
[Bug]: aws_wafv2_web_acl error setting aws_managed_rules_bot_control_rule_set #28808

Closed
jmsantorum opened this issue Jan 10, 2023 · 6 comments · Fixed by #28810
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Milestone

Comments

@jmsantorum
Contributor

Terraform Core Version

1.1.7

AWS Provider Version

4.49.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

Be able to create an ACL defining the aws_managed_rules_bot_control_rule_set section

Actual Behavior

Terraform throws an error saying that the config is not present

Relevant Error/Panic Output Snippet

Terraform will perform the following actions:

  # aws_wafv2_web_acl.this will be updated in-place
  ~ resource "aws_wafv2_web_acl" "this" {
        id         = "XXX"
        name       = "XXX"
        # (5 unchanged attributes hidden)


        + rule {
          + name     = "AWS-AWSManagedRulesBotControlRuleSet"
          + priority = 0

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesBotControlRuleSet"
                  + vendor_name = "AWS"

                  + managed_rule_group_configs {
                      + aws_managed_rules_bot_control_rule_set {
                          + inspection_level = "TARGETED"
                        }
                    }

                  + rule_action_override {
                      + name = "CategoryContentFetcher"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "CategoryHttpLibrary"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "CategoryMonitoring"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "SignalKnownBotDataCenter"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "SignalNonBrowserUserAgent"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "TGT_VolumetricIpTokenAbsent"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "TGT_VolumetricSession"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "TGT_SignalAutomatedBrowser"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                  + rule_action_override {
                      + name = "TGT_SignalBrowserInconsistency"

                      + action_to_use {

                          + count {
                            }
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWS-AWSManagedRulesBotControlRuleSet"
              + sampled_requests_enabled   = true
            }
        }
     
        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_wafv2_web_acl.this: Modifying... [id=XXX]
╷
│ Error: updating WAFv2 WebACL (XXX): WAFInvalidParameterException: Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: MANAGED_RULE_GROUP_CONFIG, parameter: ManagedRuleGroupConfig
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "XXX"
│   },
│   Field: "MANAGED_RULE_GROUP_CONFIG",
│   Message_: "Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: MANAGED_RULE_GROUP_CONFIG, parameter: ManagedRuleGroupConfig",
│   Parameter: "ManagedRuleGroupConfig",
│   Reason: "You have used none or multiple values for a field that requires exactly one value."
│ }
│
│   with aws_wafv2_web_acl.this,
│   on waf.tf line 24, in resource "aws_wafv2_web_acl" "this":
│   24: resource "aws_wafv2_web_acl" "this" {

Terraform Configuration Files

This is the short version of the Terraform code I have

terraform {
  required_version = "1.1.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1"
}

resource "aws_wafv2_web_acl" "cloudfront_acl" {
  name  = "cloudfront-acl"
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesBotControlRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesBotControlRuleSet"
        vendor_name = "AWS"

        managed_rule_group_configs {
          aws_managed_rules_bot_control_rule_set {
            inspection_level = "TARGETED" # <== The issue is here
          }
        }

        rule_action_override {
          name = "CategoryContentFetcher"

          action_to_use {
            count {}
          }
        }

        rule_action_override {
          name = "TGT_SignalBrowserInconsistency"

          action_to_use {
            count {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesBotControlRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cloudfront"
    sampled_requests_enabled   = true
  }
}

Steps to Reproduce

When I apply the shared config the error arises, but if I remove the managed_rule_group_configs section it works.

Looking through the code it seems there is a typo that makes the request not well-formed.

if v, ok := m["aws_managed_rules_bot_rule_set"].([]interface{}); ok && len(v) > 0 {

I think instead of aws_managed_rules_bot_rule_set it should be aws_managed_rules_bot_control_rule_set as it is here

m["aws_managed_rules_bot_control_rule_set"] = flattenManagedRulesBotControlRuleSet(config.AWSManagedRulesBotControlRuleSet)

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes
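To show the class of defect described in the report (the expand side reading a nested block under a misspelled schema key, so the API struct is sent with no member set and the service rejects it with EXACTLY_ONE_CONDITION_REQUIRED), here is an added Go example that is not the provider's code. The BotControlConfig and ManagedRuleGroupConfig types are hypothetical stand-ins for the AWS SDK structs, and the block maps mimic the []interface{} shape the Terraform plugin SDK hands to expand functions. The same expand function is run with the misspelled key and with the correct one, and a local exactly-one check plus a flatten round trip catches the mismatch before anything reaches the API.

```go
package main

import (
	"errors"
	"fmt"
)

// Schema key names as they appear in the issue; the second one is the typo.
const (
	keyBotControl      = "aws_managed_rules_bot_control_rule_set"
	keyBotControlTypo  = "aws_managed_rules_bot_rule_set"
	keyInspectionLevel = "inspection_level"
)

// BotControlConfig is a hypothetical stand-in for the SDK's AWSManagedRulesBotControlRuleSet.
type BotControlConfig struct {
	InspectionLevel string
}

// ManagedRuleGroupConfig is a hypothetical stand-in for the SDK's ManagedRuleGroupConfig.
// The WAF API requires exactly one of its member fields to be populated.
type ManagedRuleGroupConfig struct {
	AWSManagedRulesBotControlRuleSet *BotControlConfig
}

// expandManagedRuleGroupConfig builds the API struct from the Terraform block map,
// reading the nested block under lookupKey. keyBotControlTypo reproduces the bug
// (nothing is found, nothing is set); keyBotControl is the corrected lookup.
func expandManagedRuleGroupConfig(m map[string]interface{}, lookupKey string) ManagedRuleGroupConfig {
	var out ManagedRuleGroupConfig
	if v, ok := m[lookupKey].([]interface{}); ok && len(v) > 0 {
		inner, _ := v[0].(map[string]interface{})
		level, _ := inner[keyInspectionLevel].(string)
		out.AWSManagedRulesBotControlRuleSet = &BotControlConfig{InspectionLevel: level}
	}
	return out
}

// flattenManagedRuleGroupConfig is the inverse: API struct back into the block map.
// It writes under the correct key, which is why expand and flatten must agree.
func flattenManagedRuleGroupConfig(c ManagedRuleGroupConfig) map[string]interface{} {
	m := map[string]interface{}{}
	if c.AWSManagedRulesBotControlRuleSet != nil {
		m[keyBotControl] = []interface{}{
			map[string]interface{}{keyInspectionLevel: c.AWSManagedRulesBotControlRuleSet.InspectionLevel},
		}
	}
	return m
}

// validateExactlyOne mirrors the service-side EXACTLY_ONE_CONDITION_REQUIRED rule locally,
// so a malformed struct is caught in a unit test instead of at apply time.
func validateExactlyOne(c ManagedRuleGroupConfig) error {
	set := 0
	if c.AWSManagedRulesBotControlRuleSet != nil {
		set++
	}
	if set != 1 {
		return errors.New("EXACTLY_ONE_CONDITION_REQUIRED: ManagedRuleGroupConfig")
	}
	return nil
}

// roundTrip expands with the given key, validates, and flattens back, returning the
// inspection level that survives the trip or the validation error.
func roundTrip(block map[string]interface{}, lookupKey string) (string, error) {
	cfg := expandManagedRuleGroupConfig(block, lookupKey)
	if err := validateExactlyOne(cfg); err != nil {
		return "", err
	}
	back := flattenManagedRuleGroupConfig(cfg)
	v := back[keyBotControl].([]interface{})
	return v[0].(map[string]interface{})[keyInspectionLevel].(string), nil
}

func main() {
	// Constructed input: the block from the issue's configuration, as the SDK would present it.
	block := map[string]interface{}{
		keyBotControl: []interface{}{map[string]interface{}{keyInspectionLevel: "TARGETED"}},
	}
	for _, key := range []string{keyBotControlTypo, keyBotControl} {
		level, err := roundTrip(block, key)
		fmt.Printf("lookup %q -> level=%q err=%v\n", key, level, err)
	}
}
```

The round-trip test is the check worth keeping in a provider: expand what flatten produces and flatten what expand produces, and any key that differs between the two functions fails the test locally rather than as a 400 from the service after a partially applied plan.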

@jmsantorum jmsantorum added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jan 10, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Jan 10, 2023
jmsantorum added a commit to jmsantorum/terraform-provider-aws that referenced this issue Jan 10, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Jan 11, 2023
@amitsamal94

amitsamal94 commented Jan 13, 2023

+1, facing the same issue. When can this be fixed ?

@javiln8
Contributor

javiln8 commented Jan 20, 2023

+1, the PR that originally added this configuration did not test the use-case for adding the bot control feature 😭

johnsonaj added a commit that referenced this issue Jan 24, 2023
fix(wafv2): fix issue creating aws_wafv2_web_acl #28808
@github-actions github-actions bot added this to the v4.52.0 milestone Jan 24, 2023
@github-actions

This functionality has been released in v4.52.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@justinas-b

error is still present though :/

...

Initializing provider plugins...
- Installing hashicorp/aws v4.52.0...
- Installed hashicorp/aws v4.52.0 (self-signed, key ID 34365D9472D7468F)

...

Error: updating WAFv2 WebACL (c63007a4-1df7-464f-a1e9-641bb0497496): WAFInvalidParameterException: Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: FIELD_TO_MATCH, parameter: FieldToMatch
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "cccf7fb9-9e47-409c-ad5b-03bc47f70b47"
  },
  Field: "FIELD_TO_MATCH",
  Message_: "Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: FIELD_TO_MATCH, parameter: FieldToMatch",
  Parameter: "FieldToMatch",
  Reason: "You have used none or multiple values for a field that requires exactly one value."
}

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 27, 2023