[Enhancement]: Add support for Custom keys and Count all rate-limiting criteria in WAF

[lkoniecz]

Description

Rate limiting only supports 2 out of 4 possible aggregation criteria:
https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/wafv2_web_acl#aggregate_key_type

Affected Resource(s) and/or Data Source(s)

aws_wafv2_web_acl

Potential Terraform Configuration

No response

References

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-options.html

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[mldevpants]

We had a feature request with AWS for this, I stopped Nginx in favor of this feature, but I cannot do terraform for it.
The import works great BTW, but it cannot be applied since the provider does not recognize the CUSTOM_KEYS.

[cesarcelism]

We had a feature request with AWS for this, I stopped Nginx in favor of this feature, but I cannot do terraform for it. The import works great BTW, but it cannot be applied since the provider does not recognize the CUSTOM_KEYS.

Besides the aggregate_key_type, also it needs to be explicit which will be the aggregate key. The SDK provides RateBasedStatementCustomKey data type to achieve that.

[peter-hippo]

A workaround for now when creating a new resource is to do the WAF rule based upon "IP", terraform everything, then manually change to CUSTOM_KEYS + whatever settings, then updating the TF code to say "CUSTOM_KEYS" and there is no diff. It's not perfect but this way one can create the resource with TF and maintain the main lifecycle of it.

[matthewbae]

@peter-hippo how did you get around the errors when doing terraform plan? I see these errors:

Error: expected rule.1.statement.0.rate_based_statement.0.aggregate_key_type to be one of [IP FORWARDED_IP], got CUSTOM_KEYS

[sakaru]

@matthewbae Are you using the latest version of the aws provider? I had the same issue using 4.64.0. After a bump to 5.10.0 (then the latest version) it went away.

[matthewbae]

Thanks @sakaru. I'm on 4.30.0, so I'll give a bump to the latest version!

[luqmanMohammed]

Any ETA on the availability of this feature?

[github-actions]

This functionality has been released in v5.19.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.