Adding rate based rule to regional WAF #4174

Closed
mkohn opened this issue Apr 11, 2018 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service.


mkohn commented Apr 11, 2018

Hi there,

Terraform Version

terraform -v
Terraform v0.11.7
+ provider.aws v1.14.0

Affected Resource(s)

  • aws_wafregional_web_acl
  • aws_wafregional_rate_based_rule

Terraform Configuration Files

resource "aws_wafregional_web_acl" "regional_acl" {
  name        = "${var.tag_application} ${var.environment} WAF ACL"
  metric_name = "${var.tag_application}${var.environment}WAFACL"

  default_action {
    type = "ALLOW"
  }
  rule = [
    {
      action {
        type = "${var.action_blacklist}"
      }

      priority = 1
      rule_id  = "${aws_wafregional_rate_based_rule.rate_limiting.id}"
    }
  ]
}

resource "aws_wafregional_ipset" "rate_limiting" {
  name = "Rate Limiting ${var.tag_application} ${var.environment}"
}

resource "aws_wafregional_rate_based_rule" "rate_limiting" {
  name        = "Rate Limiting ${var.tag_application} ${var.environment}"
  metric_name = "RateLimiting${var.tag_application}${var.environment}"

  rate_key   = "IP"
  rate_limit = "${var.waf_ratelimit}"

  predicate {
    data_id = "${aws_wafregional_ipset.rate_limiting.id}"
    negated = false
    type    = "IPMatch"
  }
}

Debug Output

~/scratch/temp  terraform init
Initializing modules...
- module.WAF
  Getting source "../../git/m-waf/"

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "aws" (1.14.0)...
terr
Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
 mkohn@eleanor  ~/scratch/temp  terraform -v
Terraform v0.11.7
+ provider.aws v1.14.0

* module.WAF.aws_wafregional_web_acl.regional_acl: 1 error(s) occurred:

* aws_wafregional_web_acl.regional_acl: Error Updating WAF Regional ACL: Error Updating WAF Regional ACL: WAFInvalidOperationException: Operation is invalid for this entity.
	status code: 400, request id: 27cfb65c-3d97-11e8-b5a6-d7d2dd5acce8

Expected Behavior

Attach WAF Regional Rate based rule to the WAF Regional ACL

Important Factoids

What I think is that Terraform does not support rate based rules getting added to regional_acl for WAF. The global WAF has this parameter: https://www.terraform.io/docs/providers/aws/r/waf_web_acl.html#type-1 where when you look on this page, https://www.terraform.io/docs/providers/aws/r/wafregional_web_acl.html it's missing that section.

Can someone help me validate my theory?

@thereverendtom

You are correct - I ran into the same issue. Terraform does not support adding rate based rules to regional_acl at this time.

Author

mkohn commented Apr 11, 2018

So basically if I'm understanding this, you can create the regional rate based rule but not add it to the ACL. Can I request an enhancement?

@thereverendtom

Yep - that's what I'm seeing. I created this ticket related to my issue: #4079. It looks like waf_regional support was just added, as was support for rate based rules with regular waf. So, my guess is the two just haven't caught up and an enhancement is required.

Author

mkohn commented Apr 12, 2018

Cool, my searches missed that item. Guess I will just wait. Thanks

omeid added a commit to omeid/terraform-provider-aws that referenced this issue Apr 22, 2018
This commit adds rule type support so that Rate Limit rules
could be used along with REGULAR rules.

Closes hashicorp#4079 hashicorp#4174 hashicorp#4052
@radeksimko radeksimko added enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service. labels Apr 24, 2018
@bflad bflad added this to the v1.25.0 milestone Jun 25, 2018
Contributor

bflad commented Jun 25, 2018

The aws_wafregional_web_acl resource support for rule type has been merged into master via #4978 and will release with version 1.25.0 of the AWS provider, likely middle of this week. Please note you must configure this new attribute for RATE_BASED rules.

@bflad bflad closed this as completed Jun 25, 2018
Contributor

bflad commented Jun 27, 2018

This has been released in version 1.25.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
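
Added example, not part of the original thread or the provider's own documentation: the configuration from the issue with the rule `type` attribute set, which AWS provider 1.25.0 and later require for RATE_BASED rules. It keeps the issue's variable names (assumed to be declared elsewhere) and leaves out the IP set predicate, an assumption made here so that every request is counted toward the limit.

```hcl
# Added example in Terraform 0.11 syntax; requires AWS provider >= 1.25.0.
provider "aws" {
  version = "~> 1.25"
}

resource "aws_wafregional_rate_based_rule" "rate_limiting" {
  name        = "Rate Limiting ${var.tag_application} ${var.environment}"
  metric_name = "RateLimiting${var.tag_application}${var.environment}"

  rate_key   = "IP"
  rate_limit = "${var.waf_ratelimit}"

  # No predicate block (assumption for this example): all requests are
  # counted per source IP. A predicate narrows counting to the requests
  # that match it, so an IP set predicate only rate-limits addresses
  # listed in that set.
}

resource "aws_wafregional_web_acl" "regional_acl" {
  name        = "${var.tag_application} ${var.environment} WAF ACL"
  metric_name = "${var.tag_application}${var.environment}WAFACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "${var.action_blacklist}" # e.g. BLOCK or COUNT
    }

    priority = 1
    rule_id  = "${aws_wafregional_rate_based_rule.rate_limiting.id}"

    # Without this attribute the rule is treated as REGULAR, and the ACL
    # update fails for a rate-based rule ID as shown in the issue.
    type = "RATE_BASED"
  }
}
```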


ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020