Rule TYPE argument not supported in wafregional_web_acl #4226

Closed
jjgrayston opened this issue Apr 17, 2018 · 3 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service.
Comments

@jjgrayston

Terraform Version

0.11.7

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_wafregional_web_acl
  • aws_wafregional_rate_based_rule

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "aws_wafregional_web_acl" "wafregional_web_acl" {
  name        = "${terraform.workspace}-web-acl"
  metric_name = "${terraform.workspace}WebACL"

  default_action {
    type = "ALLOW"
  }
  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rate_based_rule.wafregional_rate_based_rule_http_flood.id}"
  }
}

resource "aws_wafregional_ipset" "wafregional_ipset_http_flood" {
  name = "${terraform.workspace}-waf-ipset-http-flood"
}

resource "aws_wafregional_rate_based_rule" "wafregional_rate_based_rule_http_flood" {
  depends_on  = ["aws_wafregional_ipset.wafregional_ipset_http_flood"]
  name        = "${terraform.workspace}-http-flood"
  metric_name = "${terraform.workspace}HttpFlood"
  rate_key    = "IP"
  rate_limit  = 2000

  predicate {
    data_id = "${aws_wafregional_ipset.wafregional_ipset_http_flood.id}"
    negated = false
    type    = "IPMatch"
  }
}

Debug Output

Error: Error applying plan:

1 error(s) occurred:

* aws_wafregional_web_acl.wafregional_web_acl: 1 error(s) occurred:

* aws_wafregional_web_acl.wafregional_web_acl: Error Updating WAF Regional ACL: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist.
        status code: 400, request id: 327429ce-41e5-11e8-9873-1f0e2bf6015b

Expected Behavior

wafregional_rate_based_rule should be attached to wafregional_web_acl

Actual Behavior

Error (above).

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

After a bit of digging, it seems the rule TYPE argument is not supported in wafregional_web_acl (although it IS supported in waf_web_acl). Without this argument, it is not possible to reference a RATE_BASED rule.

References

See https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_ActivatedRule.html:

TYPE: Although this field is optional, be aware that if you try to add a RATE_BASED rule to a web ACL without setting the type, the UpdateWebACL request will fail because the request tries to add a REGULAR rule with the specified ID, which does not exist.

@bflad bflad added the service/waf Issues and PRs that pertain to the waf service. label Apr 17, 2018
@wrighbr

wrighbr commented Apr 18, 2018

+1

@bflad bflad added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 25, 2018
@bflad

bflad commented Jun 25, 2018

The aws_wafregional_web_acl resource support for rule type has been merged into master via #4978 and will release with version 1.25.0 of the AWS provider, likely middle of this week. Please note you must configure this new attribute for RATE_BASED rules.

@bflad bflad closed this as completed Jun 25, 2018
@bflad bflad added this to the v1.25.0 milestone Jun 25, 2018
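The configuration the fix above calls for, shown as an added example rather than configuration taken from the issue or from the provider's own code: the same web ACL as in the issue, with the rule block's `type` argument set to `RATE_BASED` (available from AWS provider 1.25.0, so the provider version constraint is pinned accordingly). Resource names are the ones from the issue; the rate-based rule and IP set resources are assumed to be unchanged from the original configuration.

```hcl
# Added example: the web ACL from the issue with the rule `type` argument set.
# Requires AWS provider >= 1.25.0, where aws_wafregional_web_acl gained `type`.
provider "aws" {
  version = ">= 1.25.0"
}

resource "aws_wafregional_web_acl" "wafregional_web_acl" {
  name        = "${terraform.workspace}-web-acl"
  metric_name = "${terraform.workspace}WebACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    # Without this line the UpdateWebACL request tries to add a REGULAR rule
    # with this rule_id, which does not exist, so the API answers with
    # WAFNonexistentItemException (see the API reference quoted in the issue).
    type     = "RATE_BASED"
    priority = 1
    rule_id  = "${aws_wafregional_rate_based_rule.wafregional_rate_based_rule_http_flood.id}"

    action {
      type = "BLOCK"
    }
  }
}
```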
@ghost

ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020