Cannot remove rules from aws_waf_web_acl

[BookOfGreg]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

• provider.aws v1.15.0

Affected Resource(s)

• aws_waf_web_acl
• aws_waf_rule

Terraform Configuration Files

Before

resource "aws_waf_web_acl" "global_waf_acl" {
  name        = "GlobalWAF"
  metric_name = "GlobalWAF"

  default_action { type = "ALLOW" }

  rules {
    action { type = "BLOCK" }
    priority = 1
    rule_id  = "${aws_waf_rate_based_rule.brute_force_rule.id}"
    type     = "RATE_BASED"
  }

  rules {
    action { type = "BLOCK" }
    priority = 2
    rule_id  = "${aws_waf_rule.auto_block_list_rule.id}"
    type     = "REGULAR"
  }
}

First attempt

resource "aws_waf_web_acl" "global_waf_acl" {
  name        = "GlobalWAF"
  metric_name = "GlobalWAF"

  default_action { type = "ALLOW" }

  rules {
    action { type = "BLOCK" }
    priority = 1
    rule_id  = "${aws_waf_rate_based_rule.brute_force_rule.id}"
    type     = "RATE_BASED"
  }

  rules {
    action { type = "BLOCK" }
    priority = 2
    rule_id  = "${aws_waf_rule.new_rule.id}"
    type     = "REGULAR"
  }

  rules {
    action { type = "BLOCK" }
    priority = 3
    rule_id  = "${aws_waf_rule.auto_block_list_rule.id}"
    type     = "REGULAR"
  }
}

* aws_waf_web_acl.global_waf_acl: Error Updating WAF ACL: Error Updating WAF ACL: ValidationException: Cannot allow rule <ID> with priority 2. Another rule already has this priority.

Second attempt

resource "aws_waf_web_acl" "global_waf_acl" {
  name        = "GlobalWAF"
  metric_name = "GlobalWAF"

  default_action { type = "ALLOW" }

  rules {
    action { type = "BLOCK" }
    priority = 1
    rule_id  = "${aws_waf_rate_based_rule.brute_force_rule.id}"
    type     = "RATE_BASED"
  }
}

aws_waf_web_acl.global_waf_acl: Modifications complete after 1s
All rules are still attached to WAF in AWS Console

Expected Behavior

I should be able to update rule priorities.

I should also be able to remove rules and have them removed from the WAF

Actual Behavior

Priority conflict.
Rules still present.

Steps to Reproduce

See above HCL

[bflad]

The fix for this has been merged into master and will release with version 1.30.0 of the AWS provider, likely on Wednesday. 👍

[bflad]

This has been released in version 1.30.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!