diff --git a/examples/wafv2-ip-rules/main.tf b/examples/wafv2-ip-rules/main.tf
index bc5104c..2bc741d 100644
--- a/examples/wafv2-ip-rules/main.tf
+++ b/examples/wafv2-ip-rules/main.tf
@@ -178,12 +178,32 @@ module "waf" {
 }
 },
 {
- name = "block-ip-set"
+ name = "allow-custom-ip-set-with-XFF-header"
 priority = "5"
+ action = "count"
+
+ ip_set_reference_statement = {
+ arn = aws_wafv2_ip_set.custom_ip_set.arn
+ }
+
+ visibility_config = {
+ cloudwatch_metrics_enabled = false
+ sampled_requests_enabled = false
+ }
+ },
+ {
+ name = "block-ip-set"
+ priority = "6"
 action = "block"
 ip_set_reference_statement = {
 arn = aws_wafv2_ip_set.block_ip_set.arn
+
+ ip_set_forwarded_ip_config = {
+ fallback_behavior = "NO_MATCH"
+ header_name = "X-Forwarded-For"
+ position = "ANY"
+ }
 }
 forwarded_ip_config = {
diff --git a/main.tf b/main.tf
index 9db6ce8..f1ff23e 100644
--- a/main.tf
+++ b/main.tf
@@ -1018,11 +1018,11 @@ resource "aws_wafv2_web_acl" "main" {
 content {
 arn = lookup(ip_set_reference_statement.value, "arn")
 dynamic "ip_set_forwarded_ip_config" {
- for_each = length(lookup(ip_set_reference_statement.value, "forwarded_ip_config", {})) == 0 ? [] : [lookup(ip_set_reference_statement.value, "forwarded_ip_config", {})]
+ for_each = length(lookup(ip_set_reference_statement.value, "ip_set_forwarded_ip_config", {})) == 0 ? [] : [lookup(ip_set_reference_statement.value, "ip_set_forwarded_ip_config", {})]
 content {
- fallback_behavior = lookup(forwarded_ip_config.value, "fallback_behavior")
- header_name = lookup(forwarded_ip_config.value, "header_name")
- position = lookup(forwarded_ip_config.value, "position")
+ fallback_behavior = lookup(ip_set_forwarded_ip_config.value, "fallback_behavior")
+ header_name = lookup(ip_set_forwarded_ip_config.value, "header_name")
+ position = lookup(ip_set_forwarded_ip_config.value, "position")
 }
 }
 }
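Review bot: The new rule `allow-custom-ip-set-with-XFF-header` does not do what its name says: its `ip_set_reference_statement` carries no `ip_set_forwarded_ip_config`, so the set is matched against the connection source address rather than X-Forwarded-For, and its action is `count`, not an allow. Either rename it or give it the same `ip_set_forwarded_ip_config` block that `block-ip-set` receives further down in this hunk. For `block-ip-set`, a short comment in the example would help readers: `# Matches on X-Forwarded-For at any position; only meaningful behind a proxy you control that sets the header, and NO_MATCH means requests without a valid header are not blocked by this rule.` The rule-level `forwarded_ip_config` that follows appears, judging from the main.tf hunks, to no longer be read for ip_set rules after this change and may be dead configuration here; the rule body continues past the end of the hunk.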
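Review bot: Renaming the input key from `forwarded_ip_config` to `ip_set_forwarded_ip_config` silently drops the setting for existing callers: the `lookup(..., {})` default on the new `for_each` line turns the now-unrecognized old key into an empty list, no block is emitted, and the rule matches on the connection source IP instead of the forwarded header with no plan-time error. That is a security-relevant regression for anyone running behind a proxy, since the IP set quietly stops matching the addresses it was written for. Consider honouring the old key as a fallback for a deprecation period, e.g. `for_each = length(lookup(ip_set_reference_statement.value, "ip_set_forwarded_ip_config", lookup(ip_set_reference_statement.value, "forwarded_ip_config", {}))) == 0 ? [] : [lookup(ip_set_reference_statement.value, "ip_set_forwarded_ip_config", lookup(ip_set_reference_statement.value, "forwarded_ip_config", {}))]`, or at minimum call out the breaking rename in the module's changelog and the rules variable description. The enclosing `ip_set_reference_statement` dynamic block starts outside the hunk.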
@@ -1130,7 +1130,7 @@ resource "aws_wafv2_web_acl" "main" {
 aggregate_key_type = lookup(rate_based_statement.value, "aggregate_key_type", "IP")
 dynamic "forwarded_ip_config" {
- for_each = length(lookup(rule.value, "forwarded_ip_config", {})) == 0 ? [] : [lookup(rule.value, "forwarded_ip_config", {})]
+ for_each = length(lookup(rate_based_statement.value, "forwarded_ip_config", {})) == 0 ? [] : [lookup(rate_based_statement.value, "forwarded_ip_config", {})]
 content {
 fallback_behavior = lookup(forwarded_ip_config.value, "fallback_behavior")
 header_name = lookup(forwarded_ip_config.value, "header_name")