The given value is not suitable for ...variables.tf:283,1-44: element types must all match for conversion to list.

[l3rady]

Describe the Bug

Lets say you are building up your ip_set rules like so:

ip_set_reference = [
  {
    name     = "rule-1"
    priority = 1
    action   = "block"

    statement = {
      arn = data.aws_wafv2_ip_set.marex_known_bad_ipv4_cidrs.arn
    }

    visibility_config = {
      cloudwatch_metrics_enabled = true
      metric_name                = "${local.waf_name}-rule-1-ip-set"
      sampled_requests_enabled   = true
    }
  },
  {
    name     = "rule-20"
    priority = 20
    action   = "allow"

    statement = {
      ip_set = {
        addresses          = var.config.ipv4_cidrs_allow
        description        = "IPv4 allow list for ${local.waf_name}"
        ip_address_version = "IPV4"
      }
    }

    visibility_config = {
      cloudwatch_metrics_enabled = true
      metric_name                = "${local.waf_name}-rule-20-ip-set"
      sampled_requests_enabled   = true
    }
  }
]

This ruleset produces an error because the statement map is structurally different and when placed in a list TF doesn't like it.

│ Error: Invalid value for input variable
│ 
│   on /home/scott/Infra/terraform-modules/terraform-aws-wafv2/main.tf line 18, in module "wafv2":
│   18:   ip_set_reference_statement_rules            = local.ip_set_reference
│ 
│ The given value is not suitable for module.terraform-aws-wafv2.module.wafv2.var.ip_set_reference_statement_rules declared at .terraform/modules/terraform-aws-wafv2.wafv2/variables.tf:283,1-44: element types must all match for conversion to list.
╵

Expected Behavior

I expect the module to create the rules and account for different statement maps.

Steps to Reproduce

See example above

Screenshots

No response

Environment

No response

Additional Context

No response

[l3rady]

A fix would be to flesh out the statement map with all possible layouts:

variable "ip_set_reference_statement_rules" {
  type = list(object({
    name     = string
    priority = number
    action   = string
    captcha_config = optional(object({
      immunity_time_property = object({
        immunity_time = number
      })
    }), null)
    rule_label = optional(list(string), null)
    statement = object({
      arn = optional(string, null)
      ip_set = optional(object({
        description        = optional(string, null)
        addresses          = list(string)
        ip_address_version = string
      }), null)
      ip_set_forwarded_ip_config = optional(object({
        fallback_behavior = string
        header_name       = string
        position          = string
      }), null)
    })
    visibility_config = optional(object({
      cloudwatch_metrics_enabled = optional(bool)
      metric_name                = string
      sampled_requests_enabled   = optional(bool)
    }), null)
  }))
  default     = null
  description = <<-DOC
    A rule statement used to detect web requests coming from particular IP addresses or address ranges.

    action:
      The action that AWS WAF should take on a web request when it matches the rule's statement.
    name:
      A friendly name of the rule.
    priority:
      If you define more than one Rule in a WebACL,
      AWS WAF evaluates each request against the rules in order based on the value of priority.
      AWS WAF processes rules with lower priority first.

    captcha_config:
     Specifies how AWS WAF should handle CAPTCHA evaluations.

     immunity_time_property:
       Defines custom immunity time.

       immunity_time:
       The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.

    rule_label:
       A List of labels to apply to web requests that match the rule match statement

    statement:
      arn:
        The ARN of the IP Set that this statement references.
      ip_set:
        Defines a new IP Set

        description:
          A friendly description of the IP Set
        addresses:
          Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses.
          All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation.
        ip_address_version:
          Specify `IPV4` or `IPV6`
      ip_set_forwarded_ip_config:
        fallback_behavior:
          The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
          Possible values: `MATCH`, `NO_MATCH`
        header_name:
          The name of the HTTP header to use for the IP address.
        position:
          The position in the header to search for the IP address.
          Possible values include: `FIRST`, `LAST`, or `ANY`.

    visibility_config:
      Defines and enables Amazon CloudWatch metrics and web request sample collection.

      cloudwatch_metrics_enabled:
        Whether the associated resource sends metrics to CloudWatch.
      metric_name:
        A friendly name of the CloudWatch metric.
      sampled_requests_enabled:
        Whether AWS WAF should store a sampling of the web requests that match the rules.
  DOC
}