
[Bug]: Potential bug with rule_json usage with deeply nested rules #40688

Open
ThrivingToks opened this issue Dec 24, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@ThrivingToks

ThrivingToks commented Dec 24, 2024

Terraform Core Version

1.7.3

AWS Provider Version

5.8.2

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

AWS documentation for webacl_v2 resource suggests using rule_json for complex nested statements

Actual Behavior

Provider seems to fail with nested scope down statements that are valid in the AWS console. The use case involves complex rules with deep nesting (more than 3 levels), particularly with ManagedRuleGroups that have ScopeDownStatements, NotStatements, and multiple AndStatements/OrStatements.

2024-12-24T01:42:29.490-0600 [ERROR] provider.terraform-provider-aws_v5.82.2_x5: [ERROR] setting state: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}
2024-12-24T01:42:29.493-0600 [ERROR] provider.terraform-provider-aws_v5.82.2_x5: Response contains error diagnostic: tf_proto_version=5.7 tf_req_id=6eeaab1e-a5e8-e0de-b010-7c364d872286 tf_resource_type=aws_wafv2_web_acl @module=sdk.proto diagnostic_detail="" diagnostic_summary="setting rule: Invalid address to set: []string{\"rule\", \"0\", \"statement\", \"0\", \"managed_rule_group_statement\", \"0\", \"scope_down_statement\", \"0\", \"not_statement\", \"0\", \"statement\", \"0\", \"or_statement\", \"0\", \"statement\", \"0\", \"and_statement\"}" tf_provider_addr=registry.terraform.io/hashicorp/aws diagnostic_severity=ERROR tf_rpc=ReadResource @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:58 timestamp=2024-12-24T01:42:29.493-0600
2024-12-24T01:42:29.500-0600 [ERROR] vertex "aws_wafv2_web_acl.main" error: setting rule: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}
2024-12-24T01:42:29.500-0600 [ERROR] vertex "aws_wafv2_web_acl.main (expand)" error: setting rule: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}

Relevant Error/Panic Output Snippet

│ Error: setting rule: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}
│

Terraform Configuration Files

resource "aws_wafv2_web_acl" "main" {
  name        = "wafv2 code"
  description = "WAF Web ACL to protect the Web Application from malicious traffic"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # The rule is supplied as raw JSON via rule_json because the statement tree
  # (ManagedRuleGroup > ScopeDown > Not > Or > And > ByteMatch) nests deeper
  # than three levels.
  rule_json = jsonencode({
    "Name": "BotControl",
    "Priority": 1,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesBotControlRuleSet",
        "ScopeDownStatement": {
          "NotStatement": {
            "Statement": {
              "OrStatement": {
                "Statements": [
                  {
                    "AndStatement": {
                      "Statements": [
                        {
                          "ByteMatchStatement": {
                            "SearchString": "Amazon CloudFront",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "user-agent"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "NONE"
                              }
                            ],
                            "PositionalConstraint": "EXACTLY"
                          }
                        },
                        {
                          "IPSetReferenceStatement": {
                            "ARN": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          }
                        }
                      ]
                    }
                  },
                  {
                    "AndStatement": {
                      "Statements": [
                        {
                          "ByteMatchStatement": {
                            "SearchString": "randomsource",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "reqsource"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "LOWERCASE"
                              }
                            ],
                            "PositionalConstraint": "EXACTLY"
                          }
                        },
                        {
                          "ByteMatchStatement": {
                            "SearchString": "randomuser",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "user-agent"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "NONE"
                              }
                            ],
                            "PositionalConstraint": "CONTAINS"
                          }
                        },
                        {
                          "ByteMatchStatement": {
                            "SearchString": "randombot",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "user-agent"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "NONE"
                              }
                            ],
                            "PositionalConstraint": "CONTAINS"
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          }
        },
        "ManagedRuleGroupConfigs": [
          {
            "AWSManagedRulesBotControlRuleSet": {
              "InspectionLevel": "TARGETED",
              "EnableMachineLearning": true
            }
          }
        ],
        "RuleActionOverrides": [
          {
            "Name": "SignalNonBrowserUserAgent",
            "ActionToUse": {
              "Count": {}
            }
          },
          {
            "Name": "TGT_VolumetricIpTokenAbsent",
            "ActionToUse": {
              "Count": {}
            }
          },
          {
            "Name": "CategoryHttpLibrary",
            "ActionToUse": {
              "Count": {}
            }
          }
        ]
      }
    },
    "OverrideAction": {
      "None": {}
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "Botcontrolmetric"
    }
  })
}

Steps to Reproduce

terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
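The report hinges on how deep a WAFv2 statement tree nests and on the flattened state address the provider prints when it cannot store that tree. The script below is an added example, not code from the issue or from the AWS provider: it walks a rule in the same JSON shape `rule_json` takes, computes the nesting depth, decides whether the rule exceeds the three levels the structured `rule` block is described as supporting, and renders the address of the deepest statement in the `[]string{"rule", "0", "statement", "0", ...}` form seen in the error output. The sample rule is a trimmed-down copy of the reporter's BotControl rule with the same nesting, the three-level limit is taken from the issue text, and the address rendering imitates the format of the logged error rather than the provider's internals.

```python
"""Nesting-depth check for AWS WAFv2 rule statements given as JSON (rule_json shape)."""
import re

# Statement types that contain other statements, and the key holding the child.
LIST_STATEMENTS = {"AndStatement": "Statements", "OrStatement": "Statements"}
SINGLE_STATEMENTS = {"NotStatement": "Statement"}
SCOPE_DOWN_STATEMENTS = {
    "ManagedRuleGroupStatement": "ScopeDownStatement",
    "RuleGroupReferenceStatement": "ScopeDownStatement",
}

# The issue describes the structured `rule` block as handling up to three nested
# levels and rule_json as the escape hatch beyond that (assumption taken from the report).
RULE_BLOCK_MAX_DEPTH = 3

# Address copied from the issue's error output; used to compare against our rendering.
ERROR_ADDRESS = ["rule", "0", "statement", "0", "managed_rule_group_statement", "0",
                 "scope_down_statement", "0", "not_statement", "0", "statement", "0",
                 "or_statement", "0", "statement", "0", "and_statement"]


def statement_type(stmt):
    """A WAFv2 statement object carries exactly one key: its type."""
    if not isinstance(stmt, dict) or len(stmt) != 1:
        raise ValueError(f"expected a single-key statement object, got {stmt!r}")
    return next(iter(stmt))


def statement_depth(stmt):
    """Number of statement levels in the subtree rooted at stmt (a leaf counts as 1)."""
    kind = statement_type(stmt)
    body = stmt[kind]
    if kind in LIST_STATEMENTS:
        children = body[LIST_STATEMENTS[kind]]
        if len(children) < 2:  # the WAF API requires at least two operands here
            raise ValueError(f"{kind} needs at least two statements")
        return 1 + max(statement_depth(child) for child in children)
    if kind in SINGLE_STATEMENTS:
        return 1 + statement_depth(body[SINGLE_STATEMENTS[kind]])
    if kind in SCOPE_DOWN_STATEMENTS and SCOPE_DOWN_STATEMENTS[kind] in body:
        return 1 + statement_depth(body[SCOPE_DOWN_STATEMENTS[kind]])
    return 1  # ByteMatch, IPSetReference, GeoMatch, ... are leaves


def needs_rule_json(rule):
    """True when the rule nests deeper than the structured rule block is said to support."""
    return statement_depth(rule["Statement"]) > RULE_BLOCK_MAX_DEPTH


def to_snake(name):
    """CamelCase WAF type name -> snake_case key, keeping acronyms intact (IPSet -> ip_set)."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])", "_", name).lower()


def deepest_state_address(stmt, prefix=("rule", "0", "statement", "0")):
    """Render the flattened address of the deepest statement in the form the issue's
    error prints. List children are indexed by position; ties follow the first child.
    This imitates the logged format only and is not the provider's own logic."""
    kind = statement_type(stmt)
    body = stmt[kind]
    path = list(prefix) + [to_snake(kind)]
    if kind in LIST_STATEMENTS:
        children = body[LIST_STATEMENTS[kind]]
        idx = max(range(len(children)), key=lambda i: statement_depth(children[i]))
        return deepest_state_address(children[idx], path + ["0", "statement", str(idx)])
    if kind in SINGLE_STATEMENTS:
        return deepest_state_address(body[SINGLE_STATEMENTS[kind]], path + ["0", "statement", "0"])
    if kind in SCOPE_DOWN_STATEMENTS and SCOPE_DOWN_STATEMENTS[kind] in body:
        return deepest_state_address(body[SCOPE_DOWN_STATEMENTS[kind]],
                                     path + ["0", to_snake(SCOPE_DOWN_STATEMENTS[kind]), "0"])
    return path


def _byte_match(header, value, constraint="EXACTLY"):
    """Constructed leaf statement matching a single header (sample data)."""
    return {"ByteMatchStatement": {"SearchString": value,
                                   "FieldToMatch": {"SingleHeader": {"Name": header}},
                                   "TextTransformations": [{"Priority": 1, "Type": "NONE"}],
                                   "PositionalConstraint": constraint}}


# Constructed sample: the reporter's nesting (ManagedRuleGroup > ScopeDown > Not > Or > And),
# trimmed to the parts that matter for depth. The ARN is a placeholder.
ISSUE_RULE = {
    "Name": "BotControl", "Priority": 1,
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet",
        "ScopeDownStatement": {"NotStatement": {"Statement": {"OrStatement": {"Statements": [
            {"AndStatement": {"Statements": [
                _byte_match("user-agent", "Amazon CloudFront"),
                {"IPSetReferenceStatement": {"ARN": "arn:PLACEHOLDER"}}]}},
            {"AndStatement": {"Statements": [
                _byte_match("reqsource", "randomsource"),
                _byte_match("user-agent", "randombot", "CONTAINS")]}},
        ]}}}}}},
    "OverrideAction": {"None": {}},
}

# Constructed flat rule for contrast: one leaf statement, no nesting.
SIMPLE_RULE = {"Name": "BlockAgent", "Priority": 2, "Action": {"Block": {}},
               "Statement": _byte_match("user-agent", "randombot", "CONTAINS")}

if __name__ == "__main__":
    for rule in (ISSUE_RULE, SIMPLE_RULE):
        print(rule["Name"], "depth", statement_depth(rule["Statement"]),
              "needs rule_json:", needs_rule_json(rule))
    print(".".join(deepest_state_address(ISSUE_RULE["Statement"])))
```

Running the script reports a depth of 5 for the BotControl rule and 1 for the flat rule, and the rendered address for the deepest branch begins with exactly the `and_statement` path the provider logged, which is a quick way to confirm that a rule you plan to put in `rule_json` is the kind of tree this report concerns.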

@ThrivingToks ThrivingToks added the bug Addresses a defect in current functionality. label Dec 24, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/wafv2 Issues and PRs that pertain to the wafv2 service. needs-triage Waiting for first response or review from a maintainer. labels Dec 24, 2024