Updates to rules inside wafv2 web acl forces recreation for all rules

[m-eitan]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform version: 1.2.2
provider registry.terraform.io/hashicorp/aws v4.21.0

Affected Resource(s)

• aws_wafv2_web_acl

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_wafv2_web_acl" "example" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

Expected Behavior

Terraform plan output will only show the affected rules, and not show all rules each time a change in a rule is introduced.

Actual Behavior

Terraform shows all the rules being recreated.

Steps to Reproduce

1. terraform apply
2. Comment out the entire "rule-2" dynamic block.
3. terraform apply
4. Notice that rule-1 is marked in the plan to be deleted and created.

References

Issue 13936 (linked below) seems to be the same problem but in that ticket it was fixed in version 3 of the provider, maybe changes between version 3 and 4 of the provider changed this behavior.

• [WAFv2] Resource aws_wafv2_web_acl is recreated on any changes to the rules #13936

[houdinisparks]

Facing the same problem as well, I am using dynamic blocks to conditionally create the rules and whenever I add / remove a rule, the rest of the rules seem to be recreated, screenshot below with a terraform plan (via terragrunt):

[ewbankkit]

This seems to be the same underlying problem as #23992 and friends.

[greyvugrin]

Experiencing this as well, linked issue says it should be resolved by:

a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later)

but am seeing with:

Terraform v1.6.5 on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.40.0

and also after upgrading to:

Terraform v1.6.5 on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.40.0

In my case it's with hardcoded rules, not dynamic. Happy to open a related issue if that's the protocol to follow. Thanks!

[lyricsboy]

We're having this problem too, which makes it very hard to understand if the WAF rules are actually changing when we review PRs with terraform plans posted to them with a large diff that indicates rules are being removed/recreated.

I don't know much about the implementation details, but I did look into the provider code a bit, and it appears that the WAF rules are being stored in memory as a Set, which is unordered:

https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/wafv2/web_acl.go#L289-L290

Looking at the API response for aws wafv2 get-web-acl it appears to return the rules in order of their Priority. However, even if I order my rule set by priority in the terraform code, it still shows a similar diff on plan.

Could this be fixed by using an ordered list data structure to store the rules in the provider implementation?

[djakielski]

I had also this problem without any code or aws changes

[slackboxster]

I'm encountering this with the following:

Terraform v1.10.1
on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.81.0

I have a mixture of custom and managed waf rules. In my most recent apply, I had 5 managed rules (already applied in the past), 1 custom rule (applied in past), and 1 new custom rule I was adding. The diff showed 4 of the 5 managed rules being removed and being added back, as well as my new rule.

[kneufeld-pbp]

We are having the same issue. We also tried ordering the rules by priority, but the plan shows a difference when we expect no changes.

Terraform v1.10.3
on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.82.2