[Bug]: Potential bug with rule_json usage with deeply nested rules #40688
Open
Description
Terraform Core Version
1.7.3
AWS Provider Version
5.8.2
Affected Resource(s)
aws_wafv2_web_acl
Expected Behavior
AWS documentation for webacl_v2 resource suggests using rule_json for complex nested statements.
Actual Behavior
Provider seems to fail with nested scope down statements that are valid in the AWS console. The use case involves complex rules with deep nesting (more than 3 levels), particularly with ManagedRuleGroups that have ScopeDownStatements, NotStatements, and multiple AndStatements/OrStatements.
```text
2024-12-24T01:42:29.490-0600 [ERROR] provider.terraform-provider-aws_v5.82.2_x5: [ERROR] setting state: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}
2024-12-24T01:42:29.493-0600 [ERROR] provider.terraform-provider-aws_v5.82.2_x5: Response contains error diagnostic: tf_proto_version=5.7 tf_req_id=6eeaab1e-a5e8-e0de-b010-7c364d872286 tf_resource_type=aws_wafv2_web_acl @module=sdk.proto diagnostic_detail="" diagnostic_summary="setting rule: Invalid address to set: []string{\"rule\", \"0\", \"statement\", \"0\", \"managed_rule_group_statement\", \"0\", \"scope_down_statement\", \"0\", \"not_statement\", \"0\", \"statement\", \"0\", \"or_statement\", \"0\", \"statement\", \"0\", \"and_statement\"}" tf_provider_addr=registry.terraform.io/hashicorp/aws diagnostic_severity=ERROR tf_rpc=ReadResource @caller=github.com/hashicorp/terraform-plugin-go@v0.25.0/tfprotov5/internal/diag/diagnostics.go:58 timestamp=2024-12-24T01:42:29.493-0600
2024-12-24T01:42:29.500-0600 [ERROR] vertex "aws_wafv2_web_acl.main" error: setting rule: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}
2024-12-24T01:42:29.500-0600 [ERROR] vertex "aws_wafv2_web_acl.main (expand)" error: setting rule: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}
```
Relevant Error/Panic Output Snippet
```text
│ Error: setting rule: Invalid address to set: []string{"rule", "0", "statement", "0", "managed_rule_group_statement", "0", "scope_down_statement", "0", "not_statement", "0", "statement", "0", "or_statement", "0", "statement", "0", "and_statement"}
│
```
Terraform Configuration Files
```hcl
resource "aws_wafv2_web_acl" "main" {
  name        = "wafv2 code"
  description = "WAF Web ACL to protect the Web Application from malicious traffic"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Required by the aws_wafv2_web_acl schema at the web ACL level; the report
  # as posted omitted it, so the metric name here is a supplied placeholder.
  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name                = "wafv2code"
  }

  # Single rule expressed as raw JSON (the nesting below is too deep for the `rule` block).
  rule_json = jsonencode({
    "Name": "BotControl",
    "Priority": 1,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesBotControlRuleSet",
        "ScopeDownStatement": {
          "NotStatement": {
            "Statement": {
              "OrStatement": {
                "Statements": [
                  {
                    "AndStatement": {
                      "Statements": [
                        {
                          "ByteMatchStatement": {
                            "SearchString": "Amazon CloudFront",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "user-agent"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "NONE"
                              }
                            ],
                            "PositionalConstraint": "EXACTLY"
                          }
                        },
                        {
                          "IPSetReferenceStatement": {
                            "ARN": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          }
                        }
                      ]
                    }
                  },
                  {
                    "AndStatement": {
                      "Statements": [
                        {
                          "ByteMatchStatement": {
                            "SearchString": "randomsource",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "reqsource"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "LOWERCASE"
                              }
                            ],
                            "PositionalConstraint": "EXACTLY"
                          }
                        },
                        {
                          "ByteMatchStatement": {
                            "SearchString": "randomuser",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "user-agent"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "NONE"
                              }
                            ],
                            "PositionalConstraint": "CONTAINS"
                          }
                        },
                        {
                          "ByteMatchStatement": {
                            "SearchString": "randombot",
                            "FieldToMatch": {
                              "SingleHeader": {
                                "Name": "user-agent"
                              }
                            },
                            "TextTransformations": [
                              {
                                "Priority": 1,
                                "Type": "NONE"
                              }
                            ],
                            "PositionalConstraint": "CONTAINS"
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          }
        },
        "ManagedRuleGroupConfigs": [
          {
            "AWSManagedRulesBotControlRuleSet": {
              "InspectionLevel": "TARGETED",
              "EnableMachineLearning": true
            }
          }
        ],
        "RuleActionOverrides": [
          {
            "Name": "SignalNonBrowserUserAgent",
            "ActionToUse": {
              "Count": {}
            }
          },
          {
            "Name": "TGT_VolumetricIpTokenAbsent",
            "ActionToUse": {
              "Count": {}
            }
          },
          {
            "Name": "CategoryHttpLibrary",
            "ActionToUse": {
              "Count": {}
            }
          }
        ]
      }
    },
    "OverrideAction": {
      "None": {}
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "Botcontrolmetric"
    }
  })
}
```
Steps to Reproduce
terraform plan
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
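As an added pre-flight check (not part of this report or of the provider's code), the Python below walks a WAFv2 rule's statement tree, measures how deeply statements nest and reports the chain of statement types, which mirrors the address path in the error above. The three-level limit for the `rule` block is an assumption taken from the provider docs' wording, and the sample rule is a constructed, trimmed copy of the report's BotControl rule.

```python
# Where each WAFv2 statement type nests further statements (JSON API field names).
SINGLE_CHILD = {"NotStatement": "Statement",
                "ManagedRuleGroupStatement": "ScopeDownStatement",
                "RateBasedStatement": "ScopeDownStatement"}
MULTI_CHILD = {"AndStatement": "Statements", "OrStatement": "Statements"}

# Assumption: the provider's `rule` block copes with at most three nested
# statement levels (the docs say rule_json exists for "more than three").
RULE_BLOCK_MAX_DEPTH = 3


def deepest_path(statement):
    """Return (depth, path): depth counts every statement on the longest
    nesting chain (leaf included); path lists their type names, outermost first."""
    kind, body = next(iter(statement.items()))  # a statement object has one key
    best_depth, best_path = 1, [kind]
    if kind in SINGLE_CHILD and SINGLE_CHILD[kind] in body:
        children = [body[SINGLE_CHILD[kind]]]
    else:
        children = body.get(MULTI_CHILD.get(kind, ""), [])
    for child in children:
        depth, path = deepest_path(child)
        if depth + 1 > best_depth:
            best_depth, best_path = depth + 1, [kind] + path
    return best_depth, best_path


def needs_rule_json(rule):
    """True when the rule nests deeper than the `rule` block supports."""
    return deepest_path(rule["Statement"])[0] > RULE_BLOCK_MAX_DEPTH


# Constructed sample: the report's BotControl rule trimmed to its statement shape.
SAMPLE_RULE = {
    "Name": "BotControl", "Priority": 1,
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet",
        "ScopeDownStatement": {"NotStatement": {"Statement": {"OrStatement": {"Statements": [
            {"AndStatement": {"Statements": [
                {"ByteMatchStatement": {"SearchString": "Amazon CloudFront"}},
                {"IPSetReferenceStatement": {"ARN": "arn:PLACEHOLDER"}}]}},
            {"ByteMatchStatement": {"SearchString": "randombot"}}]}}}}}},
}

if __name__ == "__main__":
    depth, path = deepest_path(SAMPLE_RULE["Statement"])
    print(f"depth {depth}: {'/'.join(path)}; needs rule_json: {needs_rule_json(SAMPLE_RULE)}")
```

Feed it the object you pass to `jsonencode` and a depth above the limit tells you the rule must stay in `rule_json`; the reported path is the same chain that appears in the provider's "Invalid address to set" error.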