hashicorp · YakDriver · Feb 22, 2023 · Feb 22, 2023 · Feb 22, 2023 · Feb 22, 2023
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_wafv2_web_acl: Prevent erroneous diffs and attempts to remove AWS-added rule when applying to CF distribution using AWS Shield to automatically mitigate DDoS
+```
@@ -220,7 +220,8 @@ func resourceWebACLRead(ctx context.Context, d *schema.ResourceData, meta interf
 	d.Set("description", webACL.Description)
 	d.Set("lock_token", output.LockToken)
 	d.Set("name", webACL.Name)
-	if err := d.Set("rule", flattenWebACLRules(webACL.Rules)); err != nil {
+	rules := filterWebACLRules(webACL.Rules, expandWebACLRules(d.Get("rule").(*schema.Set).List()))
+	if err := d.Set("rule", flattenWebACLRules(rules)); err != nil {
 		return diag.Errorf("setting rule: %s", err)
 	}
 	if err := d.Set("visibility_config", flattenVisibilityConfig(webACL.VisibilityConfig)); err != nil {
@@ -346,3 +347,30 @@ func FindWebACLByThreePartKey(ctx context.Context, conn *wafv2.WAFV2, id, name,
 
 	return output, nil
 }
+
+// filterWebACLRules removes the AWS-added Shield Advanced auto mitigation rule here
+// so that the provider will not report diff and/or attempt to remove the rule as it is
+// owned and managed by AWS.
+// See https://github.com/hashicorp/terraform-provider-aws/issues/22869
+// See https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html
+func filterWebACLRules(rules, configRules []*wafv2.Rule) []*wafv2.Rule {
+	var fr []*wafv2.Rule
+	pattern := `^ShieldMitigationRuleGroup_\d{12}_[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}_.*`
+	for _, r := range rules {
+		if regexp.MustCompile(pattern).MatchString(aws.StringValue(r.Name)) {
+			filter := true
+			for _, cr := range configRules {
+				if aws.StringValue(cr.Name) == aws.StringValue(r.Name) {
+					// exception to filtering -- it's in the config
+					filter = false
+				}
+			}
+
+			if filter {
+				continue
+			}
+		}
+		fr = append(fr, r)
+	}
+	return fr
+}
@@ -5,7 +5,9 @@ import (
 	"fmt"
 	"regexp"
 	"testing"
+	"time"
 
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/wafv2"
 	sdkacctest "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -1612,6 +1614,223 @@ func TestAccWAFV2WebACL_RuleGroupReference_basic(t *testing.T) {
 	})
 }
 
+// Ensure magically-added (i.e., AWS-added) rule for Shield with CF distribution DDoS auto
+// mitigation does not cause diff and provider doesn't attempt to remove.
+// See https://github.com/hashicorp/terraform-provider-aws/issues/22869
+func TestAccWAFV2WebACL_RuleGroupReference_shieldMitigation(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v wafv2.WebACL
+	webACLName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_wafv2_web_acl.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t); testAccPreCheckScopeRegional(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, wafv2.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckWebACLDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWebACLConfig_ruleGroupForShieldMitigation(webACLName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWebACLExists(ctx, resourceName, &v),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)),
+					resource.TestCheckResourceAttr(resourceName, "name", webACLName),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "0"),
+				),
+			},
+			{
+				// Currently, there is no way to use provider to enable automatic application layer
+				// DDoS mitigation with Shield for CF distribution. Doing so adds an out-of-band rule
+				// similar to the one added below.
+				PreConfig: func() {
+					conn := acctest.Provider.Meta().(*conns.AWSClient).WAFV2Conn()
+
+					input := &wafv2.ListWebACLsInput{
+						Scope: aws.String("REGIONAL"),
+					}
+
+					aclID := ""
+					lockToken := ""
+
+					err := webACLsPages(ctx, conn, input, func(page *wafv2.ListWebACLsOutput, lastPage bool) bool {
+						if page == nil {
+							return !lastPage
+						}
+
+						for _, acl := range page.WebACLs {
+							if aws.StringValue(acl.Name) == webACLName {
+								aclID = aws.StringValue(acl.Id)
+								lockToken = aws.StringValue(acl.LockToken)
+
+								return false
+							}
+						}
+
+						return !lastPage
+					})
+
+					if err != nil {
+						t.Fatalf("finding WebACL (%s): %s", webACLName, err)
+					}
+
+					if aclID == "" {
+						t.Fatalf("couldn't find WebACL (%s)", webACLName)
+					}
+
+					in := &wafv2.ListRuleGroupsInput{
+						Scope: aws.String("REGIONAL"),
+					}
+
+					rgARN := ""
+
+					err = ruleGroupPages(ctx, conn, in, func(page *wafv2.ListRuleGroupsOutput, lastPage bool) bool {
+						if page == nil {
+							return !lastPage
+						}
+
+						for _, rg := range page.RuleGroups {
+							if aws.StringValue(rg.Name) == fmt.Sprintf("rule-group-%s", webACLName) {
+								rgARN = aws.StringValue(rg.ARN)
+
+								return false
+							}
+						}
+
+						return !lastPage
+					})
+
+					if err != nil {
+						t.Fatalf("finding rule group (%s): %s", webACLName, err)
+					}
+
+					if rgARN == "" {
+						t.Fatalf("couldn't find Rule Group (%s)", webACLName)
+					}
+
+					_, err = conn.UpdateWebACLWithContext(ctx, &wafv2.UpdateWebACLInput{
+						DefaultAction: &wafv2.DefaultAction{
+							Allow: &wafv2.AllowAction{},
+						},
+						Id:        aws.String(aclID),
+						LockToken: aws.String(lockToken),
+						Name:      aws.String(webACLName),
+						Rules: []*wafv2.Rule{{
+							Name:     aws.String("ShieldMitigationRuleGroup_012345678901_5e665b1c-1641-4b7a-8db1-567871a18b2a_uniqueid"),
+							Priority: aws.Int64(11),
+							OverrideAction: &wafv2.OverrideAction{
+								None: &wafv2.NoneAction{},
+							},
+							Statement: &wafv2.Statement{
+								RuleGroupReferenceStatement: &wafv2.RuleGroupReferenceStatement{
+									ARN: aws.String(rgARN),
+								},
+							},
+							VisibilityConfig: &wafv2.VisibilityConfig{
+								CloudWatchMetricsEnabled: aws.Bool(true),
+								MetricName:               aws.String("ShieldMitigationRuleGroup_012345678901_5e665b1c-1641-4b7a-8db1-567871a18b2a_uniqueid"),
+								SampledRequestsEnabled:   aws.Bool(true),
+							},
+						}},
+						Scope: aws.String("REGIONAL"),
+						VisibilityConfig: &wafv2.VisibilityConfig{
+							CloudWatchMetricsEnabled: aws.Bool(true),
+							MetricName:               aws.String("friendly-metric-name"),
+							SampledRequestsEnabled:   aws.Bool(false),
+						},
+					})
+					if err != nil {
+						t.Fatalf("adding rule in PreConfig: %s", err)
+					}
+
+					time.Sleep(15 * time.Second) // mitigate possible eventual consistency lag
+
+					output, err := tfwafv2.FindWebACLByThreePartKey(ctx, conn, aclID, webACLName, "REGIONAL")
+					if err != nil {
+						t.Fatalf("finding WebACL (%s) in PreConfig: %s", webACLName, err)
+					}
+
+					if len(output.WebACL.Rules) < 1 {
+						t.Fatalf("out-of-band added rule (%s) not found, cannot test handling of rule", webACLName)
+					}
+				},
+				Config: testAccWebACLConfig_ruleGroupForShieldMitigation(webACLName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWebACLExists(ctx, resourceName, &v),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)),
+					resource.TestCheckResourceAttr(resourceName, "name", webACLName),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "0"),
+				),
+			},
+		},
+	})
+}
+
+func webACLsPages(ctx context.Context, conn *wafv2.WAFV2, input *wafv2.ListWebACLsInput, fn func(*wafv2.ListWebACLsOutput, bool) bool) error {
+	for {
+		output, err := conn.ListWebACLsWithContext(ctx, input)
+		if err != nil {
+			return err
+		}
+
+		lastPage := aws.StringValue(output.NextMarker) == ""
+		if !fn(output, lastPage) || lastPage {
+			break
+		}
+
+		input.NextMarker = output.NextMarker
+	}
+	return nil
+}
+
+func ruleGroupPages(ctx context.Context, conn *wafv2.WAFV2, input *wafv2.ListRuleGroupsInput, fn func(*wafv2.ListRuleGroupsOutput, bool) bool) error {
+	for {
+		output, err := conn.ListRuleGroupsWithContext(ctx, input)
+		if err != nil {
+			return err
+		}
+
+		lastPage := aws.StringValue(output.NextMarker) == ""
+		if !fn(output, lastPage) || lastPage {
+			break
+		}
+
+		input.NextMarker = output.NextMarker
+	}
+	return nil
+}
+
+// Ensure magically-added (i.e., AWS-added) rule for Shield with CF distribution DDoS auto
+// mitigation does not cause diff and provider doesn't attempt to remove.
+// See https://github.com/hashicorp/terraform-provider-aws/issues/22869
+func TestAccWAFV2WebACL_RuleGroupReference_manageShieldMitigationRule(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v wafv2.WebACL
+	webACLName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_wafv2_web_acl.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t); testAccPreCheckScopeRegional(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, wafv2.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckWebACLDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWebACLConfig_ruleGroupShieldMitigation(webACLName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWebACLExists(ctx, resourceName, &v),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/webacl/.+$`)),
+					resource.TestCheckResourceAttr(resourceName, "name", webACLName),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+				),
+			},
+			{
+				Config:   testAccWebACLConfig_ruleGroupShieldMitigation(webACLName),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
 func TestAccWAFV2WebACL_Custom_requestHandling(t *testing.T) {
 	ctx := acctest.Context(t)
 	var v wafv2.WebACL
@@ -4028,3 +4247,88 @@ func testAccWebACLImportStateIdFunc(resourceName string) resource.ImportStateIdF
 		return fmt.Sprintf("%s/%s/%s", rs.Primary.ID, rs.Primary.Attributes["name"], rs.Primary.Attributes["scope"]), nil
 	}
 }
+
+func testAccWebACLConfig_ruleGroupShieldMitigation(name string) string {
+	return fmt.Sprintf(`
+resource "aws_wafv2_rule_group" "test" {
+  capacity = 10
+  name     = "rule-group-%[1]s"
+  scope    = "REGIONAL"
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_wafv2_web_acl" "test" {
+  name  = %[1]q
+  scope = "REGIONAL"
+
+  default_action {
+    block {}
+  }
+
+  rule {
+    name     = "ShieldMitigationRuleGroup_${data.aws_caller_identity.current.account_id}_5e665b1c-1641-4b7a-8db1-567871a18b2a_uniqueid"
+    priority = 11
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      rule_group_reference_statement {
+        arn = aws_wafv2_rule_group.test.arn
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "ShieldMitigationRuleGroup_${data.aws_caller_identity.current.account_id}_5e665b1c-1641-4b7a-8db1-567871a18b2a_uniqueid"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+`, name)
+}
+
+func testAccWebACLConfig_ruleGroupForShieldMitigation(name string) string {
+	return fmt.Sprintf(`
+resource "aws_wafv2_rule_group" "test" {
+  capacity = 10
+  name     = "rule-group-%[1]s"
+  scope    = "REGIONAL"
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+
+resource "aws_wafv2_web_acl" "test" {
+  name  = %[1]q
+  scope = "REGIONAL"
+
+  default_action {
+    block {}
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "friendly-metric-name"
+    sampled_requests_enabled   = false
+  }
+}
+`, name)
+}
@@ -304,7 +304,7 @@ The `default_action` block supports the following arguments:
 Each `rule` supports the following arguments:
 
 * `action` - (Optional) Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See [`action`](#action) below for details.
-* `name` - (Required) Friendly name of the rule.
+* `name` - (Required) Friendly name of the rule. **NOTE:** The provider assumes that rules with names matching this pattern, `^ShieldMitigationRuleGroup_<account-id>_<web-acl-guid>_.*`, are AWS-added for [automatic application layer DDoS mitigation activities](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html). Such rules will be ignored by the provider unless you explicitly include them in your configuration (for example, by using the AWS CLI to discover their properties and creating matching configuration). However, since these rules are owned and managed by AWS, you may get permission errors.
 * `override_action` - (Optional) Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `rule_group_reference_statement` and `managed_rule_group_statement`. See [`override_action`](#override_action) below for details.
 * `priority` - (Required) If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first.
 * `rule_label` - (Optional) Labels to apply to web requests that match the rule match statement. See [`rule_label`](#rule_label) below for details.