[Bug]: Modifying aws_wafv2_web_acl removes DDoS auto mitigation

[luarx]

Terraform Core Version

v1.2.5

AWS Provider Version

4.56.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

When I modify a rule from aws_wafv2_web_acl using terraform apply, it should not remove the ShieldMitigationRuleGroup

Actual Behavior

When I modify a rule from aws_wafv2_web_acl using terraform apply, it does not indicate that it will remove the ShieldMitigationRuleGroup as before (#22869), but at the end it does it! :(

So I consider that this is not fixed yet...

I suspect that it is because it tries to re-order, rules in someway

Example of terraform apply output that has removed ShieldMitigationRuleGroup without indicating it:

  ~ resource "aws_wafv2_web_acl" "web_acl" {
        id          = "22dfeb14-1eab-41f0-b798-aaafcbff5b77"
        name        = "critical-rule"
        # (6 unchanged attributes hidden)

      - rule {
          - name     = "AWS-AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 0 -> null

          - override_action {

              - none {}
            }

          - statement {

              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null

                  - scope_down_statement {

                      - not_statement {
                          - statement {

                              - ip_set_reference_statement {
                                  - arn = "arn:aws:wafv2:us-east-1:1111111111:global/ipset/trusted-companies/aaaaaaaa-cd4a-4f91-b484-8c0df559d215" -> null
                                }
                            }
                        }
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "AWS-AWSManagedRulesAmazonIpReputationList"
          + priority = 0

          + override_action {

              + none {}
            }

          + statement {

              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
              + sampled_requests_enabled   = true
            }
        }

        # (4 unchanged blocks hidden)
    }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Steps to Reproduce

1. Create a aws_wafv2_web_acl resource using Terraform
2. Add Shield L7 protection from the AWS Console (because terraform does not support it yet). It will a ShieldMitigationRuleGroup rule
3. Modify a Terraform managed rule of the aws_wafv2_web_acl resource
4. Execute terraform apply (it will not say that it will remove the Shield rule)
5. Check from the AWS Console that the Shield L7 rule has been removed :(

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[MrHash]

Updating WAF should not remove the ShieldMitigationGroup rule. Existing WAF rules need to be read and mitigation group rule merged into update.

[vini-mw]

i too am struggling with the very same issue.
there are no references of the ShieldMitigationGroup rule on the state change output yet applying rule modifications on the aws_wafv2_web_acl resource removes the shield group rule from it.

i got this using terraform version 1.5.4 and aws provider version 5.12.0.

[github-actions]

This functionality has been released in v5.15.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.