
Unable to destroy aws_waf_web_acl resource when it contains a rule group #4076

Closed
erikpaasonen opened this issue Apr 5, 2018 · 4 comments
Labels
bug Addresses a defect in current functionality. service/waf Issues and PRs that pertain to the waf service.
Comments

@erikpaasonen
Contributor

Terraform Version

Terraform v0.11.5

  • provider.aws v1.13.0

Affected Resource(s)

  • aws_waf_web_acl

Terraform Configuration Files

resource "aws_waf_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_waf_rule_group" "example" {
  name        = "example"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }

    priority = 50
    rule_id  = "${aws_waf_rule.example.id}"
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_waf_rule_group.example.id}"
    type     = "REGULAR"
  }
}

Debug Output

https://gist.github.com/erikpaasonen/b75e45552cd1df07e8987464ad1aaa5e

Panic Output

N/A

Expected Behavior

Terraform should cleanly destroy the WebACL resource.

Actual Behavior

Get the above error message, and the WebACL is still present in the AWS Console.

Steps to Reproduce

  1. Run terraform apply against a .tf file with the above code.
  2. Run terraform destroy

Important Factoids

Our team is using a null_resource solution to script the attachment of an external rule group to a Terraform-managed aws_waf_web_acl resource after Terraform completes. Unfortunately, now that we have a need to destroy (recreate) the Terraform resource, we're getting blocked by this bug. I didn't have to include the null_resource complexity because this error is reproducible exclusively using Terraform resources now.

Also tried this with the new waf-regional resources, but it produced a Terraform crash. Will file that as a separate bug report and link to this one.

References

#4052

@bflad bflad added bug Addresses a defect in current functionality. service/waf Issues and PRs that pertain to the waf service. labels Apr 5, 2018
@erikpaasonen
Contributor Author

Actual error message (I should've quoted it in the Actual Behavior section, sorry):

1 error(s) occurred:

* aws_waf_web_acl.waf_acl (destroy): 1 error(s) occurred:

* aws_waf_web_acl.waf_acl: Error Removing WAF ACL Rules: Error Updating WAF ACL: WAFInvalidOperationException: Operation is invalid for this entity.
	status code: 400, request id: 2243cafa-38ee-11e8-8c12-d76d41a98b3c

@bflad bflad added this to the v1.27.0 milestone Jul 9, 2018
@bflad
Member

bflad commented Jul 9, 2018

This should be fixed with #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 👍

# Implementation is similar for aws_wafregional_web_acl resource
resource "aws_waf_web_acl" "example" {
  # ... other configuration ...
  rules {
    # ... other configuration ...
    override_action {
      type = "NONE"
    }
    type    = "GROUP"
    rule_id = "${aws_waf_rule_group.example.id}"
  }
}

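The two places in this thread where the rule type matters are the reporter's scripted attach/detach of an external rule group (the null_resource workaround described under Important Factoids) and the fix above, which has the provider send `type = "GROUP"` plus `override_action` instead of `type = "REGULAR"` plus `action`. The following is an added example, not code from this issue or from the Terraform AWS provider. It does with the WAF Classic API what the fixed provider does on destroy: read the live WebACL with GetWebACL and echo each ActivatedRule back as a DELETE with the Type and Action/OverrideAction pairing the service actually holds, rather than whatever local state believed. The boto3 `waf` client methods used (get_web_acl, get_change_token, update_web_acl) are real; `FakeWafClient`, the `SAMPLE_*` ids and the exact rejection behaviour of the fake are constructed for offline use and are assumptions, not a statement of how the service is implemented.

```python
"""Remove every rule from an AWS WAF (Classic) WebACL, mirroring the rule
types the service reports instead of the types held in local state.

Added example, not code from the GitHub issue or the Terraform AWS provider.
`client` is any object exposing the boto3 waf client methods get_web_acl,
get_change_token and update_web_acl; FakeWafClient is a constructed stand-in
so the module runs without AWS credentials.
"""


def build_delete_updates(activated_rules):
    """Turn the Rules list of a GetWebACL response into UpdateWebACL Updates
    that remove each rule. An ActivatedRule carries exactly one of
    Action/OverrideAction: REGULAR and RATE_BASED rules carry Action, GROUP
    rules carry OverrideAction (a rule group has no action of its own, the
    ACL only records whether member actions are overridden to COUNT or NONE)."""
    updates = []
    for rule in activated_rules:
        rule_type = rule.get("Type", "REGULAR")
        activated = {
            "Priority": rule["Priority"],
            "RuleId": rule["RuleId"],
            "Type": rule_type,
        }
        if rule_type == "GROUP":
            activated["OverrideAction"] = rule.get("OverrideAction", {"Type": "NONE"})
        else:
            activated["Action"] = rule["Action"]
        updates.append({"Action": "DELETE", "ActivatedRule": activated})
    return updates


def detach_all_rules(client, web_acl_id):
    """Detach every rule from web_acl_id and return how many were removed.
    Once no rules are attached the ACL itself can be deleted (DeleteWebACL)."""
    acl = client.get_web_acl(WebACLId=web_acl_id)["WebACL"]
    updates = build_delete_updates(acl.get("Rules", []))
    if not updates:
        return 0
    # Every mutating WAF Classic call needs a fresh change token.
    token = client.get_change_token()["ChangeToken"]
    client.update_web_acl(WebACLId=web_acl_id, ChangeToken=token, Updates=updates)
    return len(updates)


class FakeWafClient:
    """Constructed in-memory stand-in for boto3.client("waf"). It rejects an
    ActivatedRule whose Action/OverrideAction pairing does not fit its Type,
    and a DELETE whose RuleId/Type pair is not attached, which is the
    REGULAR-vs-GROUP mismatch the issue reports (modelled, not the real service)."""

    def __init__(self, web_acls):
        self.web_acls = web_acls  # {web_acl_id: [ActivatedRule, ...]}

    def get_web_acl(self, WebACLId):
        return {"WebACL": {"WebACLId": WebACLId, "Rules": list(self.web_acls[WebACLId])}}

    def get_change_token(self):
        return {"ChangeToken": "constructed-change-token"}

    def update_web_acl(self, WebACLId, ChangeToken, Updates):
        rules = self.web_acls[WebACLId]
        for upd in Updates:
            ar = upd["ActivatedRule"]
            has_action, has_override = "Action" in ar, "OverrideAction" in ar
            if has_action == has_override or has_override != (ar["Type"] == "GROUP"):
                raise ValueError("Action/OverrideAction does not match rule Type")
            if upd["Action"] == "INSERT":
                rules.append(ar)
                continue
            match = [r for r in rules if r["RuleId"] == ar["RuleId"] and r["Type"] == ar["Type"]]
            if not match:
                raise ValueError("WAFInvalidOperationException: Operation is invalid for this entity.")
            rules.remove(match[0])
        return {"ChangeToken": ChangeToken}


# Constructed sample shaped like the issue's configuration: a rule group
# attached at priority 1 plus a regular BLOCK rule, with placeholder ids.
SAMPLE_ACL_ID = "acl-constructed-0001"
SAMPLE_RULES = [
    {"Priority": 1, "RuleId": "group-0001", "Type": "GROUP", "OverrideAction": {"Type": "NONE"}},
    {"Priority": 2, "RuleId": "rule-0002", "Type": "REGULAR", "Action": {"Type": "BLOCK"}},
]


if __name__ == "__main__":
    # Against a real account replace the fake with boto3.client("waf")
    # (region us-east-1 for CloudFront-scoped ACLs).
    client = FakeWafClient({SAMPLE_ACL_ID: list(SAMPLE_RULES)})
    print(detach_all_rules(client, SAMPLE_ACL_ID), "rules removed")
```

The point of reading the ACL back first is the same one the provider fix makes: the DELETE must describe the ActivatedRule exactly as the service holds it. A group rule deleted as `Type=REGULAR` with an `Action` is the request the 1.13.0 provider was sending, and it is what the fake (like the service in the reporter's log) refuses.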
@bflad bflad closed this as completed Jul 9, 2018
@bflad
Member

bflad commented Jul 11, 2018

This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Apr 4, 2020