
"Invalid or unknown key" when deploying AWS WAFv2 ACL rule #4868

Open
FilipPyrek opened this issue Dec 2, 2024 · 3 comments
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec

Comments

@FilipPyrek

Describe what happened

Hi folks,

I'm setting up AWS WAF v2, which I previously deployed via AWS CDK.

I'm getting this error:

'WebAcl' has a problem: Invalid or unknown key. Examine values at 'WebAcl.rules'.

I found out it's caused by this rule:

const cognitoRule = {
  name: 'CognitoSignInRateLimit',
  priority: 2,
  action: { ... },
  visibilityConfig: { ... },
  statement: {
    rateBasedStatement: {
      ...
      scopeDownStatement: {
        andStatement: {
          statements: [
            { ... },
            {
              notStatement: {
                statements: [
                  {
                    orStatement: {
                      statements: [
                        { ... },
                        { ... }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
} satisfies aws.types.input.wafv2.WebAclRule

When I change it like this:

const cognitoRule = {
  name: 'CognitoSignInRateLimit',
  priority: 2,
  action: { ... },
  visibilityConfig: { ... },
  statement: {
    rateBasedStatement: {
      ...
      scopeDownStatement: {
        andStatement: {
          statements: [
            { ... },
            {
              notStatement: {
                statements: [ {} ] // 👈 Changed here
              }
            }
          ]
        }
      }
    }
  }
} satisfies aws.types.input.wafv2.WebAclRule

Then the error disappears.

Any clue? Is it some bug in Pulumi/Terraform? Because the code seems to be valid both according to TypeScript types and AWS docs.

Sample program

import * as aws from '@pulumi/aws'

const whitelist = new aws.wafv2.IpSet('Whitelist', {
  name: 'my-whitelist',
  ipAddressVersion: 'IPV4',
  scope: 'REGIONAL',
  addresses: []
})

const cognitoRule: aws.types.input.wafv2.WebAclRule = {
  name: 'CognitoSignInRateLimit',
  priority: 2,
  action: {
    block: {}
  },
  visibilityConfig: {
    sampledRequestsEnabled: true,
    cloudwatchMetricsEnabled: true,
    metricName: 'CognitoSignInRateLimit'
  },
  statement: {
    rateBasedStatement: {
      aggregateKeyType: 'IP',
      limit: 100,
      scopeDownStatement: {
        andStatement: {
          statements: [
            {
              regexMatchStatement: {
                regexString:
                  'AWSCognitoIdentityProviderService.InitiateAuth|AWSCognitoIdentityProviderService.RespondToAuthChallenge|AWSCognitoIdentityProviderService.ForgotPassword|AWSCognitoIdentityProviderService.ConfirmForgotPassword|AWSCognitoIdentityProviderService.SignUp|AWSCognitoIdentityProviderService.ConfirmSignUp|AWSCognitoIdentityProviderService.ResendConfirmationCode',
                fieldToMatch: {
                  singleHeader: { name: 'x-amz-target' }
                },
                textTransformations: [{ priority: 0, type: 'NONE' }]
              }
            },
            {
              notStatement: {
                statements: [
                  {
                    // The issue comes from this section 👇
                    orStatement: {
                      statements: [
                        {
                          ipSetReferenceStatement: {
                            arn: whitelist.arn
                          }
                        },
                        {
                          byteMatchStatement: {
                            searchString: 'some-value',
                            fieldToMatch: {
                              singleHeader: {
                                name: 'some-header'
                              }
                            },
                            textTransformations: [
                              {
                                priority: 0,
                                type: 'NONE'
                              }
                            ],
                            positionalConstraint: 'EXACTLY'
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
}

new aws.wafv2.WebAcl('WebAcl', {
  scope: 'REGIONAL',
  name: 'my-waf',
  defaultAction: {
    allow: {}
  },
  visibilityConfig: {
    cloudwatchMetricsEnabled: true,
    metricName: 'my-waf',
    sampledRequestsEnabled: false
  },
  rules: [cognitoRule]
})

Log output

Diagnostics:
  aws:wafv2:WebAcl (WebAcl):
    error: aws:wafv2/webAcl:WebAcl resource 'WebAcl' has a problem: Invalid or unknown key. Examine values at 'WebAcl.rules'.

Affected Resource(s)

aws.wafv2.WebAcl

Output of pulumi about

CLI          
Version      3.142.0
Go Version   go1.23.3
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.61.0
resource  aws     6.56.0
language  nodejs  unknown

Host     
OS       darwin
Version  15.1.1
Arch     arm64

This project is written in nodejs: executable='/Users/xxxxx/.nvm/versions/node/v20.11.0/bin/node' version='v20.11.0'

Pulumi locates its logs in /var/folders/0c/m2l8t31d55xdhxj3cx63h62r0000gr/T/ by default
warning: Failed to get information about the Pulumi program's dependencies: could not find /Users/xxxxx/projects/package.json. Please include this in your report and run pulumi about --transitive" to get a list of used packages
warning: Could not access the backend: read ".pulumi/meta.yaml": blob (key ".pulumi/meta.yaml") (code=Unknown): NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Additional context

Original Slack thread: https://pulumi-community.slack.com/archives/CJ909TL6P/p1733156609936739


@FilipPyrek FilipPyrek added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Dec 2, 2024
@flostadler
Contributor

Hey @FilipPyrek, thanks for the great repro! I was able to reproduce it right away.

The problem here is that WebAclRule only allows three levels of nesting. I'm sorry that this is not immediately obvious in the docs; it's currently only mentioned in the description of the ruleJson input property. You can use ruleJson as a workaround: it allows arbitrary nesting but does not have type safety.

I'll take an action to update the docs with this info and also see if we can improve the types here so that they reflect this limitation.

Additionally, I'm gonna investigate if we can emit a better error message in this case. Pointing to 'WebAcl.rules' does not help in understanding the problem.

@flostadler flostadler added impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-triage Needs attention from the triage team labels Dec 3, 2024
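The nesting limit described above can often be worked around without giving up the typed `rules` input: NOT (x OR y) is equivalent to (NOT x) AND (NOT y), and because the reporter's notStatement already sits inside an andStatement, the two negations can become siblings of the regexMatchStatement, removing one level. The block below is an added example, not code from the issue or from the Pulumi provider; it assumes the limit counts rateBased/and/or/not statements along the deepest path (four in the reported rule) and uses constructed leaf values with a placeholder ARN.

```typescript
// Added example: measure WAFv2 statement nesting and apply De Morgan to flatten
// NOT(OR(x, y)) inside an AND into NOT x, NOT y. Not the page's or Pulumi's code.
type Stmt = Record<string, any>; // a WAFv2 statement object, e.g. { notStatement: { ... } }

// Depth counts rateBased/and/or/not statements on the deepest path (assumed to be how the
// three-level limit is measured); leaf statements such as regexMatch, ipSetReference and
// byteMatch count as 0 and are never inspected, so Pulumi Outputs inside them are untouched.
function nestingDepth(stmt: Stmt): number {
  const childrenOf = (s: Stmt): Stmt[] | undefined =>
    s.rateBasedStatement ? [s.rateBasedStatement.scopeDownStatement].filter(Boolean)
    : (s.andStatement ?? s.orStatement ?? s.notStatement)?.statements;
  const children = childrenOf(stmt);
  if (!children) return 0;
  return 1 + Math.max(0, ...children.map(nestingDepth));
}

// Recursively rebuild the statement. Only the AND case changes shape: a child of the form
// NOT (x OR y) is replaced by the siblings NOT x and NOT y, which matches the same requests.
function flattenNotOr(stmt: Stmt): Stmt {
  if (stmt.rateBasedStatement) {
    const rb = stmt.rateBasedStatement;
    return { rateBasedStatement: rb.scopeDownStatement
      ? { ...rb, scopeDownStatement: flattenNotOr(rb.scopeDownStatement) } : rb };
  }
  if (stmt.orStatement) return { orStatement: { statements: stmt.orStatement.statements.map(flattenNotOr) } };
  if (stmt.notStatement) return { notStatement: { statements: stmt.notStatement.statements.map(flattenNotOr) } };
  if (stmt.andStatement) {
    const out: Stmt[] = [];
    for (const child of stmt.andStatement.statements.map(flattenNotOr)) {
      const negated = child.notStatement?.statements?.[0];
      if (child.notStatement?.statements?.length === 1 && negated?.orStatement) {
        for (const x of negated.orStatement.statements) out.push({ notStatement: { statements: [x] } });
      } else out.push(child);
    }
    return { andStatement: { statements: out } };
  }
  return stmt; // leaf statement, returned by reference
}

// The scope-down structure from the issue with constructed leaf values; the ARN is a
// placeholder standing in for whitelist.arn. Leaf contents do not affect the depth.
const issueStatement: Stmt = { rateBasedStatement: { aggregateKeyType: "IP", limit: 100,
  scopeDownStatement: { andStatement: { statements: [
    { regexMatchStatement: { regexString: "AWSCognitoIdentityProviderService\\.InitiateAuth" } },
    { notStatement: { statements: [ { orStatement: { statements: [
      { ipSetReferenceStatement: { arn: "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/PLACEHOLDER" } },
      { byteMatchStatement: { searchString: "some-value", positionalConstraint: "EXACTLY" } },
    ] } } ] } },
  ] } } } };

const flattened = flattenNotOr(issueStatement);
console.log(nestingDepth(issueStatement), nestingDepth(flattened)); // 4 then 3
```

The flattened object keeps the camelCase shape used by `rules`, so it can replace the `statement` of the sample program's rule; whether the three-level form is accepted by the provider is not shown on this page, so verify with `pulumi preview`, or fall back to `ruleJson`.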
@FilipPyrek
Author

Hi @flostadler thanks for such a quick response. 🙇‍♂

Where does the limit come from? Pulumi? Terraform? AWS?

Because, as I mentioned, it works well for us when deployed via AWS CDK.

Also, Pulumi's TypeScript types (inputs.wafv2.WebAclRule) don't show any error when having the nested levels as I provided in the repro.

So I assume it's a Terraform provider issue?

@flostadler
Contributor

flostadler commented Dec 3, 2024

Yes, you're right @FilipPyrek, it's a limitation that we inherit from the upstream Terraform provider. This is also why the types do not show this limitation (which is painful, I fully agree).

Alternatively you could use the wafv2 resources from the AWS native provider: https://www.pulumi.com/registry/packages/aws-native/api-docs/wafv2. Those are modeled better than their counterparts from pulumi-aws.
