Internal Exception while creating AWS FMS Policy for CloudFront

I am getting the below error while creating a Firewall Manager policy for a CloudFront distribution. The documentation provides little detail on how to deploy a CloudFront distribution, which is a global resource.

I am getting the below error while executing my code:

aws_fms_policy.xxxx: Creating...
╷
│ Error: error creating FMS Policy: InternalErrorException:
│
│   with aws_fms_policy.xxxx,
│   on r_wafruleset.tf line 1, in resource "aws_fms_policy" "xxxx":
│    1: resource "aws_fms_policy" "xxxx" {
│
╵
Releasing state lock. This may take a few moments...

main.tf looks like this with provider information:

provider "aws" {
  region = "ap-southeast-2"
  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/yyyy"
  }
}

provider "aws" {
  alias = "us_east_1"
  region = "us-east-1"
  
  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/yyyy"
  }
}

r_fms.tf looks like this:

resource "aws_fms_policy" "xxxx" {

  name                  = "xxxx"
  exclude_resource_tags = true
  resource_tags         = var.exclude_tags
  remediation_enabled   = true
  provider = aws.us_east_1

  include_map {
    account = ["123123123"]
  }

  resource_type = "AWS::CloudFront::Distribution"

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode(
      {
        type = "WAFV2"
        defaultAction = {
          type = "ALLOW"
        }
        
        overrideCustomerWebACLAssociation = false
        postProcessRuleGroups             = []
        
        preProcessRuleGroups = [
          {
            excludeRules = []
            managedRuleGroupIdentifier = {
              vendorName           = "AWS"
              managedRuleGroupName = "AWSManagedRulesAmazonIpReputationList"
              version              = true
            }
            overrideAction = {
              type = "COUNT"
            }
            ruleGroupArn           = null
            ruleGroupType          = "ManagedRuleGroup"
            sampledRequestsEnabled = true
          },
          {
            excludeRules = []
            managedRuleGroupIdentifier = {
              managedRuleGroupName = "AWSManagedRulesWindowsRuleSet"
              vendorName           = "AWS"
              version              = null
            }
            overrideAction = {
              type = "COUNT"
            }
            ruleGroupArn           = null
            ruleGroupType          = "ManagedRuleGroup"
            sampledRequestsEnabled = true
          },
        ]
        sampledRequestsEnabledForDefaultActions = true
    })
  }
}

I have tried to follow this thread but am still getting the same error: https://github.com/hashicorp/terraform-provider-aws/issues/17821

Terraform Version:

Terraform v1.1.7
on windows_386
+ provider registry.terraform.io/hashicorp/aws v4.6.0


Solution 1:[1]

There is an open issue in the Terraform AWS provider.

Solution 2:[2]

A workaround for this issue is to remove the 'version' attribute.

AWS has recently introduced versioning for WAF policies managed by Firewall Manager, which is causing this weird error. Though a permanent fix is in progress (refer to my earlier post), we can remove the attribute to avoid this error.

Another approach is to use the new attribute versionEnabled=true in case you want versioning enabled.
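The resource below is an added example combining the two answers; it is not code from the question or from either answerer. The resource and policy names and the account id are placeholders, and it assumes versionEnabled is accepted in managedRuleGroupIdentifier as Solution 2 describes.

```hcl
resource "aws_fms_policy" "cloudfront_waf" {
  # CloudFront is a global resource; the FMS policy for it is created in us-east-1
  provider              = aws.us_east_1
  name                  = "cloudfront-waf"   # placeholder
  resource_type         = "AWS::CloudFront::Distribution"
  exclude_resource_tags = false
  remediation_enabled   = true

  include_map {
    account = ["123123123"]   # placeholder account id
  }

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode({
      type                                    = "WAFV2"
      defaultAction                           = { type = "ALLOW" }
      overrideCustomerWebACLAssociation       = false
      sampledRequestsEnabledForDefaultActions = true
      postProcessRuleGroups                   = []
      preProcessRuleGroups = [
        {
          ruleGroupType = "ManagedRuleGroup"
          ruleGroupArn  = null
          excludeRules  = []
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesAmazonIpReputationList"
            # "version = true" is the line the question's config had and the
            # answers point at. Either omit "version" entirely (Solution 1's
            # workaround) or opt in to versioning with versionEnabled (Solution 2).
            versionEnabled = true
          }
          # COUNT only records matches; the rule group blocks nothing until
          # this is changed to NONE, so COUNT is a tuning phase, not protection.
          overrideAction         = { type = "COUNT" }
          sampledRequestsEnabled = true
        }
      ]
    })
  }
}
```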

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Alex
Solution 2: Zuntoo