Terraform-provider-aws: WAF aws_waf_rule resource does not allow underscores in metric_name

+1. This is very useful, can we get someone to look over this?

The aws_waf_rule resource (but interestingly not the aws_wafregional_rule) resource validates the metric_name attribute with validateWafMetricName():

https://github.com/terraform-providers/terraform-provider-aws/blob/768341474a743c3db30610c6b434fed598d98cd8/aws/validators.go#L1781-L1789

The applicable API references are:

• WAF "classic"
  > A friendly name or description for the metrics for this Rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default_Action." You can't change the name of the metric after you create the Rule.
• WAF regional
  > A friendly name or description for the metrics for this Rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default_Action." You can't change the name of the metric after you create the Rule.

I think that the AWS Console is defaulting to the new WAF v2 API:

MetricName
A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example "All" and "Default_Action." You can't change a MetricName after you create a VisibilityConfig.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 255.

Pattern: ^[\w#:.-/]+$

Required: Yes

https://github.com/terraform-providers/terraform-provider-aws/issues/11176 tracks implementing the WAFv2 Web ACL resource.

@ewbankkit thanks for the feedback but it doesn't seem to match what I see:

Error: Only alphanumeric characters allowed in "metric_name": "filter_countries"

  on waf_regional/groups.tf line 1, in resource "aws_wafregional_rule_group" "filter_countries":
   1: resource "aws_wafregional_rule_group" "filter_countries" {

aws_wafregional_rule_group does appear to still check for it for example while aws_waf_rule is fine with underscores.

@ewbankkit I opened a PR that fixes this the way you described it above. Could you please take a look and let me know if there's any other work on this? Cheers

@scalp42 It's all rather inconsistent right now.
For WAF resources with a metric_name attribute:

• aws_waf_rate_based_rule - ValidateFunc: validateWafMetricName
• aws_waf_rule - ValidateFunc: validateWafMetricName
• aws_waf_rule_group - ValidateFunc: validateWafMetricName
• aws_waf_web_acl - ValidateFunc: validateWafMetricName
• aws_wafregional_rate_based_rule - ValidateFunc: validateWafMetricName
• aws_wafregional_rule - ValidateFunc: nil
• aws_wafregional_rule_group - ValidateFunc: validateWafMetricName
• aws_wafregional_web_acl - ValidateFunc: nil

@scalp42 If I try creating an aws_wafregional_rate_based_rule resource with metric_name = "filter_country_vietnam", incorporating the change from @Y-Tian, then the API returns an exception:

Error creating WAF Regional Rate Based Rule (): WAFDisallowedNameException: The specified name is not permitted.

You should be able to click on _Switch to AWS WAF Classic_ in the AWS WAF section of the WAF & Shield console to verify that in classic mode underscores aren't allowed in metrics names.
Please upvote the linked WAF v2 issue 😄.

Gotcha, this is pretty confusing. Thanks for taking the time @ewbankkit we'll focus on #11176 then.

@scalp42 Can you please close this issue if you're happy with continuing any discussion in #11176?
Thanks.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!