hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[aws_wafv2_web_acl] Web ACL update-in-place fails #14035

Closed Tailzip closed 4 years ago

Tailzip commented 4 years ago

Community Note

Terraform Version

Terraform version: 0.12.20
AWS provider version: 2.68.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_wafv2_web_acl" "waf_web_acl" {
  name        = "delete-me-demo"
  description = "to be deleted..."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit"
    priority = 0

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 1000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rate-limit-delete-me-demo-metric-name"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    foo = "bar"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "delete-me-demo-metric-name"
    sampled_requests_enabled   = false
  }
}

Debug Output

https://gist.github.com/Tailzip/23feef7ef2d6c325da1812e631f62a9c

Expected Behavior

Web ACL is updated-in-place without error.

Actual Behavior

Web ACL isn't updated-in-place. terraform apply fails with the following error message:

Error: Error updating WAFv2 WebACL: WAFInvalidParameterException: Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "11e05729-fdb9-44e2-bbdc-8677eb7302c8"
  },
  Field: "STATEMENT",
  Message_: "Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement",
  Parameter: "Statement",
  Reason: "Your statement has multiple values set for a field that requires exactly one value."
}

In the debug log attached, you can clearly see that the JSON body of the POST request to update the web ACL is missing data under the Statement key:

{
  "DefaultAction": {
    "Block": {}
  },
  ...
  "Rules": [
    {
      "Action": {
        "Block": {}
      },
      "Name": "rate-limit",
      "Priority": 0,
      "Statement": {},
      "VisibilityConfig": {
        "CloudWatchMetricsEnabled": false,
        "MetricName": "rate-limit-delete-me-demo-metric-name",
        "SampledRequestsEnabled": false
      }
    }
  ],
  ...
}

Steps to Reproduce

  1. terraform apply
  2. Update default_action block content from allow {} to block {}
  3. terraform plan shows:

    # aws_wafv2_web_acl.waf_web_acl will be updated in-place
    ~ resource "aws_wafv2_web_acl" "waf_web_acl" {
    ...
    ~ default_action {
    - allow {}
    + block {}
    }
    ...
    }
  4. terraform apply fails...
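
As an added example (not part of the original issue or the provider's code): a pre-flight check in Python that walks an UpdateWebACL request body, such as the one captured in the debug log above, and reports any rule whose Statement does not set exactly one statement type, including nested statements. The function names are hypothetical and both sample payloads are constructed from the excerpt and configuration in the issue.

```python
import json

def check_statement(stmt, path):
    """Return problems for one WAFv2 Statement object (exactly one type must be set)."""
    if not isinstance(stmt, dict):
        return [f"{path}: missing or not an object"]
    kinds = sorted(k for k, v in stmt.items() if v is not None)
    if len(kinds) != 1:
        return [f"{path}: {len(kinds)} statement types set {kinds}, need exactly 1"]
    kind, body = kinds[0], stmt[kinds[0]]
    if not isinstance(body, dict):
        return [f"{path}.{kind}: not an object"]
    problems = []
    if kind in ("AndStatement", "OrStatement"):       # children under "Statements"
        for i, child in enumerate(body.get("Statements", [])):
            problems += check_statement(child, f"{path}.{kind}.Statements[{i}]")
    elif kind == "NotStatement":                      # single child under "Statement"
        problems += check_statement(body.get("Statement"), f"{path}.{kind}.Statement")
    elif "ScopeDownStatement" in body:                # e.g. RateBasedStatement
        problems += check_statement(body["ScopeDownStatement"],
                                    f"{path}.{kind}.ScopeDownStatement")
    return problems

def check_web_acl_update(payload):
    """Check every rule in an UpdateWebACL request body."""
    problems = []
    for i, rule in enumerate(payload.get("Rules", [])):
        name = rule.get("Name", f"#{i}")
        problems += check_statement(rule.get("Statement"), f"Rules[{name}].Statement")
    return problems

# Constructed sample: the request excerpt from the debug log (elided fields omitted).
BROKEN = json.loads("""{"DefaultAction": {"Block": {}},
  "Rules": [{"Action": {"Block": {}}, "Name": "rate-limit", "Priority": 0,
             "Statement": {}}]}""")
# Constructed sample: the same rule carrying the rate_based_statement from the config.
INTACT = json.loads("""{"DefaultAction": {"Block": {}},
  "Rules": [{"Action": {"Block": {}}, "Name": "rate-limit", "Priority": 0,
             "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}}}]}""")

if __name__ == "__main__":
    for label, payload in (("broken", BROKEN), ("intact", INTACT)):
        print(label, check_web_acl_update(payload) or "ok")
```

Run against request bodies extracted from a TF_LOG=DEBUG trace, this flags the empty Statement before the API rejects the update and leaves the web ACL on its previous default action.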

ewbankkit commented 4 years ago

Similar:

whizz0 commented 4 years ago

I'm getting the same error while TF plan shows update only in AWS tags, nothing else. Using aws provider v. 2.70.0

anGie44 commented 4 years ago

A fix has been merged and will release with v3.2.0 of the Terraform AWS Provider, expected out later today.

ghost commented 4 years ago

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!