hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[WAFv2] resource/wafv2_rule_group: recreated on any changes to the rules #14071

Closed anGie44 closed 4 years ago

anGie44 commented 4 years ago


Relates #13936

Terraform Version

Terraform v0.12.26
provider.aws v2.67.0

Affected Resource(s)

aws_wafv2_rule_group

Terraform Configuration Files

resource "aws_wafv2_rule_group" "example" {
  capacity    = 50
  name        = "tf-acc-test-123"
  description = "tf-acc-test-123"
  scope       = "REGIONAL"

  rule {
    name     = "rule-2"
    priority = 10

    action {
      block {}
    }

    statement {
      size_constraint_statement {
        comparison_operator = "LT"
        size                = 50

        field_to_match {
          query_string {}
        }

        text_transformation {
          priority = 5
          type     = "NONE"
        }

        text_transformation {
          priority = 2
          type     = "CMD_LINE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

Expected Behavior

I expected the resource aws_wafv2_rule_group to just be updated and not recreated when I changed the priority of a rule, for example.

Actual Behavior

When making any changes to the rules, the resource aws_wafv2_rule_group is recreated.

 - rule { # forces replacement
          - name     = "rule-2" -> null
          - priority = 10 -> null

          - action {

              - block {}
            }

          - statement {

              - size_constraint_statement {
                  - comparison_operator = "LT" -> null
                  - size                = 50 -> null

                  - field_to_match {

                      - query_string {}
                    }

                  - text_transformation {
                      - priority = 2 -> null
                      - type     = "CMD_LINE" -> null
                    }
                  - text_transformation {
                      - priority = 5 -> null
                      - type     = "NONE" -> null
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = false -> null
              - metric_name                = "friendly-rule-metric-name" -> null
              - sampled_requests_enabled   = false -> null
            }
        }
 + rule { # forces replacement
          + name     = "rule-2"
          + priority = 1

          + action {

              + block {}
            }

          + statement {

              + size_constraint_statement {
                  + comparison_operator = "LT"
                  + size                = 50

                  + field_to_match {

                      + query_string {}
                    }

                  + text_transformation {
                      + priority = 2
                      + type     = "CMD_LINE"
                    }
                  + text_transformation {
                      + priority = 5
                      + type     = "NONE"
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = false
              + metric_name                = "friendly-rule-metric-name"
              + sampled_requests_enabled   = false
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = false
            metric_name                = "friendly-metric-name"
            sampled_requests_enabled   = false
        }
    }

Steps to Reproduce

Just change the rule priority
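The plan above marks the rule block with `# forces replacement`, which for a WAF rule group or web ACL means a window during which the rules do not exist at all. The following Python script is an added example, not code from this issue or from the provider: it reads the JSON form of a saved plan (`terraform show -json plan.tfplan`) and refuses any plan that would destroy and recreate a resource type treated as a security control. The embedded sample plan is constructed to mirror the plan in this issue, and `PROTECTED_TYPES` is an assumed list that you would extend for your environment.

```python
"""Refuse Terraform plans that replace (destroy and recreate) security controls.

Added example for this issue, not the provider's own code. Input is the JSON
produced by `terraform show -json plan.tfplan`; SAMPLE_PLAN below is a
constructed, trimmed stand-in for that output.
"""
import json
import sys

# Constructed sample of the `resource_changes` section of a JSON plan. It
# mirrors the plan in the issue: the rule group is deleted and created again
# because a rule priority changed, while the web ACL is only updated.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {
            "address": "aws_wafv2_rule_group.example",
            "type": "aws_wafv2_rule_group",
            "name": "example",
            "change": {
                "actions": ["delete", "create"],
                "before": {"name": "tf-acc-test-123",
                           "rule": [{"name": "rule-2", "priority": 10}]},
                "after": {"name": "tf-acc-test-123",
                          "rule": [{"name": "rule-2", "priority": 1}]},
            },
        },
        {
            "address": "aws_wafv2_web_acl.example",
            "type": "aws_wafv2_web_acl",
            "name": "example",
            "change": {"actions": ["update"], "before": {}, "after": {}},
        },
        {
            "address": "aws_cloudwatch_log_group.waf",
            "type": "aws_cloudwatch_log_group",
            "name": "waf",
            "change": {"actions": ["delete", "create"], "before": {}, "after": {}},
        },
    ],
})

# Assumed list of resource types whose replacement leaves a protection gap.
PROTECTED_TYPES = frozenset({"aws_wafv2_rule_group", "aws_wafv2_web_acl"})


def replaced_resources(plan_json: str) -> list:
    """Return the addresses of every resource the plan would destroy and recreate.

    Terraform encodes a replacement as both "delete" and "create" in
    change.actions; the order differs when create_before_destroy is set, so
    the check tests for membership rather than one fixed ordering.
    """
    plan = json.loads(plan_json)
    replaced = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if {"delete", "create"} <= actions:
            replaced.append(rc["address"])
    return replaced


def protected_replacements(plan_json: str, protected_types=PROTECTED_TYPES) -> list:
    """Return only the replaced resources whose type is in `protected_types`."""
    plan = json.loads(plan_json)
    type_of = {rc["address"]: rc["type"] for rc in plan.get("resource_changes", [])}
    return [a for a in replaced_resources(plan_json) if type_of.get(a) in protected_types]


def main(path=None) -> int:
    """Exit 1 when a protected resource would be replaced, so CI can block apply."""
    if path:
        with open(path) as fh:
            plan_json = fh.read()
    else:
        plan_json = SAMPLE_PLAN
    hits = protected_replacements(plan_json)
    for address in hits:
        print(f"REFUSING: plan replaces protected resource {address}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it in CI as `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan > plan.json && python check_plan.py plan.json`; the log group replacement is reported by `replaced_resources` but does not fail the gate, because only the WAF types are in the protected list. With the sample, the rule group is the one hit and the exit status is 1.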

bryanlalexander commented 4 years ago

We just ran into this today as well. It does seem overly destructive to delete the resource, in this case, to update the rules.

juanpgomez-gsa commented 4 years ago

I am also seeing the same behavior with aws_wafv2_web_acl.

AshMenhennett commented 4 years ago

Ran into this recently and looked for a resolution; in this case, any removal of a rule from the aws_wafv2_web_acl resource results in a tear down of the firewall. This resource is not suitable for a production environment with a break-glass scenario that requires updates to the rules in-place to meet security requirements (i.e. enforce some private access controls).

Happy to put in the steps to reproduce; it's the same scenario as above, directly targeting the aws_wafv2_web_acl resource itself.

anGie44 commented 4 years ago

A fix has been merged and will release with v3.2.0 of the Terraform AWS Provider, expected out later today.

ghost commented 4 years ago

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!