hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_wafv2_web_acl_logging_configuration doesn't pick up variables.tf #18568

Closed yuko12 closed 3 years ago

yuko12 commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.9 aws v3.35.0

Terraform Configuration Files

resource "aws_wafv2_web_acl_logging_configuration" "main" {
  count = var.create_logging_configuration ? 1 : 0

  log_destination_configs = var.log_destination_configs
  resource_arn            = aws_wafv2_web_acl.main[0].arn

  dynamic "redacted_fields" {
    for_each = var.redacted_fields
    content {
      dynamic "single_header" {
        for_each = length(lookup(redacted_fields.value, "single_header", {})) == 0 ? [] : [lookup(redacted_fields.value, "single_header", {})]
        content {
          name = lookup(single_header.value, "name", null)
        }
      }

      dynamic "single_query_argument" {
        for_each = length(lookup(redacted_fields.value, "single_query_argument", {})) == 0 ? [] : [lookup(redacted_fields.value, "single_query_argument", {})]
        content {
          name = lookup(single_query_argument.value, "name", null)
        }
      }
    }
  }
}

Expected Behavior

If we use the above resource "aws_wafv2_web_acl_logging_configuration" block in a Terraform module to create a WAF web ACL and the respective logging configuration, we should declare the variables there and set default values for them:

variable "create_logging_configuration" {
  description = "Whether to create logging configuration in order start logging from a WAFv2 Web ACL to Amazon Kinesis Data Firehose."
  type        = bool
  default     = false
}

variable "log_destination_configs" {
  description = "The Amazon Kinesis Data Firehose Amazon Resource Name (ARNs) that you want to associate with the web ACL."
  type        = list(string)
  default     = []
}

variable "redacted_fields" {
  description = "The parts of the request that you want to keep out of the logs. Up to 100 `redacted_fields` blocks are supported."
  default     = []
}

Then we should be able to override the default values by declaring the variables again within the live config folder. That would allow us to define different values for prod/qa (different live config folders) and not specify the same variable values in every module definition. The way described above works fine for aws_wafv2_web_acl and aws_cloudfront_distribution resources, for example, but not for aws_wafv2_web_acl_logging_configuration.

Actual Behavior

aws_wafv2_web_acl_logging_configuration doesn't see the variable definitions in the live config folder, but it works if we set them in the module definition like

module "test_waf_acl" {
  source = "../../../modules/waf" # module path, assumed from the directory layout posted in this thread

  create_logging_configuration = true
  log_destination_configs      = [aws_kinesis_firehose_delivery_stream.aws_waf_logs_qa.arn]
}

Steps to Reproduce

  1. Create a module with the above resource definition. Add variables.tf with the declarations and default values.
  2. Use the module and add a new variables.tf in the live config folder to overwrite the default values.
  3. See that the actual values are still taken from the module folder and not from the live config folder.

anGie44 commented 3 years ago

Hi @yuko12, thank you for raising this issue. For clarification, when you note that the default values are not overridden, do you mean for both "single_header" and "single_query_argument", or just one of the two? Please note, as of v3.33.0, the single_query_argument configuration block has been deprecated as it's not currently supported by the WAFv2 service.

To be able to further investigate, do you mind providing the values being used in variables.tf and/or the plan output you see when using the above resource? As well, if you could provide the directory organization you are using, such as

├── example
│   ├── main.tf
│   ├── variables.tf

it would be greatly appreciated. Thank you in advance!

yuko12 commented 3 years ago

Hi! Thanks a lot for the prompt reply. The directory structure is

├── product
│   ├── modules
│   │   ├── waf
│   │       ├── main.tf
│   │       ├── outputs.tf
│   │       ├── variables.tf
│   ├── prod
│   │   ├── global
│   │       ├── waf
│   │           ├── main.tf
│   │           ├── logging.tf
│   │           ├── variables_prod.tf
│   │           ├── provider.tf
│   │           ├── outputs.tf
│   │
│   ├── qa
│   │   ├── global
│   │       ├── waf
│   │           ├── main.tf
│   │           ├── logging.tf
│   │           ├── variables_qa.tf
│   │           ├── provider.tf
│   │           ├── outputs.tf

Thanks for noticing about "single_header" and "single_query_argument"; however, we haven't used them yet. The current issue is with the variables "create_logging_configuration" and "log_destination_configs". So if I put the config below into variables_qa.tf

variable "create_logging_configuration" {
  description = "Whether to create logging configuration in order start logging from a WAFv2 Web ACL to Amazon Kinesis Data Firehose."
  type        = bool
  default     = true
}

variable "log_destination_configs" {
  description = "The Amazon Kinesis Data Firehose Amazon Resource Name (ARNs) that you want to associate with the web ACL."
  type        = list(string)
  default     = [aws_kinesis_firehose_delivery_stream.aws_waf_logs_qa.arn]
}

or specify the actual ARN in place of [aws_kinesis_firehose_delivery_stream.aws_waf_logs_qa.arn], it doesn't override the values specified in the module's variables.tf, which are

variable "create_logging_configuration" {
  description = "Whether to create logging configuration in order start logging from a WAFv2 Web ACL to Amazon Kinesis Data Firehose."
  type        = bool
  default     = false
}

variable "log_destination_configs" {
  description = "The Amazon Kinesis Data Firehose Amazon Resource Name (ARNs) that you want to associate with the web ACL."
  type        = list(string)
  default     = []
}

I can't provide plan output, as it just says there is nothing to change when I add variables_qa.tf to the folder. Sorry for not being clear about the issue from the very beginning.

yuko12 commented 3 years ago

Apologies, my bad, I had to add:

create_logging_configuration = var.create_logging_configuration
log_destination_configs      = var.log_destination_configs

in the folder with the live config when calling the module; then it takes the values from the local folder dedicated to the specific environment.
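The resolution above, worked through as an added example that is not part of the original thread: Terraform variables are scoped to the module that declares them, so a `variable` block in the live config folder never reaches the child module on its own; the root module has to pass each value explicitly at the module call. The file paths and the module source path are assumptions based on the directory layout posted earlier, and the `redacted_fields` value is an assumed entry showing the check a reviewer would want on a WAF logging configuration (keeping credential-bearing headers out of the Firehose logs).

```hcl
# qa/global/waf/variables_qa.tf (paths assumed from the layout in this thread)
variable "create_logging_configuration" {
  type    = bool
  default = true
}

# Assumed example value: WAF logs contain full request headers, so the
# Authorization header is redacted before the record reaches Firehose.
variable "redacted_fields" {
  description = "Parts of the request to keep out of the WAF logs."
  default = [
    { single_header = { name = "authorization" } },
  ]
}

# qa/global/waf/main.tf
module "test_waf_acl" {
  source = "../../../modules/waf" # relative path assumed from the layout above

  # Variables declared in this root folder are NOT visible inside the module.
  # Each one must be passed explicitly; otherwise the module's own defaults
  # (create_logging_configuration = false, log_destination_configs = [])
  # apply and `terraform plan` reports no changes.
  create_logging_configuration = var.create_logging_configuration

  # A variable default cannot reference a resource, so the Firehose ARN is
  # passed here rather than as a default in variables_qa.tf. The delivery
  # stream's name (not its Terraform label) must start with "aws-waf-logs-"
  # or WAFv2 rejects it as a logging destination.
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.aws_waf_logs_qa.arn]

  redacted_fields = var.redacted_fields
}
```

After this change, `terraform plan` in qa/global/waf should show the aws_wafv2_web_acl_logging_configuration resource being created, which is the quickest check that the values are now flowing into the module.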
