hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

WAFv2 Rule Not Updating #26798

Closed ghost closed 3 years ago

ghost commented 3 years ago

Terraform Version

12.2.0

Terraform Configuration Files

resource "aws_wafv2_web_acl" "XXX_web_acl" {
  provider = aws.XXX-WAF
  name     = "XXX-web-acl-${lower(var.environment)}"
  scope    = "REGIONAL"

  default_action {
    allow {
    }
  }

  rule {
    name      = "RequestBlock"
    priority  = 0

    action {
      block {
      }
    }

    statement {
      and_statement {
        statement {
          byte_match_statement {
            field_to_match {
              single_header {
                name   = "host"
              }
            }
            positional_constraint = "CONTAINS"
            search_string = var.XXX_portal_url
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
        statement {
          regex_pattern_set_reference_statement {
            arn = aws_wafv2_regex_pattern_set.XXX_regex.arn
            field_to_match {
              body {
              }
            }
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
        statement {
          byte_match_statement {
            field_to_match {
              method {
              }
            }
            positional_constraint = "CONTAINS"
            search_string  = "POST"
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "XXX-web-acl-request-block-${lower(var.environment)}"
      sampled_requests_enabled   = true
    }
  }

  tags = {
    Terraform   = "true"
    Environment = var.environment
    Project     = var.project_name
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "XXX-cloudwtach-${lower(var.environment)}"
    sampled_requests_enabled   = true
  }
}

Expected Behavior

The block below (existing rule):


statement {
  regex_pattern_set_reference_statement {
    arn = aws_wafv2_regex_pattern_set.XXX_regex.arn
    field_to_match {
      uri_path {
      }
    }
    text_transformation {
      priority = 0
      type     = "NONE"
    }
  }
}

Should be replaced by:


statement {
  regex_pattern_set_reference_statement {
    arn = aws_wafv2_regex_pattern_set.XXX_regex.arn
    field_to_match {
      body {
      }
    }
    text_transformation {
      priority = 0
      type     = "NONE"
    }
  }
}

Actual Behavior

Steps to Reproduce

Additional Context

The Terraform is being updated alongside multiple other resources via a Jenkins pipeline; however, this Terraform is in its own separate file and is a standalone piece of infra.

References

n/a
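The report above is about a rule whose field_to_match was changed from uri_path to body without the deployed web ACL changing. Since a WAF rule that silently keeps matching the wrong field leaves the block rule ineffective, a practitioner wants a post-apply check that compares the deployed web ACL against the intended field_to_match list. The following is an added example, not code from the issue or from Terraform or the AWS provider: it walks a web ACL document shaped like the boto3 `wafv2.get_web_acl` response (And/Or/Not nesting included) and reports every statement whose FieldToMatch differs from what the configuration intends. The sample response, the rule name, the placeholder ARN and the `INTENDED_FIELDS` list are constructed for the example; a live check would obtain the document from `boto3.client("wafv2").get_web_acl(Name=..., Scope="REGIONAL", Id=...)`.

```python
"""Detect drift between a deployed WAFv2 rule and the field_to_match settings
the Terraform configuration intends.  Added example, not part of the issue,
Terraform or the AWS provider.  Operates on a dict shaped like the boto3
``wafv2.get_web_acl`` response so it runs offline."""
import copy
from typing import Any, Dict, Iterator, List, Tuple

# Statement types that carry a FieldToMatch (key names from the WAFv2 API).
_FIELD_STATEMENTS = (
    "ByteMatchStatement",
    "RegexPatternSetReferenceStatement",
    "RegexMatchStatement",
    "SqliMatchStatement",
    "XssMatchStatement",
    "SizeConstraintStatement",
)
# Logical statements and the key under which they nest their children.
_NESTING = {"AndStatement": "Statements", "OrStatement": "Statements", "NotStatement": "Statement"}


def iter_field_matches(statement: Dict[str, Any], path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (statement_path, field_name) for every FieldToMatch under a
    statement, descending through And/Or/Not in document order."""
    for kind, body in statement.items():
        here = f"{path}/{kind}" if path else kind
        if kind in _FIELD_STATEMENTS:
            # FieldToMatch holds exactly one key, e.g. {"Body": {}} or {"UriPath": {}}.
            for name in body.get("FieldToMatch", {}):
                yield here, name
        elif kind in _NESTING:
            child = body[_NESTING[kind]]
            children = child if isinstance(child, list) else [child]
            for i, sub in enumerate(children):
                yield from iter_field_matches(sub, f"{here}[{i}]")


def find_rule(web_acl: Dict[str, Any], rule_name: str) -> Dict[str, Any]:
    """Return the named rule from a WebACL document or raise KeyError."""
    for rule in web_acl.get("Rules", []):
        if rule.get("Name") == rule_name:
            return rule
    raise KeyError(f"rule {rule_name!r} not found in web ACL {web_acl.get('Name')!r}")


def deployed_fields(response: Dict[str, Any], rule_name: str) -> List[str]:
    """Field names the deployed rule actually inspects, in statement order."""
    rule = find_rule(response["WebACL"], rule_name)
    return [field for _, field in iter_field_matches(rule["Statement"])]


def check_rule_fields(response: Dict[str, Any], rule_name: str, expected: List[str]) -> List[str]:
    """Compare deployed field_to_match entries with the intended list.
    Returns human-readable drift messages; an empty list means no drift."""
    rule = find_rule(response["WebACL"], rule_name)
    actual = list(iter_field_matches(rule["Statement"]))
    drift = []
    if len(actual) != len(expected):
        drift.append(f"{rule_name}: deployed rule has {len(actual)} field_to_match entries, config has {len(expected)}")
    for (where, got), want in zip(actual, expected):
        if got != want:
            drift.append(f"{rule_name}: {where} matches on {got}, config intends {want}")
    return drift


def with_field(response: Dict[str, Any], rule_name: str, index: int, field: str) -> Dict[str, Any]:
    """Return a copy of the response with the index-th statement of the rule's
    AndStatement matching on `field` (used to model the intended state)."""
    fixed = copy.deepcopy(response)
    stmts = find_rule(fixed["WebACL"], rule_name)["Statement"]["AndStatement"]["Statements"]
    (inner,) = stmts[index].values()
    inner["FieldToMatch"] = {field: {}}
    return fixed


# Constructed sample shaped like a get_web_acl response.  The regex statement
# still inspects UriPath: the stale state described in the issue.
_TEXT = [{"Priority": 0, "Type": "NONE"}]
STALE_RESPONSE = {
    "WebACL": {
        "Name": "XXX-web-acl-dev",
        "Rules": [{
            "Name": "RequestBlock",
            "Priority": 0,
            "Action": {"Block": {}},
            "Statement": {"AndStatement": {"Statements": [
                {"ByteMatchStatement": {"FieldToMatch": {"SingleHeader": {"Name": "host"}},
                                        "PositionalConstraint": "CONTAINS",
                                        "SearchString": b"portal.example", "TextTransformations": _TEXT}},
                {"RegexPatternSetReferenceStatement": {"ARN": "arn:aws:wafv2:REGION:ACCOUNT:regional/regexpatternset/PLACEHOLDER",
                                                       "FieldToMatch": {"UriPath": {}}, "TextTransformations": _TEXT}},
                {"ByteMatchStatement": {"FieldToMatch": {"Method": {}}, "PositionalConstraint": "CONTAINS",
                                        "SearchString": b"POST", "TextTransformations": _TEXT}},
            ]}},
        }],
    }
}
# What the configuration in the issue intends, in statement order (constructed).
INTENDED_FIELDS = ["SingleHeader", "Body", "Method"]

if __name__ == "__main__":
    for line in check_rule_fields(STALE_RESPONSE, "RequestBlock", INTENDED_FIELDS):
        print(line)
```

Run it after `terraform apply` with the real response: any output line means the apply did not change what the rule inspects, which is exactly the condition a clean plan can hide. The check is order-sensitive on purpose, since the statements of an and_statement are positional and a swap between two of them is also drift.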

jbardin commented 3 years ago

Hi @Stegrugel

There have been a lot of changes since the 12.2.0 release, and I suggest you try a current release to see if it resolves your issue. If the behavior you're seeing is not fixed in the latest 0.13 or 0.14 release, the next step would be to file an issue with the AWS provider.

Thanks!

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.