oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

Bulk update waas protection rules #1408

Closed MartinusHol closed 1 year ago

MartinusHol commented 3 years ago

Hi,

I'm trying to update the action of all WAF policies to "DETECT", with the exception of a list of policies that should be updated to "OFF". Unfortunately, after running for almost 3 hours, the apply halts, reporting the error below. As it turned out, only 7 out of 600+ policies were updated. Aside from the disappointing result, is there a way to speed this up?

error

Error: 409-IncorrectState
Provider version: 4.29.0, released on 2021-06-01. This provider is 5 update(s) behind to current.
Service: Waas Protection Rule
Error Message: The lifecycleState is 'UPDATING'. It must be 'ACTIVE'.
OPC request ID: *****
Suggestion: The resource is in a conflicted state. Please retry again or contact support for help with service: Waas Protection Rule

variable

variable "TemplateKlant_WebApplicationFirewallProtectionRules_Outsystems" {
  type = object({
    action         = string
    disabled_rules = list(string)
  })
  default = {
    action = "DETECT"
    disabled_rules = [
      "941320", "942431", "942432", "981173",
      "920480", "942200", "942260", "942340",
      "942490", "981243", "981245", "981246",
      "981257", "942460", "960024", "981078",
    ]
  }
}

resource

data "oci_waas_protection_rules" "WebApplicationFirewallProtectionRules" {
  waas_policy_id = oci_waas_waas_policy.WebApplicationFirewall.id
}

locals {
  # Map of protection rule key => current action, built from the data source.
  WebApplicationFirewallProtectionRulesMap = zipmap(
    data.oci_waas_protection_rules.WebApplicationFirewallProtectionRules.protection_rules[*].key,
    data.oci_waas_protection_rules.WebApplicationFirewallProtectionRules.protection_rules[*].action
  )
}

resource "oci_waas_protection_rule" "WebApplicationFirewallProtectionRule" {
  for_each       = local.WebApplicationFirewallProtectionRulesMap
  waas_policy_id = oci_waas_waas_policy.WebApplicationFirewall.id
  key            = each.key
  # Rules on the disabled list are switched OFF; all others get the default action.
  action         = contains(var.web_application_firewall_block_protection_rules.disabled_rules, each.key) ? "OFF" : var.web_application_firewall_block_protection_rules.action
}

hva314 commented 2 years ago

Issue happens with just the creation of 2 rules:

resource "oci_waas_protection_rule" "protection_rule_2020590201" {
  waas_policy_id = oci_waas_waas_policy.test_waas_policy.id
  key            = 2020590201
  action         = "DETECT"
}

resource "oci_waas_protection_rule" "protection_rule_933190" {
  waas_policy_id = oci_waas_waas_policy.test_waas_policy.id
  key            = 933190
  action         = "DETECT"
}

Unlike the procedure in the OCI Console, in which multiple changes go to "Unpublished Changes" and the user can then "Publish All", the two resources are being created simultaneously:

module.waas.oci_waas_protection_rule.protection_rule_933190: Still creating... [1m40s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [1m50s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_933190: Still creating... [1m50s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [2m0s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_933190: Still creating... [2m0s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [2m10s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [2m20s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [2m30s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [2m40s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [2m50s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [3m0s elapsed]

Then, after a bit, only rule 2020590201 is in "creating"; then 2020590201 finished while 933190 failed:

module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [18m40s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Still creating... [18m50s elapsed]
module.waas.oci_waas_protection_rule.protection_rule_2020590201: Creation complete after 18m56s [id=waasPolicyId/ocid1.waaspolicy.oc1..aaaaaaaashnabxbb7mr5z6fjc4bsetfqyxaqpv6icagsdbsmx5dbskvdabpa/key/2020590201]
╷
│ Error: 409-IncorrectState
│ Provider version: 4.44.0, released on 2021-09-15.
│ Service: Waas Protection Rule
│ Error Message: The lifecycleState is 'UPDATING'. It must be 'ACTIVE'.
│ OPC request ID: 06764ddc8915d6edcebb108e7f481e09/da198447db2c251c0f715dbec4c17545/0aa04831b8e191ee0eb8734e37b42f05
│ Suggestion: The resource is in a conflicted state. Please retry again or contact support for help with service: Waas Protection Rule
│
│
│   with module.waas.oci_waas_protection_rule.protection_rule_933190,
│   on waas/waas_rules.tf line 11, in resource "oci_waas_protection_rule" "protection_rule_933190":
│   11: resource "oci_waas_protection_rule" "protection_rule_933190" {
│
╵

Also, changes to and creation of protection rules and WAAS policies take wayyyyy too long: 20 to 30 min for each resource.
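
An added example (not part of the original thread and not provider code): a shell wrapper that re-runs an apply only when it fails with the `409-IncorrectState` conflict shown above, and returns any other failure immediately. The function name `apply_with_retry` and its attempt/delay parameters are assumptions, and running Terraform with `-parallelism=1` to serialise the rule updates is an assumption too, not a fix confirmed in this thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or the provider.
# Re-run a command while it fails with the 409-IncorrectState conflict;
# any other failure is returned immediately so it is not masked.
#
# apply_with_retry MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
apply_with_retry() {
  local max_attempts="$1"
  local delay="$2"
  shift 2
  local attempt=1 output status

  while :; do
    # Capture stdout and stderr so the error text can be inspected.
    if output=$("$@" 2>&1); then
      status=0
    else
      status=$?
    fi
    printf '%s\n' "$output"

    if [ "$status" -eq 0 ]; then
      return 0
    fi

    case "$output" in
      *409-IncorrectState*) ;;      # policy still UPDATING: retry
      *) return "$status" ;;        # unrelated error: stop now
    esac

    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "giving up after $attempt attempts" >&2
      return "$status"
    fi
    attempt=$((attempt + 1))
    sleep "$delay"
  done
}

# Assumed usage (output is captured, so the run must be non-interactive):
#   apply_with_retry 10 60 terraform apply -auto-approve -parallelism=1
```

Because Terraform records each rule that was applied successfully in state, a repeated apply only attempts the rules that are still pending.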

ravinitp commented 1 year ago

We are very sorry that we couldn't respond to each and every issue reported on GitHub. Although we have refined the process to prioritize customer issues on GitHub, since this issue was reported a while ago, there is a good chance it may have been fixed in the latest version of Terraform Provider OCI. If you are still experiencing this issue, please create a new issue and label it as Bug.