umotif-public / terraform-aws-waf-webaclv2

Terraform module to configure WAF V2 Web ACL with managed rules for Application Load Balancer
https://registry.terraform.io/modules/umotif-public/waf-webaclv2/aws

Rules are constantly recreated #138

Open remi-f-artelia opened 2 weeks ago

remi-f-artelia commented 2 weeks ago

What is the current behavior?

When terraform runs over an existing aws_wafv2_web_acl, it constantly detects a change in the rules and recreates them, even if there is no change.

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

# module.waf.aws_wafv2_web_acl.main[0] has changed
  ~ resource "aws_wafv2_web_acl" "main" {
        id                          = "abcdefgh-abdc-abcd-abcd-abcdefghijkl"
        name                        = "a-name-for-wafv2"
        # (8 unchanged attributes hidden)

      - rule {
          - name     = "AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 1 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = false -> null
              - metric_name                = "AWSManagedRulesAmazonIpReputationList-metric" -> null
              - sampled_requests_enabled   = false -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesCommonRuleSet" -> null
          - priority = 0 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesCommonRuleSet" -> null
                  - vendor_name = "AWS" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = false -> null
              - metric_name                = "AWSManagedRulesCommonRuleSet-metric" -> null
              - sampled_requests_enabled   = false -> null
            }
        }
      + rule {
          + name     = "AWSManagedRulesAmazonIpReputationList"
          + priority = 1

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                    # (1 unchanged attribute hidden)
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = false
              + metric_name                = "AWSManagedRulesAmazonIpReputationList-metric"
              + sampled_requests_enabled   = false
            }
        }
      + rule {
          + name     = "AWSManagedRulesCommonRuleSet"
          + priority = 0

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                    # (1 unchanged attribute hidden)
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = false
              + metric_name                = "AWSManagedRulesCommonRuleSet-metric"
              + sampled_requests_enabled   = false
            }
        }

        # (12 unchanged blocks hidden)
    }

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

  1. terraform apply => creation of the rules
  2. wait for some time (I don't understand for now why it does not happen right away, but I'm confident that no one touches the resource manually or via the API, since I work on an env that only I manage)
  3. terraform apply => recreation of the rules

Other behavior: if some rule is added / deleted ==> recreation of every rule instead of working only on the affected rule.

What is the expected behavior?

Terraform is supposed to detect that the rules are already created and not recreate them if not needed.

Software versions?

terraform --version
Terraform v1.9.3
on windows_amd64

Initializing modules...
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v5.55.0

I guess the issue comes from the fact that var.rules is not typed as a map(object) but as any and defaults to an empty list []. But even if I pass a map (with keys matching the rule name), the rules are recreated.

I think it would need to use the aws_wafv2_rule_group resource in the module and then use the rule group reference within the aws_wafv2_rule_group resource.

If we use this in conjunction with a map, it should be able to reference the appropriate key in the rule_group_reference_statement.
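A check for plans like the one above, added here as an example (it is not code from the module or from the reporter): the human-readable plan prints a remove-and-re-add of every rule and hides "unchanged" attributes, so it cannot tell you whether anything actually differs. The script reads the JSON form of the plan (`terraform show -json tfplan`), pairs the `rule` blocks of each `aws_wafv2_web_acl` by rule name regardless of order, and deep-diffs each pair, so identical rules report as empty and a real change reports the exact attribute path. The embedded plan is constructed by hand to mirror the one in the issue, with one rule deliberately changed; the nested-block layout (blocks as lists of objects) is the standard Terraform JSON representation, but the exact attribute names of `aws_wafv2_web_acl` are assumed, not taken from the page.

```python
"""Tell real rule changes from spurious remove-and-re-add churn on an
aws_wafv2_web_acl, using the JSON plan from `terraform show -json tfplan`.

Added example, not code from the module or the issue reporter. The sample
plan below is constructed; attribute names of aws_wafv2_web_acl are assumed.
"""
import json
from typing import Any, Dict, List


def managed_rule(name: str, priority: int, metrics: bool) -> Dict[str, Any]:
    """Build one managed-rule-group `rule` block as it appears in plan JSON
    (constructed shape: nested blocks are lists of objects)."""
    return {
        "name": name,
        "priority": priority,
        "action": [],
        "override_action": [{"count": [], "none": [{}]}],
        "statement": [{"managed_rule_group_statement": [
            {"name": name, "vendor_name": "AWS", "version": ""}]}],
        "visibility_config": [{
            "cloudwatch_metrics_enabled": metrics,
            "metric_name": f"{name}-metric",
            "sampled_requests_enabled": False,
        }],
    }


# Constructed plan: the rule list comes back in a different order, one rule is
# identical, and one rule has a genuine change (CloudWatch metrics switched on).
BEFORE_RULES = [
    managed_rule("AWSManagedRulesCommonRuleSet", 0, False),
    managed_rule("AWSManagedRulesAmazonIpReputationList", 1, False),
]
AFTER_RULES = [
    managed_rule("AWSManagedRulesAmazonIpReputationList", 1, True),
    managed_rule("AWSManagedRulesCommonRuleSet", 0, False),
]
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": "module.waf.aws_wafv2_web_acl.main[0]",
        "type": "aws_wafv2_web_acl",
        "change": {
            "actions": ["update"],
            "before": {"name": "a-name-for-wafv2", "rule": BEFORE_RULES},
            "after": {"name": "a-name-for-wafv2", "rule": AFTER_RULES},
        },
    }],
})


def deep_diff(a: Any, b: Any, path: str = "") -> List[str]:
    """Return one 'path: old -> new' line per leaf that differs between a and b."""
    if isinstance(a, dict) and isinstance(b, dict):
        out: List[str] = []
        for key in sorted(set(a) | set(b)):
            sub = f"{path}.{key}" if path else key
            if key not in a:
                out.append(f"{sub}: (absent) -> {b[key]!r}")
            elif key not in b:
                out.append(f"{sub}: {a[key]!r} -> (absent)")
            else:
                out.extend(deep_diff(a[key], b[key], sub))
        return out
    if isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            return [f"{path}: {len(a)} item(s) -> {len(b)} item(s)"]
        out = []
        for i, (x, y) in enumerate(zip(a, b)):
            out.extend(deep_diff(x, y, f"{path}[{i}]"))
        return out
    return [] if a == b else [f"{path}: {a!r} -> {b!r}"]


def rule_diffs(before_rules: List[Dict[str, Any]],
               after_rules: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Pair rules by name (order-insensitive) and report what actually differs.
    A rule on only one side is reported as 'removed' / 'added'; an identical
    rule yields an empty list."""
    before = {r["name"]: r for r in before_rules}
    after = {r["name"]: r for r in after_rules}
    result: Dict[str, List[str]] = {}
    for name in sorted(set(before) | set(after)):
        if name not in after:
            result[name] = ["removed"]
        elif name not in before:
            result[name] = ["added"]
        else:
            result[name] = deep_diff(before[name], after[name])
    return result


def web_acl_rule_churn(plan_json: str) -> Dict[str, Dict[str, List[str]]]:
    """For every aws_wafv2_web_acl in the plan, diff its before/after rules."""
    plan = json.loads(plan_json)
    report: Dict[str, Dict[str, List[str]]] = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_wafv2_web_acl":
            continue
        change = rc["change"]
        before = (change.get("before") or {}).get("rule") or []
        after = (change.get("after") or {}).get("rule") or []
        report[rc["address"]] = rule_diffs(before, after)
    return report


def is_spurious(diffs: Dict[str, List[str]]) -> bool:
    """True when every rule is unchanged, i.e. the plan only reorders the set."""
    return all(not changes for changes in diffs.values())


if __name__ == "__main__":
    for address, diffs in web_acl_rule_churn(SAMPLE_PLAN_JSON).items():
        print(f"{address}: {'spurious' if is_spurious(diffs) else 'real'} rule churn")
        for name, changes in diffs.items():
            print(f"  {name}: {changes or 'identical'}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `web_acl_rule_churn`; an all-empty report means the churn is an artifact of how the provider hashes the `rule` set, not a drift in the web ACL. One caveat on the proposed workaround: AWS WAF does not allow a rule group to contain a `managed_rule_group_statement` or a `rule_group_reference_statement` (rule groups cannot be nested), so AWS managed rule groups like the two above can only be referenced directly from the web ACL.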