aws_alb_listener_rule can not be modified when using new conditions #11362

Closed
Console32 opened this issue Dec 19, 2019 · 3 comments · Fixed by #11364
Labels

  • bug: Addresses a defect in current functionality.
  • regression: Pertains to a degraded workflow resulting from an upstream patch or internal enhancement.
  • service/elbv2: Issues and PRs that pertain to the elbv2 service.

Console32 commented Dec 19, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

```
Terraform v0.12.18
+ provider.aws v2.42.0
+ provider.null v2.1.2
+ provider.random v2.2.1
+ provider.template v2.1.2
```

Affected Resource(s)

  • aws_alb_listener_rule

Terraform Configuration Files

```hcl
# One listener rule per entry in var.oidc_settings
resource aws_alb_listener_rule "oidc_auth_rules" {
  count = length(var.oidc_settings)

  listener_arn = aws_alb_listener.alb_listener_user.arn
  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      authorization_endpoint = "${var.oidc_settings[count.index].issuer}/authorize"
      client_id              = var.oidc_settings[count.index].client_id
      client_secret          = var.oidc_settings[count.index].client_secret
      issuer                 = "${var.oidc_settings[count.index].issuer}/"
      token_endpoint         = "${var.oidc_settings[count.index].issuer}/oauth/token"
      user_info_endpoint     = "${var.oidc_settings[count.index].issuer}/userinfo"
      session_cookie_name    = var.oidc_settings[count.index].cookie
      scope                  = "openid email profile"

      authentication_request_extra_params = {
        audience   = "${var.oidc_settings[count.index].issuer}/userinfo"
        connection = "main-tenant-oidc"
        prompt     = "login"
      }
    }
  }

  # Condition written with the nested query_string block
  condition {
    query_string {
      key   = "profile"
      value = var.oidc_settings[count.index].profile_match
    }
  }
}
```

Debug Output

Expected Behavior

Modifying an aws_alb_listener_rule should update the listener rule as planned.

```
  # aws_alb_listener_rule.oidc_auth_rules[0] will be updated in-place
  ~ resource "aws_alb_listener_rule" "oidc_auth_rules" {
      ....
          ~ authenticate_oidc {
             ...

                on_unauthenticated_request          = "authenticate"
              ~ scope                               = "openid email profile" -> "openid profile"
            }
        }
       ....

        condition {
            field  = "query-string"
            values = []

            query_string {
                key   = "profile"
                value = "MPM.Search"
            }
        }
    }
```

Actual Behavior

```
Error: Both field and values must be set in a condition block

on load_balancer.tf line 40, in resource "aws_alb_listener_rule" "oidc_auth_rules":
40: resource aws_alb_listener_rule "oidc_auth_rules" {
```

Steps to Reproduce

  1. Create an aws_alb
  2. Create an aws_alb_listener
  3. Create an aws_alb_listener_rule that contains a condition of type query string
  4. terraform apply
  5. Modify the aws_alb_listener_rule to trigger an in-place update (changing the scope, for example)
  6. terraform apply

References

dpiddockcmp pushed a commit to dpiddock/terraform-provider-aws that referenced this issue Dec 19, 2019
@bflad bflad added this to the v2.43.0 milestone Dec 19, 2019
bflad pushed a commit that referenced this issue Dec 19, 2019
#11364)

* Add some update tests. Issue #11323

New condition rule logic breaks when a condition is present but
*not* being updated. Includes single condition when the action is being
modified. User is presented with:
Error: Only one of field, host_header, http_header,
http_request_method, path_pattern, query_string or source_ip can be set
in a condition block

* Handle rule updates when Condition not modified

Fixes #11323
Fixes #11362

Output from acceptance testing:

```
--- PASS: TestAccAWSLBListenerRule_conditionHttpHeader_invalid (3.89s)
--- PASS: TestAccAWSLBListenerRule_multipleConditionThrowsError (4.41s)
--- PASS: TestAccAWSLBListenerRule_conditionAttributesCount (28.37s)
--- PASS: TestAccAWSLBListenerRule_fixedResponse (175.92s)
--- PASS: TestAccAWSLBListenerRule_basic (180.33s)
--- PASS: TestAccAWSLBListenerRule_conditionHttpHeader (180.49s)
--- PASS: TestAccAWSLBListenerRule_conditionHttpRequestMethod (185.53s)
--- PASS: TestAccAWSLBListenerRule_conditionHostHeader (187.50s)
--- PASS: TestAccAWSLBListenerRule_cognito (190.30s)
--- PASS: TestAccAWSLBListenerRule_updateRulePriority (196.64s)
--- PASS: TestAccAWSLBListenerRule_conditionPathPattern_deprecated (202.36s)
--- PASS: TestAccAWSLBListenerRule_conditionPathPattern (209.18s)
--- PASS: TestAccAWSLBListenerRule_Action_Order (210.40s)
--- PASS: TestAccAWSLBListenerRule_conditionHostHeader_deprecated (215.83s)
--- PASS: TestAccAWSLBListenerRule_updateFixedResponse (221.31s)
--- PASS: TestAccAWSLBListenerRule_redirect (225.96s)
--- PASS: TestAccAWSLBListenerRule_oidc (226.93s)
--- PASS: TestAccAWSLBListenerRule_conditionQueryString (208.73s)
--- PASS: TestAccAWSLBListenerRule_conditionUpdatePathPattern_deprecated (240.20s)
--- PASS: TestAccAWSLBListenerRule_changeListenerRuleArnForcesNew (253.40s)
--- PASS: TestAccAWSLBListenerRuleBackwardsCompatibility (260.08s)
--- PASS: TestAccAWSLBListenerRule_Action_Order_Recreates (261.67s)
--- PASS: TestAccAWSLBListenerRule_priority (280.50s)
--- PASS: TestAccAWSLBListenerRule_conditionUpdateMultiple (177.25s)
--- PASS: TestAccAWSLBListenerRule_conditionMultiple (190.69s)
--- PASS: TestAccAWSLBListenerRule_conditionUpdateMixed (198.27s)
--- PASS: TestAccAWSLBListenerRule_conditionSourceIp (208.93s)
```

bflad commented Dec 19, 2019

The fix for this issue has been merged and will release with version 2.43.0 of the Terraform AWS Provider, later today. Thanks to @dpiddockcmp for the help fixing this. 👍


ghost commented Dec 19, 2019

This has been released in version 2.43.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!


ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020