Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WAFv2] resource/wafv2_rule_group: recreated on any changes to the rules #14071

Closed
anGie44 opened this issue Jul 7, 2020 · 6 comments · Fixed by #14617
Closed

[WAFv2] resource/wafv2_rule_group: recreated on any changes to the rules #14071

anGie44 opened this issue Jul 7, 2020 · 6 comments · Fixed by #14617
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Milestone
v3.2.0

Comments

@anGie44
Copy link
Contributor

anGie44 commented Jul 7, 2020
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Relates #13936

Terraform Version

Terraform v0.12.26
provider.aws v2.67.0

Affected Resource(s)

aws_wafv2_rule_group

Terraform Configuration Files

resource "aws_wafv2_rule_group" "example" {
  capacity    = 50
  name        = "tf-acc-test-123"
  description = "tf-acc-test-123"
  scope       = "REGIONAL"

  rule {
    name     = "rule-2"
    priority = 10

    action {
      block {}
    }

    statement {
      size_constraint_statement {
        comparison_operator = "LT"
        size                = 50

        field_to_match {
          query_string {}
        }

        text_transformation {
          priority = 5
          type     = "NONE"
        }

        text_transformation {
          priority = 2
          type     = "CMD_LINE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

Expected Behavior

I expected the resource aws_wafv2_rule_group to just be updated and not recreated when I changed the priority of a rule for example.

Actual Behavior

When making any changes to the rules, the resource aws_wafv2_rule_group is recreated.

 - rule { # forces replacement
          - name     = "rule-2" -> null
          - priority = 10 -> null

          - action {

              - block {}
            }

          - statement {

              - size_constraint_statement {
                  - comparison_operator = "LT" -> null
                  - size                = 50 -> null

                  - field_to_match {

                      - query_string {}
                    }

                  - text_transformation {
                      - priority = 2 -> null
                      - type     = "CMD_LINE" -> null
                    }
                  - text_transformation {
                      - priority = 5 -> null
                      - type     = "NONE" -> null
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = false -> null
              - metric_name                = "friendly-rule-metric-name" -> null
              - sampled_requests_enabled   = false -> null
            }
        }
 + rule { # forces replacement
          + name     = "rule-2"
          + priority = 1

          + action {

              + block {}
            }

          + statement {

              + size_constraint_statement {
                  + comparison_operator = "LT"
                  + size                = 50

                  + field_to_match {

                      + query_string {}
                    }

                  + text_transformation {
                      + priority = 2
                      + type     = "CMD_LINE"
                    }
                  + text_transformation {
                      + priority = 5
                      + type     = "NONE"
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = false
              + metric_name                = "friendly-rule-metric-name"
              + sampled_requests_enabled   = false
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = false
            metric_name                = "friendly-metric-name"
            sampled_requests_enabled   = false
        }
    }

Steps to Reproduce

Just change the rule priority
@anGie44 anGie44 added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Jul 7, 2020
@anGie44 anGie44 changed the title [WAFv2] Resource aws_wafv2_rule_group is recreated on any changes to the rules [WAFv2] resource/aws_wafv2_rule_group: recreated on any changes to the rules Jul 7, 2020
@anGie44 anGie44 changed the title [WAFv2] resource/aws_wafv2_rule_group: recreated on any changes to the rules [WAFv2] resource/wafv2_rule_group: recreated on any changes to the rules Jul 7, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 7, 2020
@anGie44 anGie44 added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 7, 2020
@bryanlalexander
Copy link
Contributor

We just ran into this today as well. It does seem overly destructive to delete the resource, in this case, to update the rules.

@juanpgomez-gsa
Copy link

I am also seeing the same behavior with aws_wafv2_web_acl.

@AshMenhennett
Copy link

Ran into this recently and look for a resolution - in this case, any removal of a rule from the aws_wafv2_web_acl resource results in a tear down of the firewall. This resource is not suitable for a production environment with a break-glass scenario that requires updates to the rules in-place to meet Security requirements (I.e. enforce some private access controls).

Happy to put in the steps to reproduce, it's the same scenario as per above, directly targeting the aws_wafv2_web_acl resource itself.

@anGie44 anGie44 mentioned this issue Aug 13, 2020
Merged
@anGie44 anGie44 added this to the v3.2.0 milestone Aug 13, 2020
@anGie44
Copy link
Contributor Author

anGie44 commented Aug 13, 2020

A fix has been merged and will release with v3.2.0 of the Terraform AWS Provider, expected out later today.

@ghost
Copy link

ghost commented Aug 14, 2020

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Sep 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Projects
None yet
Milestone
v3.2.0
4 participants
@AshMenhennett @anGie44 @bryanlalexander @juanpgomez-gsa