hashicorp · bflad · Jul 31, 2018 · Jul 30, 2018
diff --git a/aws/resource_aws_waf_web_acl.go b/aws/resource_aws_waf_web_acl.go
@@ -108,7 +108,7 @@ func resourceAwsWafWebAclCreate(d *schema.ResourceData, meta interface{}) error
 	out, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
 		params := &waf.CreateWebACLInput{
 			ChangeToken:   token,
-			DefaultAction: expandDefaultAction(d),
+			DefaultAction: expandWafAction(d.Get("default_action").(*schema.Set).List()),
 			MetricName:    aws.String(d.Get("metric_name").(string)),
 			Name:          aws.String(d.Get("name").(string)),
 		}
@@ -140,11 +140,14 @@ func resourceAwsWafWebAclRead(d *schema.ResourceData, meta interface{}) error {
 		return err
 	}
 
-	defaultAction := flattenDefaultAction(resp.WebACL.DefaultAction)
-	if defaultAction != nil {
-		if err := d.Set("default_action", defaultAction); err != nil {
-			return fmt.Errorf("error setting default_action: %s", err)
-		}
+	if resp == nil || resp.WebACL == nil {
+		log.Printf("[WARN] WAF ACL (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	if err := d.Set("default_action", flattenWafAction(resp.WebACL.DefaultAction)); err != nil {
+		return fmt.Errorf("error setting default_action: %s", err)
 	}
 	d.Set("name", resp.WebACL.Name)
 	d.Set("metric_name", resp.WebACL.MetricName)
@@ -156,22 +159,53 @@ func resourceAwsWafWebAclRead(d *schema.ResourceData, meta interface{}) error {
 }
 
 func resourceAwsWafWebAclUpdate(d *schema.ResourceData, meta interface{}) error {
-	err := updateWebAclResource(d, meta, waf.ChangeActionInsert)
-	if err != nil {
-		return fmt.Errorf("Error Updating WAF ACL: %s", err)
+	conn := meta.(*AWSClient).wafconn
+
+	if d.HasChange("default_action") || d.HasChange("rules") {
+		o, n := d.GetChange("rules")
+		oldR, newR := o.(*schema.Set).List(), n.(*schema.Set).List()
+
+		wr := newWafRetryer(conn, "global")
+		_, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
+			req := &waf.UpdateWebACLInput{
+				ChangeToken:   token,
+				DefaultAction: expandWafAction(d.Get("default_action").(*schema.Set).List()),
+				Updates:       diffWafWebAclRules(oldR, newR),
+				WebACLId:      aws.String(d.Id()),
+			}
+			return conn.UpdateWebACL(req)
+		})
+		if err != nil {
+			return fmt.Errorf("Error Updating WAF ACL: %s", err)
+		}
 	}
+
 	return resourceAwsWafWebAclRead(d, meta)
 }
 
 func resourceAwsWafWebAclDelete(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).wafconn
-	err := updateWebAclResource(d, meta, waf.ChangeActionDelete)
-	if err != nil {
-		return fmt.Errorf("Error Removing WAF ACL Rules: %s", err)
+
+	// First, need to delete all rules
+	rules := d.Get("rules").(*schema.Set).List()
+	if len(rules) > 0 {
+		wr := newWafRetryer(conn, "global")
+		_, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
+			req := &waf.UpdateWebACLInput{
+				ChangeToken:   token,
+				DefaultAction: expandWafAction(d.Get("default_action").(*schema.Set).List()),
+				Updates:       diffWafWebAclRules(rules, []interface{}{}),
+				WebACLId:      aws.String(d.Id()),
+			}
+			return conn.UpdateWebACL(req)
+		})
+		if err != nil {
+			return fmt.Errorf("Error Removing WAF Regional ACL Rules: %s", err)
+		}
 	}
 
 	wr := newWafRetryer(conn, "global")
-	_, err = wr.RetryWithToken(func(token *string) (interface{}, error) {
+	_, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
 		req := &waf.DeleteWebACLInput{
 			ChangeToken: token,
 			WebACLId:    aws.String(d.Id()),
@@ -185,91 +219,3 @@ func resourceAwsWafWebAclDelete(d *schema.ResourceData, meta interface{}) error
 	}
 	return nil
 }
-
-func updateWebAclResource(d *schema.ResourceData, meta interface{}, ChangeAction string) error {
-	conn := meta.(*AWSClient).wafconn
-
-	wr := newWafRetryer(conn, "global")
-	_, err := wr.RetryWithToken(func(token *string) (interface{}, error) {
-		req := &waf.UpdateWebACLInput{
-			ChangeToken: token,
-			WebACLId:    aws.String(d.Id()),
-		}
-
-		if d.HasChange("default_action") {
-			req.DefaultAction = expandDefaultAction(d)
-		}
-
-		rules := d.Get("rules").(*schema.Set)
-		for _, rule := range rules.List() {
-			aclRule := rule.(map[string]interface{})
-
-			var aclRuleUpdate *waf.WebACLUpdate
-			switch aclRule["type"].(string) {
-			case waf.WafRuleTypeGroup:
-				overrideAction := aclRule["override_action"].([]interface{})[0].(map[string]interface{})
-				aclRuleUpdate = &waf.WebACLUpdate{
-					Action: aws.String(ChangeAction),
-					ActivatedRule: &waf.ActivatedRule{
-						Priority:       aws.Int64(int64(aclRule["priority"].(int))),
-						RuleId:         aws.String(aclRule["rule_id"].(string)),
-						Type:           aws.String(aclRule["type"].(string)),
-						OverrideAction: &waf.WafOverrideAction{Type: aws.String(overrideAction["type"].(string))},
-					},
-				}
-			default:
-				action := aclRule["action"].([]interface{})[0].(map[string]interface{})
-				aclRuleUpdate = &waf.WebACLUpdate{
-					Action: aws.String(ChangeAction),
-					ActivatedRule: &waf.ActivatedRule{
-						Priority: aws.Int64(int64(aclRule["priority"].(int))),
-						RuleId:   aws.String(aclRule["rule_id"].(string)),
-						Type:     aws.String(aclRule["type"].(string)),
-						Action:   &waf.WafAction{Type: aws.String(action["type"].(string))},
-					},
-				}
-			}
-
-			req.Updates = append(req.Updates, aclRuleUpdate)
-		}
-		return conn.UpdateWebACL(req)
-	})
-	if err != nil {
-		return fmt.Errorf("Error Updating WAF ACL: %s", err)
-	}
-	return nil
-}
-
-func expandDefaultAction(d *schema.ResourceData) *waf.WafAction {
-	set, ok := d.GetOk("default_action")
-	if !ok {
-		return nil
-	}
-
-	s := set.(*schema.Set).List()
-	if s == nil || len(s) == 0 {
-		return nil
-	}
-
-	if s[0] == nil {
-		log.Printf("[ERR] First element of Default Action is set to nil")
-		return nil
-	}
-
-	dA := s[0].(map[string]interface{})
-
-	return &waf.WafAction{
-		Type: aws.String(dA["type"].(string)),
-	}
-}
-
-func flattenDefaultAction(n *waf.WafAction) []map[string]interface{} {
-	if n == nil {
-		return nil
-	}
-
-	m := setMap(make(map[string]interface{}))
-
-	m.SetString("type", n.Type)
-	return m.MapList()
-}