AWS WAF IPSet resources do not delete existing records correctly #10403

Closed
srikiraju opened this issue Nov 28, 2016 · 10 comments · Fixed by #13766
@srikiraju

Terraform Version

Terraform v0.7.13
Not fixed in latest

Affected Resource(s)

  • aws_waf_ipset

Terraform Configuration Files

resource "aws_waf_ipset" "my_ipset" {
  name = "my_ipset"
}

Debug Output

module.live.aws_waf_ipset.my_ipset: Modifying...
  ip_set_descriptors.#:                "1" => "0"
  ip_set_descriptors.1394369178.type:  "IPV4" => ""
  ip_set_descriptors.1394369178.value: "10.0.1.12/32" => ""
Error applying plan:

1 error(s) occurred:

* aws_waf_ipset.my_ipset: Error Updating WAF IPSet: Error Updating WAF IPSet: InvalidParameter: 1 validation error(s) found.
- missing required field, UpdateIPSetInput.Updates.

Expected Behavior

IP set should have reset to empty

Actual Behavior

Code does not produce "DELETE" updates correctly and errors out at validation step.

Steps to Reproduce

  1. terraform apply
  2. Modify ipset manually - add a new ip to block
  3. terraform plan, terraform apply
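
The debug output above shows the provider trying to take the set from one descriptor to none and then failing SDK validation because the UpdateIPSet request it built carried an empty Updates list: the DELETE entry for the removed descriptor was never produced. As an added example written in Go, the provider's language (this is not code from the issue or from the Terraform AWS provider; Descriptor, Update, DiffDescriptors and BuildUpdates are names assumed for the illustration), here is the diff step done explicitly: state and configuration descriptor lists go in, DELETE and INSERT entries come out, and the caller is told to skip the API call entirely when there is nothing to change.

```go
package main

import (
	"fmt"
	"sort"
)

// Descriptor mirrors one ip_set_descriptors block: address family plus CIDR.
type Descriptor struct {
	Type  string // "IPV4" or "IPV6"
	Value string // e.g. "10.0.1.12/32"
}

// Update is one element of the Updates list that UpdateIPSet expects.
type Update struct {
	Action     string // "INSERT" or "DELETE"
	Descriptor Descriptor
}

// DiffDescriptors turns the prior (state) and desired (config) descriptor lists
// into DELETE and INSERT entries. Entries present in both lists are left alone;
// emptying the set yields only DELETEs, the "1" => "0" transition in the issue.
func DiffDescriptors(prior, desired []Descriptor) []Update {
	inPrior := make(map[Descriptor]struct{}, len(prior))
	for _, d := range prior {
		inPrior[d] = struct{}{}
	}
	inDesired := make(map[Descriptor]struct{}, len(desired))
	for _, d := range desired {
		inDesired[d] = struct{}{}
	}

	var updates []Update
	for _, d := range prior {
		if _, keep := inDesired[d]; !keep {
			updates = append(updates, Update{Action: "DELETE", Descriptor: d})
		}
	}
	for _, d := range desired {
		if _, had := inPrior[d]; !had {
			updates = append(updates, Update{Action: "INSERT", Descriptor: d})
		}
	}
	// Stable ordering keeps logs and retries predictable: DELETEs first, then by value.
	sort.SliceStable(updates, func(i, j int) bool {
		if updates[i].Action != updates[j].Action {
			return updates[i].Action == "DELETE"
		}
		return updates[i].Descriptor.Value < updates[j].Descriptor.Value
	})
	return updates
}

// BuildUpdates returns the Updates list and whether a request should be sent
// at all. The SDK rejects an empty Updates list with exactly the validation
// error quoted in the issue, so the caller must skip UpdateIPSet when there is
// nothing to change rather than send an empty request.
func BuildUpdates(prior, desired []Descriptor) (updates []Update, send bool) {
	updates = DiffDescriptors(prior, desired)
	return updates, len(updates) > 0
}

func main() {
	// Constructed sample: the state from the issue's debug output plus an
	// address added by hand in the console, going to an empty configuration.
	state := []Descriptor{
		{Type: "IPV4", Value: "10.0.1.12/32"},
		{Type: "IPV4", Value: "203.0.113.7/32"},
	}
	updates, send := BuildUpdates(state, nil)
	fmt.Println("send:", send)
	for _, u := range updates {
		fmt.Printf("  %s %s %s\n", u.Action, u.Descriptor.Type, u.Descriptor.Value)
	}

	// Identical lists: nothing to send, so no UpdateIPSet call and no validation error.
	_, send = BuildUpdates(state, state)
	fmt.Println("send when unchanged:", send)
}
```

The point of the `send` flag is that an empty Updates list is not a no-op for the SDK; it is a request that fails client-side before it reaches AWS, which is the error both the reporter and the later commenter hit on create and on destroy of an empty set.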
@dstarr1

dstarr1 commented Dec 1, 2016

I'm also having a similar issue with v0.7.13. I'm unable to successfully remove ip_set_descriptors from the aws_waf_ipset resource. I can successfully add them, but when I remove/comment out one, "terraform apply" executes successfully, yet looking at the AWS console the IP still exists in the WAF rule.

@josqu4red

Same issue as @dstarr1, using Terraform v0.8.5.

@llavaud

llavaud commented Mar 24, 2017

Issue still present using Terraform v0.8.8

@llavaud

llavaud commented Mar 28, 2017

still present in v0.9.1

@s-nakka

s-nakka commented May 10, 2017

I see it on Terraform v0.9.3. My use case is to create an empty IP set and then update it using a Lambda from a third-party reputation list. I see the error when applying the plan. Though it returns the error during the apply, it still creates the required resource. It shows the same error during the deletion but doesn't delete the resource.

resource "aws_waf_ipset" "spam_third_party_list_1" {
  name = "spam_third_party_list_1"
}

* aws_waf_ipset.spam_third_party_list_1 (destroy): 1 error(s) occurred:

* aws_waf_ipset.spam_third_party_list_1: Error Removing IPSetDescriptors: Error Updating WAF IPSet: InvalidParameter: 1 validation error(s) found.
- missing required field, UpdateIPSetInput.Updates.

@radeksimko
Member

@SandyFox This patch was released in 0.9.4, can you try upgrading to that version, please?

Thanks.

@s-nakka

s-nakka commented May 10, 2017

Upgraded to Terraform v0.9.4 and it's working fine. Terraform plan/apply is taking too long to execute the results. At least a few minutes.

@s-nakka

s-nakka commented May 10, 2017

@radeksimko ^^^

@radeksimko
Member

@SandyFox I think this is unrelated to the original PR, but to answer your question, the most likely reason it takes a bit more time to update is that we can only perform a single change at a time for the whole WAF. To achieve this and avoid errors caused by parallel changes with stale tokens, we have recently implemented a mutex for all WAF resources which guarantees that there's only a single update operation happening at any given time. This is in line with the relevant API documentation and expectations set by AWS/WAF.

See #13656 fixing #10335 which was also shipped in 0.9.4
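
The maintainer's explanation is that every WAF mutation is paired with a change token, only one change can be in flight at a time, and a token fetched before someone else's change is rejected as stale, so the provider now serializes all WAF updates behind one mutex. As an added illustration in Go (this is not the provider's code; ChangeTokenAPI, fakeWAF, UpdateIPSetSerialized, updateRacy and the stale-token error text are constructed for this example), the block below contrasts a racy fetch-token-then-update with the same pair held under a process-wide lock, against a fake service that accepts only the most recently issued, unconsumed token.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ChangeTokenAPI is the slice of the WAF API the update path needs: a token is fetched, then consumed by the mutation.
type ChangeTokenAPI interface {
	GetChangeToken() (string, error)
	UpdateIPSet(token, ipSetID string, updates []string) error
}

// ErrStale is a constructed stand-in for the service rejecting a token that a later change superseded.
var ErrStale = errors.New("WAFStaleDataException: change token is not current")

// fakeWAF is a constructed stand-in for the service, not the AWS SDK client: it accepts only the newest unconsumed token.
type fakeWAF struct {
	mu      sync.Mutex
	serial  int
	current string
	Applied int // descriptors accepted so far
}

func (f *fakeWAF) GetChangeToken() (string, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.serial++
	f.current = fmt.Sprintf("change-token-%d", f.serial)
	return f.current, nil
}

func (f *fakeWAF) UpdateIPSet(token, ipSetID string, updates []string) error {
	f.mu.Lock()
	defer f.mu.Unlock()
	if len(updates) == 0 { // the SDK-side validation error quoted in the issue
		return errors.New("InvalidParameter: missing required field, UpdateIPSetInput.Updates")
	}
	if token != f.current {
		return ErrStale
	}
	f.current = "" // consumed; the next caller must fetch a fresh token
	f.Applied += len(updates)
	return nil
}

// wafMutex serializes every fetch-token-then-update pair across all WAF resources in the process.
var wafMutex sync.Mutex

// UpdateIPSetSerialized holds the lock from GetChangeToken through UpdateIPSet so no other
// goroutine can obtain a newer token in between; an empty update list is never sent.
func UpdateIPSetSerialized(api ChangeTokenAPI, ipSetID string, updates []string) error {
	if len(updates) == 0 {
		return nil
	}
	wafMutex.Lock()
	defer wafMutex.Unlock()
	token, err := api.GetChangeToken()
	if err != nil {
		return err
	}
	return api.UpdateIPSet(token, ipSetID, updates)
}

// updateRacy is the unserialized variant: another goroutine may fetch a newer token between the two calls.
func updateRacy(api ChangeTokenAPI, ipSetID string, updates []string) error {
	token, err := api.GetChangeToken()
	if err != nil {
		return err
	}
	return api.UpdateIPSet(token, ipSetID, updates)
}

// RunConcurrent fires n parallel single-descriptor updates and reports successes and stale-token rejections.
func RunConcurrent(api ChangeTokenAPI, n int, serialized bool) (ok, stale int) {
	update := updateRacy
	if serialized {
		update = UpdateIPSetSerialized
	}
	var wg sync.WaitGroup
	var mu sync.Mutex
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			err := update(api, "ipset-id", []string{fmt.Sprintf("INSERT IPV4 192.0.2.%d/32", i)})
			mu.Lock()
			defer mu.Unlock()
			if err == nil {
				ok++
			} else if errors.Is(err, ErrStale) {
				stale++
			}
		}(i)
	}
	wg.Wait()
	return ok, stale
}

func main() {
	for _, serialized := range []bool{true, false} {
		api := &fakeWAF{}
		ok, stale := RunConcurrent(api, 50, serialized)
		fmt.Printf("serialized=%-5v ok=%d stale=%d applied=%d\n", serialized, ok, stale, api.Applied)
	}
}
```

The serialized path always completes every update; the racy path loses whatever fraction of tokens get superseded between the two calls, which is exactly what the lock trades for the longer apply times reported above. Holding the lock across the whole token lifetime matters: locking only around GetChangeToken would still let a second caller's token invalidate the first.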

@ghost

ghost commented Apr 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
