provider/aws: AWS WAF Regional IPSet + ByteMatchSet support

[yusukegoto]

This PR is from #13676.

test

resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"
  ip_set_descriptors {
    type = "IPV4"
    value = "192.0.7.0/24"
  }
}

exec

aws_wafregional_ipset.ipset: Creating...
  ip_set_descriptors.#:                "" => "1"
  ip_set_descriptors.4037960608.type:  "" => "IPV4"
  ip_set_descriptors.4037960608.value: "" => "192.0.7.0/24"
  name:                                "" => "tfIPSet"
aws_wafregional_ipset.ipset: Creation complete (ID: 38bf9b97-72bb-412c-bd6f-f8c5b911127b)

[radeksimko]

Thanks again for splitting this out. It's so much easier to review! 👍 💯

I left you some comments there - some are rather nitpicks, some are more important.
Read() funcs not setting all fields and region-based locking are the main ones.

I will ping you once I have a PR for WAF fixes ready - just for the reference. 😃

[radeksimko]

Perhaps a nitpick, but It's a convention to keep all internal variables (valid only within the context of a function) with lowercased letter at the beginning.

[radeksimko]

I think we're missing some fields here, specifically byte_match_tuples and all nested fields under it. The expectation from the Terraform user is that for any resource Terraform will detect drifts from the configuration. In order to do that we need to set all the available data from the API via d.Set() here in Read func.

Sets can be slightly trickier to work with, I will try and fix the WAF resources first and point you there for reference instead of trying to explain how this can be done. 😅

It's probably the cause of some of the reported WAF bugs I saw earlier, so it's worth fixing there either way.

[radeksimko]

btw. this would also break import functionality when it's actually implemented as it leverages Read() (at least the default implementation)

[radeksimko]

It would be nice to have some checks for the real object, i.e. v - like we have in many other resources, but it's not a blocker for the PR. 👌

[radeksimko]

Given how the sets and lists are represented in HCL, i.e.

byte_match_tuples {
...
}

byte_match_tuples {
...
}

it would make more sense if this field name was singular - i.e. byte_match_tuple. I will have a look into deprecating byte_match_tuples in favour of singular name in WAF resources too as we seemed to overlook this in the review of that resource code there.

[yusukegoto]

@radeksimko I agree with this. AWS CLI's api ByteMatchTuples requires list but in this case we can write each tuple. Go SDK uses tuple.
Should I change into byte_match_tuple only in WAF Regional? Or leave them in this time and change them later at the same time with WAF?

[yusukegoto]

uhm... I got the idea resource name should be singular during writing document.

[radeksimko]

Should I change into byte_match_tuple only in WAF Regional?

Yes, please.

Don't worry about other (WAF) resources - we can rename/deprecate those later - that's a job for a separate PR.

[radeksimko]

Similar to the other schema - it would make more sense to call this ip_set_descriptor IMO.

[radeksimko]

Would you mind adding error check here? We tend to avoid error checking for d.Set() of all primitive fields merely to avoid cluttering the code, but we tend to do it for lists and sets as we were bitten by not doing it many times in the past.

[radeksimko]

I thought my original WafRetryer would be useful for you here too, but I never realized it's a different service with a different name 🤦‍♂️

Oh well, good decision to create a copy of it. 👍

[radeksimko]

I'm aware this will require some refactoring throughout all the resources, but I think it's important to only lock for a given region, so that if folks deploy regional WAF in say 2 regions, one region doesn't wait for lock of the other region as it doesn't have to.

[radeksimko]

Would you mind documenting the nested fields of byte_match_tuples here too? 🙂

[radeksimko]

Would you mind documenting the nested fields of ip_set_descriptors here too? 🙂

[radeksimko]

FYI I will hold on reviewing the other WAF Regional PRs until we get this in as those will most likely require rebase and/or some cherry-picking of changes from this PR.

[radeksimko]

Hi @yusukegoto
thanks for the changes you've made so far in ByteMatchSet (singular, docs updates, diffing of tuples). Those are looking ok 👌

#13766 was merged - would you mind looking over it 👀 and adapting the rest of the changes/fixes there to this PR too?

Namely:

1. Two tests for ByteMatchSet (set with no tuples + changing existing tuples within a set)
2. WafRegionalRetryer now has Region field, but it needs to be actually in use, ideally as argument to newWafRegionalRetryer
3. Two tests for IPSet (set with no descriptors + changing existing descriptors within a set)
4. Turn ip_set_descriptors into a singleton - i.e. ip_set_descriptor
5. Allow changing existing descriptors within an existing IPSet + allow creating IPSet with no descriptor
6. Document descriptor fields for IPSet

I hope I didn't miss anything 😃
Let me know if anything's unclear and/or if you need any help in making these changes.

[yusukegoto]

@radeksimko Thanks for clearing remaining tasks! And sorry for slow response.
I will be able to have much time to fix these on weekend!

[yusukegoto]

@radeksimko
hi, I think I could, plz re-review them!! Thanks in advance.

[reedloden]

@yusukegoto, I think you mean @radeksimko, not me. :)

[yusukegoto]

@reedloden sorry for disturbing 🙇

[radeksimko]

There was a few small last things which I decided to fix and push into your branch to speed things up, I hope you don't mind. 😅

Thank you for all the changes and patience. 👍

[radeksimko]

Nice, good to have this test 👍

[yusukegoto]

@radeksimko Thank you very much for additional commits and care!! I'm trying to clean other WIP PRs:smile:

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.