New Resource: aws_wafregional_web_acl #3754
Conversation
radeksimko
added
service/waf
| ForceNew: true, | ||
| }, | ||
| "default_action": &schema.Schema{ | ||
| Type: schema.TypeSet, |
There was a problem hiding this comment.
As this is practically a "singleton" there is no value in using TypeSet (which would deal with ordering of items in the set). Do you mind changing it to TypeList?
This should reduce complexity in CRUD and make the resource easier to use as users will be able to reference nested type field as default_action.0.type.
| Elem: &schema.Resource{ | ||
| Schema: map[string]*schema.Schema{ | ||
| "action": &schema.Schema{ | ||
| Type: schema.TypeSet, |
There was a problem hiding this comment.
Do you mind changing this to TypeList for the same reason as mentioned above in default_action?
| out, err := wr.RetryWithToken(func(token *string) (interface{}, error) { | ||
| params := &waf.CreateWebACLInput{ | ||
| ChangeToken: token, | ||
| DefaultAction: expandDefaultAction(d), |
There was a problem hiding this comment.
Couple of questions here:
- Is there any reason we can't use
expandDefaultActionWRhere? - Is there a reason
expandDefaultActionWRcan't just accept the bare minimum - which is[]interface{}instead of the wholeschema.ResourceData?
|
|
||
| resp, err := conn.GetWebACL(params) | ||
| if err != nil { | ||
| if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "WAFNonexistentItemException" { |
There was a problem hiding this comment.
Do you mind replacing this check with a helper and simplify the code that way?
if isAWSErr(err, wafregional.ErrCodeWAFNonexistentItemException, "") {| } | ||
|
|
||
| defaultAction := flattenDefaultActionWR(resp.WebACL.DefaultAction) | ||
| if defaultAction != nil { |
There was a problem hiding this comment.
It is totally fine to pass nil to d.Set() it can handle (ignore) it safely, so this nil check here is redundant and we tend to avoid such nil checks to prevent cluttering the CRUD.
| } | ||
|
|
||
| resource "aws_wafregional_rule" "wafrule" { | ||
| depends_on = ["aws_wafregional_ipset.ipset"] |
There was a problem hiding this comment.
This is redundant because the relationship is already built by the reference ${aws_wafregional_ipset.ipset.id} below. Do you mind removing it?
| } | ||
| } | ||
| resource "aws_wafregional_web_acl" "waf_acl" { | ||
| depends_on = ["aws_wafregional_ipset.ipset", "aws_wafregional_rule.wafrule"] |
There was a problem hiding this comment.
This is redundant because the relationship is already built by the reference ${aws_wafregional_rule.wafrule.id} below and further reference inside the rule. Do you mind removing it?
| } | ||
|
|
||
| resource "aws_wafregional_web_acl" "wafacl" { | ||
| depends_on = ["aws_wafregional_ipset.ipset", "aws_wafregional_rule.wafrule"] |
There was a problem hiding this comment.
This is redundant because the relationship is already built by the reference ${aws_wafregional_rule.wafrule.id} below and further reference inside the rule. Do you mind removing it?
| } | ||
|
|
||
| resource "aws_wafregional_rule" "wafrule" { | ||
| depends_on = ["aws_wafregional_ipset.ipset"] |
There was a problem hiding this comment.
This is redundant because the relationship is already built by the reference ${aws_wafregional_ipset.ipset.id} below. Do you mind removing it?
| * `priority` - (Required) Specifies the order in which the rules in a WebACL are evaluated. | ||
| Rules with a lower value are evaluated before rules with a higher value. | ||
| * `rule_id` - (Required) ID of the associated [rule](/docs/providers/aws/r/wafregional_rule.html) | ||
| * `type` - (Optional) The rule type, either `REGULAR`, as defined by [Rule](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_Rule.html), or `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. |
There was a problem hiding this comment.
This field was not actually implemented yet - do you plan on finishing it?
radeksimko
added
the
waiting-response
pvanbuijtene
force-pushed
the
wafregional-web-acl
branch
from
134a56e
to
dac457a
Compare
|
@pvanbuijtene let me know if you need any help finishing this. I'd like to get it into 1.12.0 (tentatively scheduled for the end of next week) and this particular resource has been PR'd a couple of times, so I'm willing to take it to the finish line myself, if necessary 😉 |
|
@radeksimko I understand, these are my first baby steps in golang. |
pvanbuijtene
force-pushed
the
wafregional-web-acl
branch
from
1ce4708
to
e558c83
Compare
|
Will finish other PR first because of dependency, see: #3756 (comment) |
|
@pvanbuijtene #3756 was just merged. Do you mind rebasing this PR and looking at the feedback? Thanks. |
|
@radeksimko thanks for the quick review and merge. didn't have as much time as planned, will finish this one tomorrow night. |
pvanbuijtene
force-pushed
the
wafregional-web-acl
branch
from
e558c83
to
ea6666f
Compare
|
@radeksimko it requires a bit more time and code, continuing tomorrow. |
| m := map[string]interface{}{ | ||
| "rule_id": **ruleId, | ||
| "priority": priority, | ||
| "action": actionType, |
There was a problem hiding this comment.
@radeksimko I'm afraid I'm stuck here, can't figure out how to solve the puzzle how to pass the action in order to get the index.
Wanted to add some more tests steps for the rule fields, but this is blocking me.
There was a problem hiding this comment.
You can check by running the test TestAccAWSWafRegionalWebAcl_changeRules
|
@radeksimko this one was is a bit more challenging :) Most of it is done so can be reviewed, needs some more tests but I'm stuck as explained above. |
radeksimko
removed
the
waiting-response
There was a problem hiding this comment.
Hey @pvanbuijtene
as the PR is otherwise in a pretty good shape, I took the liberty and pushed some tiny fixes to get it across the finish line. I hope you don't mind.
As you can see from the diff the root cause of the crash, as demonstrated by your test, was that you were setting action as map, when it's TypeList in the schema, hence it needs to be wrapped as []interface{} (despite the fact that there'll always be only 1 item in the list).
It may be a little bit confusing, but I hope it makes sense.
I also fixed the flattener which wasn't producing correct data as uncovered by running tests with a special ENV variable:
TF_SCHEMA_PANIC_ON_ERROR=1 make testacc TEST=./aws TESTARGS='-run=TestAccAWSWafRegionalWebAcl_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSWafRegionalWebAcl_ -timeout 120m
=== RUN TestAccAWSWafRegionalWebAcl_basic
panic: rule.0.action: '': source data must be an array or slice, got struct
Lastly I just cleaned up the docs a little bit.
I think this is now in mergeable state, so I will go ahead and merge it. In regards to missing type I understand that we'll first need to implement aws_wafregional_rule_group and aws_wafregional_rate_based_rule to take advantage of that field. i.e. it's ok to leave it out in this initial implementation.
Thank you for all your work. Let me know if you have any further questions.
|
@radeksimko thanks for the finishing touch and clarification. Tomorrow I'll have a look at the other PR. |
|
This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Trying to help a bit to finish the WAF Regional PRs, this is the result of the split up of #3199
Related PRs: #1046 hashicorp/terraform#13711
Thanks to the contributors: @yusukegoto @DennyLoko @BSick7