
WAFv2 is deleted & re-created after doing a plan/apply when editing rules thus changing the ARN #14745

Closed
cisnerosk opened this issue Aug 19, 2020 · 3 comments
Labels
service/wafv2 Issues and PRs that pertain to the wafv2 service.


cisnerosk commented Aug 19, 2020


Terraform CLI and Terraform AWS Provider Version

terraform version: Terraform v0.12.27
terraform AWS provider version: 2.68

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

resource "aws_wafv2_web_acl" "example" {
    name = "example"
    description = "This is managed by Terraform"
    scope = "REGIONAL"

    default_action {
        allow {}
    }

    rule {
        name = "example"
        priority = 1

        action {
            block {}
        }

        statement {
            geo_match_statement {
                country_codes = ["US"]
            }
        }
        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name = "example"
            sampled_requests_enabled = true 
        }
    }

    rule {
        name = "AWSManagedRulesLinuxRuleSet"
        priority = 2

        override_action {
            count {}
        }

        statement {
            managed_rule_group_statement {
                name = "AWSManagedRulesLinuxRuleSet"
                vendor_name = "AWS"
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name = "AWSManagedRulesLinuxRuleSet"
            sampled_requests_enabled = true
        }
    }

    visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name = "example"
        sampled_requests_enabled = true
    }

}

resource "aws_wafv2_web_acl_association" "example" {
    resource_arn = example
    web_acl_arn = aws_wafv2_web_acl.example.arn
    depends_on = [
        aws_wafv2_web_acl.example
    ]
}

Expected Behavior

My WAFv2 should have retained the same ID and not be destroyed/recreated after minor changes such as a rule addition/deletion. If I manually add a rule in the console, it does not recreate the WAF. The re-creation process is not ideal because the association has to happen again, so there is a period of time where the resources are not protected; and when enhanced logging is enabled, there is also a period of time where logging is not working, since the WAF doesn't exist anymore.

Actual Behavior

  # aws_wafv2_web_acl.example must be replaced
-/+ resource "aws_wafv2_web_acl" "example" {
      ~ arn         = "arn:aws:wafv2:region:account:regional/webacl/example/original-id-string-b44" -> (known after apply)
      ~ capacity    = 1447 -> (known after apply)
        description = "This is managed by Terraform"
      ~ id          = "original-id-string-b44" -> (known after apply)
      ~ lock_token  = "lock-token-string" -> (known after apply)
        name        = "example"
        scope       = "REGIONAL"

        default_action {
            allow {}
        }

      - rule { # forces replacement
          - name     = "example" -> null
          - priority = 0 -> null

          - action {

              - block {}
            }

          - statement {

              - geo_match_statement {
                  - country_codes = [
                      - "US"
                    ] -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "example" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule { # forces replacement
          + name     = "example"
          + priority = 1

          + action {

              + block {}
            }

          + statement {

              + geo_match_statement {
                  + country_codes = [
                      + "US"
                    ]
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "example"
              + sampled_requests_enabled   = true
            }
        }

        rule {
            name     = "AWSManagedRulesLinuxRuleSet"
            priority = 2

            override_action {
                count {}
            }

            statement {

                managed_rule_group_statement {
                    name        = "AWSManagedRulesLinuxRuleSet"
                    vendor_name = "AWS"
                }
            }

            visibility_config {
                cloudwatch_metrics_enabled = true
                metric_name                = "AWSManagedRulesLinuxRuleSet"
                sampled_requests_enabled   = true
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name                = "example"
            sampled_requests_enabled   = true
        }
    }

  # aws_wafv2_web_acl_association.example must be replaced
-/+ resource "aws_wafv2_web_acl_association" "example" {
      ~ id           = "arn:aws:wafv2:region:account:regional/webacl/example/original-id-string-b44,arn:aws:elasticloadbalancing:region:account:loadbalancer/app/lb-name/lb-name-string-id" -> (known after apply)
        resource_arn = "arn:aws:elasticloadbalancing:region:account:loadbalancer/app/lb-name/lb-name-string-id"
      ~ web_acl_arn  = "arn:aws:wafv2:region:account:regional/webacl/example/original-id-string-b44" -> (known after apply) # forces replacement
    }

Steps to Reproduce

  1. Change priority of rules or add a new rule to an existing WAFv2 managed by Terraform.
  2. Do a plan to see the "known after apply" for the ARN on the WAFv2.
  3. Do an apply to see that your ID has changed in the AWS console.
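The protection gap described above only appears in the plan as a `-/+` replacement, which is easy to miss in a long diff. The following is an added pre-apply check, not part of this issue or the provider, that reads the JSON form of a saved plan (`terraform show -json tfplan`) and fails when a web ACL or its association is scheduled for destroy-and-recreate; the plan document embedded here is a constructed sample trimmed to the fields the check reads.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, reduced to the
# fields this check reads. The addresses mirror the plan shown in the issue.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {
            "address": "aws_wafv2_web_acl.example",
            "type": "aws_wafv2_web_acl",
            "change": {"actions": ["delete", "create"]},
        },
        {
            "address": "aws_wafv2_web_acl_association.example",
            "type": "aws_wafv2_web_acl_association",
            "change": {"actions": ["delete", "create"]},
        },
        {
            "address": "aws_lb.example",
            "type": "aws_lb",
            "change": {"actions": ["update"]},
        },
    ],
})

# Resource types whose replacement leaves the protected endpoint without a WAF
# until the new ACL exists and is re-associated (assumed list; extend as needed).
GUARDED_TYPES = frozenset({"aws_wafv2_web_acl", "aws_wafv2_web_acl_association"})


def find_replacements(plan_json, guarded_types=GUARDED_TYPES):
    """Return addresses of guarded resources the plan will destroy and re-create.

    Terraform encodes replacement as the action pair ["delete", "create"]
    (or ["create", "delete"] when create_before_destroy is set), so both
    orderings are treated as a replacement.
    """
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if rc.get("type") in guarded_types and {"delete", "create"} <= actions:
            hits.append(rc["address"])
    return hits


if __name__ == "__main__":
    replaced = find_replacements(SAMPLE_PLAN_JSON)
    for address in replaced:
        print(f"REPLACEMENT: {address} -> protection gap during apply")
    raise SystemExit(1 if replaced else 0)
```

In a pipeline, pipe the real plan JSON into `find_replacements` and block the apply step on a non-zero exit, so the gap is reviewed rather than discovered after the ACL has been torn down.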
@ghost ghost added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Aug 19, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 19, 2020
@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Aug 19, 2020

anGie44 commented Aug 19, 2020

Hi @cisnerosk, thanks for creating an issue! Making a quick pass, it looks like this relates to an issue that has now been addressed in v3.2.0 of the AWS Provider (reference: #13936). Do note that upgrading from 2.68.0 brings along the challenging issue we're still facing with #14062.

cisnerosk (Author) commented

I missed this issue, apologies! Thank you for letting me know! 😄


ghost commented Sep 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 19, 2020