From 69312e357f8b1d81e62deeafa56ee0f0b0711c99 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Thu, 16 Jan 2020 11:38:23 +0100 Subject: [PATCH 01/19] Basic functionality --- aws/provider.go | 1 + aws/resource_aws_wafv2_ip_set.go | 191 ++++++++++++++++++++++++++ aws/resource_aws_wafv2_ip_set_test.go | 116 ++++++++++++++++ 3 files changed, 308 insertions(+) create mode 100644 aws/resource_aws_wafv2_ip_set.go create mode 100644 aws/resource_aws_wafv2_ip_set_test.go diff --git a/aws/provider.go b/aws/provider.go index 6a1e1e768bf..6801fabe536 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -881,6 +881,7 @@ func Provider() terraform.ResourceProvider { "aws_wafregional_xss_match_set": resourceAwsWafRegionalXssMatchSet(), "aws_wafregional_web_acl": resourceAwsWafRegionalWebAcl(), "aws_wafregional_web_acl_association": resourceAwsWafRegionalWebAclAssociation(), + "aws_wafv2_ip_set": resourceAwsWafv2IPSet(), "aws_worklink_fleet": resourceAwsWorkLinkFleet(), "aws_worklink_website_certificate_authority_association": resourceAwsWorkLinkWebsiteCertificateAuthorityAssociation(), "aws_workspaces_directory": resourceAwsWorkspacesDirectory(), diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go new file mode 100644 index 00000000000..a526ce6246e --- /dev/null +++ b/aws/resource_aws_wafv2_ip_set.go @@ -0,0 +1,191 @@ +package aws + +import ( + "fmt" + "github.com/aws/aws-sdk-go/service/wafv2" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/helper/validation" + "log" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" +) + +func resourceAwsWafv2IPSet() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsWafv2IPSetCreate, + Read: resourceAwsWafv2IPSetRead, + Update: resourceAwsWafv2IPSetUpdate, + Delete: resourceAwsWafv2IPSetDelete, + + Schema: map[string]*schema.Schema{ + "addresses": { + Type: schema.TypeSet, + Required: true, + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "arn": { + Type: schema.TypeString, + Computed: true, + }, + "description": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "ip_address_version": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice([]string{ + wafv2.IPAddressVersionIpv4, + wafv2.IPAddressVersionIpv6, + }, false), + }, + "name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "scope": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice([]string{ + wafv2.ScopeCloudfront, + wafv2.ScopeRegional, + }, false), + }, + "tags": tagsSchema(), + }, + } +} + +func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).wafv2conn + var resp *wafv2.CreateIPSetOutput + + params := &wafv2.CreateIPSetInput{ + Addresses: expandStringSet(d.Get("addresses").(*schema.Set)), + Description: aws.String(d.Get("description").(string)), + IPAddressVersion: aws.String(d.Get("ip_address_version").(string)), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + } + err := resource.Retry(15*time.Minute, func() *resource.RetryError { + var err error + resp, err = conn.CreateIPSet(params) + if err != nil { + if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { + return resource.RetryableError(err) + } + if isAWSErr(err, wafv2.ErrCodeWAFTagOperationException, "An error occurred during the tagging operation") { + return resource.RetryableError(err) + } + if isAWSErr(err, wafv2.ErrCodeWAFTagOperationInternalErrorException, "AWS WAF couldn’t perform your tagging operation because of an internal error") { + return resource.RetryableError(err) + } + if isAWSErr(err, wafv2.ErrCodeWAFOptimisticLockException, "AWS WAF couldn’t save your changes because you tried to update or delete a resource that has changed since you last retrieved it") { + return resource.RetryableError(err) + } + return resource.NonRetryableError(err) + } + return nil + }) + if isResourceTimeoutError(err) { + _, err = conn.CreateIPSet(params) + } + if err != nil { + return err + } + d.SetId(*resp.Summary.Id) + + return resourceAwsWafv2IPSetRead(d, meta) +} + +func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).wafv2conn + + params := &wafv2.GetIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + } + + resp, err := conn.GetIPSet(params) + if err != nil { + if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == wafv2.ErrCodeWAFNonexistentItemException { + log.Printf("[WARN] WAFV2 IPSet (%s) not found, removing from state", d.Id()) + d.SetId("") + return nil + } + + return err + } + + d.Set("name", resp.IPSet.Name) + d.Set("description", resp.IPSet.Description) + d.Set("ip_address_version", resp.IPSet.IPAddressVersion) + d.Set("addresses", resp.IPSet.Addresses) + d.Set("arn", resp.IPSet.ARN) + + return nil +} + +func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error { + return resourceAwsWafv2IPSetRead(d, meta) +} + +func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).wafv2conn + var resp *wafv2.GetIPSetOutput + params := &wafv2.GetIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + } + log.Printf("[INFO] Deleting WAFV2 IPSet %s", d.Id()) + + err := resource.Retry(15*time.Minute, func() *resource.RetryError { + var err error + resp, err = conn.GetIPSet(params) + if err != nil { + return resource.NonRetryableError(fmt.Errorf("Error getting lock token: %s", err)) + } + + _, err = conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + LockToken: resp.LockToken, + }) + + if err != nil { + if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { + return resource.RetryableError(err) + } + if isAWSErr(err, wafv2.ErrCodeWAFOptimisticLockException, "AWS WAF couldn’t save your changes because you tried to update or delete a resource that has changed since you last retrieved it") { + return resource.RetryableError(err) + } + return resource.NonRetryableError(err) + } + return nil + }) + + if isResourceTimeoutError(err) { + _, err = conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + LockToken: resp.LockToken, + }) + } + + if err != nil { + return fmt.Errorf("Error deleting WAFV2 IPSet: %s", err) + } + + return nil +} diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go new file mode 100644 index 00000000000..01dc52d1ae2 --- /dev/null +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -0,0 +1,116 @@ +package aws + +import ( + "fmt" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/service/wafv2" + "regexp" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" + + "github.com/aws/aws-sdk-go/aws" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" +) + +func TestAccAwsWafv2IPSet_basic(t *testing.T) { + var v wafv2.IPSet + ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) + resourceName := "aws_wafv2_ip_set.ip_set" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSWafv2IPSetDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2IPSetConfig(ipSetName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", ipSetName), + resource.TestCheckResourceAttr(resourceName, "description", ipSetName), + resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), + resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), + ), + }, + }, + }) +} + +func testAccCheckAWSWafv2IPSetDestroy(s *terraform.State) error { + for _, rs := range s.RootModule().Resources { + if rs.Type != "aws_wafv2_ip_set" { + continue + } + + conn := testAccProvider.Meta().(*AWSClient).wafv2conn + resp, err := conn.GetIPSet( + &wafv2.GetIPSetInput{ + Id: aws.String(rs.Primary.ID), + Name: aws.String(rs.Primary.Attributes["name"]), + Scope: aws.String(rs.Primary.Attributes["scope"]), + }) + + if err == nil { + if *resp.IPSet.Id == rs.Primary.ID { + return fmt.Errorf("WAFV2 IPSet %s still exists", rs.Primary.ID) + } + } + + // Return nil if the IPSet is already destroyed + if awsErr, ok := err.(awserr.Error); ok { + if awsErr.Code() == wafv2.ErrCodeWAFNonexistentItemException { + return nil + } + } + + return err + } + + return nil +} + +func testAccCheckAWSWafv2IPSetExists(n string, v *wafv2.IPSet) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No WAFV2 IPSet ID is set") + } + + conn := testAccProvider.Meta().(*AWSClient).wafv2conn + resp, err := conn.GetIPSet(&wafv2.GetIPSetInput{ + Id: aws.String(rs.Primary.ID), + Name: aws.String(rs.Primary.Attributes["name"]), + Scope: aws.String(rs.Primary.Attributes["scope"]), + }) + + if err != nil { + return err + } + + if *resp.IPSet.Id == rs.Primary.ID { + *v = *resp.IPSet + return nil + } + + return fmt.Errorf("WAFV2 IPSet (%s) not found", rs.Primary.ID) + } +} + +func testAccAwsWafv2IPSetConfig(name string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "ip_set" { + name = "%s" + description = "%s" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.2.3.4/32", "5.6.7.8/32"] +} +`, name, name) +} From 5bbb31f61291618a9890e90241ec16bcd4e87bb6 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Fri, 17 Jan 2020 17:08:39 +0100 Subject: [PATCH 02/19] Fix addresses --- aws/resource_aws_wafv2_ip_set.go | 9 +++++---- aws/resource_aws_wafv2_ip_set_test.go | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index a526ce6246e..86440355f6d 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -22,8 +22,8 @@ func resourceAwsWafv2IPSet() *schema.Resource { Schema: map[string]*schema.Schema{ "addresses": { - Type: schema.TypeSet, - Required: true, + Type: schema.TypeList, + Optional: true, Elem: &schema.Schema{Type: schema.TypeString}, }, "arn": { @@ -68,12 +68,13 @@ func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error var resp *wafv2.CreateIPSetOutput params := &wafv2.CreateIPSetInput{ - Addresses: expandStringSet(d.Get("addresses").(*schema.Set)), + Addresses: expandStringList(d.Get("addresses").([]interface{})), Description: aws.String(d.Get("description").(string)), IPAddressVersion: aws.String(d.Get("ip_address_version").(string)), Name: aws.String(d.Get("name").(string)), Scope: aws.String(d.Get("scope").(string)), } + err := resource.Retry(15*time.Minute, func() *resource.RetryError { var err error resp, err = conn.CreateIPSet(params) @@ -128,8 +129,8 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { d.Set("name", resp.IPSet.Name) d.Set("description", resp.IPSet.Description) d.Set("ip_address_version", resp.IPSet.IPAddressVersion) - d.Set("addresses", resp.IPSet.Addresses) d.Set("arn", resp.IPSet.ARN) + d.Set("addresses", flattenStringList(resp.IPSet.Addresses)) return nil } diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 01dc52d1ae2..82406b35d35 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -33,6 +33,9 @@ func TestAccAwsWafv2IPSet_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "description", ipSetName), resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), + resource.TestCheckResourceAttr(resourceName, "addresses.#", "2"), + resource.TestCheckResourceAttr(resourceName, "addresses.0", "1.2.3.4/32"), + resource.TestCheckResourceAttr(resourceName, "addresses.1", "5.6.7.8/32"), ), }, }, From cfa3efc25faa02cb55efe704d3fdc8e516cdf247 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Thu, 23 Jan 2020 17:12:52 +0100 Subject: [PATCH 03/19] Add update --- aws/resource_aws_wafv2_ip_set.go | 93 ++++++++++++++++++++++++--- aws/resource_aws_wafv2_ip_set_test.go | 62 +++++++++++++++++- 2 files changed, 143 insertions(+), 12 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 86440355f6d..6eca7cf99ae 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -22,8 +22,10 @@ func resourceAwsWafv2IPSet() *schema.Resource { Schema: map[string]*schema.Schema{ "addresses": { - Type: schema.TypeList, + Type: schema.TypeSet, Optional: true, + MinItems: 1, + MaxItems: 50, Elem: &schema.Schema{Type: schema.TypeString}, }, "arn": { @@ -31,9 +33,9 @@ func resourceAwsWafv2IPSet() *schema.Resource { Computed: true, }, "description": { - Type: schema.TypeString, - Required: true, - ForceNew: true, + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringLenBetween(1, 256), }, "ip_address_version": { Type: schema.TypeString, @@ -45,9 +47,10 @@ func resourceAwsWafv2IPSet() *schema.Resource { }, false), }, "name": { - Type: schema.TypeString, - Required: true, - ForceNew: true, + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validation.StringLenBetween(1, 128), }, "scope": { Type: schema.TypeString, @@ -68,13 +71,20 @@ func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error var resp *wafv2.CreateIPSetOutput params := &wafv2.CreateIPSetInput{ - Addresses: expandStringList(d.Get("addresses").([]interface{})), - Description: aws.String(d.Get("description").(string)), + Addresses: []*string{}, IPAddressVersion: aws.String(d.Get("ip_address_version").(string)), Name: aws.String(d.Get("name").(string)), Scope: aws.String(d.Get("scope").(string)), } + if v, ok := d.GetOk("addresses"); ok && v.(*schema.Set).Len() > 0 { + params.Addresses = expandStringSet(d.Get("addresses").(*schema.Set)) + } + + if d.HasChange("description") { + params.Description = aws.String(d.Get("description").(string)) + } + err := resource.Retry(15*time.Minute, func() *resource.RetryError { var err error resp, err = conn.CreateIPSet(params) @@ -130,12 +140,75 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { d.Set("description", resp.IPSet.Description) d.Set("ip_address_version", resp.IPSet.IPAddressVersion) d.Set("arn", resp.IPSet.ARN) - d.Set("addresses", flattenStringList(resp.IPSet.Addresses)) + + if err := d.Set("addresses", schema.NewSet(schema.HashString, flattenStringList(resp.IPSet.Addresses))); err != nil { + return fmt.Errorf("Error setting addresses: %s", err) + } return nil } func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).wafv2conn + var resp *wafv2.GetIPSetOutput + params := &wafv2.GetIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + } + log.Printf("[INFO] Updating WAFV2 IPSet %s", d.Id()) + + err := resource.Retry(15*time.Minute, func() *resource.RetryError { + var err error + resp, err = conn.GetIPSet(params) + if err != nil { + return resource.NonRetryableError(fmt.Errorf("Error getting lock token: %s", err)) + } + + u := &wafv2.UpdateIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + Addresses: []*string{}, + Description: aws.String(d.Get("description").(string)), + LockToken: resp.LockToken, + } + + if v, ok := d.GetOk("addresses"); ok && v.(*schema.Set).Len() > 0 { + u.Addresses = expandStringSet(d.Get("addresses").(*schema.Set)) + } + + if d.HasChange("description") { + u.Description = aws.String(d.Get("description").(string)) + } + + _, err = conn.UpdateIPSet(u) + + if err != nil { + if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { + return resource.RetryableError(err) + } + if isAWSErr(err, wafv2.ErrCodeWAFOptimisticLockException, "AWS WAF couldn’t save your changes because you tried to update or delete a resource that has changed since you last retrieved it") { + return resource.RetryableError(err) + } + return resource.NonRetryableError(err) + } + return nil + }) + + if isResourceTimeoutError(err) { + _, err = conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + LockToken: resp.LockToken, + }) + } + + if err != nil { + return fmt.Errorf("Error updating WAFV2 IPSet: %s", err) + } + return resourceAwsWafv2IPSetRead(d, meta) } diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 82406b35d35..b395eb79a96 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -34,8 +34,44 @@ func TestAccAwsWafv2IPSet_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), resource.TestCheckResourceAttr(resourceName, "addresses.#", "2"), - resource.TestCheckResourceAttr(resourceName, "addresses.0", "1.2.3.4/32"), - resource.TestCheckResourceAttr(resourceName, "addresses.1", "5.6.7.8/32"), + ), + }, + { + Config: testAccAwsWafv2IPSetConfigUpdate(ipSetName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", ipSetName), + resource.TestCheckResourceAttr(resourceName, "description", "Updated"), + resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), + resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), + resource.TestCheckResourceAttr(resourceName, "addresses.#", "3"), + ), + }, + }, + }) +} + +func TestAccAwsWafv2IPSet_minimal(t *testing.T) { + var v wafv2.IPSet + ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) + resourceName := "aws_wafv2_ip_set.ip_set" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSWafv2IPSetDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2IPSetConfigMinimal(ipSetName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", ipSetName), + resource.TestCheckResourceAttr(resourceName, "description", ""), + resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), + resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), + resource.TestCheckResourceAttr(resourceName, "addresses.#", "0"), ), }, }, @@ -117,3 +153,25 @@ resource "aws_wafv2_ip_set" "ip_set" { } `, name, name) } + +func testAccAwsWafv2IPSetConfigUpdate(name string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "ip_set" { + name = "%s" + description = "Updated" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"] +} +`, name) +} + +func testAccAwsWafv2IPSetConfigMinimal(name string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "ip_set" { + name = "%s" + scope = "REGIONAL" + ip_address_version = "IPV4" +} +`, name) +} From 92d36954170b38615487f95370d8829997a15db9 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Wed, 12 Feb 2020 16:20:21 +0100 Subject: [PATCH 04/19] Add force new test --- aws/resource_aws_wafv2_ip_set_test.go | 39 +++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index b395eb79a96..986ad0c7aa7 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -78,6 +78,45 @@ func TestAccAwsWafv2IPSet_minimal(t *testing.T) { }) } +func TestAccAwsWafv2IPSet_changeNameForceNew(t *testing.T) { + var before, after wafv2.IPSet + ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) + ipSetNewName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) + resourceName := "aws_wafv2_ip_set.ip_set" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSWafv2IPSetDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2IPSetConfig(ipSetName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &before), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", ipSetName), + resource.TestCheckResourceAttr(resourceName, "description", ipSetName), + resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), + resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), + resource.TestCheckResourceAttr(resourceName, "addresses.#", "2"), + ), + }, + { + Config: testAccAwsWafv2IPSetConfig(ipSetNewName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &after), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", ipSetNewName), + resource.TestCheckResourceAttr(resourceName, "description", ipSetNewName), + resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), + resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), + resource.TestCheckResourceAttr(resourceName, "addresses.#", "2"), + ), + }, + }, + }) +} + func testAccCheckAWSWafv2IPSetDestroy(s *terraform.State) error { for _, rs := range s.RootModule().Resources { if rs.Type != "aws_wafv2_ip_set" { From d6c40b64661862e7cf1da81a2f1deb8fb60701aa Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Wed, 12 Feb 2020 17:28:20 +0100 Subject: [PATCH 05/19] Add import --- aws/resource_aws_wafv2_ip_set.go | 16 ++++++++++++++++ aws/resource_aws_wafv2_ip_set_test.go | 19 +++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 6eca7cf99ae..f2a27f4f24c 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -6,6 +6,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/helper/validation" "log" + "strings" "time" "github.com/aws/aws-sdk-go/aws" @@ -19,6 +20,21 @@ func resourceAwsWafv2IPSet() *schema.Resource { Read: resourceAwsWafv2IPSetRead, Update: resourceAwsWafv2IPSetUpdate, Delete: resourceAwsWafv2IPSetDelete, + Importer: &schema.ResourceImporter{ + State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + idParts := strings.Split(d.Id(), "/") + if len(idParts) != 3 || idParts[0] == "" || idParts[1] == "" || idParts[2] == "" { + return nil, fmt.Errorf("Unexpected format of ID (%q), expected ID/NAME/SCOPE", d.Id()) + } + id := idParts[0] + name := idParts[1] + scope := idParts[2] + d.SetId(id) + d.Set("name", name) + d.Set("scope", scope) + return []*schema.ResourceData{d}, nil + }, + }, Schema: map[string]*schema.Schema{ "addresses": { diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 986ad0c7aa7..8ff911d300f 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -48,6 +48,12 @@ func TestAccAwsWafv2IPSet_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "addresses.#", "3"), ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccAWSWafv2IPSetImportStateIdFunc(resourceName), + }, }, }) } @@ -117,6 +123,8 @@ func TestAccAwsWafv2IPSet_changeNameForceNew(t *testing.T) { }) } +// TAGS + func testAccCheckAWSWafv2IPSetDestroy(s *terraform.State) error { for _, rs := range s.RootModule().Resources { if rs.Type != "aws_wafv2_ip_set" { @@ -214,3 +222,14 @@ resource "aws_wafv2_ip_set" "ip_set" { } `, name) } + +func testAccAWSWafv2IPSetImportStateIdFunc(resourceName string) resource.ImportStateIdFunc { + return func(s *terraform.State) (string, error) { + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return "", fmt.Errorf("Not found: %s", resourceName) + } + + return fmt.Sprintf("%s/%s/%s", rs.Primary.ID, rs.Primary.Attributes["name"], rs.Primary.Attributes["scope"]), nil + } +} From e0b7a44d96fef0aedd933c66a1f09518818dcbad Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Mon, 17 Feb 2020 17:31:03 +0100 Subject: [PATCH 06/19] Add tags support --- aws/resource_aws_wafv2_ip_set.go | 22 +++++++ aws/resource_aws_wafv2_ip_set_test.go | 89 ++++++++++++++++++++++++++- 2 files changed, 110 insertions(+), 1 deletion(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index f2a27f4f24c..37e5712e832 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -5,6 +5,7 @@ import ( "github.com/aws/aws-sdk-go/service/wafv2" "github.com/hashicorp/terraform-plugin-sdk/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/helper/validation" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags" "log" "strings" "time" @@ -101,6 +102,10 @@ func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error params.Description = aws.String(d.Get("description").(string)) } + if v := d.Get("tags").(map[string]interface{}); len(v) > 0 { + params.Tags = keyvaluetags.New(v).IgnoreAws().Wafv2Tags() + } + err := resource.Retry(15*time.Minute, func() *resource.RetryError { var err error resp, err = conn.CreateIPSet(params) @@ -161,11 +166,21 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error setting addresses: %s", err) } + tags, err := keyvaluetags.Wafv2ListTags(conn, *resp.IPSet.ARN) + if err != nil { + return fmt.Errorf("error listing tags for WAFV2 IpSet (%s): %s", *resp.IPSet.ARN, err) + } + + if err := d.Set("tags", tags.IgnoreAws().Map()); err != nil { + return fmt.Errorf("error setting tags: %s", err) + } + return nil } func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn + //tags := keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().Wafv2Tags() var resp *wafv2.GetIPSetOutput params := &wafv2.GetIPSetInput{ Id: aws.String(d.Id()), @@ -225,6 +240,13 @@ func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error return fmt.Errorf("Error updating WAFV2 IPSet: %s", err) } + if d.HasChange("tags") { + o, n := d.GetChange("tags") + if err := keyvaluetags.Wafv2UpdateTags(conn, d.Get("arn").(string), o, n); err != nil { + return fmt.Errorf("error updating tags: %s", err) + } + } + return resourceAwsWafv2IPSetRead(d, meta) } diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 8ff911d300f..1697922c6cd 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -34,6 +34,9 @@ func TestAccAwsWafv2IPSet_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv4), resource.TestCheckResourceAttr(resourceName, "addresses.#", "2"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), + resource.TestCheckResourceAttr(resourceName, "tags.Tag1", "Value1"), + resource.TestCheckResourceAttr(resourceName, "tags.Tag2", "Value2"), ), }, { @@ -123,7 +126,53 @@ func TestAccAwsWafv2IPSet_changeNameForceNew(t *testing.T) { }) } -// TAGS +func TestAccAwsWafv2IPSet_tags(t *testing.T) { + var v wafv2.IPSet + ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) + resourceName := "aws_wafv2_ip_set.ip_set" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSWafv2IPSetDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2IPSetConfigOneTag(ipSetName, "Tag1", "Value1"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(resourceName, "tags.Tag1", "Value1"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccAWSWafv2IPSetImportStateIdFunc(resourceName), + }, + { + Config: testAccAwsWafv2IPSetConfigTwoTags(ipSetName, "Tag1", "Value1Updated", "Tag2", "Value2"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), + resource.TestCheckResourceAttr(resourceName, "tags.Tag1", "Value1Updated"), + resource.TestCheckResourceAttr(resourceName, "tags.Tag2", "Value2"), + ), + }, + { + Config: testAccAwsWafv2IPSetConfigOneTag(ipSetName, "Tag2", "Value2"), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(resourceName, "tags.Tag2", "Value2"), + ), + }, + }, + }) +} func testAccCheckAWSWafv2IPSetDestroy(s *terraform.State) error { for _, rs := range s.RootModule().Resources { @@ -197,6 +246,11 @@ resource "aws_wafv2_ip_set" "ip_set" { scope = "REGIONAL" ip_address_version = "IPV4" addresses = ["1.2.3.4/32", "5.6.7.8/32"] + + tags = { + Tag1 = "Value1" + Tag2 = "Value2" + } } `, name, name) } @@ -223,6 +277,39 @@ resource "aws_wafv2_ip_set" "ip_set" { `, name) } +func testAccAwsWafv2IPSetConfigOneTag(name, tagKey, tagValue string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "ip_set" { + name = "%s" + description = "%s" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.2.3.4/32", "5.6.7.8/32"] + + tags = { + %q = %q + } +} +`, name, name, tagKey, tagValue) +} + +func testAccAwsWafv2IPSetConfigTwoTags(name, tag1Key, tag1Value, tag2Key, tag2Value string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "ip_set" { + name = "%s" + description = "%s" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.2.3.4/32", "5.6.7.8/32"] + + tags = { + %q = %q + %q = %q + } +} +`, name, name, tag1Key, tag1Value, tag2Key, tag2Value) +} + func testAccAWSWafv2IPSetImportStateIdFunc(resourceName string) resource.ImportStateIdFunc { return func(s *terraform.State) (string, error) { rs, ok := s.RootModule().Resources[resourceName] From 8b7b3ce273c686566455f09f9e066e6cc3d6f423 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Fri, 21 Feb 2020 15:10:23 +0100 Subject: [PATCH 07/19] Add docs --- website/allowed-subcategories.txt | 1 + website/aws.erb | 13 ++++++ website/docs/r/wafv2_ip_set.html.markdown | 54 +++++++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 website/docs/r/wafv2_ip_set.html.markdown diff --git a/website/allowed-subcategories.txt b/website/allowed-subcategories.txt index 2f7427c5abb..191b7117809 100644 --- a/website/allowed-subcategories.txt +++ b/website/allowed-subcategories.txt @@ -105,6 +105,7 @@ Transfer VPC WAF Regional WAF +WAFv2 WorkLink WorkMail WorkSpaces diff --git a/website/aws.erb b/website/aws.erb index 9c2b258301d..58c7fdf91e1 100644 --- a/website/aws.erb +++ b/website/aws.erb @@ -3553,6 +3553,19 @@ +
  • + WAFv2 + +
  • WorkLink
      diff --git a/website/docs/r/wafv2_ip_set.html.markdown b/website/docs/r/wafv2_ip_set.html.markdown new file mode 100644 index 00000000000..7b36423fee2 --- /dev/null +++ b/website/docs/r/wafv2_ip_set.html.markdown @@ -0,0 +1,54 @@ +--- +subcategory: "WAFv2" +layout: "aws" +page_title: "AWS: aws_wafv2_ip_set" +description: |- + Provides an AWS WAFv2 IP Set resource. +--- + +# Resource: aws_wafv2_ip_set + +Provides a WAFv2 IP Set Resource + +## Example Usage + +```hcl +resource "aws_wafv2_ip_set" "example" { + name = "example" + description = "Example IP set" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = ["1.2.3.4/32", "5.6.7.8/32"] + + tags = { + Tag1 = "Value1" + Tag2 = "Value2" + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - (Required) A friendly name of the IP set. +* `description` - (Optional) A friendly description of the IP set. +* `scope` - (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are `CLOUDFRONT` or `REGIONAL`. To work with CloudFront, you must also specify the Region US East (N. Virginia). +* `ip_address_version` - (Required) Specify IPV4 or IPV6. Valid values are `IPV4` or `IPV6`. +* `addresses` - (Required) Contains an array of strings that specify one or more IP addresses or blocks of IP addresses in Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all address ranges for IP versions IPv4 and IPv6. +* `tags` - (Optional) An array of key:value pairs to associate with the resource. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - A unique identifier for the set. +* `arn` - The Amazon Resource Name (ARN) that identifies the cluster. + +## Import + +WAFv2 IP Sets can be imported using their ID, Name and Scope e.g. + +``` +$ terraform import aws_wafv2_ip_set.example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc/example/REGIONAL +``` From a3adf86502ee76fd7b5bc7a123d52b9bf8f5aa16 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Fri, 21 Feb 2020 15:12:29 +0100 Subject: [PATCH 08/19] Sort imports --- aws/resource_aws_wafv2_ip_set.go | 8 ++++---- aws/resource_aws_wafv2_ip_set_test.go | 9 ++++----- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 37e5712e832..24ad089af2e 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -2,17 +2,17 @@ package aws import ( "fmt" - "github.com/aws/aws-sdk-go/service/wafv2" - "github.com/hashicorp/terraform-plugin-sdk/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/helper/validation" - "github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags" "log" "strings" "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/service/wafv2" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/helper/validation" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags" ) func resourceAwsWafv2IPSet() *schema.Resource { diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 1697922c6cd..a4754099af6 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -2,16 +2,15 @@ package aws import ( "fmt" - "github.com/aws/aws-sdk-go/aws/awserr" - "github.com/aws/aws-sdk-go/service/wafv2" "regexp" "testing" - "github.com/hashicorp/terraform-plugin-sdk/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/terraform" - "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/service/wafv2" "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" ) func TestAccAwsWafv2IPSet_basic(t *testing.T) { From 462ffde263198bef605e19504c6ac2fa0242caf6 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Fri, 21 Feb 2020 15:37:41 +0100 Subject: [PATCH 09/19] Cleanup --- aws/resource_aws_wafv2_ip_set.go | 1 - 1 file changed, 1 deletion(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 24ad089af2e..c5145282a3d 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -180,7 +180,6 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn - //tags := keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().Wafv2Tags() var resp *wafv2.GetIPSetOutput params := &wafv2.GetIPSetInput{ Id: aws.String(d.Id()), From 0d644eaedba14496d36ca1bfaa25501f27025df0 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Fri, 27 Mar 2020 23:12:55 +0100 Subject: [PATCH 10/19] Apply review changes --- aws/resource_aws_wafv2_ip_set.go | 61 +++++++++------------------ aws/resource_aws_wafv2_ip_set_test.go | 6 +++ 2 files changed, 27 insertions(+), 40 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index c5145282a3d..2f52ee8a20c 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -7,7 +7,6 @@ import ( "time" "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/service/wafv2" "github.com/hashicorp/terraform-plugin-sdk/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/helper/schema" @@ -63,6 +62,10 @@ func resourceAwsWafv2IPSet() *schema.Resource { wafv2.IPAddressVersionIpv6, }, false), }, + "lock_token": { + Type: schema.TypeString, + Computed: true, + }, "name": { Type: schema.TypeString, Required: true, @@ -148,7 +151,7 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { resp, err := conn.GetIPSet(params) if err != nil { - if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == wafv2.ErrCodeWAFNonexistentItemException { + if isAWSErr(err, wafv2.ErrCodeWAFNonexistentItemException, "AWS WAF couldn’t perform the operation because your resource doesn’t exist") { log.Printf("[WARN] WAFV2 IPSet (%s) not found, removing from state", d.Id()) d.SetId("") return nil @@ -161,8 +164,9 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { d.Set("description", resp.IPSet.Description) d.Set("ip_address_version", resp.IPSet.IPAddressVersion) d.Set("arn", resp.IPSet.ARN) + d.Set("lock_token", resp.LockToken) - if err := d.Set("addresses", schema.NewSet(schema.HashString, flattenStringList(resp.IPSet.Addresses))); err != nil { + if err := d.Set("addresses", flattenStringSet(resp.IPSet.Addresses)); err != nil { return fmt.Errorf("Error setting addresses: %s", err) } @@ -180,39 +184,27 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn - var resp *wafv2.GetIPSetOutput - params := &wafv2.GetIPSetInput{ - Id: aws.String(d.Id()), - Name: aws.String(d.Get("name").(string)), - Scope: aws.String(d.Get("scope").(string)), - } + log.Printf("[INFO] Updating WAFV2 IPSet %s", d.Id()) err := resource.Retry(15*time.Minute, func() *resource.RetryError { - var err error - resp, err = conn.GetIPSet(params) - if err != nil { - return resource.NonRetryableError(fmt.Errorf("Error getting lock token: %s", err)) - } - u := &wafv2.UpdateIPSetInput{ - Id: aws.String(d.Id()), - Name: aws.String(d.Get("name").(string)), - Scope: aws.String(d.Get("scope").(string)), - Addresses: []*string{}, - Description: aws.String(d.Get("description").(string)), - LockToken: resp.LockToken, + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + Addresses: []*string{}, + LockToken: aws.String(d.Get("lock_token").(string)), } if v, ok := d.GetOk("addresses"); ok && v.(*schema.Set).Len() > 0 { u.Addresses = expandStringSet(d.Get("addresses").(*schema.Set)) } - if d.HasChange("description") { + if v, ok := d.GetOk("description"); ok && len(v.(string)) > 0 { u.Description = aws.String(d.Get("description").(string)) } - _, err = conn.UpdateIPSet(u) + _, err := conn.UpdateIPSet(u) if err != nil { if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { @@ -227,11 +219,11 @@ func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error }) if isResourceTimeoutError(err) { - _, err = conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ + _, err = conn.UpdateIPSet(&wafv2.UpdateIPSetInput{ Id: aws.String(d.Id()), Name: aws.String(d.Get("name").(string)), Scope: aws.String(d.Get("scope").(string)), - LockToken: resp.LockToken, + LockToken: aws.String(d.Get("lock_token").(string)), }) } @@ -251,26 +243,15 @@ func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn - var resp *wafv2.GetIPSetOutput - params := &wafv2.GetIPSetInput{ - Id: aws.String(d.Id()), - Name: aws.String(d.Get("name").(string)), - Scope: aws.String(d.Get("scope").(string)), - } + log.Printf("[INFO] Deleting WAFV2 IPSet %s", d.Id()) err := resource.Retry(15*time.Minute, func() *resource.RetryError { - var err error - resp, err = conn.GetIPSet(params) - if err != nil { - return resource.NonRetryableError(fmt.Errorf("Error getting lock token: %s", err)) - } - - _, err = conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ + _, err := conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ Id: aws.String(d.Id()), Name: aws.String(d.Get("name").(string)), Scope: aws.String(d.Get("scope").(string)), - LockToken: resp.LockToken, + LockToken: aws.String(d.Get("lock_token").(string)), }) if err != nil { @@ -290,7 +271,7 @@ func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error Id: aws.String(d.Id()), Name: aws.String(d.Get("name").(string)), Scope: aws.String(d.Get("scope").(string)), - LockToken: resp.LockToken, + LockToken: aws.String(d.Get("lock_token").(string)), }) } diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index a4754099af6..385e7c11a00 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -82,6 +82,12 @@ func TestAccAwsWafv2IPSet_minimal(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "addresses.#", "0"), ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccAWSWafv2IPSetImportStateIdFunc(resourceName), + }, }, }) } From fcd90c331d2ab631ad354305996c75f9e332b530 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Fri, 27 Mar 2020 23:26:35 +0100 Subject: [PATCH 11/19] Make user aware of optimistick lock exception --- aws/resource_aws_wafv2_ip_set.go | 9 --------- 1 file changed, 9 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 2f52ee8a20c..80b7d2f13b8 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -122,9 +122,6 @@ func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error if isAWSErr(err, wafv2.ErrCodeWAFTagOperationInternalErrorException, "AWS WAF couldn’t perform your tagging operation because of an internal error") { return resource.RetryableError(err) } - if isAWSErr(err, wafv2.ErrCodeWAFOptimisticLockException, "AWS WAF couldn’t save your changes because you tried to update or delete a resource that has changed since you last retrieved it") { - return resource.RetryableError(err) - } return resource.NonRetryableError(err) } return nil @@ -210,9 +207,6 @@ func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { return resource.RetryableError(err) } - if isAWSErr(err, wafv2.ErrCodeWAFOptimisticLockException, "AWS WAF couldn’t save your changes because you tried to update or delete a resource that has changed since you last retrieved it") { - return resource.RetryableError(err) - } return resource.NonRetryableError(err) } return nil @@ -258,9 +252,6 @@ func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { return resource.RetryableError(err) } - if isAWSErr(err, wafv2.ErrCodeWAFOptimisticLockException, "AWS WAF couldn’t save your changes because you tried to update or delete a resource that has changed since you last retrieved it") { - return resource.RetryableError(err) - } return resource.NonRetryableError(err) } return nil From d6fe40a0f52901bdc113c29cd07632df952fa526 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Tue, 31 Mar 2020 13:22:52 +0200 Subject: [PATCH 12/19] Retry in case association is being removed --- aws/resource_aws_wafv2_ip_set.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 80b7d2f13b8..8bafc43bcf6 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -252,6 +252,9 @@ func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { return resource.RetryableError(err) } + if isAWSErr(err, wafv2.ErrCodeWAFAssociatedItemException, "AWS WAF couldn’t perform the operation because your resource is being used by another resource or it’s associated with another resource") { + return resource.RetryableError(err) + } return resource.NonRetryableError(err) } return nil From bc7f3ce73b4a011acd7a9495ee5051b78733ab76 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Sun, 5 Apr 2020 21:45:11 +0200 Subject: [PATCH 13/19] Format test config --- aws/resource_aws_wafv2_ip_set_test.go | 42 +++++++++++++-------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 385e7c11a00..6f0add039ec 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -246,11 +246,11 @@ func testAccCheckAWSWafv2IPSetExists(n string, v *wafv2.IPSet) resource.TestChec func testAccAwsWafv2IPSetConfig(name string) string { return fmt.Sprintf(` resource "aws_wafv2_ip_set" "ip_set" { - name = "%s" - description = "%s" - scope = "REGIONAL" + name = "%s" + description = "%s" + scope = "REGIONAL" ip_address_version = "IPV4" - addresses = ["1.2.3.4/32", "5.6.7.8/32"] + addresses = ["1.2.3.4/32", "5.6.7.8/32"] tags = { Tag1 = "Value1" @@ -263,11 +263,11 @@ resource "aws_wafv2_ip_set" "ip_set" { func testAccAwsWafv2IPSetConfigUpdate(name string) string { return fmt.Sprintf(` resource "aws_wafv2_ip_set" "ip_set" { - name = "%s" - description = "Updated" - scope = "REGIONAL" + name = "%s" + description = "Updated" + scope = "REGIONAL" ip_address_version = "IPV4" - addresses = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"] + addresses = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"] } `, name) } @@ -275,8 +275,8 @@ resource "aws_wafv2_ip_set" "ip_set" { func testAccAwsWafv2IPSetConfigMinimal(name string) string { return fmt.Sprintf(` resource "aws_wafv2_ip_set" "ip_set" { - name = "%s" - scope = "REGIONAL" + name = "%s" + scope = "REGIONAL" ip_address_version = "IPV4" } `, name) @@ -285,14 +285,14 @@ resource "aws_wafv2_ip_set" "ip_set" { func testAccAwsWafv2IPSetConfigOneTag(name, tagKey, tagValue string) string { return fmt.Sprintf(` resource "aws_wafv2_ip_set" "ip_set" { - name = "%s" - description = "%s" - scope = "REGIONAL" + name = "%s" + description = "%s" + scope = "REGIONAL" ip_address_version = "IPV4" - addresses = ["1.2.3.4/32", "5.6.7.8/32"] + addresses = ["1.2.3.4/32", "5.6.7.8/32"] tags = { - %q = %q + "%s" = "%s" } } `, name, name, tagKey, tagValue) @@ -301,15 +301,15 @@ resource "aws_wafv2_ip_set" "ip_set" { func testAccAwsWafv2IPSetConfigTwoTags(name, tag1Key, tag1Value, tag2Key, tag2Value string) string { return fmt.Sprintf(` resource "aws_wafv2_ip_set" "ip_set" { - name = "%s" - description = "%s" - scope = "REGIONAL" + name = "%s" + description = "%s" + scope = "REGIONAL" ip_address_version = "IPV4" - addresses = ["1.2.3.4/32", "5.6.7.8/32"] + addresses = ["1.2.3.4/32", "5.6.7.8/32"] tags = { - %q = %q - %q = %q + "%s" = "%s" + "%s" = "%s" } } `, name, name, tag1Key, tag1Value, tag2Key, tag2Value) From a73f2458fa1edce738b72b616b26b58502fc9a80 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Tue, 5 May 2020 00:16:30 +0200 Subject: [PATCH 14/19] Apply review comments --- aws/config.go | 16 ++++ aws/resource_aws_wafv2_ip_set.go | 128 +++++++++----------------- aws/resource_aws_wafv2_ip_set_test.go | 46 ++++++--- 3 files changed, 92 insertions(+), 98 deletions(-) diff --git a/aws/config.go b/aws/config.go index fda4fafb566..59b93a29a54 100644 --- a/aws/config.go +++ b/aws/config.go @@ -709,6 +709,22 @@ func (c *Config) Client() (interface{}, error) { } }) + client.wafv2conn.Handlers.Retry.PushBack(func(r *request.Request) { + if isAWSErr(r.Error, wafv2.ErrCodeWAFInternalErrorException, "Retry your request") { + r.Retryable = aws.Bool(true) + } + + if r.Operation.Name == "CreateIPSet" { + // WAFv2 supports tag on create which can result in the below error codes according to the documentation + if isAWSErr(r.Error, wafv2.ErrCodeWAFTagOperationException, "Retry your request") { + r.Retryable = aws.Bool(true) + } + if isAWSErr(err, wafv2.ErrCodeWAFTagOperationInternalErrorException, "Retry your request") { + r.Retryable = aws.Bool(true) + } + } + }) + if !c.SkipGetEC2Platforms { supportedPlatforms, err := GetSupportedEC2Platforms(client.ec2conn) if err != nil { diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 8bafc43bcf6..317f9f20548 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -40,7 +40,6 @@ func resourceAwsWafv2IPSet() *schema.Resource { "addresses": { Type: schema.TypeSet, Optional: true, - MinItems: 1, MaxItems: 50, Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -88,50 +87,31 @@ func resourceAwsWafv2IPSet() *schema.Resource { func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn - var resp *wafv2.CreateIPSetOutput - params := &wafv2.CreateIPSetInput{ - Addresses: []*string{}, + Addresses: aws.StringSlice([]string{}), IPAddressVersion: aws.String(d.Get("ip_address_version").(string)), Name: aws.String(d.Get("name").(string)), Scope: aws.String(d.Get("scope").(string)), } if v, ok := d.GetOk("addresses"); ok && v.(*schema.Set).Len() > 0 { - params.Addresses = expandStringSet(d.Get("addresses").(*schema.Set)) + params.Addresses = expandStringSet(v.(*schema.Set)) } - if d.HasChange("description") { - params.Description = aws.String(d.Get("description").(string)) + if v, ok := d.GetOk("description"); ok { + params.Description = aws.String(v.(string)) } if v := d.Get("tags").(map[string]interface{}); len(v) > 0 { params.Tags = keyvaluetags.New(v).IgnoreAws().Wafv2Tags() } - err := resource.Retry(15*time.Minute, func() *resource.RetryError { - var err error - resp, err = conn.CreateIPSet(params) - if err != nil { - if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { - return resource.RetryableError(err) - } - if isAWSErr(err, wafv2.ErrCodeWAFTagOperationException, "An error occurred during the tagging operation") { - return resource.RetryableError(err) - } - if isAWSErr(err, wafv2.ErrCodeWAFTagOperationInternalErrorException, "AWS WAF couldn’t perform your tagging operation because of an internal error") { - return resource.RetryableError(err) - } - return resource.NonRetryableError(err) - } - return nil - }) - if isResourceTimeoutError(err) { - _, err = conn.CreateIPSet(params) - } + resp, err := conn.CreateIPSet(params) + if err != nil { - return err + return fmt.Errorf("Error creating WAFv2 IPSet: %s", err) } + d.SetId(*resp.Summary.Id) return resourceAwsWafv2IPSetRead(d, meta) @@ -139,6 +119,7 @@ func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn + ignoreTagsConfig := meta.(*AWSClient).IgnoreTagsConfig params := &wafv2.GetIPSetInput{ Id: aws.String(d.Id()), @@ -149,7 +130,7 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { resp, err := conn.GetIPSet(params) if err != nil { if isAWSErr(err, wafv2.ErrCodeWAFNonexistentItemException, "AWS WAF couldn’t perform the operation because your resource doesn’t exist") { - log.Printf("[WARN] WAFV2 IPSet (%s) not found, removing from state", d.Id()) + log.Printf("[WARN] WAFv2 IPSet (%s) not found, removing from state", d.Id()) d.SetId("") return nil } @@ -169,11 +150,11 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { tags, err := keyvaluetags.Wafv2ListTags(conn, *resp.IPSet.ARN) if err != nil { - return fmt.Errorf("error listing tags for WAFV2 IpSet (%s): %s", *resp.IPSet.ARN, err) + return fmt.Errorf("Error listing tags for WAFv2 IpSet (%s): %s", *resp.IPSet.ARN, err) } - if err := d.Set("tags", tags.IgnoreAws().Map()); err != nil { - return fmt.Errorf("error setting tags: %s", err) + if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { + return fmt.Errorf("Error setting tags: %s", err) } return nil @@ -182,53 +163,34 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn - log.Printf("[INFO] Updating WAFV2 IPSet %s", d.Id()) - - err := resource.Retry(15*time.Minute, func() *resource.RetryError { - u := &wafv2.UpdateIPSetInput{ - Id: aws.String(d.Id()), - Name: aws.String(d.Get("name").(string)), - Scope: aws.String(d.Get("scope").(string)), - Addresses: []*string{}, - LockToken: aws.String(d.Get("lock_token").(string)), - } - - if v, ok := d.GetOk("addresses"); ok && v.(*schema.Set).Len() > 0 { - u.Addresses = expandStringSet(d.Get("addresses").(*schema.Set)) - } + log.Printf("[INFO] Updating WAFv2 IPSet %s", d.Id()) - if v, ok := d.GetOk("description"); ok && len(v.(string)) > 0 { - u.Description = aws.String(d.Get("description").(string)) - } - - _, err := conn.UpdateIPSet(u) + params := &wafv2.UpdateIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + Addresses: aws.StringSlice([]string{}), + LockToken: aws.String(d.Get("lock_token").(string)), + } - if err != nil { - if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { - return resource.RetryableError(err) - } - return resource.NonRetryableError(err) - } - return nil - }) + if v, ok := d.GetOk("addresses"); ok && v.(*schema.Set).Len() > 0 { + params.Addresses = expandStringSet(v.(*schema.Set)) + } - if isResourceTimeoutError(err) { - _, err = conn.UpdateIPSet(&wafv2.UpdateIPSetInput{ - Id: aws.String(d.Id()), - Name: aws.String(d.Get("name").(string)), - Scope: aws.String(d.Get("scope").(string)), - LockToken: aws.String(d.Get("lock_token").(string)), - }) + if v, ok := d.GetOk("description"); ok && len(v.(string)) > 0 { + params.Description = aws.String(v.(string)) } + _, err := conn.UpdateIPSet(params) + if err != nil { - return fmt.Errorf("Error updating WAFV2 IPSet: %s", err) + return fmt.Errorf("Error updating WAFv2 IPSet: %s", err) } if d.HasChange("tags") { o, n := d.GetChange("tags") if err := keyvaluetags.Wafv2UpdateTags(conn, d.Get("arn").(string), o, n); err != nil { - return fmt.Errorf("error updating tags: %s", err) + return fmt.Errorf("Error updating tags: %s", err) } } @@ -238,20 +200,19 @@ func resourceAwsWafv2IPSetUpdate(d *schema.ResourceData, meta interface{}) error func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).wafv2conn - log.Printf("[INFO] Deleting WAFV2 IPSet %s", d.Id()) + log.Printf("[INFO] Deleting WAFv2 IPSet %s", d.Id()) - err := resource.Retry(15*time.Minute, func() *resource.RetryError { - _, err := conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ - Id: aws.String(d.Id()), - Name: aws.String(d.Get("name").(string)), - Scope: aws.String(d.Get("scope").(string)), - LockToken: aws.String(d.Get("lock_token").(string)), - }) + params := &wafv2.DeleteIPSetInput{ + Id: aws.String(d.Id()), + Name: aws.String(d.Get("name").(string)), + Scope: aws.String(d.Get("scope").(string)), + LockToken: aws.String(d.Get("lock_token").(string)), + } + err := resource.Retry(5*time.Minute, func() *resource.RetryError { + var err error + _, err = conn.DeleteIPSet(params) if err != nil { - if isAWSErr(err, wafv2.ErrCodeWAFInternalErrorException, "AWS WAF couldn’t perform the operation because of a system problem") { - return resource.RetryableError(err) - } if isAWSErr(err, wafv2.ErrCodeWAFAssociatedItemException, "AWS WAF couldn’t perform the operation because your resource is being used by another resource or it’s associated with another resource") { return resource.RetryableError(err) } @@ -261,16 +222,11 @@ func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error }) if isResourceTimeoutError(err) { - _, err = conn.DeleteIPSet(&wafv2.DeleteIPSetInput{ - Id: aws.String(d.Id()), - Name: aws.String(d.Get("name").(string)), - Scope: aws.String(d.Get("scope").(string)), - LockToken: aws.String(d.Get("lock_token").(string)), - }) + _, err = conn.DeleteIPSet(params) } if err != nil { - return fmt.Errorf("Error deleting WAFV2 IPSet: %s", err) + return fmt.Errorf("Error deleting WAFv2 IPSet: %s", err) } return nil diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 6f0add039ec..da0ef229f8d 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -13,7 +13,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/terraform" ) -func TestAccAwsWafv2IPSet_basic(t *testing.T) { +func TestAccAwsWafv2IPSet_Basic(t *testing.T) { var v wafv2.IPSet ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) resourceName := "aws_wafv2_ip_set.ip_set" @@ -26,7 +26,7 @@ func TestAccAwsWafv2IPSet_basic(t *testing.T) { { Config: testAccAwsWafv2IPSetConfig(ipSetName), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccCheckAWSWafv2IPSetExists(resourceName, &v), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "name", ipSetName), resource.TestCheckResourceAttr(resourceName, "description", ipSetName), @@ -41,7 +41,7 @@ func TestAccAwsWafv2IPSet_basic(t *testing.T) { { Config: testAccAwsWafv2IPSetConfigUpdate(ipSetName), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccCheckAWSWafv2IPSetExists(resourceName, &v), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "name", ipSetName), resource.TestCheckResourceAttr(resourceName, "description", "Updated"), @@ -60,7 +60,29 @@ func TestAccAwsWafv2IPSet_basic(t *testing.T) { }) } -func TestAccAwsWafv2IPSet_minimal(t *testing.T) { +func TestAccAwsWafv2IPSet_Disappears(t *testing.T) { + var r wafv2.IPSet + ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) + resourceName := "aws_wafv2_ip_set.ip_set" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSWafv2IPSetDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2IPSetConfig(ipSetName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists(resourceName, &r), + testAccCheckResourceDisappears(testAccProvider, resourceAwsWafv2IPSet(), resourceName), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func TestAccAwsWafv2IPSet_Minimal(t *testing.T) { var v wafv2.IPSet ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) resourceName := "aws_wafv2_ip_set.ip_set" @@ -73,7 +95,7 @@ func TestAccAwsWafv2IPSet_minimal(t *testing.T) { { Config: testAccAwsWafv2IPSetConfigMinimal(ipSetName), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccCheckAWSWafv2IPSetExists(resourceName, &v), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "name", ipSetName), resource.TestCheckResourceAttr(resourceName, "description", ""), @@ -92,7 +114,7 @@ func TestAccAwsWafv2IPSet_minimal(t *testing.T) { }) } -func TestAccAwsWafv2IPSet_changeNameForceNew(t *testing.T) { +func TestAccAwsWafv2IPSet_ChangeNameForceNew(t *testing.T) { var before, after wafv2.IPSet ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) ipSetNewName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) @@ -106,7 +128,7 @@ func TestAccAwsWafv2IPSet_changeNameForceNew(t *testing.T) { { Config: testAccAwsWafv2IPSetConfig(ipSetName), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &before), + testAccCheckAWSWafv2IPSetExists(resourceName, &before), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "name", ipSetName), resource.TestCheckResourceAttr(resourceName, "description", ipSetName), @@ -118,7 +140,7 @@ func TestAccAwsWafv2IPSet_changeNameForceNew(t *testing.T) { { Config: testAccAwsWafv2IPSetConfig(ipSetNewName), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &after), + testAccCheckAWSWafv2IPSetExists(resourceName, &after), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "name", ipSetNewName), resource.TestCheckResourceAttr(resourceName, "description", ipSetNewName), @@ -131,7 +153,7 @@ func TestAccAwsWafv2IPSet_changeNameForceNew(t *testing.T) { }) } -func TestAccAwsWafv2IPSet_tags(t *testing.T) { +func TestAccAwsWafv2IPSet_Tags(t *testing.T) { var v wafv2.IPSet ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) resourceName := "aws_wafv2_ip_set.ip_set" @@ -144,7 +166,7 @@ func TestAccAwsWafv2IPSet_tags(t *testing.T) { { Config: testAccAwsWafv2IPSetConfigOneTag(ipSetName, "Tag1", "Value1"), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccCheckAWSWafv2IPSetExists(resourceName, &v), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), resource.TestCheckResourceAttr(resourceName, "tags.Tag1", "Value1"), @@ -159,7 +181,7 @@ func TestAccAwsWafv2IPSet_tags(t *testing.T) { { Config: testAccAwsWafv2IPSetConfigTwoTags(ipSetName, "Tag1", "Value1Updated", "Tag2", "Value2"), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccCheckAWSWafv2IPSetExists(resourceName, &v), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), resource.TestCheckResourceAttr(resourceName, "tags.Tag1", "Value1Updated"), @@ -169,7 +191,7 @@ func TestAccAwsWafv2IPSet_tags(t *testing.T) { { Config: testAccAwsWafv2IPSetConfigOneTag(ipSetName, "Tag2", "Value2"), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSWafv2IPSetExists("aws_wafv2_ip_set.ip_set", &v), + testAccCheckAWSWafv2IPSetExists(resourceName, &v), testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), resource.TestCheckResourceAttr(resourceName, "tags.Tag2", "Value2"), From f848f090d2f2aba8fccd57ff5d882af34411845c Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Wed, 6 May 2020 23:09:43 +0200 Subject: [PATCH 15/19] Suppress IPv6 state diffs --- aws/resource_aws_wafv2_ip_set.go | 22 ++++++++++++ aws/resource_aws_wafv2_ip_set_test.go | 51 +++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 317f9f20548..6c95d656642 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -42,6 +42,28 @@ func resourceAwsWafv2IPSet() *schema.Resource { Optional: true, MaxItems: 50, Elem: &schema.Schema{Type: schema.TypeString}, + DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { + o, n := d.GetChange("addresses") + oldAddresses := o.(*schema.Set).List() + newAddresses := n.(*schema.Set).List() + if len(oldAddresses) == len(newAddresses) { + for _, ov := range oldAddresses { + hasAddress := false + for _, nv := range newAddresses { + // isIpv6CidrsEquals works for both IPv4 and IPv6 + if isIpv6CidrsEquals(ov.(string), nv.(string)) { + hasAddress = true + break + } + } + if !hasAddress { + return false + } + } + return true + } + return false + }, }, "arn": { Type: schema.TypeString, diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index da0ef229f8d..4d12fb832f3 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -82,6 +82,41 @@ func TestAccAwsWafv2IPSet_Disappears(t *testing.T) { }) } +func TestAccAwsWafv2IPSet_IPv6(t *testing.T) { + var v wafv2.IPSet + ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) + resourceName := "aws_wafv2_ip_set.ip_set" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSWafv2IPSetDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsWafv2IPSetConfigIPv6(ipSetName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSWafv2IPSetExists(resourceName, &v), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/ipset/.+$`)), + resource.TestCheckResourceAttr(resourceName, "name", ipSetName), + resource.TestCheckResourceAttr(resourceName, "description", ipSetName), + resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional), + resource.TestCheckResourceAttr(resourceName, "ip_address_version", wafv2.IPAddressVersionIpv6), + resource.TestCheckResourceAttr(resourceName, "addresses.#", "3"), + resource.TestCheckResourceAttr(resourceName, "addresses.1676510651", "1234:5678:9abc:6811:0000:0000:0000:0000/64"), + resource.TestCheckResourceAttr(resourceName, "addresses.3671909787", "2001:db8::/32"), + resource.TestCheckResourceAttr(resourceName, "addresses.4089736081", "0:0:0:0:0:ffff:7f00:1/64"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccAWSWafv2IPSetImportStateIdFunc(resourceName), + }, + }, + }) +} + func TestAccAwsWafv2IPSet_Minimal(t *testing.T) { var v wafv2.IPSet ipSetName := fmt.Sprintf("ip-set-%s", acctest.RandString(5)) @@ -294,6 +329,22 @@ resource "aws_wafv2_ip_set" "ip_set" { `, name) } +func testAccAwsWafv2IPSetConfigIPv6(name string) string { + return fmt.Sprintf(` +resource "aws_wafv2_ip_set" "ip_set" { + name = "%s" + description = "%s" + scope = "REGIONAL" + ip_address_version = "IPV6" + addresses = [ + "0:0:0:0:0:ffff:7f00:1/64", + "1234:5678:9abc:6811:0000:0000:0000:0000/64", + "2001:db8::/32" + ] +} +`, name, name) +} + func testAccAwsWafv2IPSetConfigMinimal(name string) string { return fmt.Sprintf(` resource "aws_wafv2_ip_set" "ip_set" { From 5e80d7899afcde9195c652bbd392450a6f2690ec Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Mon, 11 May 2020 21:58:12 +0200 Subject: [PATCH 16/19] Remove error message condition --- aws/resource_aws_wafv2_ip_set.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 6c95d656642..1daebf2fc49 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -151,7 +151,7 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { resp, err := conn.GetIPSet(params) if err != nil { - if isAWSErr(err, wafv2.ErrCodeWAFNonexistentItemException, "AWS WAF couldn’t perform the operation because your resource doesn’t exist") { + if isAWSErr(err, wafv2.ErrCodeWAFNonexistentItemException, "") { log.Printf("[WARN] WAFv2 IPSet (%s) not found, removing from state", d.Id()) d.SetId("") return nil @@ -235,7 +235,7 @@ func resourceAwsWafv2IPSetDelete(d *schema.ResourceData, meta interface{}) error var err error _, err = conn.DeleteIPSet(params) if err != nil { - if isAWSErr(err, wafv2.ErrCodeWAFAssociatedItemException, "AWS WAF couldn’t perform the operation because your resource is being used by another resource or it’s associated with another resource") { + if isAWSErr(err, wafv2.ErrCodeWAFAssociatedItemException, "") { return resource.RetryableError(err) } return resource.NonRetryableError(err) From 2afecdcb451842a0c7c23715599d35d0a1083fc4 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Wed, 13 May 2020 22:03:55 +0200 Subject: [PATCH 17/19] Add extra error checking --- aws/resource_aws_wafv2_ip_set.go | 10 +++++++--- aws/resource_aws_wafv2_ip_set_test.go | 18 ++++++++---------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 1daebf2fc49..83e7c53dfd8 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -130,11 +130,11 @@ func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error resp, err := conn.CreateIPSet(params) - if err != nil { + if err != nil || resp == nil || resp.Summary == nil { return fmt.Errorf("Error creating WAFv2 IPSet: %s", err) } - d.SetId(*resp.Summary.Id) + d.SetId(aws.StringValue(resp.Summary.Id)) return resourceAwsWafv2IPSetRead(d, meta) } @@ -160,6 +160,10 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { return err } + if resp == nil || resp.IPSet == nil { + return fmt.Errorf("Error reading WAFv2 IPSet") + } + d.Set("name", resp.IPSet.Name) d.Set("description", resp.IPSet.Description) d.Set("ip_address_version", resp.IPSet.IPAddressVersion) @@ -170,7 +174,7 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error setting addresses: %s", err) } - tags, err := keyvaluetags.Wafv2ListTags(conn, *resp.IPSet.ARN) + tags, err := keyvaluetags.Wafv2ListTags(conn, aws.StringValue(resp.IPSet.ARN)) if err != nil { return fmt.Errorf("Error listing tags for WAFv2 IpSet (%s): %s", *resp.IPSet.ARN, err) } diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 4d12fb832f3..0787f145a8d 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -6,7 +6,6 @@ import ( "testing" "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/service/wafv2" "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/helper/resource" @@ -251,16 +250,15 @@ func testAccCheckAWSWafv2IPSetDestroy(s *terraform.State) error { }) if err == nil { - if *resp.IPSet.Id == rs.Primary.ID { - return fmt.Errorf("WAFV2 IPSet %s still exists", rs.Primary.ID) + if aws.StringValue(resp.IPSet.Id) == rs.Primary.ID && resp != nil && resp.IPSet != nil { + return fmt.Errorf("WAFv2 IPSet %s still exists", rs.Primary.ID) } + return nil } // Return nil if the IPSet is already destroyed - if awsErr, ok := err.(awserr.Error); ok { - if awsErr.Code() == wafv2.ErrCodeWAFNonexistentItemException { - return nil - } + if isAWSErr(err, wafv2.ErrCodeWAFNonexistentItemException, "") { + return nil } return err @@ -277,7 +275,7 @@ func testAccCheckAWSWafv2IPSetExists(n string, v *wafv2.IPSet) resource.TestChec } if rs.Primary.ID == "" { - return fmt.Errorf("No WAFV2 IPSet ID is set") + return fmt.Errorf("No WAFv2 IPSet ID is set") } conn := testAccProvider.Meta().(*AWSClient).wafv2conn @@ -291,12 +289,12 @@ func testAccCheckAWSWafv2IPSetExists(n string, v *wafv2.IPSet) resource.TestChec return err } - if *resp.IPSet.Id == rs.Primary.ID { + if aws.StringValue(resp.IPSet.Id) == rs.Primary.ID && resp != nil && resp.IPSet != nil { *v = *resp.IPSet return nil } - return fmt.Errorf("WAFV2 IPSet (%s) not found", rs.Primary.ID) + return fmt.Errorf("WAFv2 IPSet (%s) not found", rs.Primary.ID) } } From 3dd120d57db515e58126b918c2cbdd7d713c4ba0 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Thu, 14 May 2020 22:32:08 +0200 Subject: [PATCH 18/19] Improve nil checks --- aws/resource_aws_wafv2_ip_set.go | 17 ++++++++++------- aws/resource_aws_wafv2_ip_set_test.go | 11 +++++++++-- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 83e7c53dfd8..2019da2293e 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -130,10 +130,14 @@ func resourceAwsWafv2IPSetCreate(d *schema.ResourceData, meta interface{}) error resp, err := conn.CreateIPSet(params) - if err != nil || resp == nil || resp.Summary == nil { + if err != nil { return fmt.Errorf("Error creating WAFv2 IPSet: %s", err) } + if resp == nil || resp.Summary == nil { + return fmt.Errorf("Error creating WAFv2 IPSet") + } + d.SetId(aws.StringValue(resp.Summary.Id)) return resourceAwsWafv2IPSetRead(d, meta) @@ -156,7 +160,6 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { d.SetId("") return nil } - return err } @@ -164,11 +167,11 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error reading WAFv2 IPSet") } - d.Set("name", resp.IPSet.Name) - d.Set("description", resp.IPSet.Description) - d.Set("ip_address_version", resp.IPSet.IPAddressVersion) - d.Set("arn", resp.IPSet.ARN) - d.Set("lock_token", resp.LockToken) + d.Set("name", aws.StringValue(resp.IPSet.Name)) + d.Set("description", aws.StringValue(resp.IPSet.Description)) + d.Set("ip_address_version", aws.StringValue(resp.IPSet.IPAddressVersion)) + d.Set("arn", aws.StringValue(resp.IPSet.ARN)) + d.Set("lock_token", aws.StringValue(resp.LockToken)) if err := d.Set("addresses", flattenStringSet(resp.IPSet.Addresses)); err != nil { return fmt.Errorf("Error setting addresses: %s", err) diff --git a/aws/resource_aws_wafv2_ip_set_test.go b/aws/resource_aws_wafv2_ip_set_test.go index 0787f145a8d..dacd0567f2a 100644 --- a/aws/resource_aws_wafv2_ip_set_test.go +++ b/aws/resource_aws_wafv2_ip_set_test.go @@ -250,7 +250,10 @@ func testAccCheckAWSWafv2IPSetDestroy(s *terraform.State) error { }) if err == nil { - if aws.StringValue(resp.IPSet.Id) == rs.Primary.ID && resp != nil && resp.IPSet != nil { + if resp == nil || resp.IPSet == nil { + return fmt.Errorf("Error getting WAFv2 IPSet") + } + if aws.StringValue(resp.IPSet.Id) == rs.Primary.ID { return fmt.Errorf("WAFv2 IPSet %s still exists", rs.Primary.ID) } return nil @@ -289,7 +292,11 @@ func testAccCheckAWSWafv2IPSetExists(n string, v *wafv2.IPSet) resource.TestChec return err } - if aws.StringValue(resp.IPSet.Id) == rs.Primary.ID && resp != nil && resp.IPSet != nil { + if resp == nil || resp.IPSet == nil { + return fmt.Errorf("Error getting WAFv2 IPSet") + } + + if aws.StringValue(resp.IPSet.Id) == rs.Primary.ID { *v = *resp.IPSet return nil } From 9eb4e157ec9cbf919685657e62f56ccfc15b9e94 Mon Sep 17 00:00:00 2001 From: Pascal van Buijtene Date: Fri, 15 May 2020 18:27:51 +0200 Subject: [PATCH 19/19] Apply review changes --- aws/resource_aws_wafv2_ip_set.go | 5 +++-- website/docs/r/wafv2_ip_set.html.markdown | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/aws/resource_aws_wafv2_ip_set.go b/aws/resource_aws_wafv2_ip_set.go index 2019da2293e..da0f648e772 100644 --- a/aws/resource_aws_wafv2_ip_set.go +++ b/aws/resource_aws_wafv2_ip_set.go @@ -177,9 +177,10 @@ func resourceAwsWafv2IPSetRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error setting addresses: %s", err) } - tags, err := keyvaluetags.Wafv2ListTags(conn, aws.StringValue(resp.IPSet.ARN)) + arn := aws.StringValue(resp.IPSet.ARN) + tags, err := keyvaluetags.Wafv2ListTags(conn, arn) if err != nil { - return fmt.Errorf("Error listing tags for WAFv2 IpSet (%s): %s", *resp.IPSet.ARN, err) + return fmt.Errorf("Error listing tags for WAFv2 IpSet (%s): %s", arn, err) } if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { diff --git a/website/docs/r/wafv2_ip_set.html.markdown b/website/docs/r/wafv2_ip_set.html.markdown index 7b36423fee2..10fa926bbe6 100644 --- a/website/docs/r/wafv2_ip_set.html.markdown +++ b/website/docs/r/wafv2_ip_set.html.markdown @@ -47,7 +47,7 @@ In addition to all arguments above, the following attributes are exported: ## Import -WAFv2 IP Sets can be imported using their ID, Name and Scope e.g. +WAFv2 IP Sets can be imported using `ID/name/scope` ``` $ terraform import aws_wafv2_ip_set.example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc/example/REGIONAL