catch in-use exception when removing WAF rule; linting

hashicorp · Mar 2, 2021 · 1291515 · 1291515
1 parent 4475c5d
commit 1291515
Show file tree

Hide file tree

Showing 4 changed files with 171 additions and 172 deletions.
diff --git a/aws/resource_aws_waf_rule.go b/aws/resource_aws_waf_rule.go
@@ -6,8 +6,8 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/arn"
-	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/service/waf"
+	"github.com/hashicorp/aws-sdk-go-base/tfawserr"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
@@ -95,7 +95,7 @@ func resourceAwsWafRuleCreate(d *schema.ResourceData, meta interface{}) error {
 		noPredicates := []interface{}{}
 		err := updateWafRuleResource(d.Id(), noPredicates, newPredicates, conn)
 		if err != nil {
-			return fmt.Errorf("Error Updating WAF Rule: %s", err)
+			return fmt.Errorf("error updating WAF Rule (%s): %w", d.Id(), err)
 		}
 	}
 
@@ -111,14 +111,24 @@ func resourceAwsWafRuleRead(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	resp, err := conn.GetRule(params)
+	if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, waf.ErrCodeNonexistentItemException) {
+		log.Printf("[WARN] WAF Rule (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
 	if err != nil {
-		if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == waf.ErrCodeNonexistentItemException {
-			log.Printf("[WARN] WAF Rule (%s) not found, removing from state", d.Id())
-			d.SetId("")
-			return nil
+		return fmt.Errorf("error getting WAF Rule (%s): %w", d.Id(), err)
+	}
+
+	if resp == nil || resp.Rule == nil {
+		if d.IsNewResource() {
+			return fmt.Errorf("error getting WAF Rule (%s): not found", d.Id())
 		}
 
-		return err
+		log.Printf("[WARN] WAF Rule (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
 	}
 
 	var predicates []map[string]interface{}
@@ -143,11 +153,11 @@ func resourceAwsWafRuleRead(d *schema.ResourceData, meta interface{}) error {
 	tags, err := keyvaluetags.WafListTags(conn, arn)
 
 	if err != nil {
-		return fmt.Errorf("error listing tags for WAF Rule (%s): %s", arn, err)
+		return fmt.Errorf("error listing tags for WAF Rule (%s): %w", d.Id(), err)
 	}
 
 	if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
-		return fmt.Errorf("error setting tags: %s", err)
+		return fmt.Errorf("error setting tags: %w", err)
 	}
 
 	d.Set("predicates", predicates)
@@ -166,15 +176,15 @@ func resourceAwsWafRuleUpdate(d *schema.ResourceData, meta interface{}) error {
 
 		err := updateWafRuleResource(d.Id(), oldP, newP, conn)
 		if err != nil {
-			return fmt.Errorf("Error Updating WAF Rule: %s", err)
+			return fmt.Errorf("error updating WAF Rule (%s): %w", d.Id(), err)
 		}
 	}
 
 	if d.HasChange("tags") {
 		o, n := d.GetChange("tags")
 
 		if err := keyvaluetags.WafUpdateTags(conn, d.Get("arn").(string), o, n); err != nil {
-			return fmt.Errorf("error updating tags: %s", err)
+			return fmt.Errorf("error updating WAF Rule (%s) tags: %w", d.Id(), err)
 		}
 	}
 
@@ -189,7 +199,7 @@ func resourceAwsWafRuleDelete(d *schema.ResourceData, meta interface{}) error {
 		noPredicates := []interface{}{}
 		err := updateWafRuleResource(d.Id(), oldPredicates, noPredicates, conn)
 		if err != nil {
-			return fmt.Errorf("Error updating WAF Rule Predicates: %s", err)
+			return fmt.Errorf("error updating WAF Rule (%s) predicates: %w", d.Id(), err)
 		}
 	}
 
@@ -199,11 +209,24 @@ func resourceAwsWafRuleDelete(d *schema.ResourceData, meta interface{}) error {
 			ChangeToken: token,
 			RuleId:      aws.String(d.Id()),
 		}
-		log.Printf("[INFO] Deleting WAF Rule")
-		return conn.DeleteRule(req)
+
+		output, err := conn.DeleteRule(req)
+
+		// Deleting a WAF Rule after being removed from a WAF WebACL
+		// can return a WAFReferencedItemException when attempted in quick succession;
+		// thus, we catch the error here and re-attempt
+		if tfawserr.ErrCodeEquals(err, waf.ErrCodeReferencedItemException) {
+			return output, nil
+		}
+
+		return output, err
 	})
+
 	if err != nil {
-		return fmt.Errorf("Error deleting WAF Rule: %s", err)
+		if tfawserr.ErrCodeEquals(err, waf.ErrCodeNonexistentItemException) {
+			return nil
+		}
+		return fmt.Errorf("error deleting WAF Rule (%s): %w", d.Id(), err)
 	}
 
 	return nil
@@ -221,7 +244,7 @@ func updateWafRuleResource(id string, oldP, newP []interface{}, conn *waf.WAF) e
 		return conn.UpdateRule(req)
 	})
 	if err != nil {
-		return fmt.Errorf("Error Updating WAF Rule: %s", err)
+		return fmt.Errorf("error updating WAF Rule (%s): %w", id, err)
 	}
 
 	return nil

diff --git a/aws/resource_aws_waf_rule_test.go b/aws/resource_aws_waf_rule_test.go
@@ -505,7 +505,7 @@ func testAccPreCheckAWSWaf(t *testing.T) {
 func testAccAWSWafRuleConfig(name string) string {
 	return fmt.Sprintf(`
 resource "aws_waf_ipset" "ipset" {
-  name = "%s"
+  name = %[1]q
 
   ip_set_descriptors {
     type  = "IPV4"
@@ -515,22 +515,22 @@ resource "aws_waf_ipset" "ipset" {
 
 resource "aws_waf_rule" "wafrule" {
   depends_on  = [aws_waf_ipset.ipset]
-  name        = "%s"
-  metric_name = "%s"
+  name        = %[1]q
+  metric_name = %[1]q
 
   predicates {
     data_id = aws_waf_ipset.ipset.id
     negated = false
     type    = "IPMatch"
   }
 }
-`, name, name, name)
+`, name)
 }
 
 func testAccAWSWafRuleConfigChangeName(name string) string {
 	return fmt.Sprintf(`
 resource "aws_waf_ipset" "ipset" {
-  name = "%s"
+  name = %[1]q
 
   ip_set_descriptors {
     type  = "IPV4"
@@ -540,22 +540,22 @@ resource "aws_waf_ipset" "ipset" {
 
 resource "aws_waf_rule" "wafrule" {
   depends_on  = [aws_waf_ipset.ipset]
-  name        = "%s"
-  metric_name = "%s"
+  name        = %[1]q
+  metric_name = %[1]q
 
   predicates {
     data_id = aws_waf_ipset.ipset.id
     negated = false
     type    = "IPMatch"
   }
 }
-`, name, name, name)
+`, name)
 }
 
 func testAccAWSWafRuleConfig_changePredicates(name string) string {
 	return fmt.Sprintf(`
 resource "aws_waf_ipset" "ipset" {
-  name = "%s"
+  name = %[1]q
 
   ip_set_descriptors {
     type  = "IPV4"
@@ -564,7 +564,7 @@ resource "aws_waf_ipset" "ipset" {
 }
 
 resource "aws_waf_byte_match_set" "set" {
-  name = "%s"
+  name = %[1]q
 
   byte_match_tuples {
     text_transformation   = "NONE"
@@ -579,31 +579,31 @@ resource "aws_waf_byte_match_set" "set" {
 }
 
 resource "aws_waf_rule" "wafrule" {
-  name        = "%s"
-  metric_name = "%s"
+  name        = %[1]q
+  metric_name = %[1]q
 
   predicates {
     data_id = aws_waf_byte_match_set.set.id
     negated = true
     type    = "ByteMatch"
   }
 }
-`, name, name, name, name)
+`, name)
 }
 
 func testAccAWSWafRuleConfig_noPredicates(name string) string {
 	return fmt.Sprintf(`
 resource "aws_waf_rule" "wafrule" {
-  name        = "%s"
-  metric_name = "%s"
+  name        = %[1]q
+  metric_name = %[1]q
 }
-`, name, name)
+`, name)
 }
 
 func testAccAWSWafRuleConfig_geoMatchSetPredicate(name string) string {
 	return fmt.Sprintf(`
 resource "aws_waf_geo_match_set" "geo_match_set" {
-  name = "%s"
+  name = %[1]q
 
   geo_match_constraint {
     type  = "Country"
@@ -612,22 +612,22 @@ resource "aws_waf_geo_match_set" "geo_match_set" {
 }
 
 resource "aws_waf_rule" "wafrule" {
-  name        = "%s"
-  metric_name = "%s"
+  name        = %[1]q
+  metric_name = %[1]q
 
   predicates {
     data_id = aws_waf_geo_match_set.geo_match_set.id
     negated = true
     type    = "GeoMatch"
   }
 }
-`, name, name, name)
+`, name)
 }
 
 func testAccAWSWafRuleConfigTags1(rName, tag1Key, tag1Value string) string {
 	return fmt.Sprintf(`
 resource "aws_waf_ipset" "ipset" {
-  name = "%s"
+  name = %[1]q
 
   ip_set_descriptors {
     type  = "IPV4"
@@ -637,8 +637,8 @@ resource "aws_waf_ipset" "ipset" {
 
 resource "aws_waf_rule" "wafrule" {
   depends_on  = [aws_waf_ipset.ipset]
-  name        = "%s"
-  metric_name = "%s"
+  name        = %[1]q
+  metric_name = %[1]q
 
   predicates {
     data_id = aws_waf_ipset.ipset.id
@@ -650,13 +650,13 @@ resource "aws_waf_rule" "wafrule" {
     %q = %q
   }
 }
-`, rName, rName, rName, tag1Key, tag1Value)
+`, rName, tag1Key, tag1Value)
 }
 
 func testAccAWSWafRuleConfigTags2(rName, tag1Key, tag1Value, tag2Key, tag2Value string) string {
 	return fmt.Sprintf(`
 resource "aws_waf_ipset" "ipset" {
-  name = "%s"
+  name = %[1]q
 
   ip_set_descriptors {
     type  = "IPV4"
@@ -666,8 +666,8 @@ resource "aws_waf_ipset" "ipset" {
 
 resource "aws_waf_rule" "wafrule" {
   depends_on  = [aws_waf_ipset.ipset]
-  name        = "%s"
-  metric_name = "%s"
+  name        = %[1]q
+  metric_name = %[1]q
 
   predicates {
     data_id = aws_waf_ipset.ipset.id
@@ -680,5 +680,5 @@ resource "aws_waf_rule" "wafrule" {
     %q = %q
   }
 }
-`, rName, rName, rName, tag1Key, tag1Value, tag2Key, tag2Value)
+`, rName, tag1Key, tag1Value, tag2Key, tag2Value)
 }