diff --git a/aws/resource_aws_waf_rate_based_rule.go b/aws/resource_aws_waf_rate_based_rule.go
index ea8fdf68a40..d1b4e24306d 100644
--- a/aws/resource_aws_waf_rate_based_rule.go
+++ b/aws/resource_aws_waf_rate_based_rule.go
@@ -171,7 +171,7 @@ func resourceAwsWafRateBasedRuleRead(d *schema.ResourceData, meta interface{}) e
 func resourceAwsWafRateBasedRuleUpdate(d *schema.ResourceData, meta interface{}) error {
 conn := meta.(*AWSClient).wafconn

- if d.HasChange("predicates") {
+ if d.HasChanges("predicates", "rate_limit") {
 o, n := d.GetChange("predicates")
 oldP, newP := o.(*schema.Set).List(), n.(*schema.Set).List()
 rateLimit := d.Get("rate_limit")
diff --git a/aws/resource_aws_waf_rate_based_rule_test.go b/aws/resource_aws_waf_rate_based_rule_test.go
index 22511f0638b..4cf524a1d3f 100644
--- a/aws/resource_aws_waf_rate_based_rule_test.go
+++ b/aws/resource_aws_waf_rate_based_rule_test.go
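Review bot: The widened condition `d.HasChanges("predicates", "rate_limit")` in resourceAwsWafRateBasedRuleUpdate has no comment explaining why a rate-limit change is handled inside the predicates branch, so a later cleanup could narrow it again. With the old condition a `rate_limit` edit with unchanged predicates skipped this branch, which presumably left the deployed WAF rule enforcing the previous threshold. I would add above the `if`: `// rate_limit is read and sent together with the predicate changes, so a rate_limit-only change must enter this branch too.` When only `rate_limit` changes, `oldP` and `newP` are identical; the helper that consumes them is outside the hunk, so confirm it still issues the update when the predicate diff is empty. The function body continues past the end of the hunk.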
@@ -156,6 +156,58 @@ func TestAccAWSWafRateBasedRule_changePredicates(t *testing.T) {
 })
 }

+// Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/9659
+func TestAccAWSWafRateBasedRule_changeRateLimit(t *testing.T) {
+ var ipset waf.IPSet
+ var before, after waf.RateBasedRule
+ var idx int
+ ruleName := fmt.Sprintf("wafrule%s", acctest.RandString(5))
+ resourceName := "aws_waf_rate_based_rule.wafrule"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSWaf(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSWafRuleDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSWafRateBasedRuleConfig_changeRateLimit(ruleName, 4000),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckAWSWafIPSetExists("aws_waf_ipset.ipset", &ipset),
+ testAccCheckAWSWafRateBasedRuleExists(resourceName, &before),
+ resource.TestCheckResourceAttr(resourceName, "name", ruleName),
+ resource.TestCheckResourceAttr(resourceName, "rate_limit", "4000"),
+ resource.TestCheckResourceAttr(resourceName, "predicates.#", "1"),
+ computeWafRateBasedRulePredicateWithIpSet(&ipset, false, "IPMatch", &idx),
+ tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "predicates.*", map[string]string{
+ "negated": "false",
+ "type": "IPMatch",
+ }),
+ ),
+ },
+ {
+ Config: testAccAWSWafRateBasedRuleConfig_changeRateLimit(ruleName, 3000),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckAWSWafIPSetExists("aws_waf_ipset.ipset", &ipset),
+ testAccCheckAWSWafRateBasedRuleExists(resourceName, &after),
+ resource.TestCheckResourceAttr(resourceName, "name", ruleName),
+ resource.TestCheckResourceAttr(resourceName, "rate_limit", "3000"),
+ resource.TestCheckResourceAttr(resourceName, "predicates.#", "1"),
+ computeWafRateBasedRulePredicateWithIpSet(&ipset, false, "IPMatch", &idx),
+ tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "predicates.*", map[string]string{
+ "negated": "false",
+ "type": "IPMatch",
+ }),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 // computeWafRateBasedRulePredicateWithIpSet calculates index
 // which isn't static because dataId is generated as part of the test
 func computeWafRateBasedRulePredicateWithIpSet(ipSet *waf.IPSet, negated bool, pType string, idx *int) resource.TestCheckFunc {
@@ -400,6 +452,33 @@ resource "aws_waf_rate_based_rule" "wafrule" {
 `, name, name, name)
 }

+func testAccAWSWafRateBasedRuleConfig_changeRateLimit(name string, rateLimit int) string {
+ return fmt.Sprintf(`
+resource "aws_waf_ipset" "ipset" {
+ name = "%s"
+
+ ip_set_descriptors {
+ type = "IPV4"
+ value = "192.0.7.0/24"
+ }
+}
+
+resource "aws_waf_rate_based_rule" "wafrule" {
+ depends_on = [aws_waf_ipset.ipset]
+ name = "%[1]s"
+ metric_name = "%[1]s"
+ rate_key = "IP"
+ rate_limit = %[2]d
+
+ predicates {
+ data_id = aws_waf_ipset.ipset.id
+ negated = false
+ type = "IPMatch"
+ }
+}
+`, name, rateLimit)
+}
+
 func testAccAWSWafRateBasedRuleConfigChangeName(name string) string {
 return fmt.Sprintf(`
 resource "aws_waf_ipset" "ipset" {
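Review bot: In TestAccAWSWafRateBasedRule_changeRateLimit, `before` and `after` are passed to testAccCheckAWSWafRateBasedRuleExists but never read afterwards, so the new limit is asserted only through the `rate_limit` state attribute. Because the regression being covered is the deployed rule not following the configuration, the second step should also check the object presumably fetched from the API, for example with a small check function containing `if after.RateLimit == nil || *after.RateLimit != 3000 { return fmt.Errorf("rate limit not updated on the rule") }`. Comparing `before.RuleId` with `after.RuleId` in the same function would additionally pin that the change is an in-place update rather than a replacement. If neither check is wanted, drop the two variables and pass a throwaway value so the unused captures do not suggest a comparison that is not made.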
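Review bot: The template in testAccAWSWafRateBasedRuleConfig_changeRateLimit mixes an implicit `%s` for the ipset name with explicit `%[1]s` and `%[2]d` further down. It renders correctly today because the implicit verb consumes the first argument, but reordering the template or adding a verb above it would silently shift which value lands where. I would index every verb and write the ipset line as `name = "%[1]s"`. Separately, `depends_on = [aws_waf_ipset.ipset]` repeats the dependency that `data_id = aws_waf_ipset.ipset.id` already creates; keep it only if the sibling configs in this file follow the same convention.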