Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

resource/wafv2_web_acl: remove force_new property from arguments to prevent resource recreation #14616

Merged
merged 1 commit into from
Aug 13, 2020

Conversation

anGie44
Copy link
Contributor

@anGie44 anGie44 commented Aug 13, 2020

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #13936
Fixes #14035
Fixes #14029

Notes:

  • rule name and rule visibility_config metric_name can be changed via the SDK just like in the AWS Console, no longer requiring the ForceNew property which was also the cause of the forced recreation behavior

Release note for CHANGELOG:

resource/wafv2_web_acl: remove ForceNew property from rule.name and rule.visibility_config.metric_name

Output from acceptance testing:

--- FAIL: TestAccAwsWafv2WebACL_RuleGroupReferenceStatement (2272.86s) -- related to v2 SDK change when calculating set index to compare ARN
--- PASS: TestAccAwsWafv2WebACL_Disappears (2624.62s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_webACLDisappears (2810.12s)
--- PASS: TestAccAwsWafv2WebACL_Minimal (3069.09s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_disappears (3131.46s)
--- PASS: TestAccAwsWafv2WebACLAssociation_basic (3163.23s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_basic (3201.17s)
--- PASS: TestAccAwsWafv2WebACL_basic (3247.90s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements (4075.84s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedOperatorStatements (4079.01s)
--- PASS: TestAccAwsWafv2WebACLAssociation_Disappears (4492.55s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_changeLogDestinationConfigsForceNew (4586.87s)
--- PASS: TestAccAwsWafv2WebACL_ChangeNameForceNew (4845.73s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_changeResourceARNForceNew (4895.22s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_update (5297.34s)
--- PASS: TestAccAwsWafv2WebACL_ManagedRuleGroupStatement (5485.60s)
--- PASS: TestAccAwsWafv2WebACL_RateBasedStatement (5505.18s)
--- PASS: TestAccAwsWafv2WebACL_Tags (5556.15s)
--- PASS: TestAccAwsWafv2WebACL_updateRule (5690.97s)
--- PASS: TestAccAwsWafv2WebACL_UpdateRuleProperties (6207.71s)

@anGie44 anGie44 added the bug Addresses a defect in current functionality. label Aug 13, 2020
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. service/wafv2 Issues and PRs that pertain to the wafv2 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Aug 13, 2020
@anGie44 anGie44 force-pushed the b-wafv2-web-acl-rule branch from 3861ca0 to 981800c Compare August 13, 2020 08:39
@@ -253,7 +252,7 @@ func resourceAwsWafv2WebACLUpdate(d *schema.ResourceData, meta interface{}) erro
Scope: aws.String(d.Get("scope").(string)),
LockToken: aws.String(d.Get("lock_token").(string)),
DefaultAction: expandWafv2DefaultAction(d.Get("default_action").([]interface{})),
Rules: expandWafv2Rules(d.Get("rule").(*schema.Set).List()),
Rules: expandWafv2WebACLRules(d.Get("rule").(*schema.Set).List()),
Copy link
Contributor Author

@anGie44 anGie44 Aug 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

addresses TestAccAwsWafv2WebACL_ManagedRuleGroupStatement and TestAccAwsWafv2WebACL_RateBasedStatement test failures as now they actually attempt to do an update vs. a destroy/create, exposing the bug reported in #14035

@anGie44 anGie44 marked this pull request as ready for review August 13, 2020 08:43
@anGie44 anGie44 requested a review from a team August 13, 2020 08:43
@bflad bflad self-assigned this Aug 13, 2020
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me 🚀 Two additional recommendations:

  • Adding documentation to the rule configuration block name argument to note that it cannot be updated
  • Adjusting the CHANGELOG message to be a little more operator-centric rather than developer-centric (e.g. Prevent unnecessary resource recreation with rule updates)

Output from acceptance testing (test failure unrelated):

--- FAIL: TestAccAwsWafv2WebACL_RuleGroupReferenceStatement (2297.93s)
--- PASS: TestAccAwsWafv2WebACL_basic (3247.90s)
--- PASS: TestAccAwsWafv2WebACL_ChangeNameForceNew (4845.73s)
--- PASS: TestAccAwsWafv2WebACL_Disappears (2624.62s)
--- PASS: TestAccAwsWafv2WebACL_ManagedRuleGroupStatement (5485.60s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedOperatorStatements (4079.01s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements (4075.84s)
--- PASS: TestAccAwsWafv2WebACL_Minimal (3069.09s)
--- PASS: TestAccAwsWafv2WebACL_RateBasedStatement (5505.18s)
--- PASS: TestAccAwsWafv2WebACL_Tags (5556.15s)
--- PASS: TestAccAwsWafv2WebACL_updateRule (5690.97s)
--- PASS: TestAccAwsWafv2WebACL_UpdateRuleProperties (6207.71s)

@anGie44
Copy link
Contributor Author

anGie44 commented Aug 13, 2020

thanks for the review @bflad! so interestingly enough, name and the visibility_configuration.metric_name can be updated in-place, contrary to what the AWS docs led us to believe... e.g. when building the provider off this branch and only the name attribute is changed in a config from RateLimit -> RateLimitUpdated:

  # aws_wafv2_web_acl.demo-waf will be updated in-place
  ~ resource "aws_wafv2_web_acl" "demo-waf" {
        arn         = "arn:aws:wafv2:us-west-1:xxxxxxxx:regional/webacl/Demo-WAF/92915db0-1a37-45f8-a638-43a892f9f75c"
        capacity    = 2
        description = "Demo-WAF"
        id          = "92915db0-1a37-45f8-a638-43a892f9f75c"
        name        = "Demo-WAF"
        scope       = "REGIONAL"
        tags        = {}

        default_action {

            block {}
        }

      - rule {
          - name     = "RateLimit" -> null
          - priority = 200 -> null

          - action {

              - block {}
            }
....
      + rule {
          + name     = "RateLimitUpdated"
          + priority = 200

          + action {

              + block {}
            }

and then applying this plan succeeds:

aws_wafv2_web_acl.demo-waf: Modifying... [id=92915db0-1a37-45f8-a638-43a892f9f75c]
aws_wafv2_web_acl.demo-waf: Still modifying... [id=92915db0-1a37-45f8-a638-43a892f9f75c, 10s elapsed]
aws_wafv2_web_acl.demo-waf: Modifications complete after 11s [id=92915db0-1a37-45f8-a638-43a892f9f75c]

with no subsequent plan-time changes:

aws_wafv2_web_acl.demo-waf: Refreshing state... [id=92915db0-1a37-45f8-a638-43a892f9f75c]

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

so i think it's safe to keep the docs as is 👍 the same behavior is true for the metric_name attribute that no longer has ForceNew

@anGie44 anGie44 merged commit 0410b9f into master Aug 13, 2020
@anGie44 anGie44 added this to the v3.2.0 milestone Aug 13, 2020
anGie44 added a commit that referenced this pull request Aug 13, 2020
@anGie44 anGie44 deleted the b-wafv2-web-acl-rule branch August 13, 2020 19:47
@ghost
Copy link

ghost commented Aug 14, 2020

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Sep 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
2 participants