Terraform-provider-aws: Attaching Regional WAF to API Gateway re-applies every update

Created on 13 Nov 2018  ·  5 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform version 0.11.8
AWS Provider version: 1.43.2

Affected Resource(s)

  • aws_wafregional_web_acl_association

Terraform Configuration Files

I haven't got a simple example that I can share currently; however, the aws_wafregional_web_acl_association was originally designed for attaching a regional WAF to an application load balancer. The resource works for an API Gateway, however on refresh it fails to detect that the WAF is associated with the API Gateway and re-associates it.

This appears to be because the AWS API check for ListResourcesForWebACL only returns application load balancer results by default, and would require an additional call (passing resource type = API_GATEWAY) to check for the API Gateway association.
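As an added illustration of the Read-side fix this report implies (my own example, not the provider's code, which goes through the AWS SDK): infer the ResourceType from the ARN's service field and pass it on every ListResourcesForWebACL lookup. `fakeAPI` is a constructed stand-in that reproduces the CLI results shown under Important Factoids, and `serviceToType`, `resourceTypeForARN` and `isAssociated` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// ResourceType values WAF Regional's ListResourcesForWebACL accepts, keyed by the ARN's service field.
var serviceToType = map[string]string{
	"elasticloadbalancing": "APPLICATION_LOAD_BALANCER",
	"apigateway":           "API_GATEWAY",
}

// resourceTypeForARN infers which ResourceType to pass from the ARN being checked.
func resourceTypeForARN(arn string) (string, error) {
	if parts := strings.SplitN(arn, ":", 6); len(parts) == 6 && parts[0] == "arn" {
		if rt, ok := serviceToType[parts[2]]; ok {
			return rt, nil
		}
	}
	return "", fmt.Errorf("unsupported or malformed ARN %q", arn)
}

// isAssociated is what the provider's Read should do: infer the type from the ARN, pass it to the
// list call (a func stand-in for the API; "" would mean the parameter was omitted), then look for the ARN.
func isAssociated(list func(webACLID, resourceType string) ([]string, error), webACLID, resourceARN string) (bool, error) {
	rt, err := resourceTypeForARN(resourceARN)
	if err != nil {
		return false, err
	}
	arns, err := list(webACLID, rt)
	if err != nil {
		return false, err
	}
	for _, a := range arns {
		if a == resourceARN {
			return true, nil
		}
	}
	return false, nil
}

// fakeAPI (constructed, not the AWS SDK) mirrors the CLI output in this report: the stage ARN
// is returned only when ResourceType=API_GATEWAY is passed, never when it is omitted.
func fakeAPI(webACLID, resourceType string) ([]string, error) {
	if resourceType == "API_GATEWAY" {
		return []string{"arn:aws:apigateway:ap-southeast-2::/restapis/abqmyzzv6d/stages/dev"}, nil
	}
	return nil, nil
}
```

With the type inferred, the association is found on refresh and the plan shows nothing to do; calling the same stand-in with the type omitted returns an empty list, which is exactly the state the provider misread.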

Expected Behavior

With no changes, a terraform plan should return nothing to do.

Actual Behavior

Wants to perform the association on every plan/apply:

  • module.automation_infrastructure.module.module-name-goes-here.aws_wafregional_web_acl_association.waf_association
    id:
    resource_arn: "arn:aws:apigateway:ap-southeast-2::/restapis/abqmyzzv6d/stages/dev"
    web_acl_id: "ebe3ecfd-e4a0-4ec3-ae85-a6c21146c232"

Steps to Reproduce

  1. terraform apply

Important Factoids

Testing the ListResourcesForWebACL call:

$ aws waf-regional list-resources-for-web-acl --web-acl-id "ebe3ecfd-e4a0-4ec3-ae85-a6c21146c232"
{
    "ResourceArns": []
}
$ aws waf-regional list-resources-for-web-acl --web-acl-id "ebe3ecfd-e4a0-4ec3-ae85-a6c21146c232" --resource-type APPLICATION_LOAD_BALANCER
{
    "ResourceArns": []
}
$ aws waf-regional list-resources-for-web-acl --web-acl-id "ebe3ecfd-e4a0-4ec3-ae85-a6c21146c232" --resource-type API_GATEWAY
{
    "ResourceArns": [
        "arn:aws:apigateway:ap-southeast-2::/restapis/abqmyzzv6d/stages/dev"
    ]
}

References

It doesn't actually specify that the ListResourcesForWebACL call only returns APPLICATION_LOAD_BALANCER results when no resource type is specified, but my testing appears to demonstrate that this is the case.
AWS ListResourcesForWebACL Documentation

Labels: enhancement, service/waf

All 5 comments

(Note on issue labelling: we don't currently list API Gateway support in the resource documentation, so it's an enhancement)

@bflad Apologies for poking you directly, but there's an open PR that appears to resolve this problem, but it isn't getting any attention. Can you assist with getting this reviewed?

Support for additional resource ARN types (e.g. API Gateway) has been merged and will release with version 2.6.0 of the Terraform AWS Provider later today. 👍

This has been released in version 2.6.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
