Terraform-provider-aws: [WAFv2] resource/wafv2_rule_group: recreated on any changes to the rules

Created on 7 Jul 2020  ·  6 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment


Relates #13936

Terraform Version

Terraform v0.12.26
provider.aws v2.67.0

Affected Resource(s)

aws_wafv2_rule_group

Terraform Configuration Files

resource "aws_wafv2_rule_group" "example" {
  capacity    = 50
  name        = "tf-acc-test-123"
  description = "tf-acc-test-123"
  scope       = "REGIONAL"

  rule {
    name     = "rule-2"
    priority = 10

    action {
      block {}
    }

    statement {
      size_constraint_statement {
        comparison_operator = "LT"
        size                = 50

        field_to_match {
          query_string {}
        }

        text_transformation {
          priority = 5
          type     = "NONE"
        }

        text_transformation {
          priority = 2
          type     = "CMD_LINE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

Expected Behavior


I expected the resource aws_wafv2_rule_group to just be updated and not recreated when I changed, for example, the priority of a rule.

Actual Behavior


When making any changes to the rules, the resource aws_wafv2_rule_group is recreated.

 - rule { # forces replacement
          - name     = "rule-2" -> null
          - priority = 10 -> null

          - action {

              - block {}
            }

          - statement {

              - size_constraint_statement {
                  - comparison_operator = "LT" -> null
                  - size                = 50 -> null

                  - field_to_match {

                      - query_string {}
                    }

                  - text_transformation {
                      - priority = 2 -> null
                      - type     = "CMD_LINE" -> null
                    }
                  - text_transformation {
                      - priority = 5 -> null
                      - type     = "NONE" -> null
                    }
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = false -> null
              - metric_name                = "friendly-rule-metric-name" -> null
              - sampled_requests_enabled   = false -> null
            }
        }
 + rule { # forces replacement
          + name     = "rule-2"
          + priority = 1

          + action {

              + block {}
            }

          + statement {

              + size_constraint_statement {
                  + comparison_operator = "LT"
                  + size                = 50

                  + field_to_match {

                      + query_string {}
                    }

                  + text_transformation {
                      + priority = 2
                      + type     = "CMD_LINE"
                    }
                  + text_transformation {
                      + priority = 5
                      + type     = "NONE"
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = false
              + metric_name                = "friendly-rule-metric-name"
              + sampled_requests_enabled   = false
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = false
            metric_name                = "friendly-metric-name"
            sampled_requests_enabled   = false
        }
    }

Steps to Reproduce

Just change the rule priority

Labels: bug, service/wafv2

All 6 comments

We just ran into this today as well. It does seem overly destructive to delete the resource, in this case, to update the rules.

I am also seeing the same behavior with aws_wafv2_web_acl.

Ran into this recently and am looking for a resolution - in this case, any removal of a rule from the aws_wafv2_web_acl resource results in a tear-down of the firewall. This resource is not suitable for a production environment with a break-glass scenario that requires updates to the rules in-place to meet security requirements (i.e. enforce some private access controls).

Happy to put in the steps to reproduce, it's the same scenario as per above, directly targeting the aws_wafv2_web_acl resource itself.

A fix has been merged and will release with v3.2.0 of the Terraform AWS Provider, expected out later today.

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
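The lasting fix is the provider upgrade above (v3.2.0 or later), but a rule group or web ACL being silently destroyed and recreated is exactly the kind of plan a CI pipeline should refuse, since the rules are gone between the delete and the create. The following is an added example, not code from the issue or the provider: it reads the JSON form of a plan (`terraform show -json tfplan`), which is real Terraform output, and fails when any aws_wafv2_* resource is planned as delete plus create (the JSON equivalent of the `# forces replacement` markers in the plan text above). The embedded SAMPLE_PLAN is constructed to mirror this issue, not captured from a real run, and the script name check_wafv2_plan.py in the usage note is an assumption.

```python
"""Gate a Terraform plan on unexpected delete+create of WAFv2 resources.

Added example, not part of the issue or the provider. It inspects the
resource_changes list of `terraform show -json` output and reports any
aws_wafv2_* resource whose planned actions include both "delete" and
"create": a replacement, which leaves the protected endpoint without
its rules between the two API calls.
"""
import json
import sys

WATCHED_TYPES = ("aws_wafv2_rule_group", "aws_wafv2_web_acl")


def replaced_resources(plan, watched=WATCHED_TYPES):
    """Return addresses of watched resources that the plan would replace.

    Terraform encodes a replacement as ["delete", "create"] or, with
    create_before_destroy, ["create", "delete"]; both are caught by the
    subset check. In-place updates (["update"]) pass through.
    """
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in watched:
            continue
        actions = set(rc.get("change", {}).get("actions", []))
        if {"delete", "create"} <= actions:
            hits.append(rc["address"])
    return hits


# Constructed sample (not real output) mirroring the issue: with provider
# v2.67.0 a rule priority change plans the rule group as delete+create,
# while the web ACL here is an ordinary in-place update.
SAMPLE_PLAN = {
    "format_version": "0.1",
    "resource_changes": [
        {
            "address": "aws_wafv2_rule_group.example",
            "type": "aws_wafv2_rule_group",
            "name": "example",
            "change": {
                "actions": ["delete", "create"],
                "before": {"rule": [{"name": "rule-2", "priority": 10}]},
                "after": {"rule": [{"name": "rule-2", "priority": 1}]},
            },
        },
        {
            "address": "aws_wafv2_web_acl.example",
            "type": "aws_wafv2_web_acl",
            "name": "example",
            "change": {"actions": ["update"], "before": {}, "after": {}},
        },
    ],
}


def main(argv):
    """Exit non-zero if any watched resource would be replaced."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    hits = replaced_resources(plan)
    for addr in hits:
        print(f"REFUSING: {addr} would be destroyed and recreated")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage in a pipeline: `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python3 check_wafv2_plan.py plan.json`, and only run `terraform apply tfplan` on exit status 0. Terraform's own guard for the same outcome is `lifecycle { prevent_destroy = true }` on the rule group or web ACL, which makes the plan itself error on any replacement; the script adds the same protection for resources where that setting was forgotten and gives a readable list of what would have been torn down.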

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
