Rules are constantly recreated #138

Open
remi-f-artelia opened this issue Oct 10, 2024 · 0 comments
What is the current behavior?

When Terraform runs over an existing aws_wafv2_web_acl, it constantly detects a change in the rules and recreates them, even if there is no change.

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

# module.waf.aws_wafv2_web_acl.main[0] has changed
  ~ resource "aws_wafv2_web_acl" "main" {
        id                          = "abcdefgh-abdc-abcd-abcd-abcdefghijkl"
        name                        = "a-name-for-wafv2"
        # (8 unchanged attributes hidden)

      - rule {
          - name     = "AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 1 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = false -> null
              - metric_name                = "AWSManagedRulesAmazonIpReputationList-metric" -> null
              - sampled_requests_enabled   = false -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesCommonRuleSet" -> null
          - priority = 0 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesCommonRuleSet" -> null
                  - vendor_name = "AWS" -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = false -> null
              - metric_name                = "AWSManagedRulesCommonRuleSet-metric" -> null
              - sampled_requests_enabled   = false -> null
            }
        }
      + rule {
          + name     = "AWSManagedRulesAmazonIpReputationList"
          + priority = 1

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                    # (1 unchanged attribute hidden)
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = false
              + metric_name                = "AWSManagedRulesAmazonIpReputationList-metric"
              + sampled_requests_enabled   = false
            }
        }
      + rule {
          + name     = "AWSManagedRulesCommonRuleSet"
          + priority = 0

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                    # (1 unchanged attribute hidden)
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = false
              + metric_name                = "AWSManagedRulesCommonRuleSet-metric"
              + sampled_requests_enabled   = false
            }
        }

        # (12 unchanged blocks hidden)
    }

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

  1. terraform apply => creation of the rules
  2. wait for some time (I don't understand for now why it does not happen right away, but I'm confident that no one touches the resource manually or via the API, since I work in an env I manage myself)
  3. terraform apply => recreation of the rules

Other behavior: if some rule is added / deleted ==> recreation of every rule instead of working only on the affected rule.

What is the expected behavior?

Terraform is supposed to detect that the rules are already created and not recreate them if not needed.

Software versions?

terraform --version
Terraform v1.9.3
on windows_amd64

Initializing modules...
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v5.55.0

I guess the issue comes from the fact that var.rules is not typed as a map(object) but as any, and has a default value of an empty list [].
But even if I pass a map (with keys matching the rule name), the rules are recreated.

I think it would need to use the aws_wafv2_rule_group resource in the module and then use the rule group reference within the aws_wafv2_rule_group resource.

If we use this in conjunction with a map, it should be able to reference the appropriate key in the rule_group_reference_statement.
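The following is an added example and not the module's own code: it shows the typed-map shape the reporter suggests, with a `map(object)` variable (instead of `any` with a list default) feeding a `dynamic "rule"` block, so each map key corresponds to exactly one rule and adding or removing a key touches only that rule. Managed rule groups stay directly in the web ACL here, because AWS does not allow a managed or custom rule group to be referenced from inside another rule group. The resource and variable names, the `REGIONAL` scope and the two sample rules are assumptions. Pinning `version` is optional but removes one source of read-back differences. A plan that rewrites every rule on every run drowns out genuine out-of-band changes to the WAF, so until the diff is quiet, `terraform plan -refresh-only` is the reliable way to see what actually drifted.

```hcl
# Added example, not the module's code. Typed map instead of `any`/list.
variable "managed_rules" {
  description = "Managed rule groups to attach, keyed by their rule name."
  type = map(object({
    priority    = number
    vendor_name = optional(string, "AWS")
    version     = optional(string) # null lets AWS select the default version
  }))
  default = {}
}

resource "aws_wafv2_web_acl" "example" { # assumed resource name
  name  = "example-web-acl"              # assumed
  scope = "REGIONAL"                     # assumed; use CLOUDFRONT for distributions

  default_action {
    allow {}
  }

  # One rule block per map key; the key doubles as the managed rule group name.
  dynamic "rule" {
    for_each = var.managed_rules
    content {
      name     = rule.key
      priority = rule.value.priority

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = rule.value.vendor_name
          version     = rule.value.version
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "${rule.key}-metric"
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl"
    sampled_requests_enabled   = true
  }
}

# Constructed sample input for the variable above.
locals {
  sample_managed_rules = {
    AWSManagedRulesCommonRuleSet = {
      priority = 0
    }
    AWSManagedRulesAmazonIpReputationList = {
      priority = 1
    }
  }
}
```

The `locals` block only illustrates the expected value shape; in practice the map is passed as `managed_rules` to the module. Because the `rule` blocks are derived from map keys rather than list positions, removing `AWSManagedRulesCommonRuleSet` from the map produces a plan that drops that single rule rather than rewriting both.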
