
[Bug]: aws_wafv2_web_acl description/tag changes result in inconsistent final plan #27479

Closed
amaxine opened this issue Oct 26, 2022 · 10 comments
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@amaxine

amaxine commented Oct 26, 2022

Related:

Terraform Core Version

1.3.3

AWS Provider Version

4.36.1

Affected Resource(s)

  • aws_wafv2_web_acl

Expected Behavior

It's possible to update tags and description of aws_wafv2_web_acl resources.

After importing pre-existing rules (thanks to recently added support for rate_based_statements), we're met with Provider produced inconsistent final plan when just changing description and tags on the resource.

I don't believe rate_based_statement support is the culprit but I didn't investigate additional problems in depth.

Actual Behavior

Any apply that modifies the tags or description of an aws_wafv2_web_acl resource results in Provider produced inconsistent final plan.

Modifying rules doesn't result in any errors.

Relevant Error/Panic Output Snippet

Error: Provider produced inconsistent final plan

When expanding the plan for module.traefik.aws_wafv2_web_acl.public[0] to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element cty.ObjectVal(map[string]cty.Value{"action":cty.ListValEmpty(cty.Object(map[string]cty.Type{"allow":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})), "block":cty.List(cty.Object(map[string]cty.Type{"custom_response":cty.List(cty.Object(map[string]cty.Type{"custom_response_body_key":cty.String, "response_code":cty.Number, "response_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})), "captcha":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})), [... trimmed]

Terraform Configuration Files

provider "aws" {}

resource "aws_wafv2_web_acl" "public" {
  name        = "Public"
  description = "Some ACL"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rule0"
    priority = 0

    action {
      block {
        custom_response {
          response_code = 429
        }
      }
    }

    statement {
      rate_based_statement {
        aggregate_key_type = "IP"
        limit              = 100

        scope_down_statement {
          statement {
            byte_match_statement {
              search_string         = "example.com"
              positional_constraint = "EXACTLY"

              field_to_match {
                single_header {
                  name = "host"
                }
              }

              text_transformation {
                priority = 0
                type     = "NONE"
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule0"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "public"
    sampled_requests_enabled   = true
  }
}

Steps to Reproduce

  1. Create a wafv2_web_acl resource
  2. Modify the description or tags in a subsequent terraform apply
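A pre-apply check for the trigger described in these steps, written as an added example (not part of this issue or of the AWS provider): it reads the JSON from `terraform show -json tfplan` and reports aws_wafv2_web_acl updates whose only differences are in description or tags, so those applies can be reviewed before running into the inconsistent-plan error. The plan document embedded below is constructed.

```python
import json

WAF_ACL_TYPE = "aws_wafv2_web_acl"
# Attributes whose change alone triggers the bug reported above.
BUG_TRIGGER_KEYS = {"description", "tags", "tags_all"}


def changed_keys(change: dict) -> set:
    """Top-level attribute names whose value differs between before and after."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def affected_web_acls(plan: dict) -> list:
    """Addresses of web ACL in-place updates that touch only description/tags."""
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != WAF_ACL_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions") != ["update"]:
            continue  # creates, deletes and replacements are not this bug
        diff = changed_keys(change)
        if diff and diff <= BUG_TRIGGER_KEYS:
            hits.append(rc["address"])
    return hits


# Constructed plan JSON: the first ACL changes only its description (affected),
# the second changes a rule (not affected).
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [
    {"address": "module.traefik.aws_wafv2_web_acl.public[0]",
     "type": "aws_wafv2_web_acl",
     "change": {"actions": ["update"],
                "before": {"name": "Public", "description": "Some ACL", "tags": {}},
                "after":  {"name": "Public", "description": "New text", "tags": {}}}},
    {"address": "aws_wafv2_web_acl.other",
     "type": "aws_wafv2_web_acl",
     "change": {"actions": ["update"],
                "before": {"name": "Other", "rule": [{"name": "rule0"}]},
                "after":  {"name": "Other", "rule": [{"name": "rule1"}]}}}
  ]
}""")

if __name__ == "__main__":
    for addr in affected_web_acls(SAMPLE_PLAN):
        print(f"{addr}: only description/tags change; see issue #27479")
```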

Debug Output

No response

Panic Output

No response

Important Factoids

We discovered this issue after importing rules (thanks to recently added rate_based_statement support) while changing the description, but after further testing the only consistent triggers for the failure were changes to the description field or new/changed tags.

References

Would you like to implement a fix?

No response

@amaxine amaxine added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Oct 26, 2022
@github-actions github-actions bot added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Oct 26, 2022
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Oct 26, 2022
@aholthagerty

aholthagerty commented Nov 1, 2022

Same issue, I believe: #23936

This has been an active bug for months, but the bots auto-closed the issue.

@a-schaefers

I can reproduce this bug as well.

@aholthagerty

Workaround: when updating tags, update the rule name to force rule recreation. This seems to circumvent the bug.

@emmaLP

emmaLP commented Nov 14, 2022

This issue is still happening in version 4.39.0. Can we get an update please?

@YakDriver
Member

YakDriver commented Jul 13, 2023

NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).

For more details see #23992 (comment) and #28672 (comment).

@YakDriver YakDriver self-assigned this Jul 13, 2023
@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 13, 2023
@justinretzolk
Member

Hi all 👋 As was mentioned above, this issue appears to be fixed when using a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later). If you experience additional unexpected behaviors with versions that meet these parameters, please open a new issue so that we can investigate further.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 20, 2023
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 20, 2023