resource/wafv2_rule_group: remove force_new property from arguments to prevent resource recreation #14617

Merged
merged 2 commits into from
Aug 13, 2020
Changes from 1 commit
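--- a/aws/resource_aws_wafv2_rule_group.go
+++ b/aws/resource_aws_wafv2_rule_group.go
@@ -95,7 +95,6 @@ func resourceAwsWafv2RuleGroup() *schema.Resource {
 "name": {
 Type: schema.TypeString,
 Required: true,
-ForceNew: true,
 ValidateFunc: validation.StringLenBetween(1, 128),
 },
 "priority": {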
299 changes: 263 additions & 36 deletions aws/resource_aws_wafv2_rule_group_test.go
Expand Up @@ -19,6 +19,43 @@ func TestAccAwsWafv2RuleGroup_basic(t *testing.T) {
ruleGroupName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_wafv2_rule_group.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAwsWafv2RuleGroupDestroy,
Steps: []resource.TestStep{
{
Config: testAccAwsWafv2RuleGroupConfig_Basic(ruleGroupName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "capacity", "2"),
resource.TestCheckResourceAttr(resourceName, "name", ruleGroupName),
resource.TestCheckResourceAttr(resourceName, "description", ruleGroupName),
resource.TestCheckResourceAttr(resourceName, "rule.#", "0"),
resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional),
resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateIdFunc: testAccAwsWafv2RuleGroupImportStateIdFunc(resourceName),
},
},
})
}

func TestAccAwsWafv2RuleGroup_updateRule(t *testing.T) {
var v wafv2.RuleGroup
ruleGroupName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_wafv2_rule_group.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Expand Down Expand Up @@ -55,15 +92,115 @@ func TestAccAwsWafv2RuleGroup_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "rule.#", "2"),
resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"name": "rule-1",
"priority": "1",
"action.#": "1",
"action.0.allow.#": "0",
"action.0.block.#": "0",
"action.0.count.#": "1",
"statement.#": "1",
"statement.0.geo_match_statement.#": "1",
"statement.0.geo_match_statement.0.country_codes.#": "2",
}),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateIdFunc: testAccAwsWafv2RuleGroupImportStateIdFunc(resourceName),
},
},
})
}

func TestAccAwsWafv2RuleGroup_updateRuleProperties(t *testing.T) {
var v wafv2.RuleGroup
ruleGroupName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_wafv2_rule_group.test"
ruleName2 := fmt.Sprintf("%s-2", ruleGroupName)

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAwsWafv2RuleGroupDestroy,
Steps: []resource.TestStep{
{
Config: testAccAwsWafv2RuleGroupConfig_BasicUpdate(ruleGroupName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "capacity", "50"),
resource.TestCheckResourceAttr(resourceName, "name", ruleGroupName),
resource.TestCheckResourceAttr(resourceName, "description", "Updated"),
resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional),
resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"name": "rule-2",
"priority": "10",
"name": "rule-1",
"priority": "1",
"action.#": "1",
"action.0.allow.#": "0",
"action.0.block.#": "1",
"action.0.count.#": "0",
"statement.#": "1",
"action.0.block.#": "0",
"action.0.count.#": "1",
"visibility_config.0.cloudwatch_metrics_enabled": "false",
"visibility_config.0.metric_name": "friendly-rule-metric-name",
"visibility_config.0.sampled_requests_enabled": "false",
"statement.#": "1",
"statement.0.geo_match_statement.#": "1",
"statement.0.geo_match_statement.0.country_codes.#": "2",
}),
),
},
{
// Test step verifies addition of a rule block with the first block unchanged
Config: testAccAwsWafv2RuleGroupConfig_UpdateMultipleRules(ruleGroupName, "rule-1", ruleName2, 1, 2),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "capacity", "50"),
resource.TestCheckResourceAttr(resourceName, "name", ruleGroupName),
resource.TestCheckResourceAttr(resourceName, "description", "Updated"),
resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional),
resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "rule.#", "2"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"name": "rule-1",
"priority": "1",
"action.#": "1",
"action.0.allow.#": "0",
"action.0.block.#": "0",
"action.0.count.#": "1",
"visibility_config.#": "1",
"visibility_config.0.cloudwatch_metrics_enabled": "false",
"visibility_config.0.metric_name": "rule-1",
"visibility_config.0.sampled_requests_enabled": "false",
"statement.#": "1",
"statement.0.geo_match_statement.#": "1",
"statement.0.geo_match_statement.0.country_codes.#": "2",
}),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"name": ruleName2,
"priority": "2",
"action.#": "1",
"action.0.allow.#": "0",
"action.0.block.#": "1",
"action.0.count.#": "0",
"visibility_config.#": "1",
"visibility_config.0.cloudwatch_metrics_enabled": "false",
"visibility_config.0.metric_name": ruleName2,
"visibility_config.0.sampled_requests_enabled": "false",
"statement.#": "1",
"statement.0.size_constraint_statement.#": "1",
"statement.0.size_constraint_statement.0.comparison_operator": "LT",
"statement.0.size_constraint_statement.0.field_to_match.#": "1",
Expand All @@ -79,13 +216,65 @@ func TestAccAwsWafv2RuleGroup_basic(t *testing.T) {
"priority": "5",
"type": "NONE",
}),
),
},
{
// Test step to verify a change in priority for rule #1 and a change in name and priority for rule #2
Config: testAccAwsWafv2RuleGroupConfig_UpdateMultipleRules(ruleGroupName, "rule-1", "updated", 5, 10),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsWafv2RuleGroupExists(resourceName, &v),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexp.MustCompile(`regional/rulegroup/.+$`)),
resource.TestCheckResourceAttr(resourceName, "capacity", "50"),
resource.TestCheckResourceAttr(resourceName, "name", ruleGroupName),
resource.TestCheckResourceAttr(resourceName, "description", "Updated"),
resource.TestCheckResourceAttr(resourceName, "scope", wafv2.ScopeRegional),
resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.#", "1"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.cloudwatch_metrics_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.metric_name", "friendly-metric-name"),
resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"),
resource.TestCheckResourceAttr(resourceName, "rule.#", "2"),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"name": "rule-1",
"priority": "1",
"action.#": "1",
"action.0.allow.#": "0",
"action.0.block.#": "0",
"action.0.count.#": "1",
"name": "rule-1",
"priority": "5",
"action.#": "1",
"action.0.allow.#": "0",
"action.0.block.#": "0",
"action.0.count.#": "1",
"visibility_config.#": "1",
"visibility_config.0.cloudwatch_metrics_enabled": "false",
"visibility_config.0.metric_name": "rule-1",
"visibility_config.0.sampled_requests_enabled": "false",
"statement.#": "1",
"statement.0.geo_match_statement.#": "1",
"statement.0.geo_match_statement.0.country_codes.#": "2",
}),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*", map[string]string{
"name": "updated",
"priority": "10",
"action.#": "1",
"action.0.allow.#": "0",
"action.0.block.#": "1",
"action.0.count.#": "0",
"visibility_config.#": "1",
"visibility_config.0.cloudwatch_metrics_enabled": "false",
"visibility_config.0.metric_name": "updated",
"visibility_config.0.sampled_requests_enabled": "false",
"statement.#": "1",
"statement.0.size_constraint_statement.#": "1",
"statement.0.size_constraint_statement.0.comparison_operator": "LT",
"statement.0.size_constraint_statement.0.field_to_match.#": "1",
"statement.0.size_constraint_statement.0.field_to_match.0.query_string.#": "1",
"statement.0.size_constraint_statement.0.size": "50",
"statement.0.size_constraint_statement.0.text_transformation.#": "2",
}),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*.statement.0.size_constraint_statement.0.text_transformation.*", map[string]string{
"priority": "2",
"type": "CMD_LINE",
}),
tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "rule.*.statement.0.size_constraint_statement.0.text_transformation.*", map[string]string{
"priority": "5",
"type": "NONE",
}),
),
},
Expand Down Expand Up @@ -1235,31 +1424,16 @@ resource "aws_wafv2_rule_group" "test" {
scope = "REGIONAL"

rule {
name = "rule-2"
priority = 10
name = "rule-1"
priority = 1

action {
block {}
count {}
}

statement {
size_constraint_statement {
comparison_operator = "LT"
size = 50

field_to_match {
query_string {}
}

text_transformation {
priority = 5
type = "NONE"
}

text_transformation {
priority = 2
type = "CMD_LINE"
}
geo_match_statement {
country_codes = ["US", "NL"]
}
}

Expand All @@ -1270,9 +1444,26 @@ resource "aws_wafv2_rule_group" "test" {
}
}

visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
`, name)
}

func testAccAwsWafv2RuleGroupConfig_UpdateMultipleRules(name string, ruleName1, ruleName2 string, priority1, priority2 int) string {
return fmt.Sprintf(`
resource "aws_wafv2_rule_group" "test" {
capacity = 50
name = "%[1]s"
description = "Updated"
scope = "REGIONAL"

rule {
name = "rule-1"
priority = 1
name = "%[2]s"
priority = %[3]d

action {
count {}
Expand All @@ -1286,7 +1477,43 @@ resource "aws_wafv2_rule_group" "test" {

visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
metric_name = "%[2]s"
sampled_requests_enabled = false
}
}

rule {
name = "%[4]s"
priority = %[5]d

action {
block {}
}

statement {
size_constraint_statement {
comparison_operator = "LT"
size = 50

field_to_match {
query_string {}
}

text_transformation {
priority = 5
type = "NONE"
}

text_transformation {
priority = 2
type = "CMD_LINE"
}
}
}

visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "%[4]s"
sampled_requests_enabled = false
}
}
Expand All @@ -1297,7 +1524,7 @@ resource "aws_wafv2_rule_group" "test" {
sampled_requests_enabled = false
}
}
`, name)
`, name, ruleName1, priority1, ruleName2, priority2)
}

func testAccAwsWafv2RuleGroupConfig_UpdateCapacity(name string) string {
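Review bot: The steps in TestAccAwsWafv2RuleGroup_updateRuleProperties would pass whether the rule group is updated in place or destroyed and recreated, because every check reads attribute values only and each step passes the same `&v` to `testAccCheckAwsWafv2RuleGroupExists`. Since the stated goal of the change is to avoid recreation, the rename step (rule "updated", priorities 5 and 10) should also assert that the group's ID is unchanged from the previous step. One way is to capture the group into two variables and compare them with a small check like the one below; the helper is a proposal, not something in the visible diff, and it assumes the `aws` and `terraform` packages are already imported by the test file. The same gap applies to TestAccAwsWafv2RuleGroup_updateRule.

```go
// proposed helper: fails the step when the rule group ID differs between two captured states
func testAccCheckAwsWafv2RuleGroupNotRecreated(before, after *wafv2.RuleGroup) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		if aws.StringValue(before.Id) != aws.StringValue(after.Id) {
			return fmt.Errorf("WAFv2 RuleGroup was recreated: ID changed from %q to %q",
				aws.StringValue(before.Id), aws.StringValue(after.Id))
		}
		return nil
	}
}

// … unchanged: step configs and attribute checks …
// in the rename step, after testAccCheckAwsWafv2RuleGroupExists(resourceName, &after):
testAccCheckAwsWafv2RuleGroupNotRecreated(&before, &after),
```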
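--- a/aws/wafv2_helper.go
+++ b/aws/wafv2_helper.go
@@ -342,7 +342,6 @@ func wafv2VisibilityConfigSchema() *schema.Schema {
 "metric_name": {
 Type: schema.TypeString,
 Required: true,
-ForceNew: true,
 ValidateFunc: validation.All(
 validation.StringLenBetween(1, 128),
 validation.StringMatch(regexp.MustCompile(`^[a-zA-Z0-9-_]+$`), "must contain only alphanumeric hyphen and underscore characters"),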
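Review bot: `wafv2VisibilityConfigSchema()` sits in the shared helper file, so dropping `ForceNew` on `metric_name` presumably changes every resource that embeds this schema, not only aws_wafv2_rule_group, and the tests in this commit cover the rule group alone. Within those tests only a rule-level `metric_name` changes between steps; the top-level `visibility_config.metric_name` stays "friendly-metric-name" throughout, so an in-place update of that field is not exercised. An in-place rename also means the WAF metric is likely published under a new CloudWatch name with no replacement in the plan to flag it, so alarms and dashboards bound to the old name can go quiet. A comment on the field would help, for example `// metric_name updates in place; CloudWatch alarms keyed on the previous name must be updated separately`. The function body continues outside this hunk.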