r/aws_wafv2_web_acl: set rule on import #41205
This change fixes a regression introduced in `v5.61.0` when the `rule_json` attribute was added. The read operation logic is now inverted such that the absence of a value for `rule_json` causes the `rule` attribute to be written, rather than the presence of `rule`. Both attributes will always appear unset during import operations, so the previous logic would always cause `rule` to be unset after import, a regression from prior behavior. The updated logic allows import to behave in the same way it did prior to `v5.61.0`, always setting the `rule` attribute to the remote value.

For configurations which import an existing web ACL to a resource with `rule_json` configured, the displayed output on the first subsequent `apply` will now be slightly different though functionally the same as before. After the initial import, the planned changes will show the addition of the `rule_json` value (this was always present), but also include a removal of a configured `rule` block (this is new). The update will occur in-place as it did previously. A note has been added to registry documentation for the `rule_json` attribute describing this behavior.

Acceptance tests have also been updated to accurately reflect that `rule` can once again be imported correctly.

```console
% make testacc PKG=wafv2 TESTS="TestAccWAFV2WebACL_"
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.5 test ./internal/service/wafv2/... -v -count 1 -parallel 20 -run='TestAccWAFV2WebACL_' -timeout 360m -vet=off
2025/01/31 16:17:00 Initializing Terraform AWS Provider...
=== NAME TestAccWAFV2WebACL_associationConfigCloudFront
    web_acl_test.go:2880: skipping tests; AWS_DEFAULT_REGION (us-west-2) not supported. Supported: [us-east-1]
--- SKIP: TestAccWAFV2WebACL_associationConfigCloudFront (0.36s)
=== CONT TestAccWAFV2WebACL_CloudFrontScope
    web_acl_test.go:2977: skipping tests; AWS_DEFAULT_REGION (us-west-2) not supported. Supported: [us-east-1]
--- SKIP: TestAccWAFV2WebACL_CloudFrontScope (0.00s)
=== CONT TestAccWAFV2WebACL_ruleJSONToRule
--- PASS: TestAccWAFV2WebACL_basic (30.58s)
=== CONT TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_BotControl
--- PASS: TestAccWAFV2WebACL_tokenDomains (34.47s)
=== CONT TestAccWAFV2WebACL_ByteMatchStatement_headerOrder
--- PASS: TestAccWAFV2WebACL_IPSetReference_basic (53.27s)
=== CONT TestAccWAFV2WebACL_ByteMatchStatement_body
--- PASS: TestAccWAFV2WebACL_Operators_maxNested (55.82s)
=== CONT TestAccWAFV2WebACL_ByteMatchStatement_jsonBody
--- PASS: TestAccWAFV2WebACL_ruleJSONToRule (58.13s)
=== CONT TestAccWAFV2WebACL_ByteMatchStatement_ja3fingerprint
--- PASS: TestAccWAFV2WebACL_LabelMatchStatement (64.67s)
=== CONT TestAccWAFV2WebACL_ByteMatchStatement_basic
--- PASS: TestAccWAFV2WebACL_RateBased_maxNested (65.31s)
=== CONT TestAccWAFV2WebACL_RateBased_basic
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_BotControl (35.96s)
=== CONT TestAccWAFV2WebACL_minimal
--- PASS: TestAccWAFV2WebACL_ruleJSON (90.85s)
=== CONT TestAccWAFV2WebACL_ManagedRuleGroup_specifyVersion
--- PASS: TestAccWAFV2WebACL_GeoMatch_forwardedIP (93.53s)
=== CONT TestAccWAFV2WebACL_associationConfigRegional
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_basic (94.14s)
=== CONT TestAccWAFV2WebACL_ManagedRuleGroup_basic
--- PASS: TestAccWAFV2WebACL_RuleLabels (95.19s)
=== CONT TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_ACFPRuleSet
--- PASS: TestAccWAFV2WebACL_minimal (41.50s)
=== CONT TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_ATPRuleSet
--- PASS: TestAccWAFV2WebACL_RateBased_forwardedIP (112.92s)
=== CONT TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_manageShieldMitigationRule (116.50s)
=== CONT TestAccWAFV2WebACL_Update_nameForceNew
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_headerOrder (84.89s)
=== CONT TestAccWAFV2WebACL_Update_ruleProperties
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_shieldMitigation (119.43s)
=== CONT TestAccWAFV2WebACL_disappears
--- PASS: TestAccWAFV2WebACL_GeoMatch_basic (136.16s)
=== CONT TestAccWAFV2WebACL_Update_rule
--- PASS: TestAccWAFV2WebACL_associationConfigRegional (51.54s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_jsonBody (91.38s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_ja3fingerprint (89.30s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_body (97.25s)
--- PASS: TestAccWAFV2WebACL_Custom_response (154.48s)
--- PASS: TestAccWAFV2WebACL_tags (154.85s)
--- PASS: TestAccWAFV2WebACL_RateBased_basic (91.81s)
--- PASS: TestAccWAFV2WebACL_disappears (40.18s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_basic (95.65s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_specifyVersion (78.84s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_ACFPRuleSet (76.21s)
--- PASS: TestAccWAFV2WebACL_IPSetReference_forwardedIP (173.28s)
--- PASS: TestAccWAFV2WebACL_Custom_requestHandling (173.86s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_ATPRuleSet (68.84s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig (66.66s)
--- PASS: TestAccWAFV2WebACL_Update_nameForceNew (63.09s)
--- PASS: TestAccWAFV2WebACL_Update_rule (51.33s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_basic (101.36s)
--- PASS: TestAccWAFV2WebACL_Update_ruleProperties (77.37s)
--- PASS: TestAccWAFV2WebACL_RateBased_customKeys (234.49s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/wafv2 241.100s
```
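A simplified model of the read-logic inversion described in the post above, added here as an illustration and not the provider's own code. The `state` type, the `readBefore`/`readAfter` functions and the sample rule names are hypothetical; the model shows why an import, where both attributes start unset, left the web ACL's rules out of state under the old condition.

```go
package main

import "fmt"

// state is a hypothetical model holding only the two attributes under discussion.
type state struct {
	Rule     []string // rule names stored under `rule`
	RuleJSON string   // raw document stored under `rule_json`
}

// readBefore models the v5.61.0 condition as the description states it:
// `rule` is written only when `rule` already has a value.
func readBefore(prior state, remote []string) state {
	next := state{RuleJSON: prior.RuleJSON}
	if len(prior.Rule) > 0 {
		next.Rule = remote
	}
	return next
}

// readAfter models the inverted condition: `rule` is written whenever
// `rule_json` has no value.
func readAfter(prior state, remote []string) state {
	next := state{RuleJSON: prior.RuleJSON}
	if prior.RuleJSON == "" {
		next.Rule = remote
	}
	return next
}

func main() {
	remote := []string{"block-bad-ips", "rate-limit"} // constructed sample rules
	cases := []struct {
		name  string
		prior state
	}{
		{"import (both unset)", state{}},
		{"rule configured", state{Rule: []string{"block-bad-ips"}}},
		{"rule_json configured", state{RuleJSON: `[{"Name":"block-bad-ips"}]`}},
	}
	for _, c := range cases {
		fmt.Printf("%-22s before=%v after=%v\n", c.name,
			readBefore(c.prior, remote).Rule, readAfter(c.prior, remote).Rule)
	}
}
```

Only the import row differs between the two functions: the old condition returns no rules for a freshly imported web ACL, while the inverted one records the remote rules.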
LGTM 🚀
```console
% make testacc PKG=wafv2 TESTS="TestAccWAFV2WebACL_" AWS_DEFAULT_REGION=us-east-1
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.5 test ./internal/service/wafv2/... -v -count 1 -parallel 20 -run='TestAccWAFV2WebACL_' -timeout 360m -vet=off
2025/02/03 16:23:55 Initializing Terraform AWS Provider...
--- PASS: TestAccWAFV2WebACL_minimal (30.90s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_BotControl (33.86s)
--- PASS: TestAccWAFV2WebACL_disappears (35.97s)
--- PASS: TestAccWAFV2WebACL_basic (66.78s)
--- PASS: TestAccWAFV2WebACL_Update_nameForceNew (83.39s)
--- PASS: TestAccWAFV2WebACL_GeoMatch_basic (83.98s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig (85.83s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_jsonBody (88.07s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_ATPRuleSet (96.15s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_headerOrder (96.20s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_ManagedRuleGroupConfig_ACFPRuleSet (96.51s)
--- PASS: TestAccWAFV2WebACL_LabelMatchStatement (105.07s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_basic (105.36s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_body (107.63s)
--- PASS: TestAccWAFV2WebACL_ruleJSONToRule (86.50s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_specifyVersion (120.78s)
--- PASS: TestAccWAFV2WebACL_CloudFrontScope (57.11s)
--- PASS: TestAccWAFV2WebACL_ByteMatchStatement_ja3fingerprint (124.25s)
--- PASS: TestAccWAFV2WebACL_GeoMatch_forwardedIP (127.27s)
--- PASS: TestAccWAFV2WebACL_ruleJSON (94.33s)
--- PASS: TestAccWAFV2WebACL_associationConfigCloudFront (55.60s)
--- PASS: TestAccWAFV2WebACL_tokenDomains (55.92s)
--- PASS: TestAccWAFV2WebACL_RateBased_basic (145.98s)
--- PASS: TestAccWAFV2WebACL_associationConfigRegional (62.84s)
--- PASS: TestAccWAFV2WebACL_Operators_maxNested (62.52s)
--- PASS: TestAccWAFV2WebACL_Update_ruleProperties (149.04s)
--- PASS: TestAccWAFV2WebACL_Custom_response (125.00s)
--- PASS: TestAccWAFV2WebACL_IPSetReference_basic (44.38s)
--- PASS: TestAccWAFV2WebACL_ManagedRuleGroup_basic (173.20s)
--- PASS: TestAccWAFV2WebACL_RateBased_maxNested (46.46s)
--- PASS: TestAccWAFV2WebACL_RateBased_forwardedIP (79.05s)
--- PASS: TestAccWAFV2WebACL_Update_rule (81.28s)
--- PASS: TestAccWAFV2WebACL_RuleLabels (62.62s)
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_basic (87.49s)
--- PASS: TestAccWAFV2WebACL_tags (78.05s)
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_shieldMitigation (96.67s)
--- PASS: TestAccWAFV2WebACL_RuleGroupReference_manageShieldMitigationRule (98.44s)
--- PASS: TestAccWAFV2WebACL_Custom_requestHandling (108.68s)
--- PASS: TestAccWAFV2WebACL_IPSetReference_forwardedIP (94.36s)
--- PASS: TestAccWAFV2WebACL_RateBased_customKeys (145.33s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/wafv2 282.221s
```
This functionality has been released in v5.86.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
Relations
Closes #40740
Closes #40523
Relates #38309