resource/wafv2_web_acl: remove force_new property from arguments to prevent resource recreation

[anGie44]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #13936
Fixes #14035
Fixes #14029

Notes:

• rule name and rule visibility_config metric_name can be changed via the SDK just like in the AWS Console, no longer requiring the ForceNew property which was also the cause of the forced recreation behavior

Release note for CHANGELOG:

resource/wafv2_web_acl: remove ForceNew property from rule.name and rule.visibility_config.metric_name

Output from acceptance testing:

--- FAIL: TestAccAwsWafv2WebACL_RuleGroupReferenceStatement (2272.86s) -- related to v2 SDK change when calculating set index to compare ARN
--- PASS: TestAccAwsWafv2WebACL_Disappears (2624.62s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_webACLDisappears (2810.12s)
--- PASS: TestAccAwsWafv2WebACL_Minimal (3069.09s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_disappears (3131.46s)
--- PASS: TestAccAwsWafv2WebACLAssociation_basic (3163.23s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_basic (3201.17s)
--- PASS: TestAccAwsWafv2WebACL_basic (3247.90s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements (4075.84s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedOperatorStatements (4079.01s)
--- PASS: TestAccAwsWafv2WebACLAssociation_Disappears (4492.55s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_changeLogDestinationConfigsForceNew (4586.87s)
--- PASS: TestAccAwsWafv2WebACL_ChangeNameForceNew (4845.73s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_changeResourceARNForceNew (4895.22s)
--- PASS: TestAccAwsWafv2WebACLLoggingConfiguration_update (5297.34s)
--- PASS: TestAccAwsWafv2WebACL_ManagedRuleGroupStatement (5485.60s)
--- PASS: TestAccAwsWafv2WebACL_RateBasedStatement (5505.18s)
--- PASS: TestAccAwsWafv2WebACL_Tags (5556.15s)
--- PASS: TestAccAwsWafv2WebACL_updateRule (5690.97s)
--- PASS: TestAccAwsWafv2WebACL_UpdateRuleProperties (6207.71s)

[anGie44]

addresses TestAccAwsWafv2WebACL_ManagedRuleGroupStatement and TestAccAwsWafv2WebACL_RateBasedStatement test failures as now they actually attempt to do an update vs. a destroy/create, exposing the bug reported in #14035

[bflad]

Looks good to me 🚀 Two additional recommendations:

• Adding documentation to the rule configuration block name argument to note that it cannot be updated
• Adjusting the CHANGELOG message to be a little more operator-centric rather than developer-centric (e.g. Prevent unnecessary resource recreation with rule updates)

Output from acceptance testing (test failure unrelated):

--- FAIL: TestAccAwsWafv2WebACL_RuleGroupReferenceStatement (2297.93s)
--- PASS: TestAccAwsWafv2WebACL_basic (3247.90s)
--- PASS: TestAccAwsWafv2WebACL_ChangeNameForceNew (4845.73s)
--- PASS: TestAccAwsWafv2WebACL_Disappears (2624.62s)
--- PASS: TestAccAwsWafv2WebACL_ManagedRuleGroupStatement (5485.60s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedOperatorStatements (4079.01s)
--- PASS: TestAccAwsWafv2WebACL_MaxNestedRateBasedStatements (4075.84s)
--- PASS: TestAccAwsWafv2WebACL_Minimal (3069.09s)
--- PASS: TestAccAwsWafv2WebACL_RateBasedStatement (5505.18s)
--- PASS: TestAccAwsWafv2WebACL_Tags (5556.15s)
--- PASS: TestAccAwsWafv2WebACL_updateRule (5690.97s)
--- PASS: TestAccAwsWafv2WebACL_UpdateRuleProperties (6207.71s)

[anGie44]

thanks for the review @bflad! so interestingly enough, name and the visibility_configuration.metric_name can be updated in-place, contrary to what the AWS docs led us to believe... e.g. when building the provider off this branch and only the name attribute is changed in a config from RateLimit -> RateLimitUpdated:

  # aws_wafv2_web_acl.demo-waf will be updated in-place
  ~ resource "aws_wafv2_web_acl" "demo-waf" {
        arn         = "arn:aws:wafv2:us-west-1:xxxxxxxx:regional/webacl/Demo-WAF/92915db0-1a37-45f8-a638-43a892f9f75c"
        capacity    = 2
        description = "Demo-WAF"
        id          = "92915db0-1a37-45f8-a638-43a892f9f75c"
        name        = "Demo-WAF"
        scope       = "REGIONAL"
        tags        = {}

        default_action {

            block {}
        }

      - rule {
          - name     = "RateLimit" -> null
          - priority = 200 -> null

          - action {

              - block {}
            }
....
      + rule {
          + name     = "RateLimitUpdated"
          + priority = 200

          + action {

              + block {}
            }

and then applying this plan succeeds:

aws_wafv2_web_acl.demo-waf: Modifying... [id=92915db0-1a37-45f8-a638-43a892f9f75c]
aws_wafv2_web_acl.demo-waf: Still modifying... [id=92915db0-1a37-45f8-a638-43a892f9f75c, 10s elapsed]
aws_wafv2_web_acl.demo-waf: Modifications complete after 11s [id=92915db0-1a37-45f8-a638-43a892f9f75c]

with no subsequent plan-time changes:

aws_wafv2_web_acl.demo-waf: Refreshing state... [id=92915db0-1a37-45f8-a638-43a892f9f75c]

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

so i think it's safe to keep the docs as is 👍 the same behavior is true for the metric_name attribute that no longer has ForceNew

[ghost]

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!