aws_waf_rate_based_rule doesn't update rate_limit changes #9659

Closed
ghost opened this issue Aug 7, 2019 · 5 comments · Fixed by #14964

ghost commented Aug 7, 2019

This issue was originally opened by @vad as hashicorp/terraform#22368. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.12.6
+ provider.aws v2.22.0
...

Terraform Configuration Files

provider "aws" {
  region  = "eu-west-1"
}

resource "aws_waf_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptors {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_waf_rate_based_rule" "wafrule" {
  depends_on  = ["aws_waf_ipset.ipset"]
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  rate_key   = "IP"
  rate_limit = 4000

  predicates {
    data_id = "${aws_waf_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}
...

Debug Output

Relevant part:

https://gist.github.com/vad/3588212535b6a00b186bbd0dd4dd69cd

Expected Behavior

If I change the rate_limit value, I expect Terraform to update the rate-based rule.

Actual Behavior

Terraform detects the change and actually tells me it updated the rule, but it didn't:

aws_waf_ipset.ipset: Refreshing state... [id=<ID>]
aws_waf_rate_based_rule.wafrule: Refreshing state... [id=<ID>]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_waf_rate_based_rule.wafrule will be updated in-place
  ~ resource "aws_waf_rate_based_rule" "wafrule" {
        id          = "<ID>"
        metric_name = "tfWAFRule"
        name        = "tfWAFRule"
        rate_key    = "IP"
      ~ rate_limit  = 4000 -> 3000

        predicates {
            data_id = "<ID>"
            negated = false
            type    = "IPMatch"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_waf_rate_based_rule.wafrule: Modifying... [id=<ID>]
aws_waf_rate_based_rule.wafrule: Modifications complete after 0s [id=<ID>]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

If I apply again, this repeats.

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. change rate_limit
  4. terraform apply
@ghost ghost added the service/waf Issues and PRs that pertain to the waf service. label Aug 7, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 7, 2019
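
Because the apply output above reports success while the rule keeps its old limit, the apply log cannot be trusted to confirm the WAF control. The following check is an added example, not code from the issue or from the provider: it compares the `rate_limit` a saved plan intended with what AWS returns after apply. It assumes the plan was rendered with `terraform show -json` and the live rule was fetched with `aws waf get-rate-based-rule`; the rule id `example-rule-id` and both JSON samples are constructed.

```python
import json

# Constructed sample: trimmed `terraform show -json plan.out` for the change in this issue.
PLAN = json.dumps({"resource_changes": [
    {"address": "aws_waf_rate_based_rule.wafrule", "type": "aws_waf_rate_based_rule",
     "change": {"actions": ["update"],
                "before": {"id": "example-rule-id", "rate_limit": 4000},
                "after": {"id": "example-rule-id", "rate_limit": 3000}}},
    {"address": "aws_waf_ipset.ipset", "type": "aws_waf_ipset",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}},
]})

# Constructed samples: `aws waf get-rate-based-rule --rule-id <id>` output after apply.
LIVE_STALE = json.dumps({"Rule": {"RuleId": "example-rule-id", "RateKey": "IP", "RateLimit": 4000}})
LIVE_OK = json.dumps({"Rule": {"RuleId": "example-rule-id", "RateKey": "IP", "RateLimit": 3000}})


def planned_rate_limits(plan_json):
    """Map rule id -> (address, planned rate_limit) for in-place rate-based rule updates."""
    planned = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_waf_rate_based_rule" or "update" not in change.get("actions", []):
            continue
        after = change.get("after") or {}
        if after.get("id") and "rate_limit" in after:
            planned[after["id"]] = (rc["address"], after["rate_limit"])
    return planned


def unapplied_rate_limits(plan_json, live_responses):
    """Return one finding per rule whose live RateLimit differs from the planned value."""
    live = {}
    for raw in live_responses:
        rule = json.loads(raw)["Rule"]
        live[rule["RuleId"]] = rule["RateLimit"]
    findings = []
    for rule_id, (address, want) in planned_rate_limits(plan_json).items():
        got = live.get(rule_id)  # None when the rule was not returned at all
        if got != want:
            findings.append({"address": address, "rule_id": rule_id, "planned": want, "live": got})
    return findings


if __name__ == "__main__":
    for f in unapplied_rate_limits(PLAN, [LIVE_STALE]):
        print("NOT APPLIED: {address} planned={planned} live={live}".format(**f))
```
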
@connollydaire

We're seeing this exact behaviour too trying to update the rate limits - TF reports it has made the modification but it has not.

@anGie44 anGie44 added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 1, 2020
Contributor

anGie44 commented Sep 1, 2020

Hi @vad and @connollydaire, thank you for following this issue. I was able to confirm this behavior and the linked PR should correct things.

@anGie44 anGie44 added this to the v3.5.0 milestone Sep 2, 2020
Contributor

anGie44 commented Sep 2, 2020

The related fix has been merged and will release with v3.5.0 of the Terraform AWS Provider, likely out this Thursday.

Author

ghost commented Sep 3, 2020

This has been released in version 3.5.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

Author

ghost commented Oct 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Oct 3, 2020