Terraform and AWS Provider Version
Terraform v1.14.9
on linux_amd64
Affected Resource(s) or Data Source(s)
Expected Behavior
When NOT setting the attribute resource_tag_logical_operator in code, we expect the plan to display a diff showing that it would change the value of this attribute on the Firewall Manager policy from 'OR' to 'AND'.
Actual Behavior
The provider did not display any change to this attribute, but when the apply happened it changed the value from resource_tag_logical_operator='OR' to 'AND'. This caused an outage for those resources.
Relevant Error/Panic Output
No response
Sample Terraform Configuration
```hcl
resource "aws_fms_policy" "waf_regional_policy" {
  region                             = var.region
  name                               = "WAFRegionalPolicy-${var.region}"
  description                        = "Firewall Manager policy that applies WAF rules to API Gateway Stage resources"
  exclude_resource_tags              = true
  resource_tag_logical_operator      = "OR" # This is what we had to add
  resource_type                      = "AWS::ApiGateway::Stage"
  remediation_enabled                = var.waf_remediation_enabled
  delete_unused_fm_managed_resources = true

  resource_tags = {
    WAFExclusion     = "True"
    deploymentscheme = "internal"
  }

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode({
      type = "WAFV2"
      preProcessRuleGroups = [
        {
          ruleGroupType = "RuleGroup"
          ruleGroupArn  = aws_wafv2_rule_group.akamai_allowlist_regional.arn
          overrideAction = {
            type = "NONE"
          }
        }
      ]
      postProcessRuleGroups             = []
      defaultAction = {
        type = "BLOCK"
      }
      overrideCustomerWebACLAssociation = false
      optimizeUnassociatedWebACL        = true
      webACLSource                      = "RETROFIT_EXISTING"
    })
  }
}
```
Steps to Reproduce
We were importing an existing resource:
- Create the resource in AWS, configure it with two tags, and select 'OR'.
- Apply the configuration without including the resource_tag_logical_operator attribute.
- Notice that no changes are observed.
OR, you can follow these steps to create one in TF using AND, then switch to OR:
2. Apply the configuration without including the resource_tag_logical_operator attribute.
3. Update the resource in the console to switch to 'OR'.
4. Re-apply the configuration and notice that there is no change.
5. Change the config to add the value; the output shows no changes, since it matches what is configured in AWS.
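The drift described in these steps can be caught outside of `terraform plan` by comparing the live policy with what an apply would write. The following is an added example, not code from the issue author or the provider: it models the reported behaviour (an unset attribute is applied as "AND" with no diff shown) and flags the mismatch. The `ResourceTagLogicalOperator` field name and the default of "AND" for a missing field are assumptions about the fms:GetPolicy response, and the sample response is constructed from the configuration above.

```python
"""Flag a silent resource_tag_logical_operator flip on an aws_fms_policy.

Added example: models the report's failure mode so an out-of-band check can
catch it before apply. Operates on a GetPolicy-shaped dict, so it runs offline.
"""
import json
from typing import Optional

# Assumption from the report: an unset attribute is applied as "AND".
PROVIDER_DEFAULT_OPERATOR = "AND"


def effective_operator(configured: Optional[str]) -> str:
    """Value an apply will write: the configured value, or the provider default."""
    return configured.upper() if configured else PROVIDER_DEFAULT_OPERATOR


def live_operator(get_policy_response: dict) -> str:
    """Read the operator from a GetPolicy-shaped response.

    Assumption: the field is named ResourceTagLogicalOperator and a missing
    field means the legacy "AND" behaviour.
    """
    return get_policy_response["Policy"].get("ResourceTagLogicalOperator", "AND")


def find_drift(get_policy_response: dict, configured: Optional[str]) -> Optional[dict]:
    """Return a drift record when an apply would change the operator, else None."""
    live = live_operator(get_policy_response)
    planned = effective_operator(configured)
    if live == planned:
        return None
    return {
        "policy": get_policy_response["Policy"]["PolicyName"],
        "live": live,
        "planned": planned,
        # Unset attribute: the provider shows no diff, so the change is silent.
        "silent": configured is None,
    }


# Constructed sample resembling a GetPolicy response for the policy in the report.
SAMPLE_RESPONSE = json.loads("""{"Policy": {"PolicyName": "WAFRegionalPolicy-us-east-1",
  "ResourceType": "AWS::ApiGateway::Stage", "ExcludeResourceTags": true,
  "ResourceTags": [{"Key": "WAFExclusion", "Value": "True"},
                   {"Key": "deploymentscheme", "Value": "internal"}],
  "ResourceTagLogicalOperator": "OR"}}""")

if __name__ == "__main__":
    print(find_drift(SAMPLE_RESPONSE, None))  # unset attribute: silent OR -> AND
    print(find_drift(SAMPLE_RESPONSE, "OR"))  # explicit OR: no drift
```

Wired to a real `boto3` `fms.get_policy()` call, the same function gives a pre-apply gate that fails when `silent` is true.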
Debug Logging
GenAI / LLM Assisted Development
n/a
Important Facts and References
Notice that there are no changes. However, when we set the attribute, it shows a change:
Would you like to implement a fix?
No