terraform-provider-akamai

[DXE-3690] API Match Target wants to update on every terraform plan

Open martinrw opened this issue 11 months ago • 1 comments

Terraform Version

v1.3.4

terraform {
  required_providers {
    akamai = {
      source  = "akamai/akamai"
      version = "5.5.0"
    }
  }
}

Affected Resource(s)

  • akamai_appsec_match_target, but it seems like only for API type targets

Terraform Configuration Files

resource "akamai_appsec_match_target" "myservice_match_target" {
  config_id    = data.akamai_appsec_configuration.mycompany_config.config_id
  match_target = templatefile("${path.module}/appsec/api_match_targets.json", {
    config_id           = data.akamai_appsec_configuration.mycompany_config.config_id,
    myservice_hostname  = var.myservice_hostname
    security_policy_id  = akamai_appsec_security_policy.my_security_policy.security_policy_id
  })
}

And the match targets JSON file:

{
    "type": "api",
    "configId": "${config_id}",
    "defaultFile": "NO_MATCH",
    "effectiveSecurityControls": {
        "applyApplicationLayerControls": true,
        "applyBotmanControls": true,
        "applyNetworkLayerControls": true,
        "applyPageIntegrityControls": false,
        "applyRateControls": true,
        "applyReputationControls": true,
        "applySlowPostControls": true
    },
    "filePaths": [
        "/*"
    ],
    "hostnames": [
        "${myservice_hostname}"
    ],
    "isNegativeFileExtensionMatch": false,
    "isNegativePathMatch": false,
    "securityPolicy": {
        "policyId": "${security_policy_id}"
    },
    "apis": [
        {
            "id": 12345,
            "name": "myservice-Akamai-Test"
        }
    ]
}

Actual Behavior

The terraform plan wants to remove the "targetId" field every time. Even after I apply it and run the plan again, it still wants to remove it:

  # module.akamai.akamai_appsec_match_target.myservice_match_target will be updated in-place
  ~ resource "akamai_appsec_match_target" "myservice_match_target" {
        id              = "67890:7658471"
      ~ match_target    = jsonencode(
          ~ {
              + configId                     = "67890"
              + defaultFile                  = "NO_MATCH"
              + effectiveSecurityControls    = {
                  + applyApplicationLayerControls = true
                  + applyBotmanControls           = true
                  + applyNetworkLayerControls     = true
                  + applyPageIntegrityControls    = false
                  + applyRateControls             = true
                  + applyReputationControls       = true
                  + applySlowPostControls         = true
                }
              + filePaths                    = [
                  + "/*",
                ]
              + hostnames                    = [
                  + "myservice-akamai-test.mycompany.eu",
                ]
              + isNegativeFileExtensionMatch = false
              + isNegativePathMatch          = false
              - targetId                     = 7658471 -> null
                # (3 unchanged elements hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Expected Behavior

The plan should show no differences; there should be nothing to change. My understanding is that the targetId is a unique ID for the match target, so I don't see how I can pre-populate that in the match target JSON file.

I have another match target which is type website and it doesn't seem to do the same thing.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan
  2. terraform apply
  3. terraform plan

martinrw, Mar 15 '24 14:03

Hello @martinrw,

thank you for reporting this issue. We were able to reproduce this error. We will keep you informed about the progress.

Best regards, Pawel

PawelSnoch, Mar 19 '24 11:03