
Unable to change incapsula_policy_asset_association from default to another policy

Open stockmaj opened this issue 7 months ago • 0 comments

Confirmation

  • [X] My issue isn't already found on the issue tracker.
  • [X] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Imperva provider version

Terraform v1.9.0-dev on linux_amd64

  • provider registry.terraform.io/devops-rob/terracurl v1.0.1
  • provider registry.terraform.io/hashicorp/azuread v2.53.0
  • provider registry.terraform.io/hashicorp/azurerm v3.110.0
  • provider registry.terraform.io/hashicorp/time v0.11.2
  • provider registry.terraform.io/imperva/incapsula v3.25.2

Your version of Terraform is out of date! The latest version is 1.9.0. You can update by downloading from https://www.terraform.io/downloads.html

Affected resource(s)

incapsula_policy_asset_association

Terraform configuration files

# current terraform state is policy_id=X where X is the default policy
resource "incapsula_policy_asset_association" "waf_rules_policy_asset_association" {
  policy_id  = Y
  asset_id   = incapsula_site.site.id
  asset_type = "WEBSITE"
}
resource "incapsula_site" "site" {
  domain = "test.com"

  wildcard_san = true
  lifecycle {
    prevent_destroy = true
  }
}

Debug output

I can privately supply debug output, but it may contain configuration information that should not be made publicly available.

Panic output

No response

Expected output

I expect the old asset allocation to be replaced with a new one. In the config above, X is the default policy for the account and Y is a different policy. This works if I set the policy to Y in the console and use terraform to change it back to X.

Actual output

module.dns.module.waf_portal.incapsula_policy_asset_association.waf_rules_policy_asset_association must be replaced

-/+ resource "incapsula_policy_asset_association" "waf_rules_policy_asset_association" {
      + account_id = (known after apply)
      ~ id         = "X/N/WEBSITE" -> (known after apply)
      ~ policy_id  = "X" -> "Y" # forces replacement
        # (2 unchanged attributes hidden)
    }

Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve.

Enter a value: yes

module.dns.module.waf_portal.incapsula_policy_asset_association.waf_rules_policy_asset_association: Destroying... [id=X/N/WEBSITE]
╷
│ Error: Error status code 400 from Incapsula service when deleting Policy Asset Association: {"value":"cannot remove default policy of Type WAF_RULES","isError":true}
│
│
╵

Steps to reproduce

  1. Change a site that is using the default policy to use a non-default policy in the Terraform configuration.
  2. Run terraform apply.

Additional factoids

No response

References

No response

stockmaj, Jun 28 '24 14:06
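
A pre-apply check for the failure reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and flags any `incapsula_policy_asset_association` whose destroy step would target a default policy, which is the call the service rejects with the 400 shown in the issue. The function name, the sample plan and the set of default policy IDs are assumptions; the default policy IDs have to be supplied by the operator.

```python
import json

RESOURCE_TYPE = "incapsula_policy_asset_association"

# Constructed sample in the shape of `terraform show -json <planfile>`,
# mirroring the plan in this issue (X, Y and N are the issue's placeholders).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.dns.module.waf_portal.incapsula_policy_asset_association.waf_rules_policy_asset_association",
   "type": "incapsula_policy_asset_association",
   "change": {"actions": ["delete", "create"],
              "before": {"id": "X/N/WEBSITE", "policy_id": "X", "asset_id": "N", "asset_type": "WEBSITE"},
              "after": {"policy_id": "Y", "asset_id": "N", "asset_type": "WEBSITE"}}},
  {"address": "incapsula_site.site", "type": "incapsula_site",
   "change": {"actions": ["no-op"], "before": {"domain": "test.com"}, "after": {"domain": "test.com"}}}
]}
""")


def risky_association_changes(plan, default_policy_ids):
    """Return planned changes whose destroy step would remove a default-policy association."""
    defaults = {str(p) for p in default_policy_ids}  # operator-supplied (assumption)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        before = change.get("before") or {}  # null when the resource is being created
        after = change.get("after") or {}    # null when the resource is only destroyed
        if "delete" not in change.get("actions", []):
            continue  # only delete and replace actions run the resource's destroy step
        old = before.get("policy_id")
        if old is not None and str(old) in defaults:
            new = after.get("policy_id")
            findings.append({
                "address": rc["address"],
                "from_policy": str(old),
                "to_policy": None if new is None else str(new),
            })
    return findings


if __name__ == "__main__":
    for f in risky_association_changes(SAMPLE_PLAN, {"X"}):
        print(f"BLOCK {f['address']}: destroys default policy association "
              f"{f['from_policy']} -> {f['to_policy']}")
```

Run as a gate before `terraform apply`, a non-empty result means the apply will stop at the destroy step and the site will remain on the default policy instead of the intended one.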