Add Waf RateBasedRule support

[bekbulatov]

Updated version of #1285.
I had to add the required type field to the rules block under aws_waf_rule. The value could be either REGULAR or RATE_BASED regarding which type of rule you are using.
The docs are updated as well.

[radeksimko]

Hey @bekbulatov
thanks for the PR - I left you some comments/questions there.

Let me know what you think.

[radeksimko]

I'm not sure it's wise to have the validation here for this field. It looks like Amazon may have some plans for expansion, otherwise they wouldn't be introducing a field with a single valid value.
The downside of the static validation is that once AWS introduces a new rate key, we'll have to loose the validation or remove it and folks will be waiting for a new release (unable to use the new key) merely because of tight static validation.

It's not a big deal - I'm just trying to think ahead.

[bekbulatov]

Agreed, anyway the value will be validated by AWS.

[radeksimko]

Yep, I think the AWS API validation is the best choice here.

[radeksimko]

This field seems to be required in per the API docs: http://docs.aws.amazon.com/waf/latest/APIReference/API_Predicate.html

[bekbulatov]

Sure, I will update the schema for Rule as well

[radeksimko]

It seems that this field isn't updatable (based on API reference), shouldn't it be marked as ForceNew then?

[bekbulatov]

Rate_key could be only IP now. Why do you think it should be recreated if changed?

[radeksimko]

well, you're right that there's no way to change it, but if the user is unaware they might try and at the moment we'd just ignore the field (in Update) and support user's assumption that the field was successfully changed.

If we instead delegate the validation work to Create then it will fail and user will also realize during plan that this can't be changed.

[radeksimko]

It might be more convenient to accept rateLimit int here instead and do all the pointer magic inside the function to reduce the repetition, but no biggie.

[radeksimko]

Is there any particular reason why this change should be included in this PR? How is it related to WAF Rate Based Rule?

[bekbulatov]

I mentioned this in #1285. By default, WebACL works with REGULAR rules and you will get an error if you pass rule_id of a RATE_BASED rule. This is documented in https://github.com/aws/aws-sdk-go/blob/master/service/waf/api.go#L5708-L5713

[radeksimko]

I see, but I think we can't just introduce a Required field - that would break it for users with existing configs which don't have this field there.
This applies to your other change in aws/resource_aws_waf_rule.go too.

[radeksimko]

Do you mind changing it to Optional?

[radeksimko]

btw. you might be able to avoid changing the updateWebAclResource if you also add the current default value as Default - that way it should just work the same way as before, yet allow users to specify type = "RATE_BASED" if they need to.

[bekbulatov]

@radeksimko Thank you for the review. I believe the Required change for aws/resource_aws_waf_rule.go is fine, as we just duplicate AWS validation, it's not a breaking change.
I made type optional and default to REGULAR as recommended.

[radeksimko]

You're right - just checked the API docs - it was probably just overlooked.

Thanks.

[radeksimko]

Thank you for making the changes. I think we're getting very close to "merge-able" state. 🙂

Just one comment left about Optional/Required.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!