|
1 | | -## [Unreleased] - v2.3.7 |
| 1 | +## [v2.3.7] - 2026-04-28 |
2 | 2 |
|
3 | | -### Bug Fixes |
| 3 | +> Rule lifecycle stability: 45 schema fields go mutable so `plan` reports update-in-place instead of destroy+recreate, several long-standing false-diff sources are fixed, and counter / empty-body destroy semantics are clarified. |
4 | 4 |
|
5 | | -* Fixed `data.wallarm_rules` double-counting `wallarm_rule_credential_stuffing_regex` and `wallarm_rule_credential_stuffing_point` rules when Create and the data source read happen in the same `terraform apply`. The v2.3.2 dedup fix added the `isCredentialStuffingType` filter at three cache-population sites but missed `HintCache.Insert`; this completes the fix at the fourth site so credential_stuffing rules never enter the generic hint cache. |
6 | | -* `terraform destroy` of `wallarm_rule_bruteforce_counter`, `wallarm_rule_dirbust_counter`, and `wallarm_rule_bola_counter` is now state-only. The Wallarm API rejects on-demand counter deletes (returns HTTP 200 with empty body) and counters auto-clean ~30 seconds after their last trigger reference is removed; the previous Delete implementation issued a no-op API call and falsely reported destroy success while the counter persisted server-side. The new behavior drops the resource from state and emits an `[INFO]` log line directing operators to the auto-clean lifecycle. |
7 | | -* `terraform destroy` on every other rule resource now emits a `[WARN]` log line when the API returns an empty response body — the rule was already absent server-side (deleted out-of-band, never existed, or silently rejected). The destroy still succeeds, but operators get a signal that their delete may not have changed anything. Previously this case was indistinguishable from a successful delete because wallarm-go discarded the response body. |
| 5 | +### Upgrade Steps |
8 | 6 |
|
9 | | -* Fixed perpetual destroy+recreate plan diff for `iequal`-typed action conditions with mixed-case values. The Wallarm API downcases `iequal` values server-side, so any mixed-case literal in HCL would drift against the lowercased state on every plan. The fix covers both shapes the matched string can take: |
10 | | - - **`value` field** for paired-element points (`header`, `query`): e.g. `point = { header = "HOST" }, value = "Example.com"`. |
11 | | - - **point map value** for value-bearing points (`action_name`, `action_ext`, `method`, `instance`, `proto`, `scheme`, `uri`): e.g. `point = { action_name = "TEST" }`. |
12 | | - The action TypeSet hash now lowercases iequal values in both shapes (set membership stable), and `DiffSuppressFunc`s on `action.value` and `action.point` treat case-only differences as equivalent when the sibling `type` is `iequal`. Affects every rule resource using `ScopeActionSchema` / `ScopeActionSchemaMutable`. |
| 7 | +* Bump the provider to `v2.3.7`. No HCL migration required. |
| 8 | +* [ACTION REQUIRED] Provider developers consuming `wallarm-go` directly: `wallarm.API.HintDelete(...)` now returns `*HintDeleteResp{Status, Body}` (was `error` only). Update call sites. End users writing only HCL are unaffected. |
13 | 9 |
|
14 | | -* `terraform plan` now reports **update-in-place** (instead of destroy+recreate) for many rule schema fields whose API supports PUT updates. Previously every non-`comment`/`variativity_disabled` change required replacement because the schema declared the field `ForceNew` or the provider's shared Update path never sent it. The audit at `.claude/manual-testing/audit-update-fields/results.md` enumerates all 45 field/resource pairs migrated from `ForceNew` to mutable, plus 8 fields explicitly kept `ForceNew` (where PUT is rejected or silently no-op). Affected resources: `wallarm_rule_mode`, `wallarm_rule_api_abuse_mode`, `wallarm_rule_vpatch`, `wallarm_rule_disable_stamp`, `wallarm_rule_disable_attack_type`, `wallarm_rule_regex`, `wallarm_rule_parser_state`, `wallarm_rule_set_response_header`, `wallarm_rule_uploads`, `wallarm_rule_overlimit_res_settings`, `wallarm_rule_graphql_detection`, `wallarm_rule_file_upload_size_limit`, `wallarm_rule_rate_limit`, `wallarm_rule_rate_limit_enum`, `wallarm_rule_bola`, `wallarm_rule_brute`, `wallarm_rule_enum`, `wallarm_rule_forced_browsing`, `wallarm_rule_credential_stuffing_regex`, `wallarm_rule_credential_stuffing_point`. Existing state files keep working — the schema change is purely additive (drops `ForceNew`). |
| 10 | +### Bug Fixes |
15 | 11 |
|
16 | | -* `wallarm_rule_overlimit_res_settings` now blocks `terraform apply` when a same-scope rule of the same type already exists, returning the canonical `ImportAsExistsError` directing the user to import the existing resource. Previously a second resource block with the same `action {}` scope would silently bind to the existing API hint, producing post-apply state divergence. The guard matches the behavior already in place on `wallarm_rule_mode` and `wallarm_rule_api_abuse_mode`. Other rule types are not affected — they have additional discriminators (`point`, `enumerated_parameters`, `arbitrary_conditions`) that legitimately allow multiple rules per action scope. |
| 12 | +* **fix(rule):** `terraform plan` reports update-in-place (instead of destroy+recreate) for 45 rule fields whose API supports PUT updates. Existing state remains compatible. |
| 13 | +* **fix(action_scope):** `iequal` action conditions no longer perpetually drift on mixed-case values; covers both `value` field and value-bearing point keys (`action_name`, `action_ext`, `method`, `instance`, `proto`, `scheme`, `uri`). |
| 14 | +* **fix(action_scope):** action conditions no longer perpetually drift on header-name case (API uppercases header names regardless of `type`). |
| 15 | +* **fix(rule_overlimit_res_settings):** Create now returns `ImportAsExistsError` when a same-scope rule already exists, matching `wallarm_rule_mode` / `_api_abuse_mode` behaviour. |
| 16 | +* **fix(rule_credential_stuffing):** `data.wallarm_rules` no longer double-counts credential_stuffing rules within the same `terraform apply` — completes the v2.3.2 dedup at the missed `HintCache.Insert` site. |
| 17 | +* **fix(rule_counters):** `terraform destroy` of `bruteforce_counter` / `dirbust_counter` / `bola_counter` is state-only; counters auto-clean ~30s after their last trigger reference is removed. |
| 18 | +* **fix(rule_counters):** `title`, `active`, `set` are now `Computed` so counters don't surface phantom diffs after Create. |
| 19 | +* **fix(rule):** Delete emits a `[WARN]` when the API returns an empty body (rule already absent server-side). |
17 | 20 |
|
18 | 21 | ### Other Changes |
19 | 22 |
|
20 | | -* Bumped `wallarm-go` to `v0.12.0` for the new `HintDelete` response surface (`*HintDeleteResp{Status, Body []ActionBody}`) and the extended `HintUpdateV3Params` (~30 new pointer fields covering the full mutable rule surface). End users writing only HCL are unaffected; downstream Go consumers calling `wallarm.API.HintDelete(...)` see the breaking signature change documented in the wallarm-go changelog. |
21 | | -* Extracted shared `resourcerule.Delete` factory used by 21 rule resources (replaces ~17 lines of identical Delete boilerplate per resource). The 2 `wallarm_rule_credential_stuffing_*` resources keep custom Deletes because they additionally invalidate `CredentialStuffingCache` after the API call. |
22 | | -* Extended `resourcerule.Update` with variadic `UpdateCustomizer` parameters and a library of `With*` helpers (one per mutable field). Per-resource Update wiring is now a one-liner like `UpdateContext: resourcerule.Update(apiClient, resourcerule.WithMode, resourcerule.WithThreshold, resourcerule.WithReaction)`. |
| 23 | +* **build(deps):** bump `wallarm-go` to `v0.12.0` (typed `HintDelete` response, extended `HintUpdateV3Params` with ~30 mutable-field pointers). |
| 24 | +* **refactor(rule):** shared `resourcerule.Delete` factory (21 rule resources). |
| 25 | +* **refactor(rule):** `resourcerule.Update` accepts variadic `UpdateCustomizer`s; new `With*` helper library wires per-resource Update in one line. |
| 26 | +* **test(rule):** in-place Update acceptance tests for every mutable rule resource; ported pinterest-scope (`api_abuse_mode`) and multi-vpatch-per-action smokes to acc; unit tests for Update customizers and `HintCache.LoadAll` / `All`. |
| 27 | +* **docs(api_spec):** moved `wallarm_api_spec` and `wallarm_api_spec_policy` to the `Common` subcategory. |
| 28 | +* **build(makefile):** dropped `-race` from `make testacc` until remaining rule tests migrate to the v2.3.5 pattern (`ProtoV5ProviderFactories` + `testAccNewAPIClient`); unit tests still run under `-race`. |
23 | 29 |
|
24 | 30 | ## [v2.3.6] - 2026-04-24 |
25 | 31 |
|
|
0 commit comments