Terraform-provider-aws: Error on Apply when creating a WAF rule group and attaching to WebACL

Created on 5 Apr 2018  ·  8Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.11.5

  • provider.aws v1.13.0

Affected Resource(s)

  • aws_waf_web_acl
  • aws_wafregional_web_acl

Terraform Configuration Files

resource "aws_waf_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_waf_rule_group.example.id}"
    type     = "REGULAR"
  }
}

resource "aws_wafregional_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule_group.example.id}"
  }
}

resource "aws_waf_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_waf_rule_group" "example" {
  name        = "example"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }

    priority = 50
    rule_id  = "${aws_waf_rule.example.id}"
  }
}

resource "aws_wafregional_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_wafregional_rule_group" "example" {
  name        = "example_group"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }

    priority = 50
    rule_id  = "${aws_wafregional_rule.example.id}"
  }
}

Debug Output

https://gist.github.com/erikpaasonen/035ca50b9ba05f74cc814a28884b608d

Panic Output

N/A

Expected Behavior

Terraform should attach the Rule Group object to the WebACL object in both Global and Regional contexts.

Actual Behavior

Error message:

2 error(s) occurred:

* aws_waf_web_acl.waf_acl: 1 error(s) occurred:

* aws_waf_web_acl.waf_acl: Error Updating WAF ACL: Error Updating WAF ACL: WAFNonexistentItemException: The referenced item does not exist.
    status code: 400, request id: bb46863e-38fe-11e8-8e90-559f01c77452
* aws_wafregional_web_acl.waf_acl: 1 error(s) occurred:

* aws_wafregional_web_acl.waf_acl: Error Updating WAF Regional ACL: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist.
    status code: 400, request id: bc85e4b1-38fe-11e8-8077-2d567cf5aa85

Checking the WebACL in the AWS Console shows the rule set is empty, i.e. the rule group was not actually attached to the WebACL.

Steps to Reproduce

  1. terraform apply with the above code

Important Factoids

Support for rule groups was very recently added to the AWS Provider. Fairly certain that this is simply an oversight during initial implementation.

References

  • #4052
  • #3898
bug servicwaf
Source
picture erikpaasonen
👍3

Most helpful comment

Same issue here. I'm using only the aws_wafregional_* variants of rules, match sets, ACLs and associations. Applying multiple times does not help (at least on my tests). I'm using the following versions:

Terraform v0.11.7

  • provider.aws v1.17.0
  • provider.null v1.0.0
  • provider.random v1.2.0
  • provider.template v1.0.0
picture millenc on 13 May 2018
👍4

All 8 comments

Should also mention, in the case of waf, subsequent Apply runs succeed, but in the case of waf-regional it will always output this error message (no clean Apply).

erikpaasonen picture erikpaasonen on 5 Apr 2018
👍2

This is because you are mixing aws_waf_web_acl with regional waf resources. You should use aws_wafregional_web_acl instead of aws_waf_web_acl

Releng-InventiveDesigners picture Releng-InventiveDesigners on 10 Apr 2018
👍1

I was able to replicate the error even after using aws_wafregional_* for the rule, rule group and webacl. I face the below error as explained above during Tf apply. Tf plan just works fine!

  • aws_wafregional_rule.rule1: Error Updating WAF Rule: Error Updating WAF Rule: WAFNonexistentItemException: The referenced item does not exist.
    status code: 400, request id: XXXX

rule1 is clearly defined as aws_wafregional_rule rule.

umeshruk picture umeshruk on 3 May 2018
👍3

Same issue here. I'm using only the aws_wafregional_* variants of rules, match sets, ACLs and associations. Applying multiple times does not help (at least on my tests). I'm using the following versions:

Terraform v0.11.7

  • provider.aws v1.17.0
  • provider.null v1.0.0
  • provider.random v1.2.0
  • provider.template v1.0.0
millenc picture millenc on 13 May 2018
👍4

Same here, using only aws_wafregional_*, not mixing.

Versions used:
Terraform: v0.11.7
provider.aws: v1.25.0, v1.24.0, v1.23.0 and v1.22.0 (didn't try earlier versions since people seem to be complaining about this anyway)

jordimolesblanco picture jordimolesblanco on 3 Jul 2018

This should be fixed with #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 👍 

# Implementation is similar for aws_wafregional_web_acl resource
resource "aws_waf_web_acl" "example" {
 # ... other configuration ...
  rules {
    # ... other configuration ...
    override_action {
       type = "NONE"
    }
    type = "GROUP"
    rule_id = "${aws_waf_rule_group.example.id}"
  }
}
bflad picture bflad on 9 Jul 2018

This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

bflad picture bflad on 11 Jul 2018

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

hashibot[bot] picture hashibot[bot] on 4 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghost picture ghost  ·  3Comments
modax picture modax  ·  3Comments
hashibot picture hashibot  ·  3Comments
hashibot picture hashibot  ·  3Comments
hazmeister picture hazmeister  ·  3Comments