Terraform v0.11.13
```hcl
resource "random_id" "this" {
  byte_length = "8"
}

resource "aws_wafregional_geo_match_set" "geo_match_set" {
  name = "aws-geo-block-${random_id.this.hex}"

  geo_match_constraint {
    type  = "Country"
    value = "GB"
  }
}

resource "aws_wafregional_rule" "aws_geo" {
  depends_on  = ["aws_wafregional_geo_match_set.geo_match_set"]
  name        = "aws-geo-block-${random_id.this.hex}"
  metric_name = "awsGeoBlock${random_id.this.hex}"

  predicate {
    type    = "GeoMatch"
    data_id = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    negated = false
  }
}

resource "aws_wafregional_web_acl" "aws_geo" {
  name        = "${var.env}waf-GEO-${random_id.this.hex}"
  metric_name = "${var.env}wafGEO${random_id.this.hex}"

  default_action {
    type = "BLOCK"
  }

  rule {
    action {
      type = "ALLOW"
    }

    priority = "0"
    rule_id  = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    type     = "REGULAR"
  }
}
```
```text
Error: Error applying plan:

1 error(s) occurred:

* aws_wafregional_web_acl.abt_geo: 1 error(s) occurred:

* aws_wafregional_web_acl.abt_geo: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist.
	status code: 400, request id: bb07316c-b507-11e9-abea-651a98b64b5e

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

[terragrunt] 2019/08/02 09:27:22 Hit multiple errors:
exit status 1
MSG:
non-zero return code
```
The rule needs to be added to the WAF web ACL.

I'm getting an error: "aws_wafregional_web_acl.abt_geo: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist."

`terraform apply`

Almost everything is working correctly: I can see that Terraform is adding conditions to the Geo match set, the conditions contain the correct values, and I can also see the correct rule and web ACL. But for some reason the rule is not getting added to the new web ACL, and I'm getting an error that apparently the referenced item does not exist.

I'm using provider 2.13.0, but I've also tested version 1.60.0.

There was a similar issue in ticket #4078.
Hi @matt-flow 👋
It looks like in your configuration you have:

```hcl
resource "aws_wafregional_web_acl" "aws_geo" {
  # ...

  rule {
    action {
      type = "ALLOW"
    }

    priority = "0"
    rule_id  = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    type     = "REGULAR"
  }
}
```

Where `rule_id` is referencing the Geo Match Set resource and not the Rule resource. To fix this, you can update your configuration to:

```hcl
rule_id = "${aws_wafregional_rule.aws_geo.id}"
```
Hope this helps.
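The mistake above (a web ACL `rule_id` pointing at a match set instead of a rule) is easy to catch before `terraform apply` ever reaches the API. The following is an added example, not code from this thread or from the provider: a small regex-based pre-apply check that scans an HCL file for `aws_wafregional_web_acl` blocks whose `rule_id` references a resource type other than a WAF Regional rule. It assumes the 0.11 `"${...}"` interpolation style (it also tolerates bare 0.12 references) and uses a constructed copy of the reporter's ACL block as sample input; it is not a full HCL parser.

```python
import re

# Constructed sample input: the reporter's web ACL block, with rule_id
# referencing the geo match set (the misconfiguration discussed above).
SAMPLE_HCL = '''
resource "aws_wafregional_geo_match_set" "geo_match_set" {
  name = "aws-geo-block"
}

resource "aws_wafregional_web_acl" "aws_geo" {
  name = "waf-GEO"
  default_action {
    type = "BLOCK"
  }
  rule {
    action {
      type = "ALLOW"
    }
    priority = "0"
    rule_id = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    type = "REGULAR"
  }
}
'''

# The corrected form from the maintainer's reply, for comparison.
FIXED_HCL = SAMPLE_HCL.replace(
    "aws_wafregional_geo_match_set.geo_match_set.id",
    "aws_wafregional_rule.aws_geo.id",
)

# Resource types whose id is a WAF Regional RuleId and therefore valid
# inside a web ACL rule block; a match set id is a condition, not a rule.
VALID_RULE_TYPES = {"aws_wafregional_rule", "aws_wafregional_rate_based_rule"}

RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
# Matches both  rule_id = "${aws_x.y.id}"  (0.11) and  rule_id = aws_x.y.id  (0.12).
RULE_ID_RE = re.compile(r'rule_id\s*=\s*"?(?:\$\{)?(?P<ref_type>aws_\w+)\.(?P<ref_name>\w+)\.id\}?"?')


def find_bad_rule_ids(hcl: str):
    """Return (acl_name, referenced_type, referenced_name) for each rule_id in an
    aws_wafregional_web_acl that does not reference a WAF Regional rule resource."""
    findings = []
    headers = list(RESOURCE_RE.finditer(hcl))
    for i, header in enumerate(headers):
        if header.group("type") != "aws_wafregional_web_acl":
            continue
        # Block body runs until the next top-level resource header (or EOF).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(hcl)
        body = hcl[header.end():end]
        for m in RULE_ID_RE.finditer(body):
            if m.group("ref_type") not in VALID_RULE_TYPES:
                findings.append((header.group("name"), m.group("ref_type"), m.group("ref_name")))
    return findings


if __name__ == "__main__":
    for acl, ref_type, ref_name in find_bad_rule_ids(SAMPLE_HCL):
        print(f"web ACL {acl!r}: rule_id references {ref_type}.{ref_name}, expected a WAF rule")
```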
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!