Terraform-provider-aws: [aws_wafv2_web_acl] Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement

Created on 9 Jul 2020  ·  5 comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.25
+ provider.aws v2.69.0
+ provider.datadog v2.11.0
+ provider.template v2.1.2

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

resource "aws_wafv2_ip_set" "ipset_v4" {
  name               = "v4-whitelist-dev"
  description        = "IPV4 cell whitelist"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.1"]
}

resource "aws_wafv2_web_acl" "ca-whitelist" {
  name        = "allow-cloudauth"
  description = "Only permit certain IPs"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "ipv4-whitelist"
    priority = 0

    override_action {
      count {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipset_v4.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-ipv4-whitelist"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    Name = "test"
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "acl-allow-ips"
    sampled_requests_enabled   = false
  }

}

Expected Behavior

Terraform should create wafv2 web acl

Actual Behavior

Terraform throws an error when trying to create it using the code block as above:

Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "f7e26319-e005-41e9-9184-eb9dd3d0d392"
  },
  Field: "RULE",
  Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement",
  Parameter: "Statement",
  Reason: "A reference in your rule statement is not valid."
}

Steps to Reproduce

  1. terraform apply using the HCL above
service/wafv2

All 5 comments

I'm having the same issue doing a managed_rule_group_statement
My HCL:
```
resource "aws_wafv2_web_acl" "cf" {
  name  = "cf-rule"
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "common"
    priority = 1

    action {
      block {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "waf-blocks"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "waf-hits"
    sampled_requests_enabled   = false
  }
}
```

And getting the same error: 
```
Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "01abf998-632f-4ce2-b8d7-a217c457a832"
  },
  Field: "RULE",
  Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement",
  Parameter: "Statement",
  Reason: "A reference in your rule statement is not valid."
}
```

Hi @iramello, thank you for reporting this issue and apologies that the error returned from the AWS API isn't very clear about what part of the rule needs adjustment.

I believe the error documented in the description stems from the rule's override_action block. This block only applies to rules with rule_group_reference_statement or managed_rule_group_statement blocks, while the rule defined in the config contains the statement of type ip_set_reference_statement. Instead of this override_action block, the rule needs the action block which contains either allow, block or count arguments; more info can be found in this section of the docs (https://www.terraform.io/docs/providers/aws/r/wafv2_web_acl.html#rules).

@evanspaeder, in your case the override_action block (instead of action) should be the fix since the rule's statement is of type managed_rule_group_statement :)

Hope this helps! If any further questions arise please let me know!

Related to #14094
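The two rule shapes side by side, as an added example written for this page (not code from the issue or from the provider): a rule whose statement is a plain match such as ip_set_reference_statement takes `action`, and a rule whose statement references a rule group (managed_rule_group_statement or rule_group_reference_statement) takes `override_action`. Resource names, the address range and metric names are illustrative; the IP set mirrors the reporter's. One caveat the thread does not raise: an allow rule only restricts traffic when the default action is block, so this example sets `default_action { block {} }` to match the stated intent of only permitting certain IPs; to observe matches first without enforcing, use `count {}` as the report did.

```hcl
# Added example, not the issue author's or the provider's own code.
# Names, ARNs, the address range and metric names are assumed for illustration.

resource "aws_wafv2_ip_set" "ipset_v4" {
  name               = "v4-whitelist-dev"
  description        = "IPv4 allowlist"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.0/24"] # constructed example range
}

resource "aws_wafv2_web_acl" "example" {
  name        = "allow-cloudauth"
  description = "Only permit certain IPs; inspect everything else"
  scope       = "REGIONAL"

  # With default_action allow, an allow rule changes nothing; the default
  # must be block for an allowlist to actually restrict traffic.
  default_action {
    block {}
  }

  # Plain statement (ip_set_reference_statement): the rule takes `action`.
  # `override_action` here is what produced WAFInvalidParameterException.
  rule {
    name     = "ipv4-whitelist"
    priority = 0

    action {
      allow {} # use count {} instead while validating the IP set
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipset_v4.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-ipv4-whitelist"
      sampled_requests_enabled   = true
    }
  }

  # Rule-group statement (managed_rule_group_statement or
  # rule_group_reference_statement): the rule takes `override_action`.
  # none {} keeps each rule's own action inside the group;
  # count {} overrides every rule in the group to count-only.
  rule {
    name     = "common"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "waf-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "acl-allow-ips"
    sampled_requests_enabled   = true
  }
}
```

Rules are evaluated in priority order and allow is a terminating action, so requests from the listed addresses are never inspected by the managed rule group in this layout; give the managed group the lower priority number if allowlisted sources should still be checked. `override_action { count {} }` is the right setting for a tuning period, but it means the managed group blocks nothing until it is switched back to `none {}`.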

@anGie44 Thanks A LOT for your reply, changing override_action for action did the trick :facepalm:

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
