Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[aws_wafv2_web_acl] WAFInvalidParameterException after import of Web ACL #14029

Closed
sc250024 opened this issue Jul 2, 2020 · 5 comments · Fixed by #14616
Closed

[aws_wafv2_web_acl] WAFInvalidParameterException after import of Web ACL #14029

sc250024 opened this issue Jul 2, 2020 · 5 comments · Fixed by #14616
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Milestone
v3.2.0

Comments

@sc250024
Copy link

sc250024 commented Jul 2, 2020
edited
Loading

Description

Running terraform apply of a aws_wafv2_web_acl that was imported using terraform import throws an error because of an invalid configuration.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform version
Terraform v0.12.24
+ provider.aws v2.68.0
+ provider.local v1.4.0

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

waf.tf 
resource aws_wafv2_web_acl example {
  name        = "example-web-acl"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesAdminProtectionRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAdminProtectionRuleSet"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWS-AWSManagedRulesAmazonIpReputationList"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWS-AWSManagedRulesAnonymousIpList"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 6

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
    priority = 5

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWS-AWSManagedRulesLinuxRuleSet"
    priority = 4

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesLinuxRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesLinuxRuleSet"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWS-AWSManagedRulesUnixRuleSet"
    priority = 3

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesUnixRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesUnixRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl"
    sampled_requests_enabled   = true
  }
}

Debug Output

Trace output: https://gist.github.com/sc250024/00e7b574459e3ee5bc930cde663dc099

Note that I previously run a terraform plan -out ... command, and then ran the apply command. The above Gist is from the apply of the plan file.

Panic Output

N/A

Expected Behavior

Terraform should not complain about changing a resource it has imported. All of the rule blocks, as well as the default_action and root visibility_config blocks all came from the import.

Actual Behavior

Terraform runs a terraform plan fine, but when the apply stage comes, the following error is shown on the console:

Error: Error updating WAFv2 WebACL: WAFInvalidParameterException: Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "eb27127f-e0e7-4d5d-bc6d-6f2e97acc0fb"
  },
  Field: "STATEMENT",
  Message_: "Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement",
  Parameter: "Statement",
  Reason: "Your statement has multiple values set for a field that requires exactly one value."
}

Steps to Reproduce

  • Go to the AWS console, and create a WAFv2 ACL rule with the following options:

example-aws-managed-rule-group

  • Run a terraform import of the Web ACL resource created above.

  • Run a terraform state show aws_wafv2_web_acl.common of the resource to get the rules blocks, and put it in the main definition of aws_wafv2_web_acl.

  • Change something about the aws_wafv2_web_acl, like the description field, and run a terraform apply.

  • Observe the 400 error mentioned above.

Important Factoids

I am running a terraform import because I typically do this to avoid having to manually type complicated Terraform code, such as the one created by aws_wafv2_web_acl in this case.
@ghost ghost added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Jul 2, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 2, 2020
@sc250024
Copy link
Author

sc250024 commented Jul 2, 2020
edited
Loading

Hmmmm ... I guess you must have the...

    override_action {
      none {}
    }

...block present in the rules block? I just tried creating a simpler ACL using IP sets with only one rule and received a similar error.

@ewbankkit ewbankkit mentioned this issue Jul 2, 2020
Closed
@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 3, 2020
@anGie44 anGie44 mentioned this issue Jul 7, 2020
Closed
@ewbankkit ewbankkit mentioned this issue Jul 17, 2020
Closed
@rabidscorpio
Copy link

Hmmmm ... I guess you must have the...

    override_action {
      none {}
    }

...block present in the rules block? I just tried creating a simpler ACL using IP sets with only one rule and received a similar error.

This! I kept getting the same error except it was complaining about field: RULE, parameter: Rule instead. Putting in the override_action fixed the error. The AWS docs say that you need to use override_action when a rule references a managed_rule_group_statement or rule_group_reference_statement but the terraform docs are not explicit about this being an absolute requirement.

From https://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html:

OverrideAction

The override action to apply to the rules in a rule group. Used only for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
Set the override action to none to leave the rule actions in effect. Set it to count to only count matches, regardless of the rule action settings.
In a Rule, you must specify either this OverrideAction setting or the rule Action setting, but not both:
    * If the rule statement references a rule group, use this override action setting and not the action setting.
    * If the rule statement does not reference a rule group, use the rule action setting and not this rule override action setting.
Type: OverrideAction object
Required: No

@anGie44 anGie44 mentioned this issue Aug 13, 2020
Merged
@anGie44 anGie44 added this to the v3.2.0 milestone Aug 13, 2020
@anGie44
Copy link
Contributor

anGie44 commented Aug 13, 2020

A fix has been merged and will release with v3.2.0 of the Terraform AWS Provider, expected out later today.

@ghost
Copy link

ghost commented Aug 14, 2020

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Sep 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Projects
None yet
Milestone
v3.2.0
4 participants
@rabidscorpio @breathingdust @sc250024 @anGie44