Cannot associate an aws_wafregional_rate_based_rule with an aws_wafregional_web_acl resource #4184

Closed
exNewbie opened this issue Apr 12, 2018 · 11 comments · Fixed by #4978
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service.
Comments

@exNewbie

Terraform Version

Terraform v0.11.7

  • provider.aws v1.14.1

Affected Resource(s)

  • aws_wafregional_rate_based_rule
  • aws_wafregional_web_acl

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_wafregional_rate_based_rule" "wafrule" {
  depends_on  = ["aws_wafregional_ipset.ipset"]
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  rate_key = "IP"
  rate_limit = 2000

  predicate {
    data_id = "${aws_wafregional_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "wafacl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id = "${aws_wafregional_rate_based_rule.wafrule.id}"
  }
}

Debug Output

https://github.com/terraform-providers/terraform-provider-aws/files/1901714/terraform-debug.log

Expected Behavior

Terraform should associate the aws_wafregional_rate_based_rule resource with the aws_wafregional_web_acl one.

Actual Behavior

Terraform throws errors:

  • aws_wafregional_web_acl.wafacl: 1 error(s) occurred:

  • aws_wafregional_web_acl.wafacl: Error Updating WAF Regional ACL: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist.
    status code: 400, request id: 5468cd42-3e20-11e8-8d2f-774c6f8a4408

Steps to Reproduce

terraform apply

@radeksimko radeksimko added enhancement Requests to existing resources that expand the functionality or scope. service/waf Issues and PRs that pertain to the waf service. labels Apr 24, 2018
@mvankrieken

Hello Terraform, this might be a duplicate of the old ticket #4078, but is there any view on when this will be fixed, or is there maybe a workaround to get the aws_wafregional_rate_based_rule linked some other way?

@exNewbie
Author

@mvankrieken I have retried and the problem still hasn't been resolved. My workaround is to attach the rate-based rule manually to the WebACL.

Also, my bug is different from #4078. It occurs specifically with the rate-based rule.

@mvankrieken

@exNewbie I also tried it with AWS provider version 1.22, but indeed I also still get the error. For now I manually added the rule I wanted. I did place

lifecycle {
  ignore_changes = ["rule"]
}

to avoid an update loop, so the template as a whole does not get stuck.

@keldush

keldush commented Jun 13, 2018

@mvankrieken @exNewbie
The same issue applies to aws_wafregional_size_constraint_set; it cannot be attached to a web ACL.

@mvankrieken

mvankrieken commented Jun 13, 2018

@keldush Hmm, I did not have trouble with that. You should make a set, connect that to a rule, and then connect the rule to the web ACL.

resource "aws_wafregional_size_constraint_set" "size_constraint_uri" {
  name = "SomeNameMaxUriSet"

  size_constraints {
    text_transformation = "URL_DECODE"
    comparison_operator = "GT"
    size                = "100"

    field_to_match {
      type = "URI"
    }
  }
}

resource "aws_wafregional_rule" "size_constraint_uri_rule" {
  name        = "SomeNameMaxUriRule"
  metric_name = "SomeNameMaxUriRule"

  predicate {
    data_id = "${aws_wafregional_size_constraint_set.size_constraint_uri.id}"
    negated = false
    type    = "SizeConstraint"
  }

  depends_on = ["aws_wafregional_size_constraint_set.size_constraint_uri"]
}

resource "aws_wafregional_web_acl" "main_alb_acl" {
  name        = "SomeNameCsAcl"
  metric_name = "SomeNameCsAcl"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule.size_constraint_uri_rule.id}"
  }

  depends_on = ["aws_wafregional_rule.size_constraint_uri_rule"]
}

Something like above should work.

@keldush

keldush commented Jun 13, 2018

@mvankrieken You are absolutely correct, sir, my bad.
It's working for me.

@svenwltr
Contributor

I guess this is happening because the provider currently ignores the Type field.

See:

From the GoDocs:

// The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined
// by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR.
// Although this field is optional, be aware that if you try to add a RATE_BASED
// rule to a web ACL without setting the type, the UpdateWebACL request will
// fail because the request tries to add a REGULAR rule with the specified ID,
// which does not exist.

@bflad
Contributor

bflad commented Jun 25, 2018

The aws_wafregional_web_acl resource support for rule type has been merged into master via #4978 and will release with version 1.25.0 of the AWS provider, likely in the middle of this week. Please note you must configure this new attribute for RATE_BASED rules.

@bflad
Contributor

bflad commented Jun 27, 2018

This has been released in version 1.25.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
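An added example, not code from this thread or from the provider's own documentation, showing the fix that closed this issue in complete form: a regional web ACL that holds a REGULAR rule and a RATE_BASED rule side by side, each with its rule type stated explicitly. It assumes provider 1.25.0 or later; the resource names and the 192.0.2.0/24 range are constructed.

```hcl
resource "aws_wafregional_ipset" "blocklist" {
  name = "exampleBlocklist"
  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.2.0/24" # constructed sample range
  }
}

resource "aws_wafregional_rule" "blocklist_rule" {
  name        = "exampleBlocklistRule"
  metric_name = "exampleBlocklistRule"
  predicate {
    data_id = "${aws_wafregional_ipset.blocklist.id}"
    negated = false
    type    = "IPMatch"
  }
}

# No predicate: every client IP is counted; any IP over 2000 requests per 5 minutes matches.
resource "aws_wafregional_rate_based_rule" "flood" {
  name        = "exampleFloodRule"
  metric_name = "exampleFloodRule"
  rate_key    = "IP"
  rate_limit  = 2000
}

resource "aws_wafregional_web_acl" "acl" {
  name        = "exampleWebACL"
  metric_name = "exampleWebACL"
  default_action {
    type = "ALLOW"
  }
  rule {
    type     = "REGULAR"
    priority = 1
    rule_id  = "${aws_wafregional_rule.blocklist_rule.id}"
    action {
      type = "BLOCK"
    }
  }
  # Without type = "RATE_BASED" the provider submitted this ID as a REGULAR rule: the WAFNonexistentItemException above.
  rule {
    type     = "RATE_BASED"
    priority = 2
    rule_id  = "${aws_wafregional_rate_based_rule.flood.id}"
    action {
      type = "BLOCK"
    }
  }
}
```

REGULAR is the default and could be omitted on the first rule; it is written out only to contrast with the rate-based rule beneath it.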

@YadavPriya

I was getting the same error when trying to attach 'aws_wafregional_rate_based_rule' to a web ACL. This was due to two reasons: 1. the rule type and 2. adding the depends_on parameter in the web ACL for the rate-based rule.
You can see on the AWS console that when you attach a rate-based rule to a web ACL manually, the rule type is 'Rate-based', unlike for other rules where it shows 'Regular'.
So when I defined the rule type explicitly in Terraform, it worked. Something like this:

WAF Web ACL

#===========================
resource "aws_wafregional_web_acl" "test" {
  name        = "test"
  metric_name = "test"
  depends_on  = ["aws_wafregional_rate_based_rule.rate-rule-example"]

  default_action {
    type = "BLOCK"
  }

  rule {
    action {
      type = "ALLOW"
    }

    type     = "RATE_BASED"
    priority = 1
    rule_id  = "${aws_wafregional_rate_based_rule.rate-rule-example.id}"
  }
}

@ghost

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019