
Error when adding a rule to the web acl (waf) #9602

Closed
matt-flow opened this issue Aug 2, 2019 · 2 comments
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/waf Issues and PRs that pertain to the waf service.

Comments

@matt-flow

Terraform Version

Terraform v0.11.13

Terraform Configuration Files

resource "random_id" "this" {
  byte_length = "8"
}

resource "aws_wafregional_geo_match_set" "geo_match_set" {
  name = "aws-geo-block-${random_id.this.hex}"

  geo_match_constraint {
    type  = "Country"
    value = "GB"
  }
}

resource "aws_wafregional_rule" "aws_geo" {
  depends_on  = ["aws_wafregional_geo_match_set.geo_match_set"]
  name        = "aws-geo-block-${random_id.this.hex}"
  metric_name = "awsGeoBlock${random_id.this.hex}"

  predicate {
    type    = "GeoMatch"
    data_id = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    negated = false
  }
}

resource "aws_wafregional_web_acl" "aws_geo" {
  name        = "${var.env}waf-GEO-${random_id.this.hex}"
  metric_name = "${var.env}wafGEO${random_id.this.hex}"

  default_action {
    type = "BLOCK"
  }

  rule {
    action {
      type = "ALLOW"
    }

    priority = "0"
    rule_id  = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    type     = "REGULAR"
  }
}

Debug Output

Error: Error applying plan:

1 error(s) occurred:

  • aws_wafregional_web_acl.abt_geo: 1 error(s) occurred:

  • aws_wafregional_web_acl.abt_geo: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist.
    status code: 400, request id: bb07316c-b507-11e9-abea-651a98b64b5e

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

[terragrunt] 2019/08/02 09:27:22 Hit multiple errors:
exit status 1

MSG:

non-zero return code

Expected Behavior

The rule needs to be added to the WAF web ACL.

Actual Behavior

I'm getting an error "aws_wafregional_web_acl.abt_geo: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist."

Steps to Reproduce

terraform apply

Additional Context

Almost everything is working correctly. I can see that Terraform is adding conditions to the geo match set, the conditions contain correct values, and I can also see the correct rule and web ACL, but for some reason the rule is not getting added to the new web ACL and I'm getting an error that apparently the referenced item does not exist.

I'm using provider 2.13.0 but I've also tested version 1.60.0.

There was a similar issue in ticket #4078.

@ghost ghost added the service/waf Issues and PRs that pertain to the waf service. label Aug 2, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 2, 2019
@bflad
Contributor

bflad commented Aug 2, 2019

Hi @matt-flow 👋

It looks like in your configuration you have:

resource "aws_wafregional_web_acl" "aws_geo" {
  # ...

  rule {
    action {
      type = "ALLOW"
    }

    priority = "0"
    rule_id  = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    type     = "REGULAR"
  }
}

Where rule_id is referencing the Geo Match Set resource and not the Rule resource. To fix this, you can update your configuration to:

    rule_id = "${aws_wafregional_rule.aws_geo.id}"

Hope this helps.

@bflad bflad added waiting-response Maintainers are waiting on response from community or contributor. question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 2, 2019
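The reporter's stack with bflad's correction applied, as an added example that is not from the issue or the provider's own documentation. It keeps the Terraform 0.11 interpolation syntax the report uses, assumes a value for the reporter's var.env, and drops the explicit depends_on because the interpolation of the match set's id already creates that dependency. The point to check is the chain of IDs: the geo match set id goes into the rule's predicate data_id, and only the rule's id goes into the web ACL's rule_id.

```hcl
# Added example (not from the issue or the provider): corrected web ACL wiring.
# Terraform 0.11 syntax, matching the reporter's v0.11.13.

variable "env" {
  default = "dev" # assumed value; the report only shows it as var.env
}

resource "random_id" "this" {
  byte_length = 8
}

# Condition: matches requests whose source country is GB.
resource "aws_wafregional_geo_match_set" "geo_match_set" {
  name = "aws-geo-block-${random_id.this.hex}"

  geo_match_constraint {
    type  = "Country"
    value = "GB"
  }
}

# Rule: wraps the condition. The predicate's data_id is the match set ID,
# and the predicate is the only place the match set ID belongs.
resource "aws_wafregional_rule" "aws_geo" {
  name        = "aws-geo-block-${random_id.this.hex}"
  metric_name = "awsGeoBlock${random_id.this.hex}"

  predicate {
    type    = "GeoMatch"
    data_id = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    negated = false
  }
}

# Web ACL: default BLOCK; ALLOW only what the GB rule matches (a geo allow-list).
# rule_id must be the rule's ID. Passing the match set ID here, as the report did,
# is what produced WAFNonexistentItemException: the ACL looked up a Rule with the
# ID of a GeoMatchSet and found nothing.
resource "aws_wafregional_web_acl" "aws_geo" {
  name        = "${var.env}waf-GEO-${random_id.this.hex}"
  metric_name = "${var.env}wafGEO${random_id.this.hex}"

  default_action {
    type = "BLOCK"
  }

  rule {
    action {
      type = "ALLOW"
    }

    priority = 0
    rule_id  = "${aws_wafregional_rule.aws_geo.id}"
    type     = "REGULAR"
  }
}
```

After an apply, `terraform state show aws_wafregional_rule.aws_geo` prints the rule's id, and `aws waf-regional get-rule --rule-id <that id>` should return it; running `get-rule` with the match set's id instead reproduces the "referenced item does not exist" error outside Terraform, which is a quick way to confirm which kind of ID a resource is holding. Two caveats on the configuration itself: metric_name values must be alphanumeric, so a var.env containing a hyphen would fail on the web ACL, and the ACL enforces nothing until it is associated with a regional resource (an ALB or API Gateway stage) through aws_wafregional_web_acl_association.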
@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019
@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Nov 2, 2019