aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Error when using create-web-acl #5571

Closed dasousa closed 4 years ago

dasousa commented 4 years ago

Platform/OS/Hardware/Device
aws-cli version 2.0.51, Linux

Describe the question
I am using version 2.0.51 of the cli, and trying to create a v2 WAF. Running the command aws wafv2 create-web-acl --cli-input-json file://waf.json using the attached file results in the following response:

An error occurred (WAFInvalidParameterException) when calling the CreateWebACL operation: Error reason: Your statement has multiple values set for a field that requires exactly one value., field: RULE, parameter: Rule

I can't find what is wrong with the attached JSON. Can somebody confirm if this issue is a bug, or if the attached JSON is incorrect? I'll create a bug report, if necessary.

waf.txt

Logs/output

An error occurred (WAFInvalidParameterException) when calling the CreateWebACL operation: Error reason: Your statement has multiple values set for a field that requires exactly one value., field: RULE, parameter: Rule

dasousa commented 4 years ago

The issue seems to be that OverrideAction was missing from the Rule. When adding "OverrideAction":{"None":{}} to the Rule, then the ACL was created. The error message could be improved.

kdaily commented 4 years ago

Hi @dasousa,

Thanks for the report. That sure doesn't look like a very informative error message to indicate the issue. Since this comes from the server side, I'll report this to the API team.

To help you fix, I looked at the Rule documentation, and it looks like either Action or OverrideAction must be specified, in specific conditions. Since you have specified a managed rule group, this applies:

If the rule statement references a rule group, use the override action setting and not this action setting.
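A local pre-flight check for the condition this thread turned on, as an added example (not code from the thread or from aws-cli): it reports rules whose Action/OverrideAction setting does not match their statement type before the file is passed to create-web-acl. The function names and the trimmed sample are constructed here; the pairing of rule-group statements with OverrideAction and all other statements with Action is assumed from the Rule documentation quoted above.

```python
import copy

# WAFv2 statement types that reference a rule group.
RULE_GROUP_STATEMENTS = {"ManagedRuleGroupStatement", "RuleGroupReferenceStatement"}


def check_rule_actions(web_acl):
    """Return Action/OverrideAction problems per rule; an empty list means OK."""
    problems = []
    for index, rule in enumerate(web_acl.get("Rules", [])):
        name = rule.get("Name", f"rule[{index}]")
        refs_group = bool(RULE_GROUP_STATEMENTS & set(rule.get("Statement", {})))
        if refs_group:
            expected, other, kind = "OverrideAction", "Action", "references a rule group"
        else:
            expected, other, kind = "Action", "OverrideAction", "has no rule group"
        if other in rule:
            problems.append(f"{name}: {kind}, so {other} must not be set")
        if expected not in rule:
            problems.append(f"{name}: {kind}, so {expected} is required")
        elif len(rule[expected]) != 1:
            problems.append(f"{name}: {expected} must hold exactly one setting")
    return problems


# Constructed, trimmed sample modelled on the issue: a managed rule group rule with no action.
BROKEN_ACL = {
    "Name": "test-web-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {
            "Name": "rule-one",
            "Priority": 1,
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": "AWSManagedRulesUnixRuleSet",
                }
            },
        }
    ],
}


def fixed_acl():
    """Apply the fix reported in the thread: OverrideAction set to None."""
    acl = copy.deepcopy(BROKEN_ACL)
    acl["Rules"][0]["OverrideAction"] = {"None": {}}
    return acl


if __name__ == "__main__":
    for label, acl in (("broken", BROKEN_ACL), ("fixed", fixed_acl())):
        print(label, check_rule_actions(acl) or "OK")
```

Running the same check over a real input file only needs json.load on the file before calling check_rule_actions.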