boto / boto3

AWS SDK for Python
https://aws.amazon.com/sdk-for-python/
Apache License 2.0

function associate_web_acl in class- "WAFRegional.Client"- is not working. #989

Closed BhanuCh closed 7 years ago

BhanuCh commented 7 years ago

I have written a Python program to attach a Web ACL to an Application Load Balancer. The function always fails and returns:

```
botocore.errorfactory.WAFUnavailableEntityException: An error occurred (WAFUnavailableEntityException) when calling the AssociateWebACL operation: An entity is unavailable for modification or display. Please retry.
```

Code in my program:

```python
waf.associate_web_acl(WebACLId=web_acl_id,ResourceArn=alb_arn)
```

When I do the same operation using the AWS CLI, it succeeds.

```
aws waf-regional associate-web-acl --web-acl-id XXXXXXX --resource-arn XXXXXXX
```

dstufft commented 7 years ago

Can you paste a snippet that is able to reproduce this error as well as a debug log (you can enable it with `boto3.set_stream_logger(name='botocore')`)?

BhanuCh commented 7 years ago

Hello, see the Python program that is throwing the error. See the attached log file as you requested.

```python
#!/usr/bin/python
import boto3

AWS_PROFILE = "XXXXXXXXXXX"
ENV         = "Dev"
ALB_NAME    = "XXXXXXXXXXX"

WEB_ACL_NAME='R-{}-alb-web-acl'.format(ENV)
WEB_ACL_RULE_NAME='R-{}-alb-web-acl-rule'.format(ENV)
WEB_ACL_IP_SET_NAME='R{}AlbWebAclIpSetBlackList'.format(ENV)

# Send botocore debug output to the console
boto3.set_stream_logger(name='botocore')
session = boto3.Session(profile_name=AWS_PROFILE)
waf = session.client('waf-regional')
alb = session.client('elbv2')

# Look up the load balancer ARN by name
alb_response = alb.describe_load_balancers(Names=[ALB_NAME])
alb_arn=alb_response["LoadBalancers"][0]["LoadBalancerArn"]
print(alb_arn)
web_acl_id="XXXXXXXXX"

# This is the call that raises the exception
waf.associate_web_acl(WebACLId=web_acl_id,ResourceArn=alb_arn)
```

waf-debug-log.txt

JordonPhillips commented 7 years ago

I'm seeing the following error in your debug log:

```
botocore.errorfactory.WAFNonexistentItemException: An error occurred (WAFNonexistentItemException) when calling the AssociateWebACL operation: The referenced item does not exist.
```

Looks like the way you're generating the arn and/or id may not be the same in your script as you're doing for the CLI.

If you need any further assistance I would recommend making use of our community resources.

danbf commented 6 years ago

Just FYI, we found that we had to wait a substantial amount of time before we could connect a web ACL to a newly created ALB. Specifically, it seems that we needed to wait until the ALB was active, in some cases 2.5 minutes, before calling AssociateWebACL would associate without an entity error being thrown.

Shout out to @loganmeetsworld for these findings.

sushant-pradhan commented 6 years ago

I am having the same issue with boto3 while associating an existing ALB with a newly created Web ACL. The documentation doesn't say anything else other than to retry.
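The two observations above (wait until the ALB is active, and retry on `WAFUnavailableEntityException`) can be combined as in the following added example, which is not code from this thread or from the boto3 project. The function name `associate_when_ready`, the attempt count and the delay values are assumptions; the placeholders in the `__main__` section mirror the ones in the script above.

```python
import time


def associate_when_ready(elbv2, waf, alb_arn, web_acl_id,
                         max_attempts=6, base_delay=5.0, sleep=time.sleep):
    """Wait until the ALB is active, then associate the web ACL with it.

    elbv2 / waf are boto3 clients for 'elbv2' and 'waf-regional'.
    Returns the number of AssociateWebACL calls made. Raises if the
    association never succeeds, so a deployment cannot silently leave
    the load balancer without its web ACL.
    """
    # Built-in ELBv2 waiter: polls DescribeLoadBalancers until the
    # load balancer state is "active".
    elbv2.get_waiter("load_balancer_available").wait(
        LoadBalancerArns=[alb_arn],
        WaiterConfig={"Delay": 15, "MaxAttempts": 20},  # assumed: up to 5 min
    )
    for attempt in range(1, max_attempts + 1):
        try:
            waf.associate_web_acl(WebACLId=web_acl_id, ResourceArn=alb_arn)
            return attempt
        except waf.exceptions.WAFUnavailableEntityException:
            # "Please retry": back off exponentially (assumed schedule).
            if attempt == max_attempts:
                raise
            sleep(base_delay * 2 ** (attempt - 1))
        # WAFNonexistentItemException is deliberately not caught: a wrong
        # ID or ARN does not fix itself on retry.


if __name__ == "__main__":
    import boto3

    session = boto3.Session(profile_name="XXXXXXXXXXX")  # placeholder profile
    alb_client = session.client("elbv2")
    arn = alb_client.describe_load_balancers(Names=["XXXXXXXXXXX"])[
        "LoadBalancers"][0]["LoadBalancerArn"]
    calls = associate_when_ready(alb_client, session.client("waf-regional"),
                                 arn, "XXXXXXXXX")  # placeholder web ACL ID
    print("associated after", calls, "call(s)")
```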