hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_wafregion_rule invalid country code #12525

Closed ghost closed 1 month ago

ghost commented 4 years ago

This issue was originally opened by @wburn-sierra-cedar as hashicorp/terraform#24457. It was migrated here as a result of the provider split. The original body of the issue is below.

Terraform Version

Terraform v0.12.24
+ provider.aws v2.51.0
+ provider.null v2.1.2
+ provider.random v2.1.2
+ provider.template v2.1.2

Terraform Configuration Files

variable "iplist_autoblock" {
  default = [
    { value = "192.168.255.1/32", type = "IPV4" },
    { value = "192.68.255.2/32", type = "IPV4" },
  ]
}

resource "aws_wafregional_ipset" "waf-auto-block-set" {
  name     = "Auto Block Set"

  dynamic "ip_set_descriptor" {
    for_each = var.iplist_autoblock
    content {
      type  = ip_set_descriptor.value.type
      value = ip_set_descriptor.value.value
    }
  }
}

resource "aws_wafregional_rule" "waf-auto-block-rule" {
  name        = "Auto Block Rule"
  metric_name = "SecurityAutomationsAutoBlockRule"

  predicate {
    data_id = aws_wafregional_ipset.waf-auto-block-set.id
    negated = false
    type    = "IPMatch"
  }
}

Debug Output

Crash Output

Error: error listing tags for WAF Regional Rule (arn:aws:waf-regional:us-east-1::rule/e611db7b--b4c9-15fb322bcf63): WAFInvalidParameterException: { Field: "GEO_MATCH_LOCATION_VALUE", Parameter: "Invalid Country Code", Reason: "INVALID_OPTION" }

Expected Behavior

WAF rules build as normal.

Actual Behavior

The aws_wafregional_ipset builds as expected.

When adding the aws_wafregional_rule, the above error appears.

Steps to Reproduce

terraform init
terraform apply

Additional Context

References

bauteb-sci commented 4 years ago

This error is causing issues for our .12 upgrade. I set up a simple test module with the following as rules.tf:

resource "aws_wafregional_ipset" "blacklisted_ips" {
  name = "${var.client_code}-generic-match-blacklisted-ips"

  dynamic "ip_set_descriptor" {
    for_each = [for ip_set in var.iplist_blacklist : {
      type  = ip_set.type
      value = ip_set.value
    }]
    content {
      type  = ip_set_descriptor.value.type
      value = ip_set_descriptor.value.value
    }
  }
}

resource "aws_wafregional_rule" "detect_blacklisted_ips" {
  name        = "${var.client_code}-generic-detect-blacklisted-ips"
  metric_name = "${var.client_code}genericdetectblacklistedips"

  predicate {
    data_id = aws_wafregional_ipset.blacklisted_ips.id
    negated = false
    type    = "IPMatch"
  }
}

main.tf is passing the variable value as:

iplist_blacklist = [
  { value = "192.168.255.1/32", type = "IPV4" },
  { value = "192.68.255.2/32", type = "IPV4" },
]

This results in:

module.main.module.waf-test.aws_wafregional_ipset.blacklisted_ips: Creation complete after 3s [id=a8a18ef9-b722-4755-bf84-09eebe79fce8]
module.main.module.waf-test.aws_wafregional_rule.detect_blacklisted_ips: Creating...

Error: error listing tags for WAF Regional Rule (arn:aws:waf-regional:us-east-1::rule/dadeb464-d268-4ac3-91fa-5e379acc65a2): WAFInvalidParameterException: { RespMetadata: { StatusCode: 400, RequestID: "28c85df2-539e-4323-bc1b-3e72645ae027" }, Field: "GEO_MATCH_LOCATION_VALUE", Parameter: "Invalid Country Code", Reason: "INVALID_OPTION" }

  on customer\waf-test\rules.tf line 16, in resource "aws_wafregional_rule" "detect_blacklisted_ips":
  16: resource "aws_wafregional_rule" "detect_blacklisted_ips" {

This is our version info: Terraform v0.12.24

Please advise on a solution. Thanks

torresfred commented 4 years ago

This error appears to be related to changes made in the 2.37.0 provider upgrade. Specifically changes made in https://github.com/terraform-providers/terraform-provider-aws/pull/10895/files. Changing the provider back to 2.36.0 from 2.58 resolves the error. Code uploaded above by @bauteb-sci can recreate the issue. @DrFaust92 developed the original solution for adding tags to WAF regional rules.

Code to recreate issue:

variable "iplist_blacklist" {
  type        = list
  description = "One or more pairs specifying the IP address type (IPV4 or IPV6) and the IP address range (in CIDR notation) from which web requests originate"
  default = [
    { value = "192.168.255.1/32", type = "IPV4" },
    { value = "192.68.255.2/32", type = "IPV4" },
  ]
}

variable "iplist_whitelist" {
  type        = list
  description = "One or more pairs specifying the IP address type (IPV4 or IPV6) and the IP address range (in CIDR notation) from which web requests originate"
  default = [
    { value = "192.168.255.11/32", type = "IPV4" },
    { value = "192.68.255.22/32", type = "IPV4" },
  ]
}

resource "aws_wafregional_ipset" "blacklisted_ips" {
  provider = aws.useast1
  name     = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }

  ip_set_descriptor {
    type  = "IPV4"
    value = "10.0.0.1/32"
  }
}

resource "aws_wafregional_rule" "detect_blacklisted_ips" {
  provider    = aws.useast1
  name        = "generic-detect-blacklisted-ips"
  metric_name = "genericdetectblacklistedips"

  predicate {
    data_id = aws_wafregional_ipset.blacklisted_ips.id
    negated = false
    type    = "IPMatch"
  }
}

mresetar commented 4 years ago

Hi, I had the exact same issue when configuring regional WAF to associate it with an LB. To resolve this I had to comment out skip_credentials_validation = true from my provider.tf where provider "aws" is configured. To me, it looks like this bug surfaces when this option is turned on. As soon as I commented it out I was able to run exactly the same script without issues. In the same provider.tf I have other options turned on, and with them the script runs OK. Those are:

  skip_requesting_account_id  = true
  skip_get_ec2_platforms      = true
  skip_metadata_api_check     = true
  skip_region_validation      = true

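
The ARNs quoted in both error messages above have an empty account field (`waf-regional:us-east-1::rule/...`), which is worth checking before chasing the misleading "Invalid Country Code" text. The following is an added Python check, not provider code: it pulls every ARN out of Terraform's error output and reports which fields are malformed; the sample error lines are copied from this thread.

```python
import re

# Sample error output, copied from the two reports in this issue (constructed test input).
SAMPLE_ERRORS = [
    'Error: error listing tags for WAF Regional Rule '
    '(arn:aws:waf-regional:us-east-1::rule/e611db7b--b4c9-15fb322bcf63): '
    'WAFInvalidParameterException: { Field: "GEO_MATCH_LOCATION_VALUE", '
    'Parameter: "Invalid Country Code", Reason: "INVALID_OPTION" }',
    'Error: error listing tags for WAF Regional Rule '
    '(arn:aws:waf-regional:us-east-1::rule/dadeb464-d268-4ac3-91fa-5e379acc65a2): '
    'WAFInvalidParameterException: { RespMetadata: { StatusCode: 400 }, '
    'Field: "GEO_MATCH_LOCATION_VALUE", Parameter: "Invalid Country Code" }',
]

# An ARN is six colon-separated fields. The account field is matched with \d* rather
# than \d+ so that an empty account (the case seen in this issue) is still captured.
ARN_RE = re.compile(r"arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d*:[A-Za-z0-9/._-]+")


def parse_arn(arn):
    """Split an ARN into its six fields (the resource part may contain ':', so split at most 5 times)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("prefix", "partition", "service", "region", "account", "resource"), parts))


def arn_problems(arn):
    """Return what is wrong with a WAF Regional rule ARN; an empty list means it is well formed."""
    fields = parse_arn(arn)
    problems = []
    if fields["service"] != "waf-regional":
        problems.append(f"service is {fields['service']!r}, expected 'waf-regional'")
    if not fields["region"]:
        problems.append("region field is empty")
    if not re.fullmatch(r"\d{12}", fields["account"]):
        problems.append(f"account field is not a 12-digit account id: {fields['account']!r}")
    if not fields["resource"].startswith("rule/"):
        problems.append(f"resource is {fields['resource']!r}, expected 'rule/<id>'")
    return problems


def check_error_output(text):
    """Map each malformed ARN found in Terraform error output to its list of problems."""
    return {arn: arn_problems(arn) for arn in ARN_RE.findall(text) if arn_problems(arn)}


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        for arn, problems in check_error_output(line).items():
            print(arn, "->", "; ".join(problems))
```
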
justinretzolk commented 3 years ago

Hi all 👋 Thank you for reporting this, and for the continued discussion. Given that there's been a number of AWS provider releases since the original report, the most recent comment, and now, is anyone still experiencing this behavior?

github-actions[bot] commented 2 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 5 days ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.