hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

TF Apply failed for WAF ACL IPset Rule. #12953

Closed aashitvyas closed 3 years ago

aashitvyas commented 4 years ago

Terraform Version

0.12.24

Terraform Configuration Files


provider "aws" {
  region  = "us-east-2"
  version = "2.58"
}

resource "aws_waf_ipset" "pwipset" {
  name = "pw_ipset"

  ip_set_descriptors {
    type  = "IPV4"
    value = "205.206.20.177/32"
  }

  ip_set_descriptors {
    type  = "IPV4"
    value = "66.244.232.254/32"
  }
}

resource "aws_waf_rule" "ip_match_rule" {
  depends_on  = [aws_waf_ipset.pwipset]
  name        = "edvrwafrule"
  metric_name = "edvrwafrule"

  predicates {
    data_id = aws_waf_ipset.pwipset.id
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_waf_web_acl" "edvr_wafacl" {
  depends_on  = [aws_waf_ipset.pwipset, aws_waf_rule.ip_match_rule]
  name        = "edvrwafacl"
  metric_name = "edvrwafacl"

  default_action {
    type = "BLOCK"
  }

  rules {
    action {
      type = "BLOCK"
    }
    priority = 1
    rule_id  = aws_waf_rule.edvrwafrule.id
    type     = "REGULAR"
  }
}

Debug Output

Crash Output

Expected Behavior

TF should create a web acl with the ip match filtering enabled

Actual Behavior

TF Apply is failing with the following error message

Error: Error Updating WAF Rule: Error Updating WAF Rule: WAFNonexistentItemException: The referenced item does not exist.

  on waf_ipmatch.tf line 14, in resource "aws_waf_rule" "ip_match_rule":
  14: resource "aws_waf_rule" "ip_match_rule" {

Steps to Reproduce

  1. Save the above tf config in a file, then run terraform init and terraform plan.
  2. Once terraform initialization and plan are successful, run terraform apply; it should fail with the above error.
  3. The same tf config works fine with TF 0.11.14, after changing its interpolation syntax.

Additional Context

I am running plain terraform without any wrapper script. I have tried with two versions of TF 12 (v0.12.21 and 0.12.24) and they are failing with the same error at apply level. I have used the same TF config after making interpolation changes with TF v0.11.14 and it did create AWS WAF without any issues.

References

https://github.com/terraform-providers/terraform-provider-aws/issues/4078

gurchik commented 4 years ago

Your data_id and rule_id shouldn't be in quotes. E.g., change...

rules {
  action {
    type = "BLOCK"
  }
  priority = 1
  rule_id  = "aws_waf_rule.edvrwafrule.id"
  type = "REGULAR"
}

to...

rules {
  action {
    type = "BLOCK"
  }
  priority = 1
  rule_id  = aws_waf_rule.edvrwafrule.id
  type = "REGULAR"
}
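The full configuration with both references written as expressions, as an added example that is not the reporter's file and not code from the provider project. It reuses the reporter's resource names and sample addresses; two things differ from the posted config and are choices made here: rule_id names the resource that is actually declared (ip_match_rule, not edvrwafrule), and default_action is ALLOW so that the ACL works as a blocklist for the two listed addresses rather than blocking every request.

```hcl
# Added example, not the issue reporter's configuration. Resource names and
# the two sample /32 addresses are taken from the thread; the default action
# is changed to ALLOW here so the rule behaves as a blocklist.
provider "aws" {
  region  = "us-east-2"
  version = "2.58"
}

resource "aws_waf_ipset" "pwipset" {
  name = "pw_ipset"

  ip_set_descriptors {
    type  = "IPV4"
    value = "205.206.20.177/32"
  }

  ip_set_descriptors {
    type  = "IPV4"
    value = "66.244.232.254/32"
  }
}

resource "aws_waf_rule" "ip_match_rule" {
  name        = "edvrwafrule"
  metric_name = "edvrwafrule"

  predicates {
    # Expression, not a quoted string: Terraform substitutes the real IPSet ID
    # after the IPSet is created, and the reference alone orders the two
    # resources, so an explicit depends_on is not needed.
    data_id = aws_waf_ipset.pwipset.id
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_waf_web_acl" "edvr_wafacl" {
  name        = "edvrwafacl"
  metric_name = "edvrwafacl"

  # Requests that match no rule are allowed; only the listed IPs are blocked.
  # With default_action BLOCK and a BLOCK rule, every request would be denied.
  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }
    priority = 1
    # Must name a declared resource: the posted config references
    # aws_waf_rule.edvrwafrule, but the rule is declared as ip_match_rule.
    rule_id = aws_waf_rule.ip_match_rule.id
    type    = "REGULAR"
  }
}
```

A quoted value such as "aws_waf_rule.edvrwafrule.id" is sent to the WAF API verbatim as the rule ID, which no rule has, whereas an unquoted reference to a name that is not declared in the configuration is rejected by terraform plan before anything is sent to AWS. Either way, running terraform plan and confirming that the web ACL shows a "(known after apply)" rule_id is the quickest check that the reference resolves to the rule Terraform will create.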
anGie44 commented 4 years ago

Hi @aashitvyas, thank you for reporting this issue! Just wanted to follow-up here and see if you are still experiencing this behavior or if @gurchik's suggestion did the trick 👍

bflad commented 3 years ago

It's been a long time since we heard from you here so we're going to close this out. If you're still having this problem, please feel free to reply with answers to the question above.

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!