hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

WAFv2 Logging Configuration issue applying #13955

Closed marcincuber closed 4 years ago

marcincuber commented 4 years ago

Terraform Version

Terraform v0.12.27
provider.aws v2.68.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_wafv2_web_acl_logging_configuration" "main" {
  count = var.enabled && var.create_logging_configuration ? 1 : 0

  log_destination_configs = var.log_destination_configs #["${aws_kinesis_firehose_delivery_stream.example.arn}"]
  resource_arn            = aws_wafv2_web_acl.main[0].arn

  redacted_fields {
    single_query_argument {
      name = "user-agent"
    }
  }
}

Debug Output

Error: error putting WAFv2 Logging Configuration for resource (arn:aws:wafv2:eu-west-1:23895604:regional/webacl/test-waf-setup/a1d08edd-af66-43f8-bdc1-697d4554b2ec): WAFInvalidParameterException: Error reason: The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: null, parameter: arn:aws:firehose:eu-west-1:238957866604:deliverystream/terraform-kinesis-firehose-test-stream
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "7dc4b79d-ff35-4fae-8ff4-f8bfba0049ab"
  },
  Message_: "Error reason: The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: null, parameter: arn:aws:firehose:eu-west-1:23895604:deliverystream/terraform-kinesis-firehose-test-stream",
  Parameter: "arn:aws:firehose:eu-west-1:23895604:deliverystream/terraform-kinesis-firehose-test-stream",
  Reason: "The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes."
}

Actual Behavior

Failing to create logging configuration

Steps to Reproduce

  1. terraform apply

Additionally

Example provided in https://www.terraform.io/docs/providers/aws/r/wafv2_web_acl_logging_configuration.html is incorrect.

resource "aws_wafv2_web_acl_logging_configuration" "example" {
  log_destination_configs = ["${aws_kinesis_firehose_delivery_stream.example.arn}"]
  resource_arn            = "${aws_wafv2_web_acl.example.arn}"
  redacted_fields {
    single_query {
      name = "user-agent"
    }
  }
}

should be changed to

resource "aws_wafv2_web_acl_logging_configuration" "example" {
  log_destination_configs = ["${aws_kinesis_firehose_delivery_stream.example.arn}"]
  resource_arn            = "${aws_wafv2_web_acl.example.arn}"
  redacted_fields {
    single_query_argument {
      name = "user-agent"
    }
  }
}
NixM0nk3y commented 4 years ago

We encountered the same issue today.

AWS support helpfully pointed us towards the prefix naming requirement for the Kinesis Firehose for WAFv2, i.e. it needs to begin with "aws-waf-logs-". I see your example is named terraform-kinesis-firehose-test-stream

https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
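
A configuration that satisfies the naming requirement described above, as an added example that is not part of this thread or the provider documentation. The IAM role, S3 bucket and web ACL resources it references, and Terraform >= 1.3 (for `lifecycle` preconditions and `startswith()`), are assumptions.

```hcl
# Added example, not code from the issue or the provider docs. Assumes an
# existing aws_iam_role.firehose, aws_s3_bucket.waf_logs and aws_wafv2_web_acl.main,
# and Terraform >= 1.3.

locals {
  # WAFv2 only accepts Firehose delivery streams whose name starts with this prefix.
  waf_log_prefix = "aws-waf-logs-"
}

resource "aws_kinesis_firehose_delivery_stream" "waf_logs" {
  # The prefix is what the "The ARN isn't valid" error in the issue is really about.
  name        = "${local.waf_log_prefix}example-web-acl"
  destination = "extended_s3"

  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose.arn
    bucket_arn = aws_s3_bucket.waf_logs.arn
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "main" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.waf_logs.arn]
  resource_arn            = aws_wafv2_web_acl.main.arn

  # Keep credentials out of the log stream.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }

  lifecycle {
    # Fail at plan time with a clear message instead of the misleading
    # WAFInvalidParameterException WAFv2 returns at apply time.
    precondition {
      condition     = startswith(aws_kinesis_firehose_delivery_stream.waf_logs.name, local.waf_log_prefix)
      error_message = "The WAFv2 log destination stream name must start with aws-waf-logs-."
    }
  }
}
```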

marcincuber commented 4 years ago

I have it working. Thank you

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!