Closed mstaheli closed 4 years ago
hi @mstaheli, thank you for creating this issue! in reproducing with your example, I can see that referencing an ip_set does seem to result in an error but b/c of the request made via the AWS SDK. Is this also what you were experiencing? If you add the following for example to your config, you should be able to see the exported ARN as expected.
output "ip_set_arn" {
  value = aws_wafv2_ip_set.example_ip_set.arn
}
Here are the relevant debug logs indicating where the error occurs and the IP_Set in reference:
{"DefaultAction":{"Allow":{}},"Name":"example-acl","Rules":[{"Name":"rule-deny-ipv4","OverrideAction":{"Count":{}},"Priority":1,"Statement":{"IPSetReferenceStatement":{"ARN":"arn:aws:wafv2:xxxxx:xxxxxxxx:regional/ipset/example-ip-set/xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"}},"VisibilityConfig":{"CloudWatchMetricsEnabled":false,"MetricName":"some-metric-name-acl-rule-deny-ipv4","SampledRequestsEnabled":false}}],"Scope":"REGIONAL","VisibilityConfig":{"CloudWatchMetricsEnabled":false,"MetricName":"some-metric-name-acl","SampledRequestsEnabled":false}}
Response WAFV2/CreateWebACL Details:
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 250
Content-Type: application/x-amz-json-1.1
Date: Mon, 29 Jun 2020 16:52:02 GMT
X-Amzn-Requestid: xxxxxxxxxxxxxxxx
[DEBUG] [aws-sdk-go] {"__type":"WAFInvalidParameterException","Field":"RULE","Parameter":"Statement","Reason":"A reference in your rule statement is not valid.","message":"Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement"}
[DEBUG] [aws-sdk-go] DEBUG: Validate Response WAFV2/CreateWebACL failed, attempt 0/25, error WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: xxxxxxxxxxxxxxxxx
  },
  Field: "RULE",
  Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement",
  Parameter: "Statement",
  Reason: "A reference in your rule statement is not valid."
}
More investigation is needed but I will comment back here accordingly.
ohh, the override_action block in the example config! I think that's the root of the issue. that block is reserved only for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.
so you'll need to change it to action and then the config should run smoothly 😄
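The corrected rule described in the comment above, as an added example that is not part of the thread or the provider's documentation. Names and metric settings are taken from the request body in the debug log; the IP set arguments, the `block` action and the resource label `example` are assumptions.

```hcl
# Constructed IP set; the name comes from the ARN in the debug log.
resource "aws_wafv2_ip_set" "example_ip_set" {
  name               = "example-ip-set"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.0/24"] # sample documentation range (assumption)
}

resource "aws_wafv2_web_acl" "example" { # resource label is an assumption
  name  = "example-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-deny-ipv4"
    priority = 1

    # Form sent in the failing request shown in the debug log:
    #   override_action {
    #     count {}
    #   }
    # override_action is for rule group reference statements only, so a
    # rule with ip_set_reference_statement sets action instead.
    action {
      block {} # assumption: the rule is meant to deny, as its name suggests
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.example_ip_set.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "some-metric-name-acl-rule-deny-ipv4"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "some-metric-name-acl"
    sampled_requests_enabled   = false
  }
}
```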
@anGie44 - thanks for getting back to me. It turns out my IntelliJ for some weird reason cannot resolve the arn reference. Running terraform apply, with the output added, shows the arn. And thanks for pointing out the override_action issue, too. I'm closing this ticket since it seems to be a problem in my IDE.
gotcha. yeah, from experience I've also had issues in IntelliJ when resolving resource attributes w/in modules... in any case, sounds good @mstaheli. feel free to comment back here if you're still experiencing issues with your configuration.
Community Note
Terraform Version
Use-case
Resource aws_wafv2_ip_set does not export the ARN, which is inconsistent with the documentation at https://www.terraform.io/docs/providers/aws/r/wafv2_ip_set.html.
The ARN is a required argument for aws_wafv2_web_acl>rule>statement>ip_set_reference_statement block
Proposal
Export attribute ARN on resource aws_wafv2_ip_set
Affected Resource(s)
Terraform Configuration Files
Debug Output
n/a