hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_wafv2_ip_set does not export ARN #13977

Closed mstaheli closed 4 years ago

mstaheli commented 4 years ago

Terraform Version

$ terraform version
Terraform v0.12.28
+ provider.aws v2.68.0
+ provider.template v2.1.2

Use-case

Resource aws_wafv2_ip_set does not export the ARN, which is inconsistent with the documentation at https://www.terraform.io/docs/providers/aws/r/wafv2_ip_set.html.

The ARN is a required argument of the aws_wafv2_web_acl > rule > statement > ip_set_reference_statement block.

Proposal

Export attribute ARN on resource aws_wafv2_ip_set

Affected Resource(s)

Terraform Configuration Files

resource "aws_wafv2_ip_set" "example_ip_set" {
  name               = "example-ip-set"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["1.2.3.4/32", "5.6.7.8/32"]
}
resource "aws_wafv2_web_acl" "example_acl" {
  name  = "example-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-deny-ipv4"
    priority = 1

    override_action {
      count {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.example_ip_set.arn    # <---- need arn, but it's not exported
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "some-metric-name-acl-rule-deny-ipv4"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "some-metric-name-acl"
    sampled_requests_enabled   = false
  }
}

Debug Output

n/a

anGie44 commented 4 years ago

Hi @mstaheli, thank you for creating this issue! In reproducing with your example, I can see that referencing an ip_set does seem to result in an error, but b/c of the request made via the AWS SDK. Is this also what you were experiencing? If you add the following, for example, to your config, you should be able to see the exported ARN as expected.

output "ip_set_arn" {
    value = aws_wafv2_ip_set.example_ip_set.arn
}

Here are the relevant debug logs indicating where the error occurs and the IP_Set in reference:

{"DefaultAction":{"Allow":{}},"Name":"example-acl","Rules":[{"Name":"rule-deny-ipv4","OverrideAction":{"Count":{}},"Priority":1,"Statement":{"IPSetReferenceStatement":{"ARN":"arn:aws:wafv2:xxxxx:xxxxxxxx:regional/ipset/example-ip-set/xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"}},"VisibilityConfig":{"CloudWatchMetricsEnabled":false,"MetricName":"some-metric-name-acl-rule-deny-ipv4","SampledRequestsEnabled":false}}],"Scope":"REGIONAL","VisibilityConfig":{"CloudWatchMetricsEnabled":false,"MetricName":"some-metric-name-acl","SampledRequestsEnabled":false}}
Response WAFV2/CreateWebACL Details:
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 250
Content-Type: application/x-amz-json-1.1
Date: Mon, 29 Jun 2020 16:52:02 GMT
X-Amzn-Requestid: xxxxxxxxxxxxxxxx

[DEBUG] [aws-sdk-go] {"__type":"WAFInvalidParameterException","Field":"RULE","Parameter":"Statement","Reason":"A reference in your rule statement is not valid.","message":"Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement"}
[DEBUG] [aws-sdk-go] DEBUG: Validate Response WAFV2/CreateWebACL failed, attempt 0/25, error WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement
{
   RespMetadata: {
     StatusCode: 400,
     RequestID: xxxxxxxxxxxxxxxxx
   },
   Field: "RULE",
   Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement",
   Parameter: "Statement",
   Reason: "A reference in your rule statement is not valid."
 }

More investigation is needed but I will comment back here accordingly.

anGie44 commented 4 years ago

Ohh, the override_action block in the example config! I think that's the root of the issue. That block is reserved only for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement. So you'll need to change it to action and then the config should run smoothly 😄
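
A corrected version of the configuration from this thread, as an added example (it is not code from the issue author or from the provider's own documentation): the ip_set_reference_statement rule uses an action block, and override_action is shown where it belongs, on a managed rule group statement. The IP addresses are RFC 5737 documentation ranges and the resource and metric names are assumed placeholders.

```hcl
# Added example: corrected WAFv2 configuration. Addresses are RFC 5737
# documentation ranges (constructed); names are placeholders.
resource "aws_wafv2_ip_set" "example_ip_set" {
  name               = "example-ip-set"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.0/24", "198.51.100.7/32"]
}

# The ARN is exported by the resource and can be surfaced directly.
output "ip_set_arn" {
  value = aws_wafv2_ip_set.example_ip_set.arn
}

resource "aws_wafv2_web_acl" "example_acl" {
  name  = "example-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Rule 1: an IP set reference statement takes an `action` block.
  # With `override_action` here instead, the thread's debug output shows the
  # API rejecting CreateWebACL with WAFInvalidParameterException
  # ("A reference in your rule statement is not valid").
  rule {
    name     = "rule-deny-ipv4"
    priority = 1

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.example_ip_set.arn
      }
    }

    # Metrics and sampled requests enabled so blocked traffic is observable.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "example-acl-rule-deny-ipv4"
      sampled_requests_enabled   = true
    }
  }

  # Rule 2: a rule-group statement (here an AWS managed rule group) is where
  # `override_action` belongs; `none {}` keeps the group's own rule actions.
  rule {
    name     = "aws-managed-common"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "example-acl-aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-acl"
    sampled_requests_enabled   = true
  }
}
```

As the debug log earlier in this thread shows, the action/override_action mix-up is only reported when the CreateWebACL call is made, so it surfaces at apply time rather than at plan time; checking which block each rule uses before applying is the cheapest way to catch it.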

mstaheli commented 4 years ago

@anGie44 - thanks for getting back to me. It turns out my IntelliJ for some weird reason cannot resolve the arn reference. Running terraform apply, with the output added, shows the arn. And thanks for pointing out the override_action issue, too. I'm closing this ticket since it seems to be a problem in my IDE.

anGie44 commented 4 years ago

Gotcha. Yeah, from experience I've also had issues in IntelliJ when resolving resource attributes w/in modules. In any case, sounds good @mstaheli. Feel free to comment back here if you're still experiencing issues with your configuration.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!