hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_wafv2_web_acl_association bug attaching multiple AWS resources to ACLs #17064

Closed aditya-inapp closed 3 years ago

aditya-inapp commented 3 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

Terraform Configuration Files


# One REGIONAL web ACL per entry in var.managed-rule-groups, each carrying a
# single rule that references that managed rule group.
resource "aws_wafv2_web_acl" "F5-acl" {
  count       = length(var.managed-rule-groups)
  name        = "${var.managed-rule-groups[count.index].vendor}-${var.managed-rule-groups[count.index].name}-${var.environment}"
  description = "${var.managed-rule-groups[count.index].vendor}-${var.managed-rule-groups[count.index].name} -  ${var.environment}"
  scope       = "REGIONAL"
  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.managed-rule-groups[count.index].vendor}-${var.managed-rule-groups[count.index].name}-${var.environment}"
    sampled_requests_enabled   = true
  }

  rule {
    name     = "${var.managed-rule-groups[count.index].vendor}-${var.managed-rule-groups[count.index].name}"
    priority = 1

    # none {} keeps the managed rule group's own block/count actions in effect.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = var.managed-rule-groups[count.index].name
        vendor_name = var.managed-rule-groups[count.index].vendor
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.managed-rule-groups[count.index].vendor}-${var.managed-rule-groups[count.index].name}-${var.environment}"
      sampled_requests_enabled   = true
    }
  }
}

# Each of the three association resources below is also indexed by count, so
# the SAME API Gateway stage or ALB is associated with every web ACL in turn.
# The explicit depends_on entries are redundant (the web_acl_arn reference
# already creates the dependency); the chaining between association resources
# only serializes the order in which the associations are applied.
resource "aws_wafv2_web_acl_association" "ingress-controller" {
  count        = length(var.managed-rule-groups)
  web_acl_arn  = aws_wafv2_web_acl.F5-acl[count.index].arn
  resource_arn = "${var.ingress-apigw.arn}/stages/${var.environment}"
  depends_on   = [aws_wafv2_web_acl.F5-acl]
}

resource "aws_wafv2_web_acl_association" "api-gw" {
  count        = length(var.managed-rule-groups)
  web_acl_arn  = aws_wafv2_web_acl.F5-acl[count.index].arn
  resource_arn = "${var.api-gw.arn}/stages/${var.environment}"
  depends_on   = [aws_wafv2_web_acl.F5-acl, aws_wafv2_web_acl_association.ingress-controller]
}

resource "aws_wafv2_web_acl_association" "alb-wss" {
  count        = length(var.managed-rule-groups)
  web_acl_arn  = aws_wafv2_web_acl.F5-acl[count.index].arn
  resource_arn = var.alb-ingress-wss-data.arn
  depends_on   = [aws_wafv2_web_acl.F5-acl, aws_wafv2_web_acl_association.api-gw]
}

Debug Output

https://gist.github.com/aditya-inapp/71f63542d390e43dd1d871a429504d17

https://gist.github.com/aditya-inapp/c3532e4d9d7dc18ef82fee07d54e0692

Panic Output

Expected Behavior

All 3 API GW/ALB attached to each ACL

Actual Behavior

Each API GW/ALB is getting attached to any ONE ACL without error in TF scripts

Steps to Reproduce

  1. terraform apply

Important Factoids

References

aditya-inapp commented 3 years ago

The issue seems to be that only one ACL can be associated with these resources. Hence the last ACL to be attached remains associated. As for Terraform, the resources are created; I think the removal of the association is done implicitly by AWS.

anGie44 commented 3 years ago

Hi @aditya-inapp, thank you for raising this issue. While the WebACL-to-resource relationship is one-to-many, it looks like AWS unfortunately has some restrictions, as you've come across. So with the configuration you've provided, the resources cannot be re-used across the multiple WebACLs.

You can associate each AWS resource with only one web ACL. The relationship between web ACL and AWS resources is one-to-many.

You can associate a web ACL with one or more CloudFront distributions. You can't associate a web ACL that you've associated with a CloudFront distribution with any other AWS resource type.

Ref: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html
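One way to get what the reporter expected (every managed rule group enforced on all three endpoints) while staying inside the one-ACL-per-resource rule quoted above is to collapse the per-group web ACLs into a single web ACL whose rules are generated from var.managed-rule-groups, and then associate each resource exactly once. The configuration below is an added example and is not code from the issue, the reporter, or the provider. It reuses the variable names from the reported configuration (var.managed-rule-groups, var.environment, var.ingress-apigw, var.api-gw, var.alb-ingress-wss-data) and assumes, as the original does, that each element of managed-rule-groups has name and vendor attributes.

```hcl
# Added example (not from the issue): one REGIONAL web ACL carrying every
# managed rule group as its own rule, then exactly one association per
# protected resource. Variable names are assumed from the reported config.

resource "aws_wafv2_web_acl" "combined" {
  name        = "managed-rules-${var.environment}"
  description = "All managed rule groups for ${var.environment}"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "managed-rules-${var.environment}"
    sampled_requests_enabled   = true
  }

  # One rule per managed rule group. Rule priorities must be unique within a
  # web ACL; the list index gives a stable, unique ordering starting at 1.
  dynamic "rule" {
    for_each = var.managed-rule-groups
    content {
      name     = "${rule.value.vendor}-${rule.value.name}"
      priority = rule.key + 1

      # none {} keeps the managed group's own block/count actions in effect.
      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value.name
          vendor_name = rule.value.vendor
        }
      }

      # Per-rule metrics, so each managed group is still visible on its own.
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "${rule.value.vendor}-${rule.value.name}-${var.environment}"
        sampled_requests_enabled   = true
      }
    }
  }
}

# Each AWS resource may carry at most one web ACL, so there is exactly one
# association per resource, and all of them point at the combined ACL.
locals {
  protected_resources = {
    ingress-controller = "${var.ingress-apigw.arn}/stages/${var.environment}"
    api-gw             = "${var.api-gw.arn}/stages/${var.environment}"
    alb-wss            = var.alb-ingress-wss-data.arn
  }
}

resource "aws_wafv2_web_acl_association" "protected" {
  for_each     = local.protected_resources
  resource_arn = each.value
  web_acl_arn  = aws_wafv2_web_acl.combined.arn
}
```

With this layout the order of var.managed-rule-groups is the evaluation order inside the ACL, and no two association resources ever compete for the same resource_arn, so a later apply cannot silently replace an earlier association the way the reported configuration did. A CloudFront distribution in front of the same endpoints would still need a separate CLOUDFRONT-scoped web ACL, per the documentation quoted above.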

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!