Closed wwwizards closed 2 years ago
I'm also running into this, specifically in the cn-north-1 region. I'm guessing China does not support this feature yet.
@mrobinet - thanks for validating that it is not just happening to me. I didn't imagine that this could be a regional issue - but I guess that's always a possibility... For me, my target is us-gov-east-1 & my goal is just a plain-vanilla ALB which does not even require that feature. The error is by default.
@anGie44 - do you know if the test coverage for the pull request on this feature spanned multiple regions/zones???
If not, maybe I can try it in other regions in commercial cloud over the weekend...
Joe Negron ~ NYC
Hi @wwwizards @mrobinet, thanks for following up on this issue! The tests themselves don't hardcode any regions, but on our end they are run in the us-west-2 and us-gov-west-1 regions. It's very possible there are unsupported regions. Let me see how the test added in #16393 behaves in at least us-gov-east-1.
Update: Yep, looks like it's a regional support issue. When running the test in us-gov-east-1, I'm seeing the same error shared in the description:
=== RUN TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen
=== CONT TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen
load_balancer_test.go:653: Step 1/5 error: Error running apply: exit status 1
Error: failure configuring LB attributes: ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized
status code: 400, request id: e2b527dc-7a96-48eb-ab3a-fba4e9c65fbc
with aws_lb.lb_test,
on terraform_plugin_test.tf line 11, in resource "aws_lb" "lb_test":
11: resource "aws_lb" "lb_test" {
--- FAIL: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen (117.10s)
Thank you @anGie44 - I appreciate your time and knowledge.
Upon further investigation, I have noticed that the ALB actually does get created. It's just that none of the additional configuration(s) that utilize(s) that ALB or more specifically its ID or ARN seem to get applied.
Looking through the console I can see the ALB, as well as the listeners, rules, SGs, and/or any other related attributes. It is almost as if the failure message and the subsequent errors are a bit misleading. The failure is not in the creation or configuration of the objects - but somewhere else - like maybe updating the state.
Looking at the state that is created, I see this:
$> terraform show | grep alb01
# aws_alb.alb01: (tainted)
resource "aws_alb" "alb01" {
id = "arn:aws-us-gov:elasticloadbalancing:us-gov-east-1:107xxxxxxxx95:loadbalancer/app/alb01-devops-lb/c9c0de0b9bb9ec8e"
name = "alb01-devops-lb"
# aws_cloudwatch_log_group.alb01:
resource "aws_cloudwatch_log_group" "alb01" {
arn = "arn:aws-us-gov:logs:us-gov-east-1:10xxxxxxxx95:log-group:alb01"
id = "alb01"
name = "alb01"
# aws_lb_target_group.alb01_test_tg:
resource "aws_lb_target_group" "alb01_test_tg" {
arn = "arn:aws-us-gov:elasticloadbalancing:us-gov-east-1:10xxxxxxxx95:targetgroup/alb01-devops-lb-tg/181a60a5d767acc0"
arn_suffix = "targetgroup/alb01-devops-lb-tg/181a60a5d767acc0"
id = "arn:aws-us-gov:elasticloadbalancing:us-gov-east-1:10xxxxxxxx95:targetgroup/alb01-devops-lb-tg/181a60a5d767acc0"
name = "alb01-devops-lb-tg"
# aws_security_group.alb01_sg:
resource "aws_security_group" "alb01_sg" {
name = "comm-qa-mbdt-devops-alb01_alb-sg"
"Name" = "alb01-alb-sg-devops"
# aws_security_group_rule.alb01_egress:
resource "aws_security_group_rule" "alb01_egress" {
# aws_security_group_rule.alb01_sg_rule_443:
resource "aws_security_group_rule" "alb01_sg_rule_443" {
# aws_security_group_rule.alb01_sg_rule_80:
resource "aws_security_group_rule" "alb01_sg_rule_80" {
The ALB and other objects are there - but the relationships between the subsequently created objects seem to be missing.
It seems that once the initial object is tainted, all of the other relationships that happen after that are never established.
I am not sure if my logic is valid, but I hope the additional info helps...
Joe Negron ~ NYC
Also, the same issue in both us-gov-east-1 and us-gov-west-1
Error: failure configuring LB attributes: ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized
status code: 400, request id:
Terraform CLI and Terraform AWS Provider Version
Terraform v1.0.11 on linux_amd64
Affected Resource(s)
aws_alb
Terraform Configuration Files
Expected Behavior
ALB is created
Actual Behavior
Steps to Reproduce
terraform apply
References
service/elbv2/load_balancer: Support WAF fail open #16393 https://github.com/hashicorp/terraform-provider-aws/pull/16393
Workaround
Rolling back to AWS provider v3.66.0 fixes the issue.
Joe Negron ~ NYC
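As an added example (not the provider's own code and not posted by anyone in this thread): one defensive way a client could handle the "is not recognized" ValidationError quoted above is to retry without the rejected attribute only while it is still at its default, and to fail when a non-default WAF fail-open setting was explicitly requested. `ApplyAttributes`, `safeDefaults` and `govCloudStub` are hypothetical names, and treating `false` as the default for `waf.fail_open.enabled` is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// Matches the ELBv2 ValidationError text quoted in this issue.
var unrecognizedKey = regexp.MustCompile(`attribute key '([^']+)' is not recognized`)

// Keys that may be omitted when rejected, but only at this (assumed default) value.
var safeDefaults = map[string]string{"waf.fail_open.enabled": "false"}

// ApplyAttributes calls modify (hypothetical stand-in for the ELBv2 attribute update) and retries without rejected default keys.
func ApplyAttributes(modify func(map[string]string) error, attrs map[string]string) ([]string, error) {
	pending := make(map[string]string, len(attrs))
	for k, v := range attrs {
		pending[k] = v
	}
	var dropped []string
	for len(pending) > 0 {
		err := modify(pending)
		if err == nil {
			break
		}
		m := unrecognizedKey.FindStringSubmatch(err.Error())
		if m == nil {
			return dropped, err // unrelated failure: surface it unchanged
		}
		// An explicit non-default request must fail loudly, never be dropped silently.
		if def, ok := safeDefaults[m[1]]; !ok || pending[m[1]] != def {
			return dropped, fmt.Errorf("region rejects %s=%q: %w", m[1], pending[m[1]], err)
		}
		delete(pending, m[1])
		dropped = append(dropped, m[1])
	}
	return dropped, nil
}

// govCloudStub is a constructed fake that rejects the key as the regions in this thread do.
func govCloudStub(attrs map[string]string) error {
	if _, ok := attrs["waf.fail_open.enabled"]; ok {
		return fmt.Errorf("ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized")
	}
	return nil
}

func main() {
	fmt.Println(ApplyAttributes(govCloudStub, map[string]string{"waf.fail_open.enabled": "false"}))
}
```

Dropping the key only at its default keeps a plain ALB deployable in a region without the feature, while a configuration that asks for fail-open still errors instead of silently running with different WAF behaviour.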