Closed mkielar closed 1 year ago
@mkielar Thanks for raising this issue. Does the same error occur if you use v4.33.0 of the Terraform AWS Provider?
Possibly related:
@ewbankkit, yup, v4.33.0 also fails. I haven't verified if it's exactly the same error but it looks similar after a brief review. Attached: out_4_33.zip
It looks like the same problem as #23936, #27175, #23390, #23992
I tried with 4.34.0, 4.10.0 and 4.0.0 and I have the same issue; if I roll back to 3.74.0, it does not have this issue.
FYI: This issue with WAFv2 has been reported multiple times:
A frustrating issue... I am encountering it as well.
I ended up creating it manually and simply ignoring it for now. I wish that this will be resolved.
Is this being worked on? Just started happening for me. Adding any new block and attempting apply gives a huge provider error.
This started happening after upgrading to version 4.52.0, even with no changes in the configuration. After the provider is upgraded, terraform plan shows a huge diff for the resource (even if nothing is really changing), then when it tries to apply it fails with this error.
Staying on 4.51.0 isn't a viable workaround because oversize_handling will become required soon.
Same thing is happening after upgrading to version 4.52.0.
Workaround to pin version to 4.51.0 did not do the trick here. Any other workarounds?
The workaround for me was to taint the resource and then apply. It recreates the WAFv2. Another option that I did and worked was to use aws console to delete a few of the rules in the WAF and then doing an apply. That also worked (sometimes).
NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).
@YakDriver, thanks for looking into the issue.
I have tested some configurations this morning, mostly the ones I currently have + the ones I'm planning to migrate to:
1.4.2 + 4.67.0: worked!
1.4.6 + 4.67.0: worked!
1.5.3 + 5.8.0: worked! # Needed to refactor excluded_rule => rule_action_override for this to work.
I can also say I've introduced some (sometimes significant) changes to my WAF deployment scripts since this ticket was raised, and all of them worked without issues. Looks like this is indeed resolved, at least for my case.
@mkielar Thank you for your response! Some of the issues in this family were related to Terraform core fixes (yours, I believe) and provider fixes (such as tag-related problems).
Hi all :wave: As was mentioned above, this issue appears to be fixed when using a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later). If you experience additional unexpected behaviors with versions that meet these parameters, please open a new issue so that we can investigate further.
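The version floor stated in this thread, combined with the excluded_rule => rule_action_override refactor mentioned above, as an added example (not taken from the issue, its attachments or the provider maintainers). The resource names, metric names and the overridden rule are constructed placeholders.

```hcl
terraform {
  required_version = ">= 1.4.2" # minimum Terraform version named in this thread
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.67.0" # minimum AWS provider version named in this thread
    }
  }
}

# Constructed example: every name below is a placeholder.
resource "aws_wafv2_web_acl" "example" {
  name  = "example-web-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "aws-common-rules"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        # Older form this replaces: excluded_rule { name = "SizeRestrictions_BODY" }
        rule_action_override {
          name = "SizeRestrictions_BODY"
          action_to_use {
            count {}
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl"
    sampled_requests_enabled   = true
  }
}
```

After changing the provider constraint, terraform init -upgrade refreshes the lock file, and a terraform plan against existing state shows whether the override block produces the intended change before anything is applied.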
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Related:
23390
23423
23936
23992
24386
27175
27479
28191
28672
29012
29304
30858
Terraform Core Version
1.3.1
AWS Provider Version
4.34.
Affected Resource(s)
aws_wafv2_web_acl
Expected Behavior
Running terraform apply should finish successfully
Actual Behavior
Running terraform apply fails, and outputs a ~2.5MB Go StackTrace.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
See attached: tf-waf-custom-response-bug.zip
Steps to Reproduce
terraform init
terraform apply -var='v=1'
This will deploy all resources and will provision v1 of the Custom Response we configure for WAF WebACL to display a Maintenance Page. This should pass correctly.
terraform apply -var='v=2' --auto-approve > out.log 2>&1
This will mimic making modification to the HTML in Custom Response (terraform will use a different file to generate a change in WebACL Custom Response Configuration). You should see a very long exception logged.
Debug Output
N/A
Panic Output
See _expected/out.log in attached ZIP file.
Important Factoids
dynamic section operating on local.managed_rules) the error no longer occurs. This would suggest that the error is a result of overall complexity (or perhaps size?) of the change to apply, or a combination of settings, rather than a single setting. But that's just my impression.
website rule to returning a 307 response with Location header, and that would still fail when trying to apply the change 2.2. I also tried to remove the custom response for api rule, and make it also only respond with status and headers, and terraform failed to remove custom response in this case as well (in this case the response is just a simple JSON, so it seems the content is irrelevant).
TF_LOG=debug (unfortunately don't have that log anymore) and I remember seeing several "Produced inconsistent plan, but we don't care because it's using legacy SDK" sort of messages around all WAFv2 resource (not just WebACL). Perhaps that's related?
References
No response
Would you like to implement a fix?
No