hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Field: RESOURCE_ARN, Message_: Error reason: The ARN isn't valid #29569

Closed cesarmsk closed 1 year ago

cesarmsk commented 1 year ago

Terraform Core Version

1.3.6

AWS Provider Version

4.22.0

Affected Resource(s)

AWS, Cloudfront distribution, WAF ACL with IP set and rule to block all but the listed IPs

Expected Behavior

Web ACL should be associated with the Cloudfront distribution

Actual Behavior

I am trying to configure the whitelist rule for the flashdata WAF ACL, but I am getting the error below, for which I haven't been able to find any solution on the web yet. The problem is that when the IP Set is created it receives an ARN name that contains slashes ('/'), but Terraform does not allow this, and this ARN is required in the ip_set_reference_statement. Please let me know if you know how to solve it:

Message_: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:XX-XXXXXX-X:XXXXXXXX:regional/ipset/XXX-XXXXXXX-dev/XXDDDDDD-XXXX-DDDD-XXDD-XXXXXXXDDDD", Parameter: "arn:aws:wafv2:XX-XXXXXX-X:XXXXXXXX:regional/ipset/XXX-XXXXXXX-dev/XXDDDDDD-XXXX-DDDD-XXDD-XXXXXXXDDDD", Reason: "The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes."

Relevant Error/Panic Output Snippet

resource "aws_wafv2_web_acl" "waf_cf_01" {
  name        = "waf_cf_01"
  description = "WAF for cloudfront distribution"
  scope       = "CLOUDFRONT"
  provider    = aws.us-east-1

  ...

  rule {
    name     = "WafBlockOtherIps"
    priority = 7
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipset.arn
      }
    }
    action {
      block {}
    }
    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "WafBlockOtherIps"
    }
  }
}

# IP Set to be defined in AWS WAF (whitelist)
resource "aws_wafv2_ip_set" "ipset" {
  name               = "waf-trustedip"
  description        = "Flashdata WAF ACL IP set"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = var.IPlist
}

Terraform Configuration Files


Steps to Reproduce

terraform apply

Debug Output

#####################

Panic Output

#####################

Important Factoids

#####################

References

I saw a similar issue (https://github.com/hashicorp/terraform-provider-aws/issues/28753) but I couldn't solve it with that solution, or didn't get it right

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

cesarmsk commented 1 year ago

I could fix the problem. The problem was with the region which was incorrect
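The rejected ARN in the report comes from an IP set created with scope = "REGIONAL" (its ARN contains "regional/ipset/") while the web ACL it is referenced from is scope = "CLOUDFRONT" in us-east-1, and the follow-up confirms the region was wrong. The Python check below is an added example, not code from the issue or the provider; it assumes the WAFv2 ARN layout arn:partition:wafv2:region:account:scope/type/name/id, with scope "global" (always in us-east-1) for CLOUDFRONT resources and "regional" for REGIONAL ones, and uses constructed sample ARNs.

```python
import re
from dataclasses import dataclass

# Assumed WAFv2 ARN shape: arn:<partition>:wafv2:<region>:<account>:<scope>/<type>/<name>/<id>
# where <scope> is "regional" for REGIONAL resources and "global" for CLOUDFRONT ones.
WAFV2_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):wafv2:(?P<region>[^:]+):(?P<account>\d{12}):"
    r"(?P<scope>regional|global)/(?P<type>ipset|webacl|rulegroup)/(?P<name>[^/]+)/(?P<id>[^/]+)$"
)


@dataclass
class ArnCheck:
    ok: bool
    reason: str


def check_ip_set_arn(arn: str, web_acl_scope: str, web_acl_region: str) -> ArnCheck:
    """Decide whether an IP set ARN can be referenced from a web ACL whose Terraform
    scope is "CLOUDFRONT" or "REGIONAL" and whose provider region is web_acl_region."""
    m = WAFV2_ARN.match(arn)
    if not m:
        return ArnCheck(False, "not a WAFv2 ARN of the expected shape")
    if m["type"] != "ipset":
        return ArnCheck(False, f"ARN names a {m['type']}, not an ipset")
    want_scope = "global" if web_acl_scope == "CLOUDFRONT" else "regional"
    if m["scope"] != want_scope:
        return ArnCheck(False, f"IP set scope '{m['scope']}' does not match web ACL scope {web_acl_scope}")
    # CLOUDFRONT-scoped resources only exist in us-east-1 (assumption stated in the lead-in).
    if web_acl_scope == "CLOUDFRONT" and m["region"] != "us-east-1":
        return ArnCheck(False, "CLOUDFRONT-scoped IP sets must be created in us-east-1")
    if web_acl_scope == "REGIONAL" and m["region"] != web_acl_region:
        return ArnCheck(False, f"IP set region {m['region']} differs from web ACL region {web_acl_region}")
    return ArnCheck(True, "ok")


# Constructed sample ARNs (account id and uuid are placeholders, not real resources).
BAD_ARN = "arn:aws:wafv2:eu-west-1:123456789012:regional/ipset/waf-trustedip/12345678-1234-1234-1234-123456789012"
GOOD_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/waf-trustedip/12345678-1234-1234-1234-123456789012"

if __name__ == "__main__":
    # The issue's situation: a REGIONAL IP set referenced from a CLOUDFRONT web ACL.
    print(check_ip_set_arn(BAD_ARN, "CLOUDFRONT", "us-east-1"))
    # The fixed situation: IP set created with scope CLOUDFRONT in us-east-1.
    print(check_ip_set_arn(GOOD_ARN, "CLOUDFRONT", "us-east-1"))
```

Running it before terraform apply on the ARN a plan will pass into ip_set_reference_statement surfaces the scope/region mismatch with a readable reason instead of the generic "The ARN isn't valid" from the API.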

justinretzolk commented 1 year ago

Hey @cesarmsk 👋 Thank you for taking the time to raise this, as well as for following up with the solution! Given that you've resolved the issue, we'll close this issue.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.