Open xyfleet opened 7 months ago
This seems unrelated to the Terraform configuration since the disassociation happens after the configuration is applied successfully. The CloudTrail record that you mention should have more details to help determine the source. I would recommend further checking the `userIdentity`, `sourceIPAddress`, and `userAgent` attributes.
Terraform Core Version
Terraform v1.5.6
AWS Provider Version
5.30
Affected Resource(s)
aws_wafv2_web_acl_association
Expected Behavior
All of ALBs are associated with the WAF
Actual Behavior
One of the ALBs got disassociated accidentally. Once you put it back through terraform apply, this issue will happen again. In general the disassociation happens from time to time. You have to run terraform apply to update the WAF association when you see it. This brings a security risk to us since the ALB got disassociated from the WAF.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
I put the ARNs of three ALBs into a list as a variable:
Steps to Reproduce
1. Follow the configuration.
2. Wait.
3. Someday, one of the ALBs will be disassociated without any notification or code change.
Debug Output
No response
Panic Output
No response
Important Factoids
When one ALB got disassociated, I checked the Terraform state file; all of the ALBs are listed there (I am sure no one changed this code). And when you run terraform plan, it tells you that one association will be created. Once you run terraform apply with this change, you will see the ALB associated again in the AWS WAF console.
Below is the state file from when I found the ALB had been disassociated.
I checked the log from CloudTrail and found that the DisassociateWebACL command was triggered via the ALB SDK as per the user agent.
I am not quite sure why this command got triggered, or how it was triggered. Any idea will be appreciated.
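The maintainer's suggestion above (check `userIdentity`, `sourceIPAddress` and `userAgent` on the `DisassociateWebACL` record) and the reporter's CloudTrail finding both amount to the same triage step, so here is an added example of that step in Python. It is not code from the issue or from the provider; the CloudTrail records are constructed samples with placeholder account ids and ARNs, and the assumption that the provider's User-Agent starts with `APN/1.0 HashiCorp/1.0 Terraform/` is mine. It picks out WAFv2 association events, flags disassociations that were not issued by the expected Terraform principal, and lists the ALBs whose most recent event is a disassociation (the drift that `terraform plan` later reports).

```python
"""Triage CloudTrail records for unexpected WAFv2 DisassociateWebACL calls.

Added example, not part of the issue or the AWS provider. All records below are
constructed; account ids, ARNs and IP addresses are placeholders.
"""
import json
from datetime import datetime, timezone

# Constructed placeholders (not real resources).
ACCOUNT = "111122223333"
WEB_ACL = f"arn:aws:wafv2:us-east-1:{ACCOUNT}:regional/webacl/edge-acl/00000000-0000-0000-0000-000000000000"
ALB_A = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/alb-a/0123456789abcdef"
ALB_B = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/alb-b/fedcba9876543210"
ALB_C = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/alb-c/0011223344556677"
TERRAFORM_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/terraform-deploy/ci"

# Assumption: the AWS provider identifies itself with this User-Agent prefix.
TERRAFORM_UA_PREFIX = "APN/1.0 HashiCorp/1.0 Terraform/"
TERRAFORM_UA = TERRAFORM_UA_PREFIX + "1.5.6 (+https://www.terraform.io) terraform-provider-aws/5.30.0"

# Constructed, abridged CloudTrail records (field names follow the CloudTrail schema).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "AssociateWebACL",
     "userIdentity": {"type": "AssumedRole", "arn": TERRAFORM_ROLE},
     "sourceIPAddress": "198.51.100.7", "userAgent": TERRAFORM_UA,
     "requestParameters": {"webACLArn": WEB_ACL, "resourceArn": ALB_A}},
    {"eventTime": "2024-01-10T10:00:05Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "AssociateWebACL",
     "userIdentity": {"type": "AssumedRole", "arn": TERRAFORM_ROLE},
     "sourceIPAddress": "198.51.100.7", "userAgent": TERRAFORM_UA,
     "requestParameters": {"webACLArn": WEB_ACL, "resourceArn": ALB_B}},
    # The event the issue describes: a disassociation from a different caller.
    {"eventTime": "2024-01-11T03:14:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DisassociateWebACL",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ops-script"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-java/2.20.0 Linux/5.10",
     "requestParameters": {"resourceArn": ALB_B}},
    # Unrelated noise that the filter must ignore.
    {"eventTime": "2024-01-11T03:15:00Z", "eventSource": "elasticloadbalancing.amazonaws.com",
     "eventName": "DescribeLoadBalancers",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ops-script"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-java/2.20.0 Linux/5.10",
     "requestParameters": {}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def wafv2_association_events(events):
    """Return only WAFv2 (dis)association events, oldest first."""
    wanted = {"AssociateWebACL", "DisassociateWebACL"}
    hits = [e for e in events
            if e.get("eventSource") == "wafv2.amazonaws.com" and e.get("eventName") in wanted]
    return sorted(hits, key=lambda e: parse_time(e["eventTime"]))


def unexpected_disassociations(events, trusted_principals, trusted_ua_prefix=TERRAFORM_UA_PREFIX):
    """DisassociateWebACL calls not made by a trusted principal using the Terraform agent.

    Both conditions are checked because the User-Agent header is set by the client and
    is not evidence on its own; the principal ARN comes from the signed request.
    """
    findings = []
    for e in wafv2_association_events(events):
        if e["eventName"] != "DisassociateWebACL":
            continue
        principal = e.get("userIdentity", {}).get("arn")
        agent = e.get("userAgent", "")
        if principal in trusted_principals and agent.startswith(trusted_ua_prefix):
            continue
        findings.append({
            "time": e["eventTime"],
            "resource": e["requestParameters"].get("resourceArn"),
            "principal": principal,
            "principal_type": e.get("userIdentity", {}).get("type"),
            "source_ip": e.get("sourceIPAddress"),
            "user_agent": agent,
        })
    return findings


def drifted_resources(events, expected_arns):
    """ARNs that should carry the Web ACL but whose latest event is a disassociation."""
    last_event = {}
    for e in wafv2_association_events(events):
        last_event[e["requestParameters"].get("resourceArn")] = e["eventName"]
    return sorted(arn for arn in expected_arns if last_event.get(arn) == "DisassociateWebACL")


if __name__ == "__main__":
    for finding in unexpected_disassociations(SAMPLE_EVENTS, {TERRAFORM_ROLE}):
        print(json.dumps(finding, indent=2))
    print("needs re-association:", drifted_resources(SAMPLE_EVENTS, {ALB_A, ALB_B, ALB_C}))
```

On real data, feed it the `Records` array from a CloudTrail log file or the rows returned by a CloudTrail Lake or Athena query; the drift list is the same set of ALBs that `terraform plan` will offer to re-associate, so it can be alerted on without waiting for the next apply.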
References
No response
Would you like to implement a fix?
None