hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: WAFv2 WebACL Association failing for resource aws_wafv2_web_acl_association #37778

Closed choudhary-sa closed 1 month ago

choudhary-sa commented 1 month ago

Terraform Core Version

Terraform v0.14.8

AWS Provider Version

registry.terraform.io/hashicorp/aws v5.51.0

Affected Resource(s)

resource aws_wafv2_web_acl_association

Expected Behavior

When trying to associate an application load balancer (in ap-southeast-1) to a web ACL (in us-east-1) with the resource block below, it should just do so without error.

Actual Behavior

Terraform apply is failing with the error mentioned below. Note that details are redacted from the resource ARNs, but while applying, the ARNs were copied from the AWS console.

Relevant Error/Panic Output Snippet

Error: creating WAFv2 WebACL Association 
(arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:regional/webacl/webacl-name/webacl-ID,
arn:aws:elasticloadbalancing:region:XXXXXXXXXXXX:loadbalancer/app/load-balancer-name/loadbalancer-id): 
operation error WAFV2: AssociateWebACL, https response error StatusCode: 400, RequestID: request-id, WAFInvalidParameterException: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:elasticloadbalancing:region:XXXXXXXXXXXX:loadbalancer/app/loadbalancer-name/loadbalancer-id

Terraform Configuration Files

resource "aws_wafv2_web_acl_association" "acl_lb_association" {
  for_each = toset(var.alb) # list of arns

  resource_arn = each.value
  web_acl_arn  = aws_wafv2_web_acl.web_acl.arn
}

Steps to Reproduce

  1. Create a web ACL first in us-east-1:
resource "aws_wafv2_web_acl" "web_acl" {
  name        = "web-acl"
  description = "test web-acl"
  scope       = "REGIONAL"
  tags = {
    Name        = "web-acl"
  }
  default_action {
    allow {}
  }

  rule {
    name     = "web-acl-rule-group"
    priority = 1
    override_action {
      none {}
    }
    statement {
      rule_group_reference_statement {
        arn = aws_wafv2_rule_group.rule_group.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "web-acl-rule"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}
  2. Then try associating an application load balancer in a different region:

resource "aws_wafv2_web_acl_association" "acl_lb_association" {
  for_each = toset(var.alb) # var.alb is a list of ARNs (string type)

  resource_arn = each.value
  web_acl_arn  = aws_wafv2_web_acl.web_acl.arn
}

Debug Output

No response

Panic Output

No response

Important Factoids

Creating the web ACL in one region (us-east-1) and associating an application load balancer from another region (ap-southeast-1). The association works via the AWS console.

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 1 month ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

choudhary-sa commented 1 month ago

Just tested, and tf apply works fine for a web ACL and application LB in the same region. Since the UI allows cross-region association too, it does feel like it's a bug in the provider. Looking forward to some feedback on this.

choudhary-sa commented 1 month ago

I had to update the provider in the code with correct region. It is now working as expected.
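One way to make the region dependency explicit in configuration, as an added example that is not code from the issue or from the provider project: a provider alias pinned to the load balancer's region is used by both the web ACL and the association, and a lifecycle precondition fails the plan when an ALB ARN's region differs from the web ACL's region. The alias name apse1, the region ap-southeast-1, the variable name var.alb and the Terraform >= 1.2 requirement for lifecycle preconditions (the report used v0.14.8) are assumptions.

```hcl
# Added example, not from the issue or the provider project.
# Assumptions: provider alias "apse1" for ap-southeast-1, var.alb holds ALB ARNs,
# Terraform >= 1.2 (lifecycle preconditions are not available in v0.14.8).

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.51"
    }
  }
}

# Pin every WAF-related resource to the region the load balancers live in.
provider "aws" {
  alias  = "apse1"
  region = "ap-southeast-1"
}

variable "alb" {
  description = "ARNs of application load balancers in ap-southeast-1 (constructed example input)"
  type        = list(string)
}

resource "aws_wafv2_web_acl" "web_acl" {
  provider = aws.apse1
  name     = "web-acl"
  scope    = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "acl_lb_association" {
  provider = aws.apse1
  for_each = toset(var.alb)

  resource_arn = each.value
  web_acl_arn  = aws_wafv2_web_acl.web_acl.arn

  lifecycle {
    # ARN layout is arn:partition:service:region:account:resource,
    # so element 3 of the colon-split ARN is the region. Reject the plan
    # before any AssociateWebACL call is attempted against the wrong region.
    precondition {
      condition     = split(":", each.value)[3] == split(":", aws_wafv2_web_acl.web_acl.arn)[3]
      error_message = "ALB ${each.value} is not in the same region as the REGIONAL web ACL ${aws_wafv2_web_acl.web_acl.arn}."
    }
  }
}
```

A REGIONAL web ACL is created in a specific region and the AssociateWebACL call is sent to that region's endpoint, so keeping the web ACL and the association on the same aliased provider removes the region mismatch the report hit; the precondition turns a 400 at apply time into a clear message at plan time.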

github-actions[bot] commented 1 month ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 1 week ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.