hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

error getting WAF Regional Web ACL for resource (<api gw stage arn>): empty response #9203

Closed andreafalzetti closed 5 years ago

andreafalzetti commented 5 years ago

Community Note

Terraform Version

Affected Resource(s)

Terraform Configuration Files

resource "aws_wafregional_web_acl_association" "restrict" {
  resource_arn = "arn:aws:apigateway:${var.region}::/restapis/${aws_api_gateway_rest_api.api.id}/stages/${var.env}"
  web_acl_id   = "${aws_wafregional_web_acl.restrict.id}"
}

Expected Behavior

Terraform apply should attach a regional WAF ACL to an API GW stage.

Actual Behavior

Terraform apply fails because it cannot find the resource (empty response).

Error: Error refreshing state: 1 error(s) occurred:

* aws_wafregional_web_acl_association.restrict: 1 error(s) occurred:

* aws_wafregional_web_acl_association.restrict: aws_wafregional_web_acl_association.restrict: error getting WAF Regional Web ACL for resource (<stage id>): empty response

Steps to Reproduce

  1. Create an API Gateway
  2. Create a regional WAF ACL
  3. Attach the regional WAF ACL to the API Gateway stage
  4. Terraform init
  5. Terraform plan
  6. Terraform apply -> Fails

References

Using the AWS cli, this operation is possible:

aws waf-regional associate-web-acl \
  --web-acl-id '<acl id>' \
  --resource-arn '<stage id>'

eestolano commented 5 years ago

I just saw this error in a different scenario. I had a web ACL association with an ALB. Manually removing the association outside of Terraform caused terraform plan to fail in the refresh phase with:

error getting WAF Regional Web ACL for resource (<ALB ARN>): empty response

Manually recreating the association fixed the error.

ChildOfTheCron commented 5 years ago

Ran into a similar issue as above on terraform 0.12.5 with aws provider 2.23.0:

error getting WAF Regional Web ACL for resource (<ALB ARN>): empty response

This happened after deleting all WAF resources in my test environment and running terraform plan to recreate them. I tried terraform reset to update state, but this did not help. As mentioned above, I had to manually recreate the WAF ACL and associate the ALBs before re-running terraform plan.
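The two comments above describe the same failure: once the association is removed outside Terraform, the lookup returns an empty response and the refresh aborts before any plan exists, so the unprotected resource cannot be re-associated through Terraform. As an added example (not the provider's code and not the fix in the linked pull request), this Go program contrasts that strict read with one that reports the association as absent so it can be re-created; every type, function name and sample value in it is a hypothetical stand-in.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins; assumption: no association means a response with no summary and no error.
type webACLSummary struct{ ID string }
type lookupOutput struct{ Summary *webACLSummary }

// fakeWAF is constructed sample data: resource ARN -> associated web ACL ID.
type fakeWAF map[string]string

func (f fakeWAF) webACLForResource(arn string) *lookupOutput {
	if id, ok := f[arn]; ok {
		return &lookupOutput{Summary: &webACLSummary{ID: id}}
	}
	return &lookupOutput{}
}

var errEmptyResponse = errors.New("empty response")

// strictRefresh reproduces the reported behaviour: a missing association
// aborts the refresh, so no plan is produced.
func strictRefresh(waf fakeWAF, arn string) (string, error) {
	out := waf.webACLForResource(arn)
	if out == nil || out.Summary == nil {
		return "", fmt.Errorf("error getting WAF Regional Web ACL for resource (%s): %w", arn, errEmptyResponse)
	}
	return out.Summary.ID, nil
}

// tolerantRefresh reports the association as absent instead of failing, so
// the caller can drop it from state and let the next plan re-create it.
func tolerantRefresh(waf fakeWAF, arn string) (id string, present bool) {
	out := waf.webACLForResource(arn)
	if out == nil || out.Summary == nil {
		return "", false
	}
	return out.Summary.ID, true
}

func main() {
	waf := fakeWAF{} // constructed: association removed outside Terraform
	_, err := strictRefresh(waf, "example-alb-arn")
	_, present := tolerantRefresh(waf, "example-alb-arn")
	fmt.Println("strict:", err, "| tolerant present:", present)
}
```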

bflad commented 5 years ago

Hi folks 👋 Thanks for the report and sorry for the trouble. Fix submitted here: https://github.com/terraform-providers/terraform-provider-aws/pull/10216

bflad commented 5 years ago

The fix for this has been merged and will release with version 2.31.0 of the Terraform AWS Provider, later this week. 👍

ghost commented 5 years ago

This has been released in version 2.31.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!