hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

awscc_wafv2_web_acl_association required resource_arn but awscc_apigateway_stage doesn't have arn #1041

Closed jackywong-amazon closed 1 year ago

jackywong-amazon commented 1 year ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

Terraform Configuration Files


This bug report's example: a wafv2 web acl association with awscc_apigateway_stage does not work because awscc_apigateway_stage does not have an arn.

Another example I have tested: a wafv2 web acl association with aws_api_gateway_stage works because aws_api_gateway_stage does have an arn.

resource "awscc_apigateway_rest_api" "example" {
  name        = "exampleAPI"
  description = "Rest API Gateway"
  endpoint_configuration = {
    types = ["REGIONAL"]
  }

  body = jsonencode({
    openapi = "3.0.1"
    info = {
      title   = "example"
      version = "1.0"
    }

    paths = {
      "/path1" = {
        get = {
          x-amazon-apigateway-integration = {
            httpMethod           = "GET"
            payloadFormatVersion = "1.0"
            type                 = "HTTP_PROXY"
            uri                  = "https://ip-ranges.amazonaws.com/ip-ranges.json"
          }
        }
      }
    }
  })
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]

}

resource "awscc_apigateway_deployment" "example" {
  rest_api_id = awscc_apigateway_rest_api.example.id
}

/*
# Variant from the hashicorp/aws provider: this stage resource exports an arn attribute.
resource "aws_api_gateway_stage" "example" {
  deployment_id = awscc_apigateway_deployment.example.deployment_id
  rest_api_id   = awscc_apigateway_rest_api.example.id
  stage_name    = "example_stage"
}*/

resource "awscc_apigateway_stage" "example" {
  deployment_id = awscc_apigateway_deployment.example.deployment_id
  rest_api_id   = awscc_apigateway_rest_api.example.id
  stage_name    = "example_stage"

}

resource "aws_wafv2_web_acl" "example" {
  name        = "managed-rule-example"
  description = "example of a managed rule."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "example-metric-name"
    sampled_requests_enabled   = false
  }
}

/*
# Works: aws_api_gateway_stage exposes a real ARN.
resource "awscc_wafv2_web_acl_association" "example" {
  resource_arn = aws_api_gateway_stage.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
*/

# Fails: the awscc stage has no arn attribute, and its id is "<rest_api_id>|<stage_name>",
# which WAFv2 rejects because it does not begin with "arn:".
resource "awscc_wafv2_web_acl_association" "example" {
  resource_arn = awscc_apigateway_stage.example.id
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}

Debug Output

Panic Output

awscc_wafv2_web_acl_association.example: Creating...
╷
│ Error: AWS SDK Go Service Operation Incomplete
│
│   with awscc_wafv2_web_acl_association.example,
│   on wafv2_web_acl_assoication.tf line 82, in resource "awscc_wafv2_web_acl_association" "example":
│   82: resource "awscc_wafv2_web_acl_association" "example" {
│
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned
│ to FAILED. StatusMessage: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other
│ information separated by colons or slashes., field: RESOURCE_ARN, parameter: cusryjficj|example_stage
│ (Service: Wafv2, Status Code: 400, Request ID: 143144e2-8526-4488-b636-998fe4577b4d). ErrorCode:
│ InvalidRequest
╵

Expected Behavior

Able to create the wafv2 association.

Actual Behavior

Throws an error because the API Gateway stage doesn't even have an arn.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

state file for awscc_apigateway_stage

 {
      "mode": "managed",
      "type": "awscc_apigateway_stage",
      "name": "example",
      "provider": "provider[\"registry.terraform.io/hashicorp/awscc\"]",
      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "access_log_setting": null,
            "cache_cluster_enabled": false,
            "cache_cluster_size": null,
            "canary_setting": null,
            "client_certificate_id": null,
            "deployment_id": "2f5cdd",
            "description": null,
            "documentation_version": null,
            "id": "cusryjficj|example_stage",
            "method_settings": null,
            "rest_api_id": "cusryjficj",
            "stage_name": "example_stage",
            "tags": null,
            "tracing_enabled": false,
            "variables": null
          },
          "sensitive_attributes": [],
          "dependencies": [
            "awscc_apigateway_deployment.example",
            "awscc_apigateway_rest_api.example"
          ]
        }
      ]
    },

state file for aws_api_gateway_stage

{
  "version": 4,
  "terraform_version": "1.5.0",
  "serial": 4,
  "lineage": "78723431-8f19-769d-f3e8-8ee26b5ccec5",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "aws_api_gateway_stage",
      "name": "example",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "access_log_settings": [],
            "arn": "arn:aws:apigateway:us-east-1::/restapis/sinh2s2o6l/stages/example_stage",
            "cache_cluster_enabled": false,
            "cache_cluster_size": "",
            "canary_settings": [],
            "client_certificate_id": "",
            "deployment_id": "e11o7s",
            "description": "",
            "documentation_version": "",
            "execution_arn": "arn:aws:execute-api:us-east-1:******************:sinh2s2o6l/example_stage",
            "id": "ags-sinh2s2o6l-example_stage",
            "invoke_url": "https://sinh2s2o6l.execute-api.us-east-1.amazonaws.com/example_stage",
            "rest_api_id": "sinh2s2o6l",
            "stage_name": "example_stage",
            "tags": null,
            "tags_all": {},
            "variables": null,
            "web_acl_arn": "",
            "xray_tracing_enabled": false
          },
          "sensitive_attributes": [],
          "private": "bnVsbA==",
          "dependencies": [
            "awscc_apigateway_deployment.example",
            "awscc_apigateway_rest_api.example"
          ]
        }
      ]
    }
  ]
}

kadrach commented 1 year ago

This does "work" in the provider, although the experience is not the best. The awscc_apigateway_stage resource does not have an arn property (it is not part of the schema of this resource, and not returned by CloudControl APIs). You have to create this ARN manually.

resource "awscc_wafv2_web_acl_association" "example" {
  # Stage ARN assembled by hand from rest_api_id and stage_name; the region is hard-coded here.
  resource_arn = "arn:aws:apigateway:ap-southeast-2::/restapis/${awscc_apigateway_stage.example.rest_api_id}/stages/${awscc_apigateway_stage.example.stage_name}"
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}

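A portable form of the workaround above, as an added example that is not code from the issue or from the awscc provider: the partition and region come from the hashicorp/aws provider's aws_partition and aws_region data sources (assumed to be configured alongside the resources in the report), and a plan-time precondition rejects any resource_arn that does not look like an API Gateway REST API stage ARN, so the mistake surfaces at `terraform plan` instead of as the WAFv2 400 shown in the error output.

```hcl
# Added example, not from the issue or the provider. Assumes the hashicorp/aws
# provider is configured and that awscc_apigateway_stage.example and
# aws_wafv2_web_acl.example exist as in the bug report.

data "aws_partition" "current" {}
data "aws_region" "current" {}

locals {
  # REST API stage ARNs carry no account ID, hence the empty field after the region:
  # arn:<partition>:apigateway:<region>::/restapis/<rest_api_id>/stages/<stage_name>
  stage_arn = format(
    "arn:%s:apigateway:%s::/restapis/%s/stages/%s",
    data.aws_partition.current.partition,
    data.aws_region.current.name,
    awscc_apigateway_stage.example.rest_api_id,
    awscc_apigateway_stage.example.stage_name
  )
}

resource "awscc_wafv2_web_acl_association" "example" {
  resource_arn = local.stage_arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn

  lifecycle {
    # Reject non-ARN values (such as the "<rest_api_id>|<stage_name>" id) before calling WAFv2.
    precondition {
      condition     = can(regex("^arn:[^:]+:apigateway:[^:]+::/restapis/[^/]+/stages/[^/]+$", local.stage_arn))
      error_message = "resource_arn must be an API Gateway stage ARN, got: ${local.stage_arn}"
    }
  }
}

output "stage_arn" {
  value = local.stage_arn
}
```

The precondition only runs at plan time when rest_api_id and stage_name are already known; if the stage is created in the same apply, Terraform defers the check to apply, but it still fails with the readable message rather than the service error. `data.aws_region.current.name` is the attribute in the aws provider v5 series; newer major versions also expose it under a different attribute name, so check the provider version in use.
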
jackywong-amazon commented 1 year ago

Thanks for providing the workaround, and I believe it would work.

Do we know why the awscc_apigateway_stage resource doesn't have that schema? I mean, what's the purpose or advantage of not containing the arn, based on the design etc.? Would it be aiming for faster migration to awscc? I don't know, just being curious.

wellsiau-aws commented 1 year ago

Select AWS resources may return non-ARN ID properties, and the underlying API implementation details are beyond the scope of the awscc provider. I am going to close this issue; feel free to re-open if the problem persists.