hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

AWS WAF - Can't add rule to Web ACL (The referenced item does not exist) #22304

Closed matt-flow closed 5 years ago

matt-flow commented 5 years ago

Terraform Version

Terraform v0.11.13

Terraform Configuration Files

resource "random_id" "this" {
  byte_length = "8"
}

resource "aws_wafregional_geo_match_set" "geo_match_set" {
  name = "aws-geo-block-${random_id.this.hex}"

  geo_match_constraint {
    type  = "Country"
    value = "GB"
  }
}

resource "aws_wafregional_rule" "aws_geo" {
  depends_on  = ["aws_wafregional_geo_match_set.geo_match_set"]
  name        = "aws-geo-block-${random_id.this.hex}"
  metric_name = "awsGeoBlock${random_id.this.hex}"

  predicate {
    type    = "GeoMatch"
    data_id = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    negated = false
  }
}

resource "aws_wafregional_web_acl" "aws_geo" {
  name        = "${var.env}waf-GEO-${random_id.this.hex}"
  metric_name = "${var.env}wafGEO${random_id.this.hex}"

  default_action {
    type = "BLOCK"
  }

  rule {
    action {
      type = "ALLOW"
    }

    priority = "0"
    rule_id  = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    type     = "REGULAR"
  }
}

Debug Output

Error: Error applying plan:

1 error(s) occurred:

Terraform does not automatically rollback in the face of errors. Instead, your Terraform state file has been partially updated with any resources that successfully completed. Please address the error above and apply again to incrementally change your infrastructure.

[terragrunt] 2019/08/02 09:27:22 Hit multiple errors: exit status 1

MSG:

non-zero return code

Expected Behavior

The rule needs to be added to the WAF web ACL.

Actual Behavior

I'm getting an error "aws_wafregional_web_acl.abt_geo: Error Updating WAF Regional ACL: WAFNonexistentItemException: The referenced item does not exist."

Additional Context

Almost everything is working correctly: I can see that terraform is adding conditions to the Geo match set, the conditions contain the correct values, and I can also see the correct rule and web ACL, but for some reason the rule is not getting added to the new web ACL and I'm getting an error that apparently the referenced item does not exist.
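The chain in WAF Regional is match set -> rule -> web ACL: a rule's `predicate.data_id` points at a match set, and a web ACL's `rule.rule_id` must point at a rule. In the configuration above the web ACL's `rule_id` is given the geo match set's id instead of the rule's id, so the UpdateWebACL call asks for a rule that does not exist, which is exactly what `WAFNonexistentItemException: The referenced item does not exist` reports. The following is an added, corrected version of that configuration (it is not the issue author's code); it keeps the same resource names, `random_id` and `var.env` as assumptions from the posted config and uses the Terraform 0.11 interpolation syntax reported in the issue.

```hcl
# Added example, not from the issue: the same three resources with the
# web ACL referencing the rule rather than the geo match set.
# Assumed from the posted config: var.env, random_id.this, resource names.

resource "random_id" "this" {
  byte_length = "8"
}

# Condition: which countries the rule matches.
resource "aws_wafregional_geo_match_set" "geo_match_set" {
  name = "aws-geo-block-${random_id.this.hex}"

  geo_match_constraint {
    type  = "Country"
    value = "GB"
  }
}

# Rule: references the match set through predicate.data_id (this is the
# only place the match set id belongs).
resource "aws_wafregional_rule" "aws_geo" {
  name        = "aws-geo-block-${random_id.this.hex}"
  metric_name = "awsGeoBlock${random_id.this.hex}"

  predicate {
    type    = "GeoMatch"
    data_id = "${aws_wafregional_geo_match_set.geo_match_set.id}"
    negated = false
  }
}

# Web ACL: default BLOCK, with the rule above allowing matching countries.
resource "aws_wafregional_web_acl" "aws_geo" {
  name        = "${var.env}waf-GEO-${random_id.this.hex}"
  metric_name = "${var.env}wafGEO${random_id.this.hex}"

  default_action {
    type = "BLOCK"
  }

  rule {
    action {
      type = "ALLOW"
    }

    priority = "0"
    # rule_id takes the WAF rule's id; passing the match set id here is what
    # produces WAFNonexistentItemException on apply.
    rule_id  = "${aws_wafregional_rule.aws_geo.id}"
    type     = "REGULAR"
  }
}
```

With the reference corrected, the explicit `depends_on` on the rule is no longer needed either: the interpolations already give Terraform the ordering match set -> rule -> web ACL, and `terraform plan` shows `rule_id` resolving to the rule's id before apply, which is a quick way to check the wiring without hitting the API.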

ghost commented 5 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.