kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

WAF get disassociated from ALB automatically #3323

Closed sichiba closed 1 year ago

sichiba commented 1 year ago

Hello there. I got a very strange behaviour of WAF v2 as well: its association with the ALB gets removed automatically. We couldn't find what's wrong or how to prevent that from happening. Any clues about this, please?

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/aws-load-balancer-controller/1691507478437619764",
    "accountId": "xxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxxxx:role/aws-load-balancer-controller",
        "accountId": "xxxxxxxxx",
        "userName": "aws-load-balancer-controller"
      },
      "webIdFederationData": {
        "federatedProvider": "arn:aws:iam::xxxxxxxxx:oidc-provider/oidc.eks.eu-west-3.amazonaws.com/id/xxxxxxxx",
        "attributes": {}
      },
      "attributes": {
        "creationDate": "2023-08-08T15:11:22Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-08-08T15:11:37Z",
  "eventSource": "wafv2.amazonaws.com",
  "eventName": "DisassociateWebACL",
  "awsRegion": "eu-west-3",
  "sourceIPAddress": "xxxxxxx",
  "userAgent": "elbv2.k8s.aws/v2.4.2 aws-sdk-go/1.42.27 (go1.17.10; linux; amd64)",
  "requestParameters": {
    "resourceArn": "arn:aws:elasticloadbalancing:eu-west-3:xxxxxxxx:loadbalancer/app/k8s-alb-xxx/xxx"
  },
  "responseElements": null,
  "requestID": "6d50xxxxxxxxxxxxx1",
  "eventID": "xxxxxxxxxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "apiVersion": "2019-04-23",
  "managementEvent": true,
  "recipientAccountId": "xxxxx",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "xxxxxxx",
    "clientProvidedHostHeader": "wafv2.eu-west-3.amazonaws.com"
  }
}

oliviassss commented 1 year ago

@sichiba, hi. Is this WAF associated with your ALB via the ingress annotation alb.ingress.kubernetes.io/wafv2-acl-arn, or was it added to the ALB manually from the console, or by another third party like AWS Firewall Manager? And what's the version of the AWS LBC?

The controller reconciles based on the manifest, so if the WAF is not associated by annotation it will get removed during controller reconciliation. If you don't want the controller to manage the WAF add-ons, you can disable that via the command line flag --enable-wafv2=false. For more info you can check our live doc:
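The reconcile behaviour described above is visible in CloudTrail: a wafv2 DisassociateWebACL call whose user agent is the controller's own. The following is an added example (not the controller's code and not from the issue) that classifies such records and checks whether the Ingress actually declares the WebACL; the records and Ingress object are constructed samples shaped after the event quoted in the issue.

```python
from collections import Counter

WAF_ANNOTATION = "alb.ingress.kubernetes.io/wafv2-acl-arn"
CONTROLLER_UA_PREFIX = "elbv2.k8s.aws/"  # user agent seen in the issue's event


def is_controller_waf_disassociation(event: dict) -> bool:
    """True when a wafv2 DisassociateWebACL call came from the AWS LBC."""
    return (
        event.get("eventSource") == "wafv2.amazonaws.com"
        and event.get("eventName") == "DisassociateWebACL"
        and event.get("userAgent", "").startswith(CONTROLLER_UA_PREFIX)
    )


def controller_disassociations(records: list[dict]) -> Counter:
    """Count controller-driven WebACL removals per load balancer ARN."""
    hits: Counter = Counter()
    for ev in records:
        if is_controller_waf_disassociation(ev):
            hits[ev.get("requestParameters", {}).get("resourceArn", "?")] += 1
    return hits


def ingress_declares_waf(ingress: dict) -> bool:
    """True when the Ingress carries the annotation the controller reconciles."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    return bool(ann.get(WAF_ANNOTATION))


def diagnose(records: list[dict], ingress: dict) -> str:
    """Explain a controller disassociation in terms of the reconcile loop."""
    if not controller_disassociations(records):
        return "no controller-driven WebACL removal found"
    if ingress_declares_waf(ingress):
        return "controller removed a WebACL although the annotation is set; check its value"
    return ("WebACL was attached outside the Ingress (console/Terraform/FMS); "
            f"set {WAF_ANNOTATION} or run the controller with --enable-wafv2=false")


# Constructed samples: shapes follow the CloudTrail record quoted in the issue.
LB_ARN = "arn:aws:elasticloadbalancing:eu-west-3:111122223333:loadbalancer/app/k8s-alb-demo/abc"
SAMPLE_RECORDS = [
    {"eventSource": "wafv2.amazonaws.com", "eventName": "AssociateWebACL",
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.5.0",  # constructed Terraform UA
     "requestParameters": {"resourceArn": LB_ARN}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "DisassociateWebACL",
     "userAgent": "elbv2.k8s.aws/v2.4.2 aws-sdk-go/1.42.27 (go1.17.10; linux; amd64)",
     "requestParameters": {"resourceArn": LB_ARN}},
]
SAMPLE_INGRESS = {"metadata": {"name": "demo", "annotations": {"kubernetes.io/ingress.class": "alb"}}}
```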

sichiba commented 1 year ago

@oliviassss thank you for your reply. Indeed, this ALB got attached to the WAF via Terraform. I just found out this morning about the ALB annotation and tried it; I will be using it. Thank you for your valuable insight. I'll check the flag as well.

oliviassss commented 1 year ago

@sichiba, I'm closing the issue for now; please feel free to reach out if you have any questions. Thanks