Associate WAF variable

[Rihoj]

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• No 🛑: please wait to file a request until the functionality is avaialble in the AWS provider
• Yes ✅: please list the AWS provider version which introduced this functionality

Is your request related to a problem? Please describe.

I am working on updating to use a WAF on an existing LB. However, if the WAF is not already created I get the invalid count error.

846:   count        = var.web_acl_arn != null ? 1 : 0

The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work
around this, use the -target argument to first apply only the resources that the count depends on.

Describe the solution you'd like.

I would like to see if it would be within standards for this project to switch to an "associatewaf" variable similar to the "create*" variables in this and other aws modules. The reason for this is so that count is no longer dependent on a value and therefore not cause multiple plan and applies.

Describe alternatives you've considered.

I have not been able to think of anything beyond not using the module which I would like to avoid.

[quentin9696]

Hi,

Run exactly in the same issue.

Here is a valid use case that cause trouble:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">=5"
    }
  }
}

variable "my_condition" {
  type = bool
}

locals {
  my_condition = var.my_condition
}

resource "aws_wafv2_web_acl" "this" {
  for_each = local.my_condition == true ? { 0 = 0 } : {}

  name        = "test"
  description = "test"
  scope       = "REGIONAL"

  default_action {
    block {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "not-used-but-required-by-tf"
    sampled_requests_enabled   = false
  }
}

data "aws_availability_zones" "default" {
  state = "available"
}

data "aws_vpc" "default" {
  default = true
}

data "aws_subnets" "default" {
  count = length(data.aws_availability_zones.default.names)

  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }

  filter {
    name   = "availability-zone"
    values = [element(data.aws_availability_zones.default.names, count.index)]
  }
}

data "aws_security_group" "default" {
  vpc_id = data.aws_vpc.default.id
  name   = "default"
}

module "hooks_alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = ">= 8"

  for_each = local.my_condition == true ? { 0 = 0 } : {}

  name               = "test"
  subnets            = flatten(data.aws_subnets.default[*].ids)
  internal           = false
  load_balancer_type = "application"
  vpc_id             = data.aws_vpc.default.id

  web_acl_arn = aws_wafv2_web_acl.this["0"].arn

  security_groups = [data.aws_security_group.default.id]
}

[bryantbiggs]

What is this for_each = local.my_condition == true ? { 0 = 0 } : {}

[quentin9696]

It comes form an option I put in a module that have this usecase. You can also replace by count = local.my_condition == true ? 1 : 0

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions[bot]]

This issue was automatically closed because of stale in 10 days

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

[antonbabenko]

This issue has been resolved in version 9.0.0 :tada: