Error when referencing AWS WAFv2 IP set ARN in WebACL Rule #35903

Open
@Viswajenny

Description

The WAF web ACL rule fails when created by the aws_wafv2_web_acl resource. It works fine from the AWS console.

  • Terraform Core Version: ~>1.6.0

  • AWS Provider Version: >= 5.25.0

  • Affected Resource(s): aws_wafv2_web_acl, aws_wafv2_ip_set

Expected Behavior

The WebACL rule that refers to the AWS WAFv2 IP set ARN should be successfully created or updated, and the AWS resources (WebACL and IP set) should be provisioned in AWS from the Terraform configuration; manually creating the same resources in the AWS Management Console works without issues.

Actual Behavior

I am experiencing the issue below while referencing an AWS WAFv2 IP set ARN in a WebACL rule:

Error: updating WAFv2 WebACL (XXXXXXX): WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement { RespMetadata: { StatusCode: 400, RequestID: "XXXXX" }, Field: "RULE", Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement", Parameter: "Statement", Reason: "A reference in your rule statement is not valid." }

Relevant Error/Panic Output Snippet

[screenshot of the error output attached to the issue; not reproduced in the text]

Terraform Configuration Files

Title: Error when referencing AWS WAFv2 IP set ARN in WebACL rule

Description:
I am encountering an issue when referencing an AWS WAFv2 IP set ARN in a WebACL rule using Terraform. The ARN is valid, and the same configuration works when manually set up in the AWS Management Console, but it fails during Terraform apply.

Terraform Configuration:

resource "aws_wafv2_web_acl" "rate-limiter" {
  # ... other configurations

  rule {
    name     = "allow-from-yaxxa"
    priority = 3
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.yaxxa_ip_set.arn
      }
    }
    # ... other configurations
  }

  # ... other configurations
}

resource "aws_wafv2_ip_set" "yaxxa_ip_set" {
  # ... other configurations
}

Steps to Reproduce

  • Create the resource (aws_wafv2_ip_set) using the above code
  • Reference the IP set ARN in the WebACL rule
  • Run terraform apply
  • Observe the issue above

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
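A self-contained version of the two resources, added here as an example and not taken from the reporter's configuration (resource names, the region and the CIDR range are assumptions). It makes explicit the precondition WAFv2 imposes on this kind of reference: the IP set and the web ACL must share the same scope and, for REGIONAL, the same region, and the rule needs its own action and visibility_config.

```hcl
# Added example, not the reporter's configuration. Names, region and the
# address range are assumptions; 203.0.113.0/24 is the documentation range.
# Both resources use the same provider and the same scope, since a web ACL
# can only reference an IP set in the same scope and (for REGIONAL) region.
provider "aws" {
  region = "us-east-1" # assumption
}

resource "aws_wafv2_ip_set" "allowed_ips" {
  name               = "allowed-ips"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"] # constructed sample range
}

resource "aws_wafv2_web_acl" "rate_limiter" {
  name  = "rate-limiter"
  scope = "REGIONAL" # must match the IP set's scope

  default_action {
    block {}
  }

  rule {
    name     = "allow-from-allowed-ips"
    priority = 3

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        # Referencing the attribute also gives Terraform the dependency
        # order: the IP set is created before the web ACL that uses it.
        arn = aws_wafv2_ip_set.allowed_ips.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-from-allowed-ips"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "rate-limiter"
    sampled_requests_enabled   = true
  }
}
```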

Labels: bug (Addresses a defect in current functionality), service/wafv2 (Issues and PRs that pertain to the wafv2 service)