aws_wafregional_web_acl_association with ALB fails

41 views
Skip to first unread message

Lucas Possamai

unread,
Mar 12, 2021, 4:18:56 AM3/12/21
to terrafo...@googlegroups.com
Hi all,

I'm creating an EKS cluster in AWS with an ALB ingress, then, I'm creating some AWS WAF resources and using aws_wafregional_web_acl_association to associate the WAF policies to my Kubernetes ELB.

However, aws_wafregional_web_acl_association fails with the following error:

---

aws_wafregional_web_acl_association.Blacklist_WACL: Creating...

Error: Error creating WAF Regional Web ACL association: WAFInvalidParameterException:
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "280afc01-d39a-4261-b74d-0087b7ca8bb9"
  },
  Field: "ResourceArn",
  Parameter: "RESOURCE_ARN",
  Reason: "ILLEGAL_ARGUMENT"
}

  on waf_webacl_association.tf line 2, in resource "aws_wafregional_web_acl_association" "Blacklist_WACL":
   2: resource "aws_wafregional_web_acl_association" "AWS_Security_Blog_Blacklist_WACL" {

---

My resource looks like this:
resource "aws_wafregional_web_acl_association" "Blacklist_WACL" {
resource_arn = "${module.find_lb_name.stdout}"
web_acl_id = aws_wafregional_web_acl.Blacklist_WACL.id
}

module.find_lb_name.stdout returns the ELB name. I have also tried the full ELB ARN, same error.
Example of an ELB ARN: arn:aws:elasticloadbalancing:region:accountid:loadbalancer/${module.find_lb_name.stdout}

What am I missing? Thanks in advance!

Chamila

unread,
Mar 15, 2021, 6:47:52 AM3/15/21
to terrafo...@googlegroups.com, Lucas Possamai
I haven't worked with WAF, but the documentation [1] seems to refer to
the actual ARN rather than the ALB name. Do you get the ARN of the ALB
out of the find_lb_name module?

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association#resource_arn

Regards,
Chamila
https://chamilad.github.io/

On 12/03/2021 10:18 pm, Lucas Possamai wrote:
> Hi all,
>
> I'm creating an EKS cluster in AWS with an ALB ingress, then, I'm
> creating some AWS WAF resources and using
> aws_wafregional_web_acl_association
> <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association>
> to associate the WAF policies to my Kubernetes ELB.
>
> However, *aws_wafregional_web_acl_association* fails with the following
> error:
>
> ---
>
> aws_wafregional_web_acl_association.Blacklist_WACL: Creating...
>
> Error: Error creating WAF Regional Web ACL association:
> WAFInvalidParameterException:
> {
>   RespMetadata: {
>     StatusCode: 400,
>     RequestID: "280afc01-d39a-4261-b74d-0087b7ca8bb9"
>   },
>   Field: "ResourceArn",
>   Parameter: "RESOURCE_ARN",
>   Reason: "ILLEGAL_ARGUMENT"
> }
>
>   on waf_webacl_association.tf <http://waf_webacl_association.tf> line
> 2, in resource "aws_wafregional_web_acl_association" "Blacklist_WACL":
>    2: resource "aws_wafregional_web_acl_association"
> "AWS_Security_Blog_Blacklist_WACL" {
>
> ---
>
> My resource looks like this:
> resource"aws_wafregional_web_acl_association""Blacklist_WACL"{
> resource_arn ="${module.find_lb_name.stdout}"
> web_acl_id =aws_wafregional_web_acl.Blacklist_WACL.id
> }
>
> *module.find_lb_name.stdout* returns the ELB name. I have also tried the
> full ELB ARN, same error.
> Example of an ELB ARN:
> arn:aws:elasticloadbalancing:region:accountid:loadbalancer/${module.find_lb_name.stdout}
>
> What am I missing? Thanks in advance!
>
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html
> <https://www.hashicorp.com/community-guidelines.html>. Behavior in
> violation of those guidelines may result in your removal from this
> mailing list.
>
> GitHub Issues: https://github.com/hashicorp/terraform/issues
> <https://github.com/hashicorp/terraform/issues>
> IRC: #terraform-tool on Freenode
> ---
> You received this message because you are subscribed to the Google
> Groups "Terraform" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to terraform-too...@googlegroups.com
> <mailto:terraform-too...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/terraform-tool/CAE_gQfXEiYy3G27TCv2fRwbwq3GSis_YoashfC6FhF3tzSi6Lw%40mail.gmail.com
> <https://groups.google.com/d/msgid/terraform-tool/CAE_gQfXEiYy3G27TCv2fRwbwq3GSis_YoashfC6FhF3tzSi6Lw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
Reply all
Reply to author
Forward
0 new messages