aws_wafregional_web_acl_association with ALB fails


Lucas Possamai

Mar 12, 2021, 4:18:56 AM
to terrafo...@googlegroups.com
Hi all,

I'm creating an EKS cluster in AWS with an ALB ingress, then, I'm creating some AWS WAF resources and using aws_wafregional_web_acl_association to associate the WAF policies to my Kubernetes ELB.

However, aws_wafregional_web_acl_association fails with the following error:

---

aws_wafregional_web_acl_association.Blacklist_WACL: Creating...

Error: Error creating WAF Regional Web ACL association: WAFInvalidParameterException:
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "280afc01-d39a-4261-b74d-0087b7ca8bb9"
  },
  Field: "ResourceArn",
  Parameter: "RESOURCE_ARN",
  Reason: "ILLEGAL_ARGUMENT"
}

  on waf_webacl_association.tf line 2, in resource "aws_wafregional_web_acl_association" "Blacklist_WACL":
   2: resource "aws_wafregional_web_acl_association" "AWS_Security_Blog_Blacklist_WACL" {

---

My resource looks like this:
resource "aws_wafregional_web_acl_association" "Blacklist_WACL" {
  resource_arn = "${module.find_lb_name.stdout}"
  web_acl_id   = aws_wafregional_web_acl.Blacklist_WACL.id
}

module.find_lb_name.stdout returns the ELB name. I have also tried the full ELB ARN, same error.
Example of an ELB ARN: arn:aws:elasticloadbalancing:region:accountid:loadbalancer/${module.find_lb_name.stdout}

What am I missing? Thanks in advance!

Chamila

Mar 15, 2021, 6:47:52 AM
to terrafo...@googlegroups.com, Lucas Possamai
I haven't worked with WAF, but the documentation [1] seems to refer to
the actual ARN rather than the ALB name. Do you get the ARN of the ALB
out of the find_lb_name module?

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association#resource_arn

Regards,
Chamila
https://chamilad.github.io/

On 12/03/2021 10:18 pm, Lucas Possamai wrote:
> Hi all,
>
> I'm creating an EKS cluster in AWS with an ALB ingress, then, I'm
> creating some AWS WAF resources and using
> aws_wafregional_web_acl_association
> <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association>
> to associate the WAF policies to my Kubernetes ELB.
>
> However, *aws_wafregional_web_acl_association* fails with the following
> error:
>
> ---
>
> aws_wafregional_web_acl_association.Blacklist_WACL: Creating...
>
> Error: Error creating WAF Regional Web ACL association:
> WAFInvalidParameterException:
> {
>   RespMetadata: {
>     StatusCode: 400,
>     RequestID: "280afc01-d39a-4261-b74d-0087b7ca8bb9"
>   },
>   Field: "ResourceArn",
>   Parameter: "RESOURCE_ARN",
>   Reason: "ILLEGAL_ARGUMENT"
> }
>
>   on waf_webacl_association.tf line 2, in resource "aws_wafregional_web_acl_association" "Blacklist_WACL":
>    2: resource "aws_wafregional_web_acl_association" "AWS_Security_Blog_Blacklist_WACL" {
>
> ---
>
> My resource looks like this:
> resource "aws_wafregional_web_acl_association" "Blacklist_WACL" {
>   resource_arn = "${module.find_lb_name.stdout}"
>   web_acl_id   = aws_wafregional_web_acl.Blacklist_WACL.id
> }
>
> *module.find_lb_name.stdout* returns the ELB name. I have also tried the
> full ELB ARN, same error.
> Example of an ELB ARN:
> arn:aws:elasticloadbalancing:region:accountid:loadbalancer/${module.find_lb_name.stdout}
>
> What am I missing? Thanks in advance!
>
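An added example, not part of the thread, of what the reply above is pointing at. The value WAF Regional expects in resource_arn is the ARN of an Application Load Balancer, which has the shape arn:aws:elasticloadbalancing:<region>:<account>:loadbalancer/app/<name>/<id>; the hand-built ARN in the question, loadbalancer/<name> with no app/ segment and no trailing id, is the Classic Load Balancer form, so both the bare name and that ARN are rejected as ILLEGAL_ARGUMENT. Rather than constructing the ARN by hand, let Terraform resolve it from the name with the aws_lb data source. It assumes the thread's own module.find_lb_name.stdout (a hypothetical module that returns the ingress ALB name) and the aws_wafregional_web_acl.Blacklist_WACL resource already exist, and that the AWS provider is configured; the lifecycle precondition needs Terraform 1.2 or later and can be dropped on older versions.

```hcl
# Resolve the ingress ALB by name; the data source returns its real ARN.
# module.find_lb_name.stdout is the thread's hypothetical module output (assumed).
data "aws_lb" "ingress" {
  name = module.find_lb_name.stdout   # e.g. "k8s-default-myingress-abc123" (constructed sample)
}

resource "aws_wafregional_web_acl_association" "Blacklist_WACL" {
  # ALB ARN, e.g. arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:loadbalancer/app/<name>/<id>
  resource_arn = data.aws_lb.ingress.arn
  web_acl_id   = aws_wafregional_web_acl.Blacklist_WACL.id

  lifecycle {
    # WAF Regional (WAF Classic) can only be attached to an Application Load Balancer,
    # not to a Classic or Network load balancer; fail at plan time instead of with a 400.
    precondition {
      condition     = data.aws_lb.ingress.load_balancer_type == "application"
      error_message = "Load balancer ${data.aws_lb.ingress.name} is not an ALB; WAF Regional cannot be associated with it."
    }
  }
}
```

One caveat when the ALB is created by a Kubernetes ingress controller rather than by Terraform: the load balancer only exists after the controller has reconciled the Ingress object, so the data lookup has to run in an apply that happens after that (for example a second root module, or a depends_on on whatever resource creates the Ingress), otherwise the lookup itself fails with "no matching LoadBalancer found".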