
[aws_wafv2_web_acl] Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement #14120

Closed
iramello opened this issue Jul 9, 2020 · 5 comments
Labels
service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@iramello
Contributor

iramello commented Jul 9, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.25
+ provider.aws v2.69.0
+ provider.datadog v2.11.0
+ provider.template v2.1.2

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

resource "aws_wafv2_ip_set" "ipset_v4" {
  name               = "v4-whitelist-dev"
  description        = "IPV4 cell whitelist"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.1"]
}

resource "aws_wafv2_web_acl" "ca-whitelist" {
  name        = "allow-cloudauth"
  description = "Only permit certain IPs"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "ipv4-whitelist"
    priority = 0

    override_action {
      count {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipset_v4.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-ipv4-whitelist"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    Name = "test"
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "acl-allow-ips"
    sampled_requests_enabled   = false
  }

}

Expected Behavior

Terraform should create wafv2 web acl

Actual Behavior

Terraform throws an error when trying to create it using the code block as above:

Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "f7e26319-e005-41e9-9184-eb9dd3d0d392"
  },
  Field: "RULE",
  Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement",
  Parameter: "Statement",
  Reason: "A reference in your rule statement is not valid."
}

Steps to Reproduce

  1. terraform apply using the HCL above
@ghost ghost added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Jul 9, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 9, 2020
@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Jul 9, 2020
@anGie44 anGie44 self-assigned this Jul 9, 2020
@evanspaeder

evanspaeder commented Jul 9, 2020

I'm having the same issue doing a managed_rule_group_statement. My HCL:

  name        = "cf-rule"
  scope       = "CLOUDFRONT"
  default_action {
    allow {}
  }
  rule {
    name     = "common"
    priority = 1
    action {
      block {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "waf-blocks"
      sampled_requests_enabled   = false
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "waf-hits"
    sampled_requests_enabled   = false
  }
}

And getting the same error:

{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "01abf998-632f-4ce2-b8d7-a217c457a832"
  },
  Field: "RULE",
  Message_: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement",
  Parameter: "Statement",
  Reason: "A reference in your rule statement is not valid."
}

@anGie44
Contributor

anGie44 commented Jul 9, 2020

Hi @iramello, thank you for reporting this issue and apologies the error returned from the AWS API isn't very clear about what part of the rule needs adjustment.

I believe the error documented in the description stems from the rule's override_action block. This block only applies to rules with rule_group_reference_statement or managed_rule_group_statement blocks, while the rule defined in the config contains the statement of type ip_set_reference_statement. Instead of this override_action block, the rule needs the action block which contains either allow, block or count arguments; more info can be found in this section of the docs (https://www.terraform.io/docs/providers/aws/r/wafv2_web_acl.html#rules).

@evanspaeder, in your case the override_action block (instead of action) should be the fix since the rule's statement is of type managed_rule_group_statement :)

Hope this helps! If any further questions arise please let me know!
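The two rule shapes from this thread side by side, as an added example rather than either reporter's own config: an ip_set_reference_statement rule with a plain action block (the fix for the original report) and a managed_rule_group_statement rule with override_action (the fix for evanspaeder's). The resource name, metric names and the reference to aws_wafv2_ip_set.ipset_v4 are assumed; default_action is set to block here because the original config's "only permit certain IPs" intent cannot be met with default allow.

```hcl
resource "aws_wafv2_web_acl" "example" { # name assumed
  name  = "rule-shapes-example"
  scope = "REGIONAL"
  # An allowlist only enforces when the default is block; with default allow the ip_set rule restricts nothing.
  default_action {
    block {}
  }
  # Group statements (managed_rule_group_statement, rule_group_reference_statement) take override_action:
  # none {} keeps the group's own block/allow actions, count {} downgrades every match to count-only while tuning.
  rule {
    name     = "aws-common"
    priority = 0
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-aws-common"
      sampled_requests_enabled   = true
    }
  }
  # Every other statement type takes a plain action block; allow is terminating, so no lower-priority rule runs on a hit.
  rule {
    name     = "ipv4-allowlist"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipset_v4.arn # the IP set from the report, assumed to exist
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-ipv4-allowlist"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "acl-example"
    sampled_requests_enabled   = true
  }
}
```

Swapping either rule's action/override_action block for the other kind reproduces the WAFInvalidParameterException quoted in the report, so the mismatch only surfaces at apply time, not at plan or validate.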

@anGie44
Contributor

anGie44 commented Jul 9, 2020

Related to #14094

@iramello
Contributor Author

@anGie44 Thanks A LOT for your reply, changing override_action for action did the trick 🤦

@ghost

ghost commented Aug 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 12, 2020