AWS WAFv2 Web ACL resource doesn't exist

Hello,

I am trying to use the new WAFv2 Terraform module for configuring a Web ACL with attached AWS managed rules.

I am getting an error that the resource doesn't exist, although I want Terraform to actually create it.

Error: Error creating WAFv2 WebACL: WAFNonexistentItemException: AWS WAF couldn't perform the operation because your resource doesn't exist.
  on ../../../../../tmp/terraform/modules/wafv2/main.tf line 1, in resource "aws_wafv2_web_acl" "waf_web_acl":
  1: resource "aws_wafv2_web_acl" "waf_web_acl" {

My resource definition looks something like this, with a bunch more AWS managed rule groups:

resource "aws_wafv2_web_acl" "waf_web_acl" {
  name        = var.web_acl_name
  description = "AWS Managed rules configured on Web ACL"
  scope       = var.web_acl_scope # REGIONAL

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesAdminProtectionRuleSet"
    priority = 1

    action {
      block {}
    }

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWS-AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = var.web_acl_enable_cloudwatch
      metric_name                = "AWS-AWSManagedRulesAdminProtectionRuleSet"
      sampled_requests_enabled   = var.sampled_requests_enabled
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = var.web_acl_enable_cloudwatch   ## true
    metric_name                = var.web_acl_name     ## same as web acl name
    sampled_requests_enabled   = var.sampled_requests_enabled    ## true
  }
}

Any ideas?

1 Like

I found the issue. It was due to an incorrect reference to the AWS managed rules. In their JSON export the names appear as "AWS-AWSManagedRulesAdminProtectionRuleSet", but in Terraform they need to be referenced as "AWSManagedRulesAdminProtectionRuleSet".

6 Likes

Thanks for sharing this. In my case, the name of the managed rule was correct as you’ve stated above, but I was trying to specify a version on “AWSManagedRulesAmazonIpReputationList” which does not support versions.

To check if a managed rule group supports versions, check out the docs here. Click into the rule of your choosing and search for "version". If the contents do not mention "version" anywhere, then the managed rule group does not support versions.
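Both replies above describe mistakes that only surface at apply time as a WAFNonexistentItemException: a managed rule group `name` that still carries the console's "AWS-" rule label prefix, and a `version` set on a group that does not support one. The following is an added pre-apply lint written for this thread, not code from the thread or from the Terraform AWS provider; it scans flat `managed_rule_group_statement` blocks with a regex (no HCL parser dependency), and the set of unversioned groups is an assumption seeded only from the group named above.

```python
import re
# Assumption: seeded only from the thread; extend it from the AWS docs.
UNVERSIONED_GROUPS = {"AWSManagedRulesAmazonIpReputationList"}
# Flat managed_rule_group_statement blocks (no nested scope_down_statement).
BLOCK = re.compile(r"managed_rule_group_statement\s*\{(?P<body>[^{}]*)\}")
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def managed_rule_group_statements(hcl: str) -> list[dict]:
    """Quoted attributes (name, vendor_name, version, ...) of each block."""
    return [dict(ATTR.findall(m.group("body"))) for m in BLOCK.finditer(hcl)]

def expected_name(name: str, vendor: str) -> str:
    """Console rule labels read '<vendor>-<group>'; Terraform wants '<group>'."""
    prefix = vendor + "-"
    return name[len(prefix):] if name.startswith(prefix) else name

def lint(hcl: str) -> list[str]:
    """Findings for the two WAFNonexistentItemException causes in the thread."""
    findings = []
    for stmt in managed_rule_group_statements(hcl):
        name, vendor = stmt.get("name", ""), stmt.get("vendor_name", "")
        fixed = expected_name(name, vendor)
        if fixed != name:
            findings.append(f"{name!r}: drop the {vendor}- prefix, use {fixed!r}")
        if fixed in UNVERSIONED_GROUPS and "version" in stmt:
            findings.append(f"{fixed!r} takes no version; remove version = {stmt['version']!r}")
    return findings

# Constructed sample (rule blocks only) reproducing both mistakes from the thread.
SAMPLE_HCL = '''
  rule {
    name = "AWS-AWSManagedRulesAdminProtectionRuleSet"
    statement {
      managed_rule_group_statement {
        name        = "AWS-AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"
      }
    }
  }
  rule {
    name = "AWS-AWSManagedRulesAmazonIpReputationList"
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
        version     = "Version_1.0"
      }
    }
  }
'''
```

Run `lint()` over the module's `main.tf` contents in CI before `terraform apply`; an empty list means neither mistake is present.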

Nice one!!! That would have taken me a good hour or more to figure out!
Many thanks!