Error: List shorter than MinItems

Can anyone explain what this error means:
Error: List shorter than MinItems
?
I am getting this error when I am trying to deploy WAFv2:

Error: List shorter than MinItems

  on ../../modules/WAFv2/waf.tf line 25, in resource "aws_wafv2_web_acl" "main":
  25: resource "aws_wafv2_web_acl" "main" {

Attribute supports 1 item minimum, config has 0 declared

the resource code is taken from: terraform-aws-waf-webaclv2/main.tf at main · umotif-public/terraform-aws-waf-webaclv2 · GitHub

the module configuration:

# Instantiates the local WAFv2 module to build a web ACL with logging, six AWS managed rule
# groups, a rate-based rule, a geo-match rule and two IP-set rules.
# NOTE(review): every managed rule group below sets override_action = "count" and the rate
# rule sets action = "count", so (assuming the module passes these through unchanged) those
# rules only count matches; only the geo-match and blacklisted-ip-set rules block.
# Confirm count mode is intended beyond an initial tuning period.
module waf {
  source                      = "../../modules/WAFv2"
  name_prefix                 = "WAFv2"
  allow_default_action        = true
  region                      = var.region
  aws-account-id              = var.aws-account-id
  # Input taken from an output of this same module.
  # NOTE(review): verify this self-reference does not create a dependency cycle.
  log_destination_configs     = [module.waf.aws_kinesis_firehose_delivery_stream]
  firehose-stream-bucket-name = var.firehose-stream-bucket-name

  # Fields redacted from the WAF logs: the user-agent header.
  # NOTE(review): user-agent is often useful when triaging bot or scanner traffic; confirm
  # that redacting it is a deliberate privacy decision.
  redacted_fields = [
    {
      single_header = {
        name = "user-agent"
      }
    }
  ]

  # Log filtering: records are dropped by default and kept only when the action is
  # ALLOW or COUNT.
  # NOTE(review): with this filter, requests that end in BLOCK are not kept in the logs;
  # confirm, since blocked requests are usually needed for detection and incident response.
  logging_filter = {
    default_behavior = "DROP"

    filter = [
      {
        behavior    = "KEEP"
        requirement = "MEETS_ANY"
        condition = [
          {
            action_condition = {
              action = "ALLOW"
            }
          },
        ]
      },
      {
        behavior    = "KEEP"
        requirement = "MEETS_ALL"
        condition = [
          {
            action_condition = {
              action = "COUNT"
            }
          }
        ]
      }
    ]
  }

  # ACL-level visibility: CloudWatch metrics are disabled here and in every rule below,
  # while request sampling stays enabled.
  visibility_config = {
    cloudwatch_metrics_enabled     = false
    metric_name                    = "WAFv2-main-metrics"
    sampled_requests_enabled       = true
  }

  # Rule list. AWS WAF evaluates rules in ascending priority number, not in the order
  # they are written here.
  rules = [
    {
      name                         = "AWSManagedRulesCommonRuleSet-rule-1"
      priority                     = "10"
      override_action              = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "AWSManagedRulesCommonRuleSet-metric"
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name                       = "AWSManagedRulesCommonRuleSet"
        vendor_name                = "AWS"
        # Rules inside the group that are excluded from the group's normal action.
        excluded_rule              = [
          "GenericRFI_QUERYARGUMENTS"
        ]
      }
    },
    {
      name                         = "AWSManagedRulesKnownBadInputsRuleSet-rule-2"
      priority                     = "15"
      override_action              = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "AWSManagedRulesKnownBadInputsRuleSet-metric"
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name                       = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name                = "AWS"
      }
    },
    {
      name                         = "AWSManagedRulesSQLiRuleSet-rule-3"
      priority                     = "5"
      override_action              = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "AWSManagedRulesSQLiRuleSet-metric"
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name                       = "AWSManagedRulesSQLiRuleSet"
        vendor_name                = "AWS"
      }
    },
    {
      name                         = "AWSManagedRulesLinuxRuleSet-rule-4"
      priority                     = "20"
      override_action              = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "AWSManagedRulesLinuxRuleSet-metric"
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name                       = "AWSManagedRulesLinuxRuleSet"
        vendor_name                = "AWS"
      }
    },
    {
      name                         = "AWSManagedRulesAmazonIpReputationList-rule-5"
      priority                     = "25"
      override_action              = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "AWSManagedRulesAmazonIpReputationList-metric"
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name                       = "AWSManagedRulesAmazonIpReputationList"
        vendor_name                = "AWS"
      }
    },
    {
      name                         = "AWSManagedRulesBotControlRuleSet-rule-5"
      priority                     = "30"
      override_action              = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "AWSManagedRulesBotControlRuleSet-metric"
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name                       = "AWSManagedRulesBotControlRuleSet"
        vendor_name                = "AWS"
        excluded_rule              = [
          "CategoryHttpLibrary",
          "SignalNonBrowserUserAgent"
        ]
      }
    },
    {
      # Rate-based rule keyed on source IP; action is "count", so the limit is observed
      # but not enforced.
      name                 = "ip-rate-limit"
      priority             = "35"
      action               = "count"

      rate_based_statement = {
        limit              = "500"
        aggregate_key_type = "IP"
      }

      # NOTE(review): no metric_name here, unlike most other rules; verify the module
      # supplies a default.
      visibility_config = {
        cloudwatch_metrics_enabled = false
        sampled_requests_enabled   = true
      }
    },
    {
      name                = "block_country_codes"
      priority            = "40"
      action              = "block"

      geo_match_statement = {
        # country_codes needs at least one entry: the provider reports "Attribute supports
        # 1 item minimum, config has 0 declared" ("List shorter than MinItems") for an
        # empty list. Supply at least one country code or leave this rule out.
        country_codes     = []
      }

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "block_country_codes-metric"
        sampled_requests_enabled   = true
      }
    },
    {
      # NOTE(review): priority 60 is the highest number in this list, so this allow rule is
      # evaluated after the block rules at 40 and 50; an allow-listed address that matches
      # one of those is blocked before it gets here. Confirm the ordering is intended.
      name     = "whitelisted-ip-set"
      priority = "60"
      action   = "allow"

      ip_set_reference_statement = {
        arn = module.waf.whitelisted_ip_set
      }

      # NOTE(review): no metric_name here either; verify the module supplies a default.
      visibility_config = {
        cloudwatch_metrics_enabled = false
        sampled_requests_enabled   = true
      }
    },
    {
      name     = "blacklisted-ip-set"
      priority = "50"
      action   = "block"

      ip_set_reference_statement = {
        arn = module.waf.blacklisted_ip_set
      }

      visibility_config = {
        cloudwatch_metrics_enabled = false
        # Metric name is built from the Environment tag plus a fixed suffix.
        metric_name                = join("", [var.tags.Environment, "-ip-set-block-metrics"])
        sampled_requests_enabled   = true
      }
    }
  ]
  tags = var.tags
}

Hi @80kk,

The error you see is coming from the provider, indicating that a block in the config which requires at least one value has 0. It appears however that the exact block which is missing is not indicated in the error. Are you using the latest releases of Terraform and the provider?

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v3.46.0...
- Installed hashicorp/aws v3.46.0 (signed by HashiCorp)

That seems to be the latest available. I’ve tried Terraform 0.12 and 0.13; both throw the same error.

Thanks @80kk, I didn’t expect a newer version to change the error, but was just hoping that it may be able to return a more precise location for the missing values.

Looking through the provider schema for fields with MinItems, I see country_codes requires a value and also appears in your configuration as an empty list, so that may be the source of your problem.

That was it, thanks @jbardin.
:man_facepalming: