Web_acl_association with ALB fails

I’m creating an EKS cluster in AWS with an ALB ingress. Then I’m creating some AWS WAF resources and using aws_wafregional_web_acl_association to associate the WAF policies with my Kubernetes ELB.

However, aws_wafregional_web_acl_association fails with the following error:

aws_wafregional_web_acl_association.Blacklist_WACL: Creating...

Error: Error creating WAF Regional Web ACL association: WAFInvalidParameterException:
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "280afc01-d39a-4261-b74d-0087b7ca8bb9"
  },
  Field: "ResourceArn",
  Parameter: "RESOURCE_ARN",
  Reason: "ILLEGAL_ARGUMENT"
}

  on waf_webacl_association.tf line 2, in resource "aws_wafregional_web_acl_association" "Blacklist_WACL":
   2: resource "aws_wafregional_web_acl_association" "Blacklist_WACL" {

My resource looks like this:

resource "aws_wafregional_web_acl_association" "Blacklist_WACL" {
  resource_arn = "${module.find_lb_name.stdout}"
  web_acl_id   = aws_wafregional_web_acl.Blacklist_WACL.id
}

module.find_lb_name.stdout returns the ELB name. I have also tried the full ELB ARN, same error.
Example of an ELB ARN: arn:aws:elasticloadbalancing:region:accountid:loadbalancer/${module.find_lb_name.stdout}

Terraform version:

Terraform v0.13.5
+ provider registry.terraform.io/gavinbunney/kubectl v1.6.2
+ provider registry.terraform.io/hashicorp/aws v3.31.0
+ provider registry.terraform.io/hashicorp/external v2.1.0
+ provider registry.terraform.io/hashicorp/helm v2.0.2
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.3
+ provider registry.terraform.io/hashicorp/local v1.4.0
+ provider registry.terraform.io/hashicorp/null v2.1.2
+ provider registry.terraform.io/hashicorp/random v2.3.1
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/time v0.7.0

What am I missing? Thanks in advance!

Update:

I’ve migrated my code to use aws_wafv2_*. Now, I get this error:

Error: WAFInvalidParameterException: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes

Looks like the resource must be an ALB, and I am using a Classic Load Balancer. I’ll change that to an ALB and will check if it works.

Edit: The error originally posted here is definitely caused by the missing ALB. A Web ACL must have an ALB (not an NLB or an ELB).
However, I do not know why kubernetes_service doesn’t deploy an ALB, even when I use the resource definition below:

resource "kubernetes_service" "nginx" {
  metadata {
    name = "nginx-example"
    annotations = {
      "service.beta.kubernetes.io/aws-load-balancer-type" = "alb"
    }
  }
  spec {
    selector = {
      App = kubernetes_deployment.nginx.spec.0.template.0.metadata[0].labels.App
    }
    port {
      port = 80
      target_port = 80
    }

    type = "LoadBalancer"
  }
}

I’m investigating… If anyone has any tips, please, do share 🙂

When you create a Kubernetes Service of type LoadBalancer, an AWS Network Load Balancer (NLB) or Classic Load Balancer (CLB) is provisioned that load balances network traffic.

To load balance application traffic at L7, you deploy a Kubernetes Ingress, which provisions an AWS Application Load Balancer.
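An added example (not from the original thread) of the Ingress-based layout the answer describes: the Service stays ClusterIP, the Ingress is what provisions the ALB, and the AWS Load Balancer Controller attaches the WAFv2 web ACL through its `alb.ingress.kubernetes.io/wafv2-acl-arn` annotation, so Terraform never has to look up the load balancer ARN that failed above. It assumes the AWS Load Balancer Controller is installed in the cluster, that `kubernetes_deployment.nginx` exists as in the post, and that the kubernetes provider is the 1.x series shown in the version list; resource names are hypothetical.

```hcl
# Regional WAFv2 web ACL. Only REGIONAL ACLs can be attached to an ALB;
# the block rules of a real "blacklist" are omitted here.
resource "aws_wafv2_web_acl" "blacklist" {
  name  = "blacklist-wacl" # hypothetical name
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "blacklist-wacl"
    sampled_requests_enabled   = true
  }
}

# ClusterIP, not LoadBalancer: a type = "LoadBalancer" Service provisions an
# NLB/CLB, which a web ACL cannot be associated with. The ALB created by the
# Ingress below sends traffic to the pods directly (target-type ip).
resource "kubernetes_service" "nginx" {
  metadata {
    name = "nginx-example"
  }
  spec {
    selector = {
      App = kubernetes_deployment.nginx.spec.0.template.0.metadata[0].labels.App
    }
    port {
      port        = 80
      target_port = 80
    }
    type = "ClusterIP"
  }
}

# The Ingress is the resource that produces an Application Load Balancer.
# The wafv2-acl-arn annotation makes the controller do the ACL association.
resource "kubernetes_ingress" "nginx" {
  metadata {
    name = "nginx-example"
    annotations = {
      "kubernetes.io/ingress.class"             = "alb"
      "alb.ingress.kubernetes.io/scheme"        = "internet-facing"
      "alb.ingress.kubernetes.io/target-type"   = "ip"
      "alb.ingress.kubernetes.io/wafv2-acl-arn" = aws_wafv2_web_acl.blacklist.arn
    }
  }
  spec {
    backend {
      service_name = kubernetes_service.nginx.metadata[0].name
      service_port = 80
    }
  }
}
```

After `terraform apply`, the ALB's ARN can be confirmed as the associated resource with `aws wafv2 list-resources-for-web-acl --web-acl-arn <acl-arn> --resource-type APPLICATION_LOAD_BALANCER`.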