terraform-provider-aws: aws_wafv2_web_acl resource dependency wrong way around

Terraform Version: 0.13.5. AWS provider version: v3.27.0. I have the following TF. When I run this after having run it before with a list of IP addresses, it tries to delete the IP set before it removes the rule which was created including that IP set. I am unsure if this is due to me adding the for_each and making it a dynamic block, though. In that case, which config is correct? It results in the following error:

Error deleting WAFv2 IPSet: WAFAssociatedItemException: AWS WAF couldn’t perform the operation because your resource is being used by another resource or it’s associated with another resource.

resource "aws_wafv2_web_acl" "waf" {
  name        = "${local.name}-${var.environment}-WAF"
  description = "${local.name}-${var.environment}-WAF"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  // The whitelist rule is only generated when the IP set variable is set
  dynamic "rule" {
    for_each = var.waf_whitelist_ips != null ? [1] : []
    content {
      name     = "WAFWhitelistIPs"
      priority = 0

      action {
        allow {}
      }

      statement {
        ip_set_reference_statement {
          arn = aws_wafv2_ip_set.ipset[0].arn
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "${local.name}-${var.environment}-WHITELISTIps"
        sampled_requests_enabled   = true
      }
    }
  }

  rule {
    name     = "AWSManagedIpReputation"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${local.name}-${var.environment}-WAF-IP-Bad-Rep"
      sampled_requests_enabled   = true
    }
  }

  // A top-level visibility_config is required by the provider; it is missing from
  // the snippet as posted, so the values below are placeholders
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${local.name}-${var.environment}-WAF"
    sampled_requests_enabled   = true
  }
}

// WAF whitelist IP set
resource "aws_wafv2_ip_set" "ipset" {
  count              = var.waf_whitelist_ips != null ? 1 : 0
  name               = "WAFWhitelistIPs"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = var.waf_whitelist_ips
}

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 30
  • Comments: 21 (3 by maintainers)

Most upvoted comments

Hello, I had a similar issue when aws_wafv2_regex_pattern_set couldn’t be destroyed as it was used by aws_wafv2_web_acl. I added depends_on = [aws_wafv2_regex_pattern_set.custom_allow_regex] to the aws_wafv2_web_acl resource and it still did not help, exactly like in the cases described above.

What DID help was to add

lifecycle {
  create_before_destroy = true
}

to both the aws_wafv2_regex_pattern_set and aws_wafv2_web_acl resources, so now Terraform first creates the new aws_wafv2_regex_pattern_set, updates it in aws_wafv2_web_acl, and is then free to destroy the previous aws_wafv2_regex_pattern_set resource. Hope it will help you 😃

It is still a problem when updating a WAF: Terraform v1.4.6 and AWS provider 4.66.1.

Hello! I am facing the same issue (Terraform v0.15.1 + provider registry.terraform.io/hashicorp/aws v3.37.0). In order to reproduce:

  1. Create e.g., 2 aws_wafv2_ip_set or aws_wafv2_regex_pattern_set and link in aws_wafv2_web_acl via rule. 1 acl with 2 rules.
  2. Remove one aws_wafv2_ip_set or aws_wafv2_regex_pattern_set and the related rule.
  3. Create plan: it should show that 1 rule and e.g., 1 ip set to be removed with the acl updated in place.

Result: Terraform starts by deleting the aws_wafv2_ip_set, not the rule, which is not possible. Expected: Terraform should start by removing the rule first.

The issue is the same if the resource name changes and the ACL rule needs to be updated. The lifecycle block does not have an impact.

We are hitting this too. In our case, create_before_destroy does not work because the existing WAF is just being updated, not replaced.

To work around this we had to do a two-step decommission: first update the WAF to remove the rules that no longer use the other resources, then apply that. Then we can decommission the regex/IP set resources in a second apply.
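A pre-apply check for the ordering problem this thread describes, added here as an example and not taken from the issue or the provider: it reads `terraform show -json` plan output (the sample below is constructed) and flags any IP set, regex pattern set or rule group the plan would delete while a web ACL that still references it is only updated in place, then emits the two-step apply order. Using `-target` for the first step is my assumption; the commenter above edited the config in two passes instead.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the fields this
# check reads: an IP set planned for deletion while the ACL still referencing it is only updated.
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [
    {"address": "aws_wafv2_ip_set.ipset[0]", "type": "aws_wafv2_ip_set",
     "change": {"actions": ["delete"], "after": null,
                "before": {"arn": "arn:aws:wafv2:eu-west-1:111122223333:regional/ipset/WAFWhitelistIPs/0000"}}},
    {"address": "aws_wafv2_web_acl.waf", "type": "aws_wafv2_web_acl",
     "change": {"actions": ["update"], "after": {"rule": []},
                "before": {"rule": [{"name": "WAFWhitelistIPs", "statement": [{"ip_set_reference_statement": [
                  {"arn": "arn:aws:wafv2:eu-west-1:111122223333:regional/ipset/WAFWhitelistIPs/0000"}]}]}]}}}
  ]
}""")

# Resource types a web ACL rule can reference by ARN.
SET_TYPES = {"aws_wafv2_ip_set", "aws_wafv2_regex_pattern_set", "aws_wafv2_rule_group"}

def _mentions(value, needle):
    """True if the string `needle` appears anywhere in a nested plan value."""
    if isinstance(value, dict):
        return any(_mentions(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(_mentions(v, needle) for v in value)
    return value == needle

def find_blocked_deletes(plan):
    """(set address, ACL address) pairs: the plan destroys a referenced set while the
    web ACL whose current state still points at it is only updated in place."""
    changes = plan.get("resource_changes", [])
    acls = [c for c in changes
            if c["type"] == "aws_wafv2_web_acl" and "update" in c["change"]["actions"]]
    blocked = []
    for c in changes:
        if c["type"] not in SET_TYPES or "delete" not in c["change"]["actions"]:
            continue
        arn = (c["change"].get("before") or {}).get("arn")
        for acl in acls:
            if arn and _mentions(acl["change"].get("before"), arn):
                blocked.append((c["address"], acl["address"]))
    return blocked

def suggested_steps(plan):
    """Two-step apply from the thread: update the affected ACLs first (here via
    -target, an assumption), then a full apply deletes the now-orphaned sets."""
    acls = sorted({acl for _, acl in find_blocked_deletes(plan)})
    if not acls:
        return []
    return ["terraform apply " + " ".join(f"-target={a}" for a in acls), "terraform apply"]
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan` piped into `json.load`; an empty result means the plan can be applied in one step.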

Still a problem when updating an existing WAF with Terraform 1.3.2 and AWS provider 4.56.0.

Lifecycle block did not help.

I tried to use the lifecycle block but Terraform expectedly failed to create a WAF rule group (in my case) because of the already existing one. We use Terraform v1.0.0 and terraform-provider-aws v4.15.1.

@phuocntsts what version of the provider are you using? The original issue was filed with v3.27.0. Latest is v3.63.0. v3.47.0 was the latest release when @Pola93 claimed the fix you’re using. So has this been fixed since v3.47.0? Possibly fixed by #17876, which was included in release v3.33.0.

Hi @jmeridth, my current version is v3.62.0. Today I got the same error, and it worked for me when I tried with “lifecycle”.