pulumi-aws: Invalid ARN when creating aws.wafv2.WebAclLoggingConfiguration

When trying to create aws.wafv2.WebAclLoggingConfiguration, it fails with "The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes." The thing is that the ARN format is OK; I spoke with AWS support and they said that all the setup was made properly for AWS and the API calls, so it seems to be a Pulumi issue.

Here is the example code from @pulumi/aws module:

const example = new aws.wafv2.WebAclLoggingConfiguration("example", {
  logDestinationConfigs: [aws_kinesis_firehose_delivery_stream.example.arn],
  resourceArn: aws_wafv2_web_acl.example.arn,
  redactedFields: [{
    singleHeader: {
      name: "user-agent",
    },
  }],
});

And this is my code:

const waflogging = new aws.wafv2.WebAclLoggingConfiguration("model-builder-waflogging", {
  logDestinationConfigs: [kinesisStream.arn],
  resourceArn: wafwebacl.arn // I tried to manually add as string but same issue.
}, { dependsOn: kinesisStream });

When I run Pulumi, I have the following error:

* error putting WAFv2 Logging Configuration for resource (arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81): WAFInvalidParameterException: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81
{
RespMetadata: {
StatusCode: 400,
RequestID: "79d08de5-b145-4eb5-9f35-c67ef076f3ac"
},
Field: "RESOURCE_ARN",
Message_: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81",
Parameter: "arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81",
Reason: "The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes."
}

For now I had to manually enable logging on my webacl v2, but it would be nice to have it all done from Pulumi. Please advise if it's something I am doing wrong or if there is any other constructor that I can use to configure logging. I tried to add the ARN as a string but got the same outcome.

Thanks

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 22 (2 by maintainers)

Most upvoted comments

You need to ensure your delivery stream’s name begins with aws-waf-logs-.

Not only for Kinesis logging, but it goes the same for CloudWatch logging.

const logGroup:aws_logs.LogGroup = new aws_logs.LogGroup(this, `logGroupWaf`, {
  retention: 30,
  logGroupName: `aws-waf-logs-abc`
});

This was fixed by doing the following:

Closing issue.

@ricoli I am experiencing the same. It is failing even with provider = aws.us-east-1 on association resource. Aliased provider is configured for the region. Would you have any other ideas what to check?

ah no sorry, my problem was the missing alias configuration

Hi @emiioan - I had this same issue but when using Terraform, which led me here, and as it turns out the issue was in between the chair and the keyboard, as I forgot to set the region to us-east-1 for this resource creation, hence the ARN validation error 😃 Hopefully this helps!

you need to replace “global” in the arn string to “regional”
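
The two causes reported in the comments above (a destination name that lacks the aws-waf-logs- prefix, and a provider that is not set to the region in the web ACL ARN) can be checked before deployment. The following is an added example, not code from the thread, Pulumi or AWS; the function names and sample ARNs are hypothetical, and the us-east-1 rule for destinations of a global (CloudFront) web ACL is taken from AWS WAF's logging requirements rather than from this page.

```typescript
// Added example: pre-flight check for WAFv2 logging inputs. Not Pulumi or AWS code.
interface Arn { service: string; region: string; resource: string }
const PREFIX = "aws-waf-logs-"; // required destination name prefix (from the comments above)

function parseArn(arn: string): Arn | null {
  // Layout: arn:partition:service:region:account:resource (resource may contain ':')
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") return null;
  const [, , service = "", region = ""] = parts;
  return { service, region, resource: parts.slice(5).join(":") };
}

// Extract the destination's name from the service-specific resource part.
function destinationName(d: Arn): string | null {
  if (d.service === "firehose" && d.resource.startsWith("deliverystream/"))
    return d.resource.slice("deliverystream/".length);
  if (d.service === "logs" && d.resource.startsWith("log-group:"))
    return d.resource.slice("log-group:".length).replace(/:\*$/, "");
  if (d.service === "s3") return d.resource;
  return null;
}

// Returns a list of problems; an empty list means the inputs pass these checks.
function checkWafLogging(webAclArn: string, destArn: string, providerRegion: string): string[] {
  const acl = parseArn(webAclArn);
  const dest = parseArn(destArn);
  if (!acl || acl.service !== "wafv2") return ["resourceArn is not a wafv2 ARN"];
  if (!dest) return ["log destination is not an ARN"];
  const problems: string[] = [];
  // The API call must go to the region named in the web ACL ARN.
  if (providerRegion !== acl.region)
    problems.push(`provider region ${providerRegion} does not match web ACL region ${acl.region}`);
  const name = destinationName(dest);
  if (name === null) problems.push(`unsupported destination service ${dest.service}`);
  else if (!name.startsWith(PREFIX)) problems.push(`destination "${name}" must start with ${PREFIX}`);
  // CloudFront-scope ACLs ("global/...") need Firehose / log group destinations in us-east-1.
  if (acl.resource.startsWith("global/") && dest.service !== "s3" && dest.region !== "us-east-1")
    problems.push(`global web ACL needs its destination in us-east-1, got ${dest.region}`);
  return problems;
}

// Constructed sample values (placeholder account id), not taken from the issue.
const sampleAcl = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/00000000-0000-0000-0000-000000000000";
console.log(checkWafLogging(sampleAcl, "arn:aws:firehose:us-east-1:123456789012:deliverystream/my-stream", "us-east-1"));
console.log(checkWafLogging(sampleAcl, "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-abc:*", "us-east-1"));
```

Calling checkWafLogging on the resolved ARN strings (for example inside pulumi.all(...).apply) turns the generic "The ARN isn't valid" response into a specific message before the API call is made.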