error getting WAF Regional Web ACL for resource (<api gw stage arn>): empty response

[andreafalzetti]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

• Terraform Version: 0.11.11
• provider "aws" 2.17.0

Affected Resource(s)

• aws_wafregional_web_acl_association

Terraform Configuration Files

resource "aws_wafregional_web_acl_association" "restrict" {
  resource_arn = "arn:aws:apigateway:${var.region}::/restapis/${aws_api_gateway_rest_api.api.id}/stages/${var.env}"
  web_acl_id   = "${aws_wafregional_web_acl.restrict.id}"
}

Expected Behavior

Terraform apply should attach a regional WAF ACL to an API GW stage.

Actual Behavior

Terraform apply fails because it cannot find the resource (empty response).

Error: Error refreshing state: 1 error(s) occurred:

* aws_wafregional_web_acl_association.restrict: 1 error(s) occurred:

* aws_wafregional_web_acl_association.restrict: aws_wafregional_web_acl_association.restrict: error getting WAF Regional Web ACL for resource (<stage id>): empty response

Steps to Reproduce

1. Create an API Gateway
2. Create a regional WAF ACL
3. Attach the regional WAF ACL to the API Gateway stage
4. Terraform init
5. Terraform plan
6. Terraform apply -> Fails

References

Using the AWS cli, this operation is possible:

aws waf-regional associate-web-acl \                                                                                                                                                                                 
  --web-acl-id '<acl id> \
  --resource-arn '<stage id>'

[eestolano]

I just saw this error in a different scenario. I had a web ACL association with an ALB. Manually removing the association outside of Terraform caused terraform plan to fail in the refresh phase with:

error getting WAF Regional Web ACL for resource (<ALB ARN>): empty response

Manually recreating the association fixed the error.

[ChildOfTheCron]

Ran into a similar issue as above on terraform 0.12.5 with aws provider 2.23.0:

error getting WAF Regional Web ACL for resource (<ALB ARN>): empty response

After deleting all WAF resources in my test environment and running terraform plan to recreate. Tried terraform reset to update state, but this did not help. As mentioned above, had to manually recreate WAF ACL and associate ALBs before re-running terraform plan.

[bflad]

Hi folks 👋 Thanks for the report and sorry for the trouble. Fix submitted here: #10216

[bflad]

The fix for this has been merged and will release with version 2.31.0 of the Terraform AWS Provider, later this week. 👍

[ghost]

This has been released in version 2.31.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!