service/elbv2/load_balancer: Support WAF fail open

[shuheiktgw]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #16372

Release note for CHANGELOG:

resoure/aws_lb: Support WAF fial open

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSLB_applicationLoadBalancer_updateWafFailOpen'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSLB_applicationLoadBalancer_updateWafFailOpen -timeout 120m
=== RUN   TestAccAWSLB_applicationLoadBalancer_updateWafFailOpen
=== PAUSE TestAccAWSLB_applicationLoadBalancer_updateWafFailOpen
=== CONT  TestAccAWSLB_applicationLoadBalancer_updateWafFailOpen
--- PASS: TestAccAWSLB_applicationLoadBalancer_updateWafFailOpen (639.39s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	641.383s

Support WAF fail open for ALBs. Thank you for your review! 👍

[nunofernandes]

Just some copy paste error...

[nunofernandes]

The resource name doesn't seem right

[shuheiktgw]

Whoops, thank you!

[nunofernandes]

Any news on this PR? Is there anything that needs to be addressed for this to be merged?

[zhelding]

Pull request #21306 has significantly refactored the AWS Provider codebase. As a result, most PRs opened prior to the refactor now have merge conflicts that must be resolved before proceeding.

Specifically, PR #21306 relocated the code for all AWS resources and data sources from a single aws directory to a large number of separate directories in internal/service, each corresponding to a particular AWS service. This separation of code has also allowed for us to simplify the names of underlying functions -- while still avoiding namespace collisions.

We recognize that many pull requests have been open for some time without yet being addressed by our maintainers. Therefore, we want to make it clear that resolving these conflicts in no way affects the prioritization of a particular pull request. Once a pull request has been prioritized for review, the necessary changes will be made by a maintainer -- either directly or in collaboration with the pull request author.

For a more complete description of this refactor, including examples of how old filepaths and function names correspond to their new counterparts: please refer to issue #20000.

For a quick guide on how to amend your pull request to resolve the merge conflicts resulting from this refactor and bring it in line with our new code patterns: please refer to our Service Package Refactor Pull Request Guide.

[breathingdust]

Hi all 👋 Just letting you know that this is issue is featured on this quarters roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

[anGie44]

Thanks so much for this PR @shuheiktgw ! I've merged in the main branch and made some updates to align with the new service package structure"

Output of acceptance tests:

--- SKIP: TestAccELBV2LoadBalancer_ALB_outpost (1.43s)
--- PASS: TestAccELBV2LoadBalancer_LoadBalancerTypeGateway_enableCrossZoneLoadBalancing (164.59s)
--- PASS: TestAccELBV2LoadBalancer_namePrefix (174.79s)
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen (281.58s)
--- PASS: TestAccELBV2LoadBalancer_noSecurityGroup (173.68s)
--- PASS: TestAccELBV2LoadBalancer_ALB_basic (185.24s)
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDeletionProtection (285.21s)
--- PASS: TestAccELBV2LoadBalancer_generatedName (175.06s)
--- PASS: TestAccELBV2LoadBalancer_networkLoadBalancerEIP (316.98s)
--- PASS: TestAccELBV2LoadBalancer_NLB_privateIPv4Address (671.40s)
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancerSubnet_change (702.42s)
--- PASS: TestAccELBV2LoadBalancer_generatesNameForZeroValue (735.59s)
--- PASS: TestAccELBV2LoadBalancer_backwardsCompatibility (473.36s)
--- PASS: TestAccELBV2LoadBalancer_NetworkLoadBalancer_updateCrossZone (629.43s)
--- PASS: TestAccELBV2LoadBalancer_NLB_basic (275.09s)
--- PASS: TestAccELBV2LoadBalancer_ipv6SubnetMapping (549.97s)
--- PASS: TestAccELBV2LoadBalancer_updatedSubnets (1083.24s)
--- PASS: TestAccELBV2LoadBalancer_updatedSecurityGroups (1122.58s)
--- PASS: TestAccELBV2LoadBalancer_updatedIPAddressType (1176.44s)
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateHTTP2 (1220.89s)
--- PASS: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateDropInvalidHeaderFields (1253.31s)
--- PASS: TestAccELBV2LoadBalancer_ALBAccessLogs_prefix (1314.52s)
--- PASS: TestAccELBV2LoadBalancer_NLBAccessLogs_prefix (1315.63s)
--- PASS: TestAccELBV2LoadBalancer_ALB_accessLogs (1350.83s)
--- PASS: TestAccELBV2LoadBalancer_tags (833.49s)
--- PASS: TestAccELBV2LoadBalancer_NLB_accessLogs (1427.57s)
--- PASS: TestAccELBV2LoadBalancer_LoadBalancerType_gateway (132.21s)

--- SKIP: TestAccELBV2LoadBalancerDataSource_outpost (1.45s)
--- PASS: TestAccELBV2LoadBalancerDataSource_basic (245.26s)
--- PASS: TestAccELBV2LoadBalancerDataSource_backwardsCompatibility (253.76s)

[github-actions]

This functionality has been released in v3.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[wwwizards]

beginning in v3.67 and continuing in v3.68 there are intermittent errors when creating an ALB

╷
│ Error: failure configuring LB attributes: ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized
│       status code: 400, request id: b51c6db6-4da1-4727-859f-8666663dc153
│
│   with aws_alb.alb01,
│   on alb01.tf line 4, in resource "aws_alb" "alb01":
│    4: resource "aws_alb" "alb01" {
│

I say "intermittent" because there have been some successful runs but I cannot discern any pattern. Here is some more info from the TRACE log.

-----------------------------------------------------: timestamp=2021-12-02T11:07:32.818Z
2021-12-02T11:07:32.818Z [INFO]  provider.terraform-provider-aws_v3.68.0_x5: 2021/12/02 11:07:32 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<DescribeNetworkInterfacesResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>965736a9-2de3-48b8-8588-c19d61d01834</requestId>
    <networkInterfaceSet/>
</DescribeNetworkInterfacesResponse>: timestamp=2021-12-02T11:07:32.818Z
2021-12-02T11:07:32.818Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for aws_alb.alb01
2021-12-02T11:07:32.818Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for aws_alb.alb01
2021-12-02T11:07:32.819Z [TRACE] vertex "aws_alb.alb01 (destroy)": visit complete
2021-12-02T11:07:32.819Z [TRACE] vertex "aws_alb.alb01": starting visit (*terraform.NodeApplyableResourceInstance)
2021-12-02T11:07:32.819Z [TRACE] readDiff: Read DeleteThenCreate change from plan for aws_alb.alb01
2021-12-02T11:07:32.819Z [TRACE] readResourceInstanceState: reading state for aws_alb.alb01
2021-12-02T11:07:32.819Z [TRACE] readResourceInstanceState: no state present for aws_alb.alb01
2021-12-02T11:07:32.819Z [TRACE] readDiff: Read DeleteThenCreate change from plan for aws_alb.alb01
2021-12-02T11:07:32.821Z [TRACE] Re-validating config for "aws_alb.alb01"
2021-12-02T11:07:32.821Z [TRACE] GRPCProvider: ValidateResourceConfig
2021-12-02T11:07:32.822Z [TRACE] GRPCProvider: PlanResourceChange
2021-12-02T11:07:32.825Z [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_alb.alb01, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .drop_invalid_header_fields: planned value cty.False for a non-computed attribute
      - .idle_timeout: planned value cty.NumberIntVal(60) for a non-computed attribute
      - .enable_deletion_protection: planned value cty.False for a non-computed attribute
      - .load_balancer_type: planned value cty.StringVal("application") for a non-computed attribute
      - .desync_mitigation_mode: planned value cty.StringVal("defensive") for a non-computed attribute
      - .enable_http2: planned value cty.True for a non-computed attribute
      - .enable_waf_fail_open: planned value cty.False for a non-computed attribute
      - .subnet_mapping: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
2021-12-02T11:07:32.825Z [TRACE] plan: aws_alb.alb01 treating Create change as DeleteThenCreate change to match with earlier plan
2021-12-02T11:07:32.825Z [TRACE] checkPlannedChange: Verifying that actual change (action DeleteThenCreate) matches planned change (action DeleteThenCreate)
2021-12-02T11:07:32.825Z [TRACE] readResourceInstanceState: reading state for aws_alb.alb01
2021-12-02T11:07:32.825Z [TRACE] readResourceInstanceState: no state present for aws_alb.alb01
2021-12-02T11:07:32.825Z [TRACE] reducePlan: aws_alb.alb01 change simplified from DeleteThenCreate to Create for apply node
2021-12-02T11:07:32.825Z [INFO]  Starting apply for aws_alb.alb01
2021-12-02T11:07:32.827Z [DEBUG] aws_alb.alb01: applying the planned Create change
2021-12-02T11:07:32.828Z [TRACE] GRPCProvider: ApplyResourceChange

the workaround is rolling back to v3.66
Joe Negron ~ NYC

[anGie44]

Hi @wwwizards, do you mind opening a new github issue with more configuration details regarding the errors you are seeing related to waf.fail_open.enabled? thank you!

[wwwizards]

hi @anGie44 - as requested, I created a new issue #22037 for this. Thanks.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.