Error creating WAFv2 WebACL WAFInvalidParameterException
Error: Error creating WAFv2 WebACL: WAFInvalidParameterException: Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE_ACTION, parameter: RuleAction(block=null, allow=null, count=null)
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "24106754-b0db-4497-8e19-e72f8908dc19"
  },
  Field: "RULE_ACTION",
  Message_: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE_ACTION, parameter: RuleAction(block=null, allow=null, count=null)",
  Parameter: "RuleAction(block=null, allow=null, count=null)",
  Reason: "You have used none or multiple values for a field that requires exactly one value."
}

  on .terraform/modules/wafv2/main.tf line 18, in resource "aws_wafv2_web_acl" "main":
  18: resource "aws_wafv2_web_acl" "main" {

I am getting this error while trying to deploy a WAFv2 web ACL with Terraform; any help is appreciated.

Here is a little portion of the WAFv2 code:

resource "aws_wafv2_web_acl" "main" {
  name        = var.name
  description = "WAFv2 ACL for ${var.name}"

  scope = var.scope

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    sampled_requests_enabled   = true
    metric_name                = var.name
  }

  dynamic "rule" {
    for_each = var.managed_rules
    content {
      name     = rule.value.name
      priority = rule.value.priority

      override_action {
        dynamic "none" {
          for_each = rule.value.override_action == "none" ? [1] : []
          content {}
        }

I am trying to figure out why the error still appears; maybe it is a problem with my WAFv2 code?

Bots answered 15/4, 2021 at 21:35 Comment(2)
What is your code that generates the error? - Inspissate
@Inspissate I added the WAFv2 code - Bots
There may be a number of reasons why this error happens, so without seeing the full Terraform it is a bit hard to tell what is going on.

I've seen this happen where my ACL contained two rules: a rule_group_reference_statement and a rate_based_statement.

My problem was the rule group reference needed an override_action:

override_action {
  none {}
}

I didn't realize either that or an action was required, but I found out about that here: https://github.com/hashicorp/terraform-provider-aws/issues/14094#issuecomment-655625254

Adios answered 7/6, 2021 at 19:48 Comment(0)
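The point of this answer generalises: every `rule` in an `aws_wafv2_web_acl` must carry exactly one of `action` (for rules with their own statement, such as a rate-based or IP-set rule) or `override_action` (for rule-group references and managed rule groups), and `override_action` itself must contain exactly one of `none {}` or `count {}`. The following complete configuration is an added example, not code from the question or any answer; the ACL name, the variable, the managed rule group names and the rate limit are assumptions chosen for illustration. It also shows the dynamic pattern from the question done so that `override_action` always ends up with exactly one nested block, which is what AWS checks for at apply time (as the question shows, the provider accepts the plan and the API rejects it).

```hcl
variable "managed_rules" {
  type = list(object({
    name            = string
    priority        = number
    vendor_name     = string
    override_action = string # "none" (enforce the group) or "count" (observe only)
  }))
  default = [
    { name = "AWSManagedRulesCommonRuleSet", priority = 10, vendor_name = "AWS", override_action = "none" },
    { name = "AWSManagedRulesKnownBadInputsRuleSet", priority = 20, vendor_name = "AWS", override_action = "count" },
  ]
  # Reject anything other than the two legal override values before a plan is even produced.
  validation {
    condition     = alltrue([for r in var.managed_rules : contains(["none", "count"], r.override_action)])
    error_message = "override_action must be \"none\" or \"count\"."
  }
}

resource "aws_wafv2_web_acl" "example" {
  name  = "example-acl" # assumed name
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # A rule with its own statement: it needs `action`, and must NOT have `override_action`.
  rule {
    name     = "rate-limit"
    priority = 1

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000 # assumed threshold (requests per 5 minutes per IP)
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }

  # Managed rule groups: they need `override_action`, and must NOT have `action`.
  dynamic "rule" {
    for_each = var.managed_rules
    content {
      name     = rule.value.name
      priority = rule.value.priority

      # Both branches are declared, so exactly one of none/count is always emitted.
      override_action {
        dynamic "none" {
          for_each = rule.value.override_action == "none" ? [1] : []
          content {}
        }
        dynamic "count" {
          for_each = rule.value.override_action == "count" ? [1] : []
          content {}
        }
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value.name
          vendor_name = rule.value.vendor_name
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value.name
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-acl"
    sampled_requests_enabled   = true
  }
}
```

Compare this with the snippet in the question, which declares only a `dynamic "none"` inside `override_action`: for any rule whose `override_action` value is not `"none"`, that block produces no nested block at all, so the rule reaches AWS with neither a usable override nor an `action`, which is the shape the `RuleAction(block=null, allow=null, count=null)` message describes. Declaring both branches (or validating the variable, as above) closes that gap before `terraform apply`.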
I was using the Java version of the CDK and the way to get the "none {}" override action is unclear from the documentation. But this works:

  .overrideAction(CfnWebACL.OverrideActionProperty.builder()
    .none(new HashMap<String, Object>())
    .build())
Triciatrick answered 1/9, 2022 at 18:38 Comment(1)
It worked. I was struggling. How did you find this? - Telepathy
resource "aws_wafv2_ip_set" "ip_whitelist" {
  name               = "ip-whitelist"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["100.12.10.20/32"] # your ip
}


resource "aws_wafv2_web_acl" "web_acl" {
  name        = "waf-rules"
  description = "waf rules"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }
  
  # ipsets
  rule {
    name     = "ip-whitelist"
    priority = 0
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ip_whitelist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Whitelist-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "white-list-ip"
    sampled_requests_enabled   = true
  }

  dynamic "rule" {
    for_each = var.rules
    content {
      name     = rule.value.name
      priority = rule.value.priority

      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value.managed_rule_group_statement_name
          vendor_name = rule.value.managed_rule_group_statement_vendor_name
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value.metric_name
        sampled_requests_enabled   = true
      }
    }
  }
}

# variables.tf
variable "rules" {
  type = list(any)
  default = [
    {
      name                                     = "AWS-AWSManagedRulesAdminProtectionRuleSet"
      priority                                 = 1
      managed_rule_group_statement_name        = "AWSManagedRulesAdminProtectionRuleSet"
      managed_rule_group_statement_vendor_name = "AWS"
      metric_name                              = "foo_name"
    },
    {
      name                                     = "AWS-AWSManagedRulesPHPRuleSet"
      priority                                 = 2
      managed_rule_group_statement_name        = "AWSManagedRulesPHPRuleSet"
      managed_rule_group_statement_vendor_name = "AWS"
      metric_name                              = "foo_name"
    },
    {
      name                                     = "AWS-AWSManagedRulesLinuxRuleSet"
      priority                                 = 3
      managed_rule_group_statement_name        = "AWSManagedRulesLinuxRuleSet"
      managed_rule_group_statement_vendor_name = "AWS"
      metric_name                              = "foo_name"
    },
    {
      name                                     = "AWS-AWSManagedRulesAmazonIpReputationList"
      priority                                 = 4
      managed_rule_group_statement_name        = "AWSManagedRulesAmazonIpReputationList"
      managed_rule_group_statement_vendor_name = "AWS"
      metric_name                              = "foo_name"
    },
    {
      name                                     = "AWS-AWSManagedRulesSQLiRuleSet"
      priority                                 = 5
      managed_rule_group_statement_name        = "AWSManagedRulesSQLiRuleSet"
      managed_rule_group_statement_vendor_name = "AWS"
      metric_name                              = "foo_name"
    },
    {
      name                                     = "AWS-AWSManagedRulesUnixRuleSet"
      priority                                 = 6
      managed_rule_group_statement_name        = "AWSManagedRulesUnixRuleSet"
      managed_rule_group_statement_vendor_name = "AWS"
      metric_name                              = "foo_name"
    },
    {
      name                                     = "AWS-AWSManagedRulesCommonRuleSet"
      priority                                 = 7
      managed_rule_group_statement_name        = "AWSManagedRulesCommonRuleSet"
      managed_rule_group_statement_vendor_name = "AWS"
      metric_name                              = "foo_name"
    }
  ]
}
Astto answered 26/8, 2022 at 12:38 Comment(0)
