Error: failure configuring LB attributes: ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized - in v3.67 & v3.68 #22037

Closed
wwwizards opened this issue Dec 3, 2021 · 6 comments · Fixed by #22072
Labels
bug Addresses a defect in current functionality. partition/aws-cn Pertains to the aws-cn partition. partition/aws-us-gov Pertains to the aws-us-gov partition. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/elbv2 Issues and PRs that pertain to the elbv2 service.

Comments


wwwizards commented Dec 3, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.11
on linux_amd64

  • provider registry.terraform.io/hashicorp/aws v3.68.0

Affected Resource(s)

aws_alb

Terraform Configuration Files

#----------------------------------------------------------------------
# Primary ALB - AWS Application Load Balancer
#----------------------------------------------------------------------
resource "aws_alb" "alb01" {
  name            = "alb01-${var.indicated_workspace}-lb"
  internal        = true
  subnets         = [data.aws_subnet.selected[1].id, data.aws_subnet.selected[0].id]
  security_groups = [aws_security_group.alb01_sg.id]
  tags            = module.label.tags

  lifecycle {
    ignore_changes = [
      tags,
      tags_all,
      access_logs
    ]
  }
}

Expected Behavior

ALB is created

Actual Behavior

╷
│ Error: failure configuring LB attributes: ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized
│       status code: 400, request id: e671a925-2172-47e0-8bae-10a10a37a75a
│
│   with aws_alb.alb01,
│   on alb01.tf line 4, in resource "aws_alb" "alb01":
│    4: resource "aws_alb" "alb01" {
│
╵

Steps to Reproduce

  1. terraform apply

References

service/elbv2/load_balancer: Support WAF fail open #16393

Workaround

Rolling back to aws provider v3.66.0 fixes the issue.

Joe Negron ~ NYC

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/elbv2 Issues and PRs that pertain to the elbv2 service. labels Dec 3, 2021

mrobinet commented Dec 3, 2021

I'm also running into this, specifically in the cn-north-1 region. I'm guessing China does not support this feature yet.


wwwizards commented Dec 3, 2021

@mrobinet - thanks for validating that it is not just happening to me. I didn't imagine that this could be a regional issue - but I guess that's always a possibility... For me, my target is us-gov-east-1 & my goal is just a plain-vanilla ALB which does not even require that feature. The error is by default.

@anGie44 - do you know if the test coverage for the pull request on this feature spanned multiple regions/zones???

If not, maybe I can try it in other regions in commercial cloud over the weekend...

Joe Negron ~ NYC


anGie44 commented Dec 3, 2021

Hi @wwwizards @mrobinet, thanks for following up on this issue! The tests themselves don't hardcode any regions, but on our end they are run in us-west-2 and us-gov-west-1 regions. It's very possible there are unsupported regions. Let me see how the test added in #16393 behaves in at least us-gov-east-1.

Update: Yep, looks like it's a regional support issue 😞 When running the test in us-gov-east-1 I'm seeing the same error shared in the description:

=== RUN   TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen
=== PAUSE TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen
=== CONT  TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen
    load_balancer_test.go:653: Step 1/5 error: Error running apply: exit status 1

        Error: failure configuring LB attributes: ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized
        	status code: 400, request id: e2b527dc-7a96-48eb-ab3a-fba4e9c65fbc

          with aws_lb.lb_test,
          on terraform_plugin_test.tf line 11, in resource "aws_lb" "lb_test":
          11: resource "aws_lb" "lb_test" {

--- FAIL: TestAccELBV2LoadBalancer_ApplicationLoadBalancer_updateWafFailOpen (117.10s)

@anGie44 anGie44 added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. bug Addresses a defect in current functionality. upstream Addresses functionality related to the cloud provider. partition/aws-us-gov Pertains to the aws-us-gov partition. partition/aws-cn Pertains to the aws-cn partition. and removed needs-triage Waiting for first response or review from a maintainer. upstream Addresses functionality related to the cloud provider. labels Dec 3, 2021
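
A defensive pattern for the failure confirmed above, as an added example that is not the provider's code or the fix in #22072: when the API rejects an attribute key as unrecognized, retry without it only if the requested value equals that key's default, so an explicit `waf.fail_open.enabled = true` still fails loudly in a region that cannot honour it. `ApplyAttrs`, `modifyFn` and `safeDefaults` are hypothetical names, and the `false` default for `waf.fail_open.enabled` is taken from the AWS documentation, not from this page.

```go
package main

import (
	"fmt"
	"regexp"
)

// Attr is one LB attribute; modifyFn stands in for ModifyLoadBalancerAttributes (hypothetical signature).
type Attr struct{ Key, Value string }
type modifyFn func([]Attr) error

var safeDefaults = map[string]string{"waf.fail_open.enabled": "false"} // API defaults; omitting these is a no-op
var notRecognized = regexp.MustCompile(`attribute key '([^']+)' is not recognized`)

// ApplyAttrs retries without a rejected key only if its requested value is the default; otherwise it errors.
func ApplyAttrs(modify modifyFn, attrs []Attr) (skipped []string, err error) {
	for len(attrs) > 0 {
		if err = modify(attrs); err == nil {
			break
		}
		m := notRecognized.FindStringSubmatch(err.Error())
		if m == nil {
			break // unrelated failure, returned as is
		}
		var kept []Attr
		for _, a := range attrs {
			if def, ok := safeDefaults[a.Key]; a.Key != m[1] || !ok || a.Value != def {
				kept = append(kept, a)
			}
		}
		if len(kept) == len(attrs) {
			return skipped, fmt.Errorf("%q is unsupported here and not at its default: %w", m[1], err)
		}
		skipped, attrs, err = append(skipped, m[1]), kept, nil
	}
	return skipped, err
}

func main() {
	api := func(attrs []Attr) error { // constructed stand-in for a region that rejects the WAF key
		for _, a := range attrs {
			if a.Key == "waf.fail_open.enabled" {
				return fmt.Errorf("ValidationError: Load balancer attribute key '%s' is not recognized", a.Key)
			}
		}
		return nil
	}
	fmt.Println(ApplyAttrs(api, []Attr{{"idle_timeout.timeout_seconds", "60"}, {"waf.fail_open.enabled", "false"}}))
}
```

The skipped keys are returned so the caller can log them; a dropped security-relevant attribute should be visible in the apply output, not silent.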

wwwizards commented Dec 4, 2021

Thank you @anGie44 - I appreciate your time and knowledge.

Upon further investigation, I have noticed that the ALB actually does get created. It's just that none of the additional configuration(s) that utilize(s) that ALB or more specifically its ID or ARN seem to get applied.

  1. Looking through the console I can see the ALB, as well as the listeners, rules, SGs, and/or any other related attributes. It is almost as if the failure message and the subsequent errors are a bit misleading. The failure is not in the creation or configuration of the objects - but somewhere else - like maybe updating the state.

  2. Looking at the state that is created I see this:

$> terraform show | grep alb01

# aws_alb.alb01: (tainted)
resource "aws_alb" "alb01" {
    id                         = "arn:aws-us-gov:elasticloadbalancing:us-gov-east-1:107xxxxxxxx95:loadbalancer/app/alb01-devops-lb/c9c0de0b9bb9ec8e"
    name                       = "alb01-devops-lb"

# aws_cloudwatch_log_group.alb01:
resource "aws_cloudwatch_log_group" "alb01" {
    arn               = "arn:aws-us-gov:logs:us-gov-east-1:10xxxxxxxx95:log-group:alb01"
    id                = "alb01"
    name              = "alb01"

# aws_lb_target_group.alb01_test_tg:
resource "aws_lb_target_group" "alb01_test_tg" {
    arn                                = "arn:aws-us-gov:elasticloadbalancing:us-gov-east-1:10xxxxxxxx95:targetgroup/alb01-devops-lb-tg/181a60a5d767acc0"
    arn_suffix                         = "targetgroup/alb01-devops-lb-tg/181a60a5d767acc0"
    id                                 = "arn:aws-us-gov:elasticloadbalancing:us-gov-east-1:10xxxxxxxx95:targetgroup/alb01-devops-lb-tg/181a60a5d767acc0"
    name                               = "alb01-devops-lb-tg"

# aws_security_group.alb01_sg:
resource "aws_security_group" "alb01_sg" {
    name                   = "comm-qa-mbdt-devops-alb01_alb-sg"
        "Name"                = "alb01-alb-sg-devops"

# aws_security_group_rule.alb01_egress:
resource "aws_security_group_rule" "alb01_egress" {

# aws_security_group_rule.alb01_sg_rule_443:
resource "aws_security_group_rule" "alb01_sg_rule_443" {

# aws_security_group_rule.alb01_sg_rule_80:
resource "aws_security_group_rule" "alb01_sg_rule_80" {

The ALB and other objects are there - but the relationships between the subsequently created objects seem to be missing.

It seems that once the initial object is tainted, all of the other relationships that happen after that are never established.

I am not sure if my logic is valid, but I hope the additional info helps...

Joe Negron ~ NYC


bigbluechicken commented Dec 4, 2021

Also, the same issue in both us-gov-east-1 and us-gov-west-1

╷
│ Error: failure configuring LB attributes: ValidationError: Load balancer attribute key 'waf.fail_open.enabled' is not recognized
│ status code: 400, request id:

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 26, 2022