Creating resource aws_wafv2_web_acl_association in same config as aws_wafv2_web_acl often raises WAFUnavailableEntityException

[Carlovo]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.2
aws 3.8.0
I didn't see any relevant changes between then and the current version, though.

Affected Resource(s)

• aws_wafv2_web_acl_association

Terraform Configuration Files

resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_lb.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}

resource "aws_wafv2_web_acl" "example" {
  name  = "alb-example"
  scope = "REGIONAL"

  # some more irrelevant config goes here
}

resource "aws_lb" "example" {
  name = "example"
  
  # some more irrelevant config goes here
}

Expected Behavior

Deploy a Load Balancer with a WAF ACL in front of it.

Actual Behavior

Almost half of the time (I tried around 10 times) Terraform errors with WAFUnavailableEntityException. This is already a RetryError in the TF AWS provider code, but presumably the time between ACL creation and load balancer association is still not long enough to get this reproducibly correct.

Steps to Reproduce

See Actual behavior.

[anGie44]

hi @Carlovo, thank you for raising this issue. as you've suggested, it's possible the RetryError timeout in the WebACL association resource of 2minutes isn't sufficient, and actually in the WebACL resource we use 5 minutes, so it's possible increasing that value could help out here. it's tricky though to validate as the error isn't consistent but if you (or anyone following this issue) would like to make that small change in the code, we'd be happy to review it.

[Carlovo]

Sure, I created a pull request.

Also, I think I found a slightly hacky way make this problem occur less often:

resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_lb.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}

resource "aws_wafv2_web_acl" "example" {
  name  = "alb-example"
  scope = "REGIONAL"

  # some more irrelevant config goes here
}

resource "aws_lb" "example" {
  name = "example"

  depends_on = [aws_wafv2_web_acl.example]
  
  # some more irrelevant config goes here
}

This ensures there is additional time between the ACL and association creation, but I think this depends_on trickery should not be necessary.

This has been released in version 3.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!