
Invalid ARN when creating aws.wafv2.WebAclLoggingConfiguration #1214

Closed
emiioan opened this issue Nov 11, 2020 · 25 comments
Labels
kind/question Questions about existing features

Comments

@emiioan

emiioan commented Nov 11, 2020

When trying to create aws.wafv2.WebAclLoggingConfiguration it fails with "The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes."
The thing is that the ARN format is OK; I spoke with AWS support and they said that all the setup was made properly for AWS and the API calls, so it seems to be a Pulumi issue.

Here is the example code from @pulumi/aws module:

const example = new aws.wafv2.WebAclLoggingConfiguration("example", {
    logDestinationConfigs: [aws_kinesis_firehose_delivery_stream.example.arn],
    resourceArn: aws_wafv2_web_acl.example.arn,
    redactedFields: [{
        singleHeader: {
            name: "user-agent",
        },
    }],
});

And this is my code:

const waflogging = new aws.wafv2.WebAclLoggingConfiguration("model-builder-waflogging", {
    logDestinationConfigs: [kinesisStream.arn],
    resourceArn: wafwebacl.arn, // I tried to manually add it as a string but same issue.
}, { dependsOn: kinesisStream });

When I run Pulumi, I have the following error:

* error putting WAFv2 Logging Configuration for resource (arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81): WAFInvalidParameterException: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81
{
RespMetadata: {
StatusCode: 400,
RequestID: "79d08de5-b145-4eb5-9f35-c67ef076f3ac"
},
Field: "RESOURCE_ARN",
Message_: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81",
Parameter: "arn:aws:wafv2:us-east-1:796031763495:global/webacl/modelbuilderCF/80986c63-50d8-4775-b82e-91339616cc81",
Reason: "The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes."
}

For now I had to manually enable logging for my WebACL v2, but it would be nice to have it all done from Pulumi.
Please advise if it's something I'm doing wrong or whether there is any other constructor I can use to configure logging. I tried to add the ARN as a string but got the same outcome.

Thanks

@emiioan emiioan changed the title error putting WAFv2 Logging Configuration for resource Invalid ARN when creating aws.wafv2.WebAclLoggingConfiguration Nov 11, 2020
@emiioan
Author

emiioan commented Nov 11, 2020

Just want to add that aws.kinesis.FirehoseDeliveryStream("aws-waf-logs-modelbuilderStream") was created in us-east-1 for WAF logging, as the WAF is assigned to CloudFront, and the name is prefixed with 'aws-waf-logs-' as AWS recommends (https://docs.aws.amazon.com/waf/latest/developerguide/logging.html).

@achepta

achepta commented Nov 11, 2020

You need to replace "global" in the ARN string with "regional".

@emiioan
Author

emiioan commented Nov 11, 2020

Can't do that, as that's the ARN for the WebACL. Since the WebACL is assigned to a CloudFront distribution you can only have a global-scope WAF.

@achepta

achepta commented Nov 11, 2020

The issue is on the AWS side though. There are no resources for WebACLs, whether I used CloudFront or AppSync.

@emiioan
Author

emiioan commented Nov 11, 2020

Nope, if I enable logging for the WebACL from the AWS console I can see the Kinesis stream, and all logs are saved by Kinesis to an S3 bucket. So the AWS setup is OK.

@mikhailshilkov
Member

@emiioan Could you take a look at hashicorp/terraform-provider-aws#13955 (comment) and see if this helps?

@mikhailshilkov mikhailshilkov self-assigned this Nov 12, 2020
@emiioan
Author

emiioan commented Nov 12, 2020

Hello, saw that closed issue before opening mine. I'm afraid that there is no explanation there regarding the fix. The only notable thing was regarding kinesis stream name which needs to start with aws-waf-logs-* and mine does start with this prefix.

@mikhailshilkov mikhailshilkov transferred this issue from pulumi/pulumi Nov 13, 2020
@mikhailshilkov mikhailshilkov added the kind/question Questions about existing features label Nov 13, 2020
@emiioan
Author

emiioan commented Jan 14, 2021

Hello, can you please advise whether there are any updates on this? I implemented the Kinesis delivery stream in other projects with Pulumi and am still doing this step manually.

@mikhailshilkov
Member

I haven't had the capacity to look into this issue, unfortunately.

If you run TF_LOG=1 pulumi up -v=9 --debug --logtostderr --logflow you should be able to see the exact values that we send to AWS somewhere in the long text output. Maybe that would help identify the issue?

@mikhailshilkov mikhailshilkov removed their assignment Jan 14, 2021
@emiioan
Author

emiioan commented Jan 15, 2021

Thanks for the reply. I used the debug flags you provided and my guess is that aws-sdk-go is not parsing/validating the ARN format properly:

debug: [aws-sdk-go] DEBUG: Request WAFV2/PutLoggingConfiguration Details:
debug: ---[ REQUEST POST-SIGN ]-----------------------------
debug: POST / HTTP/1.1
debug: Host: wafv2.eu-west-1.amazonaws.com
debug: User-Agent: aws-sdk-go/1.36.0 (go1.15.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11+compatible (+https://www.terraform.io)
debug: Content-Length: 276
debug: Authorization: AWS4-HMAC-SHA256 Credential=ASIAXUXFLJ6OCTSWC4H7/20210115/eu-west-1/wafv2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=e88f91a9ebdb65636ccea82bb5655a588857dcfad4a922c4a9be7f65599d33ff
debug: Content-Type: application/x-amz-json-1.1
debug: X-Amz-Date: 20210115T074742Z
debug: X-Amz-Security-Token: FwoGZXIvYXdzEEkaDPCDq43uMRQREuD1nSLoARJGOBU/X4RZa0FTWbDlS972z9J/SgvnBIAzz0gWOjsiI/fMKnpW1kt/7Io1TpOBQ3qCt1/WpNHwsVmH6uyacAvG5ZwXWIjeo2uF8V25WEIctDDAmKXrrjqn+rIP79DTiabMmpSBgOmBPPniTRfLr5yd4joj2B1rN3PaH61mKlzOjSyx5L1dB/DUFqpwrvgJhukvBreUckWhsSa05xPAQFeTju2UkA5IpezuPdLfSQLJsD6MapC7cU2vH/fUtz7ua/blN5IbmXQFAKp6dxdGzgZWuDUclQTh92v2IN93vWLq+iFRUd58Axco7oWFgAYyK+C68YdaqielLMHmhZpVL6nBwZm9M6M4ZGq/dWTPjpVQBSv95iPcX+kOmCw=
debug: X-Amz-Target: AWSWAF_20190729.PutLoggingConfiguration
debug: Accept-Encoding: gzip
debug:
debug: {"LoggingConfiguration":{"LogDestinationConfigs":["arn:aws:firehose:us-east-1:525540741020:deliverystream/aws-waf-logs-wordpress-0cf21a0"],"RedactedFields":[],"ResourceArn":"arn:aws:wafv2:us-east-1:525540741020:global/webacl/wordpressCF/f213acb2-8a3b-4598-ae33-d5bbec971e43"}}
debug: -----------------------------------------------------
debug: [aws-sdk-go] DEBUG: Response WAFV2/PutLoggingConfiguration Details:
debug: ---[ RESPONSE ]--------------------------------------
debug: HTTP/1.1 400 Bad Request
debug: Connection: close
debug: Content-Length: 574
debug: Content-Type: application/x-amz-json-1.1
debug: Date: Fri, 15 Jan 2021 07:47:42 GMT
debug: X-Amzn-Requestid: bdc752c5-9eae-4d17-a46e-408804f72d69
debug:
debug:
debug: -----------------------------------------------------
debug: [aws-sdk-go] {"__type":"WAFInvalidParameterException","Field":"RESOURCE_ARN","Parameter":"arn:aws:wafv2:us-east-1:525540741020:global/webacl/wordpressCF/f213acb2-8a3b-4598-ae33-d5bbec971e43","Reason":"The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes.","message":"Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:us-east-1:525540741020:global/webacl/wordpressCF/f213acb2-8a3b-4598-ae33-d5bbec971e43"}
debug: [aws-sdk-go] DEBUG: Validate Response WAFV2/PutLoggingConfiguration failed, attempt 0/25, error WAFInvalidParameterException: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:us-east-1:525540741020:global/webacl/wordpressCF/f213acb2-8a3b-4598-ae33-d5bbec971e43
debug: {
debug:   RespMetadata: {
debug:     StatusCode: 400,
debug:     RequestID: "bdc752c5-9eae-4d17-a46e-408804f72d69"
debug:   },
debug:   Field: "RESOURCE_ARN",
debug:   Message_: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: arn:aws:wafv2:us-east-1:525540741020:global/webacl/wordpressCF/f213acb2-8a3b-4598-ae33-d5bbec971e43",
debug:   Parameter: "arn:aws:wafv2:us-east-1:525540741020:global/webacl/wordpressCF/f213acb2-8a3b-4598-ae33-d5bbec971e43",
debug:   Reason: "The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes."
debug: }

@ricoli

ricoli commented Apr 19, 2021

Hi @emiioan - I had this same issue but when using Terraform, which led me here, and as it turns out the issue was in between the chair and the keyboard, as I forgot to set the region to us-east-1 for this resource creation, hence the ARN validation error :) Hopefully this helps!

@james64

james64 commented Apr 23, 2021

@ricoli I am experiencing the same. It is failing even with provider = aws.us-east-1 on association resource. Aliased provider is configured for the region. Would you have any other ideas what to check?

@ricoli

ricoli commented Apr 23, 2021

@ricoli I am experiencing the same. It is failing even with provider = aws.us-east-1 on association resource. Aliased provider is configured for the region. Would you have any other ideas what to check?

Ah no, sorry, my problem was the missing alias configuration.

@emiioan
Author

emiioan commented May 6, 2021

@ricoli Yep, I can confirm another issue between the chair and the keyboard :)) It works by specifying the us-east-1 region as you advised.

@rererecursive

You need to ensure your delivery stream's name begins with aws-waf-logs-.

@rsmets

rsmets commented Aug 14, 2021

@rererecursive, firstly thanks! Curious where in the docs it states that the delivery stream's name must begin with aws-waf-logs? I was having the same issue described in this thread until I read your comment. Ensuring the naming convention was the fix.

@marxjohnson

@rererecursive Thanks! I've been tearing my hair out over this all day. For anyone else looking, this is mentioned on https://docs.aws.amazon.com/waf/latest/developerguide/logging.html

Create an Amazon Kinesis Data Firehose using a name starting with the prefix aws-waf-logs-.

You must choose a firehose that begins with aws-waf-logs-.

@emiioan
Author

emiioan commented Nov 19, 2021

This was fixed by doing the following:

Closing issue.

@emiioan emiioan closed this as completed Nov 19, 2021
@rosehgal

rosehgal commented Feb 1, 2022

@ricoli I am experiencing the same. It is failing even with provider = aws.us-east-1 on association resource. Aliased provider is configured for the region. Would you have any other ideas what to check?

I was facing the same issue with TF too and dropped by here. Tried adding region under the provider section and this worked.

@fusion27

Not only for Kinesis logging; the same goes for CloudWatch logging.

const logGroup:aws_logs.LogGroup = new aws_logs.LogGroup(this, `logGroupWaf`, {
  retention: 30,
  logGroupName: `aws-waf-logs-abc`
});

@rupertbg

@fusion27 the CloudFormation return value for the ARN of a CloudWatch Log Group includes the * on the end. You'll need to use the name instead and build an ARN string.

@yasmin-11

I got this error:

│ Error: putting WAFv2 Logging Configuration for resource (arn:aws:wafv2:us-west-1:937188154488:regional/webacl/lf-dev-alb-acl/8f5cda88-eb7b-4e8b-b282-b9305e01c175): WAFInvalidParameterException: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: LOG_DESTINATION, parameter: arn:aws:logs:us-west-1:937188154488:log-group:WAF-logs-alb
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "68de46b8-3fc2-41f5-9fd3-9bd759da47ff"
│   },
│   Field: "LOG_DESTINATION",
│   Message_: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: LOG_DESTINATION, parameter: arn:aws:logs:us-west-1:937188154488:log-group:WAF-logs-alb",
│   Parameter: "arn:aws:logs:us-west-1:937188154488:log-group:WAF-logs-alb",
│   Reason: "The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes."
│ }
│ 
│   with module.infra.aws_wafv2_web_acl_logging_configuration.waf_log,
│   on ../stack/waf.tf line 180, in resource "aws_wafv2_web_acl_logging_configuration" "waf_log":
│  180: resource "aws_wafv2_web_acl_logging_configuration" "waf_log" {

I fixed this issue for CloudWatch logging by adding the prefix aws-waf-logs at the beginning of the name of the aws_cloudwatch_log_group:

resource "aws_cloudwatch_log_group" "alb-waf-log" {
  // For WAF the name must start with aws-waf-logs
  name = "aws-waf-logs-alb"
}

resource "aws_wafv2_web_acl_logging_configuration" "waf_log" {
  log_destination_configs = [aws_cloudwatch_log_group.alb-waf-log.arn]
  resource_arn            = aws_wafv2_web_acl.waf-acl.arn
}
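
The three pitfalls this thread converges on (a global/CloudFront web ACL must be configured through us-east-1, the Firehose stream or CloudWatch log group name must start with aws-waf-logs-, and the CloudWatch log-group ARN handed back by CloudFormation/CDK carries a trailing :*) can all be caught locally before pulumi up or terraform apply ever calls AWS. The TypeScript below is an added example written for this thread, not code from Pulumi, Terraform or the AWS provider; the function names (parseArn, checkLoggingConfig, checkSdkDebugOutput) and the scope-to-region rule it encodes are this example's own assumptions, and the debug excerpt it parses is a constructed, trimmed copy of the aws-sdk-go output posted earlier in the thread.

```typescript
// Pre-flight checks for a WAFv2 web ACL logging configuration.
// Added example for this thread; not Pulumi's, Terraform's or the AWS
// provider's own code. It only inspects ARN strings locally, so it needs no
// AWS credentials and never touches the API.

interface Arn {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;
}

// Split "arn:partition:service:region:account:resource". The resource part may
// itself contain ':' (e.g. "log-group:name:*"), so only the first five colons
// are treated as field separators.
function parseArn(arn: string): Arn {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") {
    throw new Error(`not an ARN: ${arn}`);
  }
  const [, partition, service, region, account, ...rest] = parts;
  return { partition, service, region, account, resource: rest.join(":") };
}

// CloudFormation/CDK return a log-group ARN ending in ":*"; the WAF API wants
// the bare log-group ARN, so strip that suffix (a no-op for other ARNs).
function normalizeLogDestination(arn: string): string {
  return arn.endsWith(":*") ? arn.slice(0, -2) : arn;
}

// The name that must carry the "aws-waf-logs-" prefix is the Firehose delivery
// stream name or the CloudWatch log group name embedded in the destination ARN.
function destinationName(arn: string): string {
  const { service, resource } = parseArn(normalizeLogDestination(arn));
  if (service === "firehose") return resource.replace(/^deliverystream\//, "");
  if (service === "logs") return resource.replace(/^log-group:/, "");
  throw new Error(`unsupported log destination service: ${service}`);
}

interface CheckResult {
  ok: boolean;
  problems: string[];
  logDestinations: string[]; // destinations after ":*" normalization
}

// providerRegion is the region the AWS provider will send the
// PutLoggingConfiguration call to (the Pulumi/Terraform provider's region).
function checkLoggingConfig(
  resourceArn: string,
  logDestinations: string[],
  providerRegion: string,
): CheckResult {
  const problems: string[] = [];
  const acl = parseArn(resourceArn);
  const scope = acl.resource.split("/")[0]; // "global" or "regional"

  if (scope === "global" && providerRegion !== "us-east-1") {
    problems.push(
      `global (CloudFront) web ACL must be configured through us-east-1, ` +
        `but the provider targets ${providerRegion}`,
    );
  } else if (scope === "regional" && providerRegion !== acl.region) {
    problems.push(
      `regional web ACL lives in ${acl.region}, but the provider targets ${providerRegion}`,
    );
  }

  const normalized = logDestinations.map(normalizeLogDestination);
  for (const dest of normalized) {
    const name = destinationName(dest);
    if (!name.startsWith("aws-waf-logs-")) {
      problems.push(`log destination name "${name}" must start with "aws-waf-logs-"`);
    }
  }
  return { ok: problems.length === 0, problems, logDestinations: normalized };
}

// Pull the endpoint region and request body out of aws-sdk-go debug output
// (the TF_LOG / pulumi --debug text) and run the same checks on them.
function checkSdkDebugOutput(debugText: string): CheckResult {
  const endpointRegion = /Host:\s*wafv2\.([a-z0-9-]+)\.amazonaws\.com/.exec(debugText)?.[1];
  const requestJson = /debug:\s*(\{"LoggingConfiguration".*\})/.exec(debugText)?.[1];
  if (!endpointRegion || !requestJson) {
    throw new Error("no WAFv2 PutLoggingConfiguration request found in debug output");
  }
  const cfg = JSON.parse(requestJson).LoggingConfiguration;
  return checkLoggingConfig(cfg.ResourceArn, cfg.LogDestinationConfigs, endpointRegion);
}

// Constructed excerpt, trimmed from the debug output posted earlier in this
// thread: the request goes to eu-west-1 while the web ACL is global.
const SAMPLE_DEBUG = [
  "debug: POST / HTTP/1.1",
  "debug: Host: wafv2.eu-west-1.amazonaws.com",
  'debug: {"LoggingConfiguration":{"LogDestinationConfigs":["arn:aws:firehose:us-east-1:525540741020:deliverystream/aws-waf-logs-wordpress-0cf21a0"],"RedactedFields":[],"ResourceArn":"arn:aws:wafv2:us-east-1:525540741020:global/webacl/wordpressCF/f213acb2-8a3b-4598-ae33-d5bbec971e43"}}',
].join("\n");

for (const problem of checkSdkDebugOutput(SAMPLE_DEBUG).problems) console.log(problem);
```

Run against the thread's own debug excerpt, the only finding is the endpoint/scope mismatch (request sent to eu-west-1 for a global web ACL), which is exactly the "invalid ARN" the API reports so unhelpfully; the Firehose name already carries the required prefix. Feeding it the CloudWatch case from the Terraform comment instead reports the missing aws-waf-logs- prefix and returns the log-group ARN with its :* suffix stripped.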

@ryanleecode

What an absolute scam

@maksymyaremko

It's been 4 years and this problem still hasn't been fixed 😒

@t0yv0
Member

t0yv0 commented Dec 27, 2024

@maksymyaremko can you open a new ticket with repro steps? We look at incoming tickets with repro steps, but we're out of capacity for all the closed tickets.
