
WAFv2 integration tests consistently failing

Open tremble opened this issue 2 years ago • 2 comments

Summary

When trying to attach the WAF to an ALB the integration tests are consistently failing in CI

I've attempted to fix the tests, but I'm not familiar enough with AWS WAF to identify and fix the problem

Issue Type

Bug Report

Component Name

wafv2

Ansible Version

CI

Collection Versions

CI

AWS SDK versions

Successfully installed PyYAML-5.3.1 awscli-1.19.0 boto3-1.17.0 botocore-1.20.0 colorama-0.4.3 distlib-0.3.4 docutils-0.15.2 filelock-3.6.0 jmespath-0.10.0 netaddr-0.8.0 platformdirs-2.5.1 pycrypto-2.6.1 python-dateutil-2.8.2 rsa-4.5 s3transfer-0.3.7 virtualenv-20.13.3

Configuration

CI

OS / Environment

CI

Steps to Reproduce

Run integration tests

Expected Results

Tests pass

Actual Results

TASK [wafv2 : add test alb to test waf] ***************************************************************************************************************************************************************************
task path: /root/ansible_collections/community/aws/tests/output/.tmp/integration/wafv2-y7rwey2x-ÅÑŚÌβŁÈ/tests/integration/targets/wafv2/tasks/waf_resources.yml:19
Using module file /root/ansible_collections/community/aws/plugins/modules/wafv2_resources.py
Pipelining is enabled.
<testhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<testhost> EXEC /bin/sh -c 'ANSIBLE_DEBUG_BOTOCORE_LOGS=True /usr/bin/python3.10 && sleep 0'
FAILED - RETRYING: [testhost]: add test alb to test waf (20 retries left).Result was: {
...
Using module file /root/ansible_collections/community/aws/plugins/modules/wafv2_resources.py
Pipelining is enabled.
<testhost> EXEC /bin/sh -c 'ANSIBLE_DEBUG_BOTOCORE_LOGS=True /usr/bin/python3.10 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_wafv2_resources_payload_pxyy0uar/ansible_wafv2_resources_payload.zip/ansible_collections/community/aws/plugins/modules/wafv2_resources.py", line 97, in add_wafv2_resources
  File "/usr/lib/python3.10/dist-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python3.10/dist-packages/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.WAFUnavailableEntityException: An error occurred (WAFUnavailableEntityException) when calling the AssociateWebACL operation: AWS WAF couldn’t retrieve the resource that you requested. Retry your request.
fatal: [testhost]: FAILED! => {
    "attempts": 20,
    "boto3_version": "1.17.0",
    "botocore_version": "1.20.0",
    "changed": false,
    "error": {
        "code": "WAFUnavailableEntityException",
        "message": "AWS WAF couldn’t retrieve the resource that you requested. Retry your request."
    },
    "invocation": {
        "module_args": {
            "arn": "arn:aws:elasticloadbalancing:us-east-1:966509639900:loadbalancer/app/my-alb-e7715efcd1bd/93425d2b81a1b8a8",
            "aws_access_key": "ASIA6CCDWXDOLLGNE37D",
            "aws_ca_bundle": null,
            "aws_config": null,
            "aws_secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "debug_botocore_endpoint_logs": true,
            "ec2_url": null,
            "name": "e7715efcd1bd-web-acl",
            "profile": null,
            "region": "us-east-1",
            "scope": "REGIONAL",
            "security_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "state": "present",
            "validate_certs": true
        }
    },
    "message": "AWS WAF couldn’t retrieve the resource that you requested. Retry your request.",
    "msg": "Failed to add wafv2 web acl.: An error occurred (WAFUnavailableEntityException) when calling the AssociateWebACL operation: AWS WAF couldn’t retrieve the resource that you requested. Retry your request.",
    "resource_actions": [
        "wafv2:ListWebACLs",
        "wafv2:AssociateWebACL",
        "wafv2:ListResourcesForWebACL",
        "wafv2:GetWebACL"
    ],
    "response_metadata": {
        "http_headers": {
            "connection": "close",
            "content-length": "135",
            "content-type": "application/x-amz-json-1.1",
            "date": "Sat, 12 Mar 2022 19:41:23 GMT",
            "x-amzn-requestid": "b796fe71-676e-4ee1-884e-43fc65aea2ee"
        },
        "http_status_code": 400,
        "request_id": "b796fe71-676e-4ee1-884e-43fc65aea2ee",
        "retry_attempts": 0
    }
}

Code of Conduct

  • [X] I agree to follow the Ansible Code of Conduct

tremble, Mar 13 '22 13:03

Files identified in the description:

  • [plugins/modules/wafv2_ip_set.py](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/plugins/modules/wafv2_ip_set.py)

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot, Mar 13 '22 13:03

cc @jillr @markuman @s-hertel click here for bot help

ansibullbot, Mar 13 '22 13:03

I've also experienced this via the AWS console when trying to integrate a WAF with an ALB, especially for WAFs that were just created. Only after I've given the WAF some time to sit and contemplate its existence does it finally integrate properly.

I'm not sure if this is strictly tied to the Ansible module.

jlosito, Jan 24 '23 16:01

@jlosito yes, that's the nature of many AWS services.
The wafv2 modules lack waiters.
Are you motivated to implement them?

markuman, Jan 24 '23 20:01
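To illustrate the kind of waiter the thread is asking for, here is an added example (not code from community.aws or the AWS SDK) that wraps the AssociateWebACL call from the traceback and retries only on WAFUnavailableEntityException, re-raising anything else immediately. The `FakeWafv2Client` and `FakeWafError` classes are constructed stand-ins that mimic the `.response['Error']['Code']` shape of a botocore `ClientError`, so the example runs offline; the ARNs are placeholders.

```python
import time
from typing import Callable

# Error code WAFv2 returns while a just-created ALB or web ACL is not yet
# visible to the WAF service (the code seen in the issue's traceback).
RETRYABLE_WAF_CODES = ("WAFUnavailableEntityException",)


def aws_error_code(exc: BaseException) -> str:
    """Return the service error code from a botocore-style exception (exc.response['Error']['Code'])."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def wait_and_associate(client, web_acl_arn: str, resource_arn: str,
                       max_attempts: int = 10, delay: float = 5.0,
                       sleep: Callable[[float], None] = time.sleep) -> int:
    """Call AssociateWebACL, retrying with a fixed delay while WAF reports the entity unavailable.

    Returns the number of attempts used. Any error other than the retryable code,
    or exhausting max_attempts, is re-raised unchanged so the caller sees the real failure.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            client.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=resource_arn)
            return attempt
        except Exception as exc:
            if aws_error_code(exc) not in RETRYABLE_WAF_CODES or attempt == max_attempts:
                raise
            sleep(delay)
    raise RuntimeError("unreachable")  # loop always returns or raises


# --- Constructed stand-ins for a boto3 wafv2 client (hypothetical, not the AWS SDK) ---
class FakeWafError(Exception):
    """Mimics botocore.exceptions.ClientError's .response structure."""
    def __init__(self, code: str, message: str):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeWafv2Client:
    """Fails the first `unavailable_for` calls with `error_code`, then succeeds."""
    def __init__(self, unavailable_for: int, error_code: str = "WAFUnavailableEntityException"):
        self.remaining, self.error_code, self.associated = unavailable_for, error_code, []

    def associate_web_acl(self, WebACLArn: str, ResourceArn: str) -> dict:
        if self.remaining > 0:
            self.remaining -= 1
            raise FakeWafError(self.error_code, "AWS WAF couldn't retrieve the resource that you requested.")
        self.associated.append((WebACLArn, ResourceArn))
        return {}


if __name__ == "__main__":
    client = FakeWafv2Client(unavailable_for=3)  # constructed: unavailable for three calls
    attempts = wait_and_associate(client, "arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/EXAMPLE",
                                  "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/EXAMPLE",
                                  sleep=lambda s: None)
    print(f"associated after {attempts} attempts")  # 4
```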