community.aws
WAFv2 integration tests consistently failing
Summary
When trying to attach the WAF to an ALB, the integration tests are consistently failing in CI.
I've attempted to fix the tests, but I'm not familiar enough with AWS WAF to identify and fix the problem
Issue Type
Bug Report
Component Name
wafv2
Ansible Version
CI
Collection Versions
CI
AWS SDK versions
Successfully installed PyYAML-5.3.1 awscli-1.19.0 boto3-1.17.0 botocore-1.20.0 colorama-0.4.3 distlib-0.3.4 docutils-0.15.2 filelock-3.6.0 jmespath-0.10.0 netaddr-0.8.0 platformdirs-2.5.1 pycrypto-2.6.1 python-dateutil-2.8.2 rsa-4.5 s3transfer-0.3.7 virtualenv-20.13.3
Configuration
CI
OS / Environment
CI
Steps to Reproduce
Run integration tests
Expected Results
Tests pass
Actual Results
TASK [wafv2 : add test alb to test waf] ***************************************************************************************************************************************************************************
task path: /root/ansible_collections/community/aws/tests/output/.tmp/integration/wafv2-y7rwey2x-ÅÑŚÌβŁÈ/tests/integration/targets/wafv2/tasks/waf_resources.yml:19
Using module file /root/ansible_collections/community/aws/plugins/modules/wafv2_resources.py
Pipelining is enabled.
<testhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<testhost> EXEC /bin/sh -c 'ANSIBLE_DEBUG_BOTOCORE_LOGS=True /usr/bin/python3.10 && sleep 0'
FAILED - RETRYING: [testhost]: add test alb to test waf (20 retries left).Result was: {
...
Using module file /root/ansible_collections/community/aws/plugins/modules/wafv2_resources.py
Pipelining is enabled.
<testhost> EXEC /bin/sh -c 'ANSIBLE_DEBUG_BOTOCORE_LOGS=True /usr/bin/python3.10 && sleep 0'
The full traceback is:
Traceback (most recent call last):
File "/tmp/ansible_wafv2_resources_payload_pxyy0uar/ansible_wafv2_resources_payload.zip/ansible_collections/community/aws/plugins/modules/wafv2_resources.py", line 97, in add_wafv2_resources
File "/usr/lib/python3.10/dist-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python3.10/dist-packages/botocore/client.py", line 676, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.WAFUnavailableEntityException: An error occurred (WAFUnavailableEntityException) when calling the AssociateWebACL operation: AWS WAF couldn’t retrieve the resource that you requested. Retry your request.
fatal: [testhost]: FAILED! => {
"attempts": 20,
"boto3_version": "1.17.0",
"botocore_version": "1.20.0",
"changed": false,
"error": {
"code": "WAFUnavailableEntityException",
"message": "AWS WAF couldn’t retrieve the resource that you requested. Retry your request."
},
"invocation": {
"module_args": {
"arn": "arn:aws:elasticloadbalancing:us-east-1:966509639900:loadbalancer/app/my-alb-e7715efcd1bd/93425d2b81a1b8a8",
"aws_access_key": "ASIA6CCDWXDOLLGNE37D",
"aws_ca_bundle": null,
"aws_config": null,
"aws_secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"debug_botocore_endpoint_logs": true,
"ec2_url": null,
"name": "e7715efcd1bd-web-acl",
"profile": null,
"region": "us-east-1",
"scope": "REGIONAL",
"security_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"state": "present",
"validate_certs": true
}
},
"message": "AWS WAF couldn’t retrieve the resource that you requested. Retry your request.",
"msg": "Failed to add wafv2 web acl.: An error occurred (WAFUnavailableEntityException) when calling the AssociateWebACL operation: AWS WAF couldn’t retrieve the resource that you requested. Retry your request.",
"resource_actions": [
"wafv2:ListWebACLs",
"wafv2:AssociateWebACL",
"wafv2:ListResourcesForWebACL",
"wafv2:GetWebACL"
],
"response_metadata": {
"http_headers": {
"connection": "close",
"content-length": "135",
"content-type": "application/x-amz-json-1.1",
"date": "Sat, 12 Mar 2022 19:41:23 GMT",
"x-amzn-requestid": "b796fe71-676e-4ee1-884e-43fc65aea2ee"
},
"http_status_code": 400,
"request_id": "b796fe71-676e-4ee1-884e-43fc65aea2ee",
"retry_attempts": 0
}
}
Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct
Files identified in the description:
- plugins/modules/wafv2_ip_set.py
If these files are inaccurate, please update the component name section of the description or use the !component bot command.
cc @jillr @markuman @s-hertel
I've also experienced this via the AWS console when trying to integrate a WAF to an ALB, especially for WAFs that were just created. Only after I've given the WAF some time to sit and contemplate its existence does it finally integrate properly.
I'm not sure if this is strictly tied to the Ansible module.
@jlosito yes, that's the nature of many aws services.
The wafv2 modules lack waiters.
Are you motivated to implement them?
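The waiter-style retry that the last comment asks for, as an added example that is not code from community.aws or from anyone in this thread: it retries AssociateWebACL with exponential backoff only on WAFUnavailableEntityException (the eventual-consistency error in the log above), raises any other error such as AccessDenied immediately, and then confirms the association through ListResourcesForWebACL, the same call the module already makes. The `FakeWafv2Client`, the ARNs and the injected `sleep` are constructed so the block runs offline; with a real `boto3.client("wafv2")` in their place the same two API calls go to AWS.

```python
"""Retry AssociateWebACL until AWS WAF can see the newly created resource.

Added example, not community.aws code. Assumes a client exposing boto3's
associate_web_acl / list_resources_for_web_acl methods.
"""
import time

try:
    from botocore.exceptions import ClientError
except ImportError:  # stand-in with botocore's .response shape, so the example runs without botocore
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__("%s in %s" % (error_response["Error"]["Code"], operation_name))
            self.response = error_response
            self.operation_name = operation_name

# Only the eventual-consistency error is worth retrying; everything else is a real failure.
RETRYABLE_CODES = {"WAFUnavailableEntityException"}


def associate_web_acl_with_retry(client, web_acl_arn, resource_arn,
                                 attempts=20, base_delay=2.0, max_delay=30.0,
                                 sleep=time.sleep):
    """Call AssociateWebACL with exponential backoff; return the attempt number that succeeded.

    Re-raises immediately on non-retryable errors and re-raises the last
    WAFUnavailableEntityException once `attempts` is exhausted.
    """
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            client.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=resource_arn)
            return attempt
        except ClientError as exc:
            code = exc.response.get("Error", {}).get("Code")
            if code not in RETRYABLE_CODES or attempt == attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, max_delay)


def is_associated(client, web_acl_arn, resource_arn,
                  resource_type="APPLICATION_LOAD_BALANCER"):
    """Verify the association the way the module does: ListResourcesForWebACL."""
    resp = client.list_resources_for_web_acl(WebACLArn=web_acl_arn, ResourceType=resource_type)
    return resource_arn in resp.get("ResourceArns", [])


class FakeWafv2Client:
    """Constructed stand-in: fails `failures` times with `error_code`, then associates."""

    def __init__(self, failures=0, error_code="WAFUnavailableEntityException"):
        self.failures = failures
        self.error_code = error_code
        self.calls = 0
        self.associations = {}

    def associate_web_acl(self, WebACLArn, ResourceArn):
        self.calls += 1
        if self.calls <= self.failures:
            raise ClientError(
                {"Error": {"Code": self.error_code,
                           "Message": "AWS WAF couldn't retrieve the resource that you requested. Retry your request."}},
                "AssociateWebACL")
        self.associations.setdefault(WebACLArn, set()).add(ResourceArn)
        return {}

    def list_resources_for_web_acl(self, WebACLArn, ResourceType):
        return {"ResourceArns": sorted(self.associations.get(WebACLArn, ()))}


# Constructed placeholder ARNs (not the ones from the CI log).
WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/00000000-0000-4000-8000-000000000000"
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-alb/0123456789abcdef"


def demo(failures=3):
    """Associate against a client that is unavailable `failures` times; return (attempts used, delays slept, associated)."""
    client = FakeWafv2Client(failures=failures)
    slept = []
    used = associate_web_acl_with_retry(client, WEB_ACL_ARN, ALB_ARN, sleep=slept.append)
    return used, slept, is_associated(client, WEB_ACL_ARN, ALB_ARN)


if __name__ == "__main__":
    print(demo())
```

Two details matter for a module implementation: the retry must key on the error code rather than catching every ClientError (an AccessDenied or a malformed ARN should fail fast), and a cap on the total wait keeps a genuinely missing resource from stalling the play indefinitely.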