Output of "Attach WAF to ALBs":

TASK [Attach WAF to ALBs] *
**************************************************************************************************************
**

Thursday 24 August 2023  12:34:47 -0700 (0:00:00.305)       0:00:33.257 *
********

failed: [localhost] (item=us-east-1) => {"ansible_loop_var": "item", 
"changed": true, "cmd": "for alb_arn in 
['arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447',
 
'arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98',
 
'arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1'];
 
do\n  echo \"ALB ARN: $alb_arn\"\n  echo \"WAF ARN: 
arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee\"\n
  
aws wafv2 associate-web-acl    --web-acl-arn 
\"arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee\"
  
  --resource-arn $alb_arn    --profile \"<>\"    --region 
\"us-east-1\"\ndone\n", "delta": "0:00:12.982311", "end": "2023-08-24 
12:35:01.526408", "item": "us-east-1", "msg": "non-zero return code", "rc": 
255, "start": "2023-08-24 12:34:48.544097", "stderr": "\nAn error occurred 
(WAFInvalidParameterException) when calling the AssociateWebACL operation: 
Error reason: The ARN isn't valid. A valid ARN begins with arn: and 
includes other information separated by colons or slashes., field: 
RESOURCE_ARN, parameter: 
[arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,\n\nAn
 
error occurred (WAFNonexistentItemException) when calling the 
AssociateWebACL operation: AWS WAF couldn’t perform the operation because 
your resource doesn’t exist.\n\nAn error occurred 
(WAFNonexistentItemException) when calling the AssociateWebACL operation: 
AWS WAF couldn’t perform the operation because your resource doesn’t 
exist.", "stderr_lines": ["", "An error occurred 
(WAFInvalidParameterException) when calling the AssociateWebACL operation: 
Error reason: The ARN isn't valid. A valid ARN begins with arn: and 
includes other information separated by colons or slashes., field: 
RESOURCE_ARN, parameter: 
[arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,",
 
"", "An error occurred (WAFNonexistentItemException) when calling the 
AssociateWebACL operation: AWS WAF couldn’t perform the operation because 
your resource doesn’t exist.", "", "An error occurred 
(WAFNonexistentItemException) when calling the AssociateWebACL operation: 
AWS WAF couldn’t perform the operation because your resource doesn’t 
exist."], "stdout": "ALB ARN: 
[arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,\nWAF
 
ARN: 
arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee\nALB
 
ARN: 
arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98,\nWAF
 
ARN: 
arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee\nALB
 
ARN: 
arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1]\nWAF
 
ARN: 
arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee",
 
"stdout_lines": ["ALB ARN: 
[arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,",
 
"WAF ARN: 
arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee",
 
"ALB ARN: 
arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98,",
 
"WAF ARN: 
arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee",
 
"ALB ARN: 
arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1]",
 
"WAF ARN: 
arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee"]}


On Friday, August 25, 2023 at 11:26:35 AM UTC+5:30 Dick Visser wrote:

> And the output of "Attach WAF to ALBs"?
>
> Sent from Gmail Mobile
>
>
> On Fri, 25 Aug 2023 at 06:52, Shivani Arora <[email protected]> wrote:
>
>> Hey Dick,
>>
>> Thanks for responding.
>>
>> Please find the attached debug output as requested.
>>
>> TASK [Display ALB ARNs] 
>> ************************************************************************************
>> Thursday 24 August 2023  13:04:34 -0700 (0:00:00.338)       0:00:24.776 
>> *******
>> ok: [localhost] => {
>>     "alb_map_arns": {
>>         "eu-central-1": [
>>             
>> "arn:aws:elasticloadbalancing:eu-central-1:<profile>:loadbalancer/app/Web-QAtest/78c12741885fcfbb",
>>             
>> "arn:aws:elasticloadbalancing:eu-central-1:<profile>:loadbalancer/app/Service-QAtest/a22b43074f64f9d7",
>>             
>> "arn:aws:elasticloadbalancing:eu-central-1:<profile>:loadbalancer/app/ServiceInt-QAtest/2f7fff2fb7d354a7"
>>         ],
>>         "us-east-1": [
>>             
>> "arn:aws:elasticloadbalancing:us-east-1:<profile>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447",
>>             
>> "arn:aws:elasticloadbalancing:us-east-1:<profile>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98",
>>             
>> "arn:aws:elasticloadbalancing:us-east-1:<profile>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1"
>>         ]
>>     }
>> }
>>
>> On Friday, August 25, 2023 at 3:06:14 AM UTC+5:30 Dick Visser wrote:
>>
>>> Hi
>>>
>>> You left out important information. For instance the output of the 
>>> "Display ALB ARNs" debug task.
>>> That is used in your shell command at " for alb_arn in {{ 
>>> alb_map_arns[item] }}; do", so that is important.
>>> Post that debug output.
>>> Or, post the output of the "Attach WAF to ALBs" task with -vv.
>>>
>>>
>>> On Thu, 24 Aug 2023 at 21:45, Shivani Arora <[email protected]> wrote:
>>>
>>>> Hi Team, 
>>>>
>>>> I'm trying the code below to attach a region-specific WAF to 
>>>> region-specific ALBs, but it doesn't seem to be working for 
>>>> associating the WAF with the ALBs. The last shell module is having issues: 
>>>> the "$alb_arn" value is not getting interpreted, and I'm getting the error 
>>>> mentioned below.
>>>>
>>>> tasks:
>>>>
>>>>   - block:
>>>>       - name: Get service alb info
>>>>         community.aws.elb_application_lb_info:
>>>>           profile: "{{ aws_profile_name }}"
>>>>           region: "{{ region }}"
>>>>           names:
>>>>           - "Service-{{ ec2_tag_environment }}"
>>>>           - "ServiceInt-{{ ec2_tag_environment }}"
>>>>           - "Web-{{ ec2_tag_environment }}"
>>>>         register: alb_info
>>>>         loop: "{{ aws_cloud_regions }}"
>>>>         loop_control:
>>>>           loop_var: region
>>>>
>>>>       - debug:
>>>>             var=alb_info
>>>>
>>>>       - name: Extract ALB ARNs
>>>>         set_fact:
>>>>             alb_arns: "{{ alb_arns | default([]) + item.load_balancers 
>>>> | map(attribute='load_balancer_arn') | list }}"
>>>>         loop: "{{ alb_info.results }}"
>>>>
>>>>       - name: Extract ALB map ARNs
>>>>         set_fact:
>>>>             alb_map_arns: "{{ alb_map_arns | default({}) | 
>>>> combine({item.region: item.load_balancers | 
>>>> map(attribute='load_balancer_arn') | list}) }}"
>>>>         loop: "{{ alb_info.results }}"
>>>>
>>>>
>>>>       - name: Display ALB ARNs
>>>>         debug:
>>>>           var: alb_map_arns
>>>>
>>>>       - name: Get WAF WebACL ARN
>>>>         shell: |
>>>>           aws wafv2 list-web-acls --scope REGIONAL --profile "{{ 
>>>> aws_profile_name }}" --region "{{ region }}" --query 'WebACLs[?Name==`{{ 
>>>> ec2_tag_environment }}-ALB`].ARN' --output text
>>>>         register: waf_acl
>>>>         changed_when: false
>>>>         loop: "{{ aws_cloud_regions }}"
>>>>         loop_control:
>>>>           loop_var: region
>>>>
>>>>       - debug:
>>>>              var=waf_acl
>>>>
>>>>       - name: Print WebACL ARN
>>>>         set_fact:
>>>>            waf_arn: "{{ waf_arn | default({}) | combine({item.region: 
>>>> item.stdout}) }}"
>>>>         loop: "{{ waf_acl.results }}"
>>>>
>>>>       - debug:
>>>>             var=waf_arn
>>>>
>>>>       - name: Attach WAF to ALBs
>>>>         shell: |
>>>>           for alb_arn in {{ alb_map_arns[item] }}; do
>>>>             aws wafv2 associate-web-acl \
>>>>               --web-acl-arn "{{ waf_arn[item] }}" \
>>>>               --resource-arn "$alb_arn" \
>>>>               --profile "{{ aws_profile_name }}" \
>>>>               --region "{{ item }}"
>>>>           done
>>>>         loop: "{{ waf_arn.keys() | list }}"
>>>>         when: item in alb_map_arns
>>>>
>>>>
>>>> Below, $alb_arn is not getting interpreted:
>>>>
>>>>  do\n  aws wafv2 associate-web-acl    --web-acl-arn 
>>>> \"arn:aws:wafv2:eu-central-1:<profile>:regional/webacl/QAtest-ALB/a6dda4d3-9973-4b88-bc49-a7cbad91a302\"
>>>>  
>>>>    --resource-arn \"$alb_arn\"
>>>>
>>>> error reason: The ARN isn't valid. A valid ARN begins with arn: and 
>>>> includes other information separated by colons or slashes., field: 
>>>> RESOURCE_ARN
>>>> An error occurred (WAFNonexistentItemException) when calling the 
>>>> AssociateWebACL operation: AWS WAF couldn’t perform the operation because 
>>>> your resource doesn’t exist
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Ansible Project" group.
>>>>
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msgid/ansible-project/72172b94-528b-4828-b586-836160a318a3n%40googlegroups.com
>>>>  
>>>> <https://groups.google.com/d/msgid/ansible-project/72172b94-528b-4828-b586-836160a318a3n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>
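
Added example, not part of the thread or the poster's playbook: a shell sketch of why the loop in "Attach WAF to ALBs" passes `[arn:...,` as `--resource-arn`, and how the same loop behaves when the list is rendered space-separated (for instance with Jinja2's `map('quote') | join(' ')`). The ARNs and the helper names `loop_words`, `is_alb_arn`, `count_valid` and `first_word` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample ARNs (placeholder account ID and names, not from the thread).
P='arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app'
A1="$P/Web-Example/0123456789abcdef"
A2="$P/Svc-Example/fedcba9876543210"
A3="$P/SvcInt-Example/00112233aabbccdd"

# What "{{ alb_map_arns[item] }}" renders to: the repr of a Python list.
RENDERED_LIST="['$A1', '$A2', '$A3']"
# What "{{ alb_map_arns[item] | map('quote') | join(' ') }}" renders to.
RENDERED_JOINED="$A1 $A2 $A3"

# Print, one per line, the words the shell iterates over in
# "for alb_arn in <rendered>; do". eval reproduces the shell parsing the
# rendered script text; it is only ever fed the constants defined above.
loop_words() {
  eval "for w in $1; do printf '%s\n' \"\$w\"; done"
}

# Succeed only for a well-formed Application Load Balancer ARN.
is_alb_arn() {
  printf '%s\n' "$1" | grep -Eq \
    '^arn:aws:elasticloadbalancing:[a-z0-9-]+:[0-9]{12}:loadbalancer/app/[A-Za-z0-9-]+/[0-9a-f]{16}$'
}

# Count how many loop words would be usable as --resource-arn.
count_valid() {
  n=0
  for w in $(loop_words "$1"); do
    if is_alb_arn "$w"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# First word of the loop, to compare with the "ALB ARN:" line in the task output.
first_word() { loop_words "$1" | head -n 1; }

echo "list repr: $(count_valid "$RENDERED_LIST") of 3 valid; first word: $(first_word "$RENDERED_LIST")"
echo "joined   : $(count_valid "$RENDERED_JOINED") of 3 valid; first word: $(first_word "$RENDERED_JOINED")"
```

With the list repr, every word carries a stray `[`, `,` or `]`, so no ALB ends up associated with the web ACL; running a check like `is_alb_arn` before the `aws wafv2 associate-web-acl` call makes that failure explicit instead of leaving the load balancers unprotected.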
