WebACL gets disassociated right after association #490

Closed
smitb opened this issue Jul 26, 2018 · 4 comments

Comments

smitb commented Jul 26, 2018

Hi,

Evaluating the aws-alb-ingress-controller. Great work! Using beta4 an associated webacl gets disassociated right after associating:

I0726 16:00:59.013823 1 loadbalancer.go:751] [ALB-INGRESS] [test/website] [DEBUG]: WAF needs to be changed: ( != "9006a537-1905-416d-a098-7a35bfc7bdfb")
I0726 16:00:59.013939 1 loadbalancer.go:573] [ALB-INGRESS] [test/website] [INFO]: Associating 0xc0003c7550 Web ACL.
I0726 16:00:59.014099 1 session.go:35] [ALB-INGRESS] [session] [INFO]: Request: waf-regional/AssociateWebACL, Payload: { ResourceArn: "arn:aws:elasticloadbalancing:eu-central-1:434116275719:loadbalancer/app/c3a2dacb-test-website-3002/18281268ec7b94ea", WebACLId: "9006a537-1905-416d-a098-7a35bfc7bdfb"}
I0726 16:01:00.185582 1 loadbalancer.go:584] [ALB-INGRESS] [test/website] [INFO]: Disassociating Web ACL.
I0726 16:01:00.185959 1 session.go:35] [ALB-INGRESS] [session] [INFO]: Request: waf-regional/DisassociateWebACL, Payload: { ResourceArn: "arn:aws:elasticloadbalancing:eu-central-1:434116275719:loadbalancer/app/c3a2dacb-test-website-3002/18281268ec7b94ea"}

With the AWS API keys I can do lookups of the WebACL with the AWS command-line tool, and I'm able to associate the ACL to the ALB via the AWS API, so it looks like it's not an ACL issue.

Any idea what is missing?

Thanks in advance.

Bas

smitb commented Jul 27, 2018

I can confirm that this is working now, thanks @bigkraig!

Bas

sichiba commented Aug 9, 2023

Hello @smitb @bigkraig @kishorj

I got a very strange behaviour of WAF v2 as well: its association with the ALB gets removed automatically. We couldn't find what's wrong and how to prevent that from happening. Any clues about this, please? We're newbies and we're going to production very soon, so we need to figure it out. Your help will be highly appreciated.

CloudTrail event (JSON view):

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/aws-load-balancer-controller/1691507478437619764",
    "accountId": "xxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxxxx:role/aws-load-balancer-controller",
        "accountId": "xxxxxxxxx",
        "userName": "aws-load-balancer-controller"
      },
      "webIdFederationData": {
        "federatedProvider": "arn:aws:iam::xxxxxxxxx:oidc-provider/oidc.eks.eu-west-3.amazonaws.com/id/xxxxxxxx",
        "attributes": {}
      },
      "attributes": {
        "creationDate": "2023-08-08T15:11:22Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-08-08T15:11:37Z",
  "eventSource": "wafv2.amazonaws.com",
  "eventName": "DisassociateWebACL",
  "awsRegion": "eu-west-3",
  "sourceIPAddress": "xxxxxxx",
  "userAgent": "elbv2.k8s.aws/v2.4.2 aws-sdk-go/1.42.27 (go1.17.10; linux; amd64)",
  "requestParameters": {
    "resourceArn": "arn:aws:elasticloadbalancing:eu-west-3:xxxxxxxx:loadbalancer/app/k8s-alb-xxx/xxx"
  },
  "responseElements": null,
  "requestID": "6d50xxxxxxxxxxxxx1",
  "eventID": "xxxxxxxxxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "apiVersion": "2019-04-23",
  "managementEvent": true,
  "recipientAccountId": "xxxxx",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "xxxxxxx",
    "clientProvidedHostHeader": "wafv2.eu-west-3.amazonaws.com"
  }
}

@KhoaLeGTG

The same problem in my system: WAF was disassociated from my load balancer by "AmazonEKSLoadBalancerControllerRole" automatically. I removed the permissions "waf-regional:DisassociateWebACL" and "wafv2:DisassociateWebACL", but it did not work and my WAF was still removed.
I cannot find any documentation about whether other policies can trigger this event or not.
Would anyone be able to help? Thanks so much.

@ibrahimbeyon

This other issue has helped me:
#2219

Just add the following annotation to your Kubernetes Ingress YAML definition:

alb.ingress.kubernetes.io/wafv2-acl-arn

Note: I also had some trouble getting the ARN through the console, but I found a button "Download web ACL as JSON" in the top right corner of the Web ACL page, where you'll find the ARN.
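Two defender-side checks that tie the CloudTrail event and the annotation fix from this thread together, written here as an added example (not code from the controller project or from any commenter): one flags DisassociateWebACL calls made under the controller's role, the other checks whether an Ingress manifest carries the wafv2-acl-arn annotation for the intended ACL. The role name and annotation key are taken from the thread; the sample records, ARNs and account IDs are constructed.

```python
"""The ALB controller reconciles WAF association from the Ingress annotation,
so a WebACL attached out-of-band is removed on the next sync. These checks
surface that: (1) in CloudTrail, (2) in the Ingress manifest before deploy."""

CONTROLLER_ROLE = "aws-load-balancer-controller"  # role name seen in the thread's event
ANNOTATION = "alb.ingress.kubernetes.io/wafv2-acl-arn"
WAF_SOURCES = ("wafv2.amazonaws.com", "waf-regional.amazonaws.com")


def controller_disassociations(records):
    """Return (eventTime, resourceArn) for every WAF DisassociateWebACL call
    issued under the controller's assumed role, for either WAF API flavour."""
    hits = []
    for ev in records:
        if ev.get("eventName") != "DisassociateWebACL":
            continue
        if ev.get("eventSource") not in WAF_SOURCES:
            continue
        session = ev.get("userIdentity", {}).get("sessionContext", {})
        if session.get("sessionIssuer", {}).get("userName") != CONTROLLER_ROLE:
            continue
        hits.append((ev["eventTime"], ev["requestParameters"]["resourceArn"]))
    return hits


def missing_acl_annotation(ingress, expected_acl_arn):
    """True if the Ingress lacks the annotation or names a different ACL,
    i.e. the controller will reconcile the ALB away from the intended WebACL."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    return annotations.get(ANNOTATION) != expected_acl_arn


# Constructed sample events, laid out like the CloudTrail record in the thread
SAMPLE_EVENTS = [
    {"eventTime": "2023-08-08T15:11:37Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DisassociateWebACL",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"type": "Role", "userName": CONTROLLER_ROLE}}},
     "requestParameters": {"resourceArn": "arn:aws:elasticloadbalancing:eu-west-3:"
                           "111111111111:loadbalancer/app/k8s-alb-example/0123456789abcdef"}},
    {"eventTime": "2023-08-08T15:12:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "GetWebACL", "userIdentity": {}, "requestParameters": {}},
]
# Constructed Ingress with the annotation missing: the failure mode in this thread
SAMPLE_INGRESS = {"metadata": {"name": "website", "annotations": {
    "kubernetes.io/ingress.class": "alb"}}}

if __name__ == "__main__":
    for when, arn in controller_disassociations(SAMPLE_EVENTS):
        print(f"{when}: controller removed WAF from {arn}")
    print("annotation missing:", missing_acl_annotation(SAMPLE_INGRESS, "arn:aws:wafv2:PLACEHOLDER"))
```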
