Invalid request provided: AWS::ElasticLoadBalancingV2::ListenerRule Validation exception

Question

I need to create just a TargetGroup and ListenerRule with the CloudFormation but i received error.

My CloudFormation:

TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Sub ${StackName}-alb
      VpcId: !Ref VpcId
      Port: !Ref ContainerPort
      Protocol: HTTP
      Matcher:
        HttpCode: 200
      HealthCheckIntervalSeconds: 10
      HealthCheckPath: !Ref HealthCheckPath
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      TargetType: ip
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 30

  ListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    DependsOn: 
      - TargetGroup
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
      Conditions:
        - Field: host-header
          Values:
            - "www.mydominian.*"
      ListenerArn: !Ref ListenerArn
      Priority: 164

So, the error is the image

Answer 1

Another reason for this error can be a faulty Listener ARN, in our case it was a copy/paste error of the ARN for a pre-existing LB that we referenced in a stack.

Answer 2

In my case, the specified header value contained invalid characters:

Maximum 128 characters. Allowed characters are a-z, A-Z, 0-9; spaces; the following special characters:
!"#$%&'()+,./:;<=>@[]^_`{|}~-; and wildcards (* and ?).

Answer 3

I also had this - and to add to other answers that talk about 'Condition values per rule' - that includes e.g. an HTTP Header check AND e.g. path checks.

So this was failing for me:

   0       Conditions:
   1         - Field: http-header
   2           HttpHeaderConfig:
   3             HttpHeaderName: Cookie
   4             Values:
   5               - '*MyCookieValue=*'
   6         - Field: path-pattern
   7           PathPatternConfig:
   8             Values:
   9               - '/path1'
  10               - '/path2'
  11               - '/path3'
  12               - '/path4'
  13               - '/path5'

...because the Cookie check counts as a value, as well as the 5 paths!

Answer 4

You have to check every character of your values, the service validates them, but it seems like they have only this generic error message.

In my case, the problem was a redundant 's', I had

  Actions:
    - Type: forwards

Only after comparing character by character with an example, I noticed the redundant 's'.

Answer 5

CloudFormation will also throw this "Invalid request provided" error if the permissions of the deploying user are incorrect.

We had to add an elasticloadbalancing:CreateRule Action, and supply the correct ARN conditions for the listener as well as a listener-rule wildcard in the Resource collection of the policy.

{
    "Effect": "Allow",
    "Action": [
        "elasticloadbalancing:CreateRule"
    ],
    "Resource": [
        "arn:aws:elasticloadbalancing:<region>:<account-id>:listener/app/<lb name>/<lb-id>/<listener-id>",
        "arn:aws:elasticloadbalancing:<region>:<account-id>:listener-rule/app/<lb name>/<lb-id>/<listener-id>/*"
    ]
}

Hope this helps someone else.

Answer 6

Ensure "Condition Values per Rule" doesn't exceed the quota of 5 rules per listener. The web console can help with that:

EC2
  -> Load Balancers
    -> [Select your load balancer]
      -> Listeners
        -> View/Edit Rules 
          -> Rule limits for condition values, wildcards, and total rules

Answer 7

I would like to share that in my case the course of the problem was the number of conditions in the rule. I had them 6 instead of 5.

Quotas for your Application Load Balancers, where

Rule

• Match evaluations per rule: 5

Answer 8

It's just missing the HostHeaderConfig in the Conditions section. Update it to the following:

Conditions:
  - Field: host-header
    HostHeaderConfig:
      Values:
        - "www.mydominian.*"

When you define Field, you'll need to use the correct Config section. Unfortunately, it's not smart enough to know which one to apply your pattern to.

For example, if you were using path-based routing it would look like this:

Conditions: 
  - Field: path-pattern
    PathPatternConfig:
      Values:
        - "/api/micro-service-1/*"

Answer 9

AWS::StackName looks like it's missing the AWS:: prefix

---

Recommend trying the CloudFormation Linter in VSCode to see some of these errors inline while authoring templates along with autocompletion and documentation links:

[cfn-lint] E1019: Parameter StackName for Fn::Sub not found at Resources/TargetGroup/Properties/Name/Fn::Sub