Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Hi, I tried to create a cloudformation template in yaml for WAF's ipAllow and IPDeny rule and ended up with the following error message & the code used is given below. I Kindly help.

0

I tried to resolve and unfortunately, I couldn't resolve. Tried many possible ways. CODE USED:

---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSeta.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSetAllow.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

ERROR MESSAGE: Resource handler returned message: "Model validation failed (#/Rules: 2 schema violations found) #/Rules/0/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 12 (#/Rules/0/Statement/IPSetReferenceStatement/Arn) #/Rules/1/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 16 (#/Rules/1/Statement/IPSetReferenceStatement/Arn)" (RequestToken: c5aa21ef-15c4-9c7d-04cb-f3b52a6e5a4e, HandlerErrorCode: InvalidRequest)

Themen
Management & Unternehmensführung
Tags
AWS CloudFormation
Sprache
English
Gowtham
gefragt vor 9 Monaten334 Aufrufe
1 Antwort
0
Akzeptierte Antwort

Hello.
CloudFormation templates have been modified to work.
The error was caused by a failure in the "Rules" section to obtain the "IPSetReferenceStatement" Arn.
Also, because "Capacity" was set to 1, only one rule could be set.
So we are increasing it to the maximum value of 1500.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenya.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllow.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
profile picture
EXPERTE
Riku_Kobayashi
beantwortet vor 9 Monaten
profile pictureAWS
EXPERTE
Jonathan_D
überprüft vor 9 Monaten
  • Gowtham
    vor 9 Monaten

    How did I miss the capacity!!!!??? the code works now!! I have been spending all day with WAF from morning, still gotta add two more AWS managed rules to the template which I can do. Thank you Riku you are the best and you are my saviour!!!

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt