Can't Associate WebACL to API Gateway by CloudFormation

0

I have an issue using CloudFormation to add WAF to my API Gateway. My YAML is like:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: "Service"
Resources: 
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: WafACL
        SampledRequestsEnabled: true
      Rules:
        - Name: AWS-AWSManagedRulesCommonRuleSet
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules:
                - Name: GenericRFI_BODY
          OverrideAction:
            None: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: false
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "arn:aws:apigateway:ap-northeast-1::/restapis/${ServerlessRestApi}/stages/${ServerlessRestApiProdStage}"
      WebACLArn: !Ref WebACL

The WebACL is created successfully, but the association fails. The error message is:

An error occurred (WAFInvalidParameterException) when calling the AssociateWebACL operation: Error reason: The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN

I also tried writing the ARN directly without using Sub and confirmed it is the same format as in the article: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

I found a question on StackOverflow that is exactly the same as my issue; he also used aws-cli to do the same job and got the same error:
https://stackoverflow.com/questions/60955745/applying-webacl-to-api-gateway

Edited by: othree3 on Apr 6, 2020 11:37 PM

othree3
asked 4 years ago, 1573 views
3 answers
0

For CLI:
WAFv2 has a different scheme for the ARN. WAF Classic uses the UUID alone, whereas WAFv2 uses the full ARN.
From: https://docs.aws.amazon.com/cli/latest/reference/wafv2/associate-web-acl.html

aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2

For CFN:
WAFv2 has multiple return attributes, so you cannot just reference the entire web ACL:

WebACLArn: !Ref <webacl>

Thus, you will have to do the following:

WebACLArn: !GetAtt <webacl>.Arn
AWS
answered 4 years ago
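The point of the answer above, that `!Ref` on an `AWS::WAFv2::WebACL` does not give the ARN the association needs while `!GetAtt <webacl>.Arn` does, is the kind of mistake that is cheap to catch before `deploy`. The following is an added example, not code from the question, the answer or AWS: a small pre-deploy lint over the template in dict form (the JSON long form of `!Sub`, `!Ref` and `!GetAtt`, which is what a YAML loader with the CloudFormation tags would hand you). It flags a `WebACLArn` that uses `!Ref` against a WAFv2 web ACL, a `!GetAtt` that asks for an attribute other than `Arn`, and a `ResourceArn` literal that does not have the `arn:` shape the error message complains about, and it shows the corrected form. The template fragment and the loose ARN regex are constructed for the example.

```python
import copy
import re

# Loose ARN shape check, mirroring the service error text on this page:
# "A valid ARN begins with arn: and includes other information separated by colons or slashes."
# Constructed for this example; it is not the exact validation AWS performs.
ARN_RE = re.compile(r"^arn:[a-z-]+:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$")

# Constructed: the question's template reduced to its two WAF resources, with the
# YAML short-form tags (!Sub, !Ref, !GetAtt) written in their JSON long form.
BROKEN_TEMPLATE = {
    "Resources": {
        "WebACL": {
            "Type": "AWS::WAFv2::WebACL",
            "Properties": {"Scope": "REGIONAL", "DefaultAction": {"Allow": {}}},
        },
        "WebACLAssociation": {
            "Type": "AWS::WAFv2::WebACLAssociation",
            "Properties": {
                "ResourceArn": {
                    "Fn::Sub": "arn:aws:apigateway:ap-northeast-1::/restapis/"
                               "${ServerlessRestApi}/stages/${ServerlessRestApiProdStage}"
                },
                "WebACLArn": {"Ref": "WebACL"},  # the bug from the question: !Ref, not !GetAtt ...Arn
            },
        },
    }
}


def _is_wafv2_acl(resources, logical_id):
    return resources.get(logical_id, {}).get("Type") == "AWS::WAFv2::WebACL"


def _getatt_parts(value):
    """Fn::GetAtt accepts ["Logical", "Attr"] or the string "Logical.Attr"."""
    target = value["Fn::GetAtt"]
    if isinstance(target, str):
        logical, _, attr = target.partition(".")
        return logical, attr
    return target[0], target[1]


def lint_web_acl_associations(template):
    """Flag WebACLAssociation properties that cannot resolve to a valid ARN at deploy time."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::WAFv2::WebACLAssociation":
            continue
        props = res.get("Properties", {})

        acl = props.get("WebACLArn")
        if isinstance(acl, dict) and "Ref" in acl:
            target = acl["Ref"]
            if _is_wafv2_acl(resources, target):
                findings.append(
                    f"{name}.WebACLArn: !Ref {target} does not return the web ACL ARN; "
                    f"use !GetAtt {target}.Arn"
                )
        elif isinstance(acl, dict) and "Fn::GetAtt" in acl:
            logical, attr = _getatt_parts(acl)
            if attr != "Arn":
                findings.append(f"{name}.WebACLArn: !GetAtt {logical}.{attr} is not the Arn attribute")
        elif isinstance(acl, str) and not ARN_RE.match(acl):
            findings.append(f"{name}.WebACLArn: literal value {acl!r} is not an ARN")

        # Fn::Sub is either a plain string or [string, {variables}]; check the string part.
        resource_arn = props.get("ResourceArn")
        literal = resource_arn
        if isinstance(resource_arn, dict) and "Fn::Sub" in resource_arn:
            sub = resource_arn["Fn::Sub"]
            literal = sub[0] if isinstance(sub, list) else sub
        if isinstance(literal, str) and not ARN_RE.match(literal):
            findings.append(f"{name}.ResourceArn: {literal!r} does not look like an ARN")
    return findings


def fixed_template(template):
    """Return a copy where every WebACLArn !Ref to a WAFv2 WebACL becomes !GetAtt <acl>.Arn."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})
    for res in resources.values():
        if res.get("Type") != "AWS::WAFv2::WebACLAssociation":
            continue
        acl = res.get("Properties", {}).get("WebACLArn")
        if isinstance(acl, dict) and "Ref" in acl and _is_wafv2_acl(resources, acl["Ref"]):
            res["Properties"]["WebACLArn"] = {"Fn::GetAtt": [acl["Ref"], "Arn"]}
    return fixed


if __name__ == "__main__":
    for finding in lint_web_acl_associations(BROKEN_TEMPLATE):
        print("FAIL:", finding)
    print("after fix:", lint_web_acl_associations(fixed_template(BROKEN_TEMPLATE)) or "no findings")
```

Running it against the constructed copy of the question's template yields a single finding pointing at `WebACLAssociation.WebACLArn`; after `fixed_template` rewrites it to `{"Fn::GetAtt": ["WebACL", "Arn"]}` the lint is clean. Wiring a check like this into the pipeline that runs `sam`/`aws cloudformation deploy` turns a stack rollback with a misleading `RESOURCE_ARN` message into a one-line failure before anything is created.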
0

Thank you Kevin

This solved my issue, and it works now. But I think the error message is not clear.

The "field: RESOURCE_ARN" part makes it look like the invalid parameter is ResourceArn, but what is actually invalid is WebACLArn. Is this the correct error message, or am I misunderstanding it?

othree3
answered 4 years ago
0

Thanks, Kevin. This solved a similar issue for me as well. A corresponding example in the documentation would help reduce headaches for others ;-)

AFO
answered 3 years ago
