Hi, I tried to create a CloudFormation template in YAML for WAF's IP allow and IP deny rules and ended up with the following error message; the code used is given below. Kindly help.

I tried to resolve it and unfortunately couldn't. Tried many possible ways. CODE USED:

---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSeta.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSetAllow.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

ERROR MESSAGE: Resource handler returned message: "Model validation failed (#/Rules: 2 schema violations found) #/Rules/0/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 12 (#/Rules/0/Statement/IPSetReferenceStatement/Arn) #/Rules/1/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 16 (#/Rules/1/Statement/IPSetReferenceStatement/Arn)" (RequestToken: c5aa21ef-15c4-9c7d-04cb-f3b52a6e5a4e, HandlerErrorCode: InvalidRequest)

Gowtham
posted 9 months ago, 334 views
1 Answer
Accepted answer

Hello.
The CloudFormation template has been modified to work.
The error was caused by a failure in the "Rules" section to obtain the "IPSetReferenceStatement" Arn.
Also, because "Capacity" was set to 1, only one rule could be set.
So we are increasing it to the maximum value of 1500.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500  # raised from 1: each IPSetReferenceStatement rule costs 1 WCU, so two rules exceeded the old value
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenya.Arn  # !GetAtt on the IPSet's logical ID (not its Name) yields the real ARN; the bare string MyIPSeta.Arn was sent literally
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllow.Arn  # same fix: resolve the ARN from the IPSet resource instead of a bare string
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
EXPERT
answered 9 months ago
AWS EXPERT
verified 9 months ago
  • How did I miss the capacity!? The code works now! I have been spending all day with WAF since morning, and I still have to add two more AWS managed rules to the template, which I can do. Thank you Riku, you are the best and you are my saviour!
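A static check for the two defects the answer identifies, as an added example that is not from this thread: a Python script over the JSON form of the template (YAML's !GetAtt is {"Fn::GetAtt": [...]} in JSON) that flags Arn values which are bare strings or GetAtt references to a logical ID that is not an IPSet, and compares the rules' summed WCU cost against Capacity. The WCU cost table, the 20-character minimum taken from the error message, and the embedded template are constructed for this example.

```python
import json

IPSET = "AWS::WAFv2::IPSet"
WCU_COST = {"IPSetReferenceStatement": 1}  # assumed cost table: an IP set reference costs 1 WCU
MIN_ARN_LEN = 20  # the minLength the schema error in the question reports

def check_rule_group(template_json: str) -> list:
    """Return findings for a JSON CloudFormation template; [] means both checks pass."""
    resources = json.loads(template_json).get("Resources", {})
    findings = []
    for rg_id, res in resources.items():
        if res.get("Type") != "AWS::WAFv2::RuleGroup":
            continue
        props, needed = res.get("Properties", {}), 0
        for i, rule in enumerate(props.get("Rules", [])):
            stmt = rule.get("Statement", {})
            needed += sum(WCU_COST.get(kind, 0) for kind in stmt)
            arn = stmt.get("IPSetReferenceStatement", {}).get("Arn")
            where = f"{rg_id}.Rules[{i}].Arn"
            if isinstance(arn, dict) and "Fn::GetAtt" in arn:
                # The reference must name the IPSet's logical ID (not its Name) and its Arn attribute.
                target, attr = arn["Fn::GetAtt"]
                if resources.get(target, {}).get("Type") != IPSET or attr != "Arn":
                    findings.append(f"{where}: GetAtt {target}.{attr} does not resolve to an {IPSET}")
            elif isinstance(arn, str) and (not arn.startswith("arn:") or len(arn) < MIN_ARN_LEN):
                # A bare string is sent verbatim, which is why 'MyIPSeta.Arn' failed as a 12-char non-ARN.
                findings.append(f"{where}: literal {arn!r} is not an ARN; use Fn::GetAtt [<LogicalId>, Arn]")
        if needed > props.get("Capacity", 0):
            findings.append(f"{rg_id}: rules need {needed} WCU but Capacity is {props.get('Capacity')}")
    return findings

def template(capacity, deny_arn, allow_arn) -> str:
    """Constructed JSON form of the thread's template, parameterised on the two fixes."""
    def ipset(name, cidr):
        return {"Type": IPSET, "Properties": {"Name": name, "Scope": "REGIONAL",
                                               "IPAddressVersion": "IPV4", "Addresses": [cidr]}}
    def rule(name, action, arn, prio):
        return {"Name": name, "Priority": prio, "Action": {action: {}},
                "Statement": {"IPSetReferenceStatement": {"Arn": arn}}}
    return json.dumps({"Resources": {
        "MyIPSetdenya": ipset("MyIPSeta", "192.0.2.44/32"),
        "MyIPSetAllow": ipset("MyIPSetAllow", "10.0.0.0/32"),
        "MyIPSetRule": {"Type": "AWS::WAFv2::RuleGroup", "Properties": {
            "Name": "MyIPSetRule", "Scope": "REGIONAL", "Capacity": capacity,
            "Rules": [rule("MyIPSetDenya", "Block", deny_arn, 0),
                      rule("MyIPSetAllow", "Allow", allow_arn, 1)]}}}})

BROKEN = template(1, "MyIPSeta.Arn", "MyIPSetAllow.Arn")         # the question's version: 3 findings
FIXED = template(1500, {"Fn::GetAtt": ["MyIPSetdenya", "Arn"]},  # the accepted answer's version: none
                 {"Fn::GetAtt": ["MyIPSetAllow", "Arn"]})
```

Note that GetAtt on the IPSet's Name ("MyIPSeta") rather than its logical ID ("MyIPSetdenya") is also caught, which is the second, silent correction the accepted answer made.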
