Hi, I tried to create a CloudFormation template in YAML for WAF's IPAllow and IPDeny rules and ended up with the following error message; the code used is given below. Kindly help.

I tried to resolve it, but unfortunately I couldn't. I tried many possible ways. CODE USED:

---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSeta.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSetAllow.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

ERROR MESSAGE: Resource handler returned message: "Model validation failed (#/Rules: 2 schema violations found) #/Rules/0/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 12 (#/Rules/0/Statement/IPSetReferenceStatement/Arn) #/Rules/1/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 16 (#/Rules/1/Statement/IPSetReferenceStatement/Arn)" (RequestToken: c5aa21ef-15c4-9c7d-04cb-f3b52a6e5a4e, HandlerErrorCode: InvalidRequest)

Gowtham
Asked 9 months ago, 334 views
1 answer
Accepted answer

Hello.
I have modified the CloudFormation template so that it works.
The error was caused by the "Rules" section failing to obtain the "IPSetReferenceStatement" Arn.
Also, because "Capacity" was set to 1, only one rule could be set.
So we are increasing it to the maximum value of 1500.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenya.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllow.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
Expert
Answered 9 months ago
AWS Expert
Reviewed 9 months ago
  • How did I miss the capacity!!!!??? The code works now!! I have been spending all day with WAF since morning; I still have to add two more AWS managed rules to the template, which I can do. Thank you Riku, you are the best and you are my saviour!!!
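
As an added example (not code from the question, the answer or AWS), a small pre-deployment lint that catches both defects discussed in this thread before CloudFormation does: an IPSetReferenceStatement Arn given as a bare string (which WAF validates literally, hence the "minLength: 20" error), a GetAtt that does not point at an AWS::WAFv2::IPSet logical ID, and a RuleGroup Capacity below the WCU its rules need. It assumes the template is held in CloudFormation JSON form (!GetAtt X.Arn is {"Fn::GetAtt": ["X", "Arn"]}), that an IPSetReferenceStatement costs 1 WCU, and it embeds a constructed copy of the thread's resources with VisibilityConfig omitted.

```python
# Added pre-deploy lint, not an AWS or CloudFormation tool. It catches the
# defects in the question: a bare string where an IPSet ARN is expected, a
# GetAtt to a non-IPSet logical ID, and a Capacity too small for the rules.
# Templates are held in CloudFormation JSON form (!GetAtt X.Arn == {"Fn::GetAtt": ["X", "Arn"]}).
IPSET_TYPE = "AWS::WAFv2::IPSet"
WCU_COST = {"IPSetReferenceStatement": 1}  # base cost; other statements assumed 1 (placeholder)

def lint_rule_group(template: dict, logical_id: str) -> list:
    """Return findings (empty list = clean) for one AWS::WAFv2::RuleGroup."""
    resources = template["Resources"]
    props = resources[logical_id]["Properties"]
    findings = []
    for rule in props["Rules"]:
        for stmt_type, body in rule["Statement"].items():
            if stmt_type != "IPSetReferenceStatement":
                continue
            arn = body.get("Arn")
            if isinstance(arn, dict) and "Fn::GetAtt" in arn:
                target, attr = arn["Fn::GetAtt"]
                if attr != "Arn" or resources.get(target, {}).get("Type") != IPSET_TYPE:
                    findings.append(f"{rule['Name']}: Fn::GetAtt {target}.{attr} is not an {IPSET_TYPE} Arn")
            elif not (isinstance(arn, str) and arn.startswith("arn:aws") and len(arn) >= 20):
                # This is the 'expected minLength: 20' error: the string is taken literally.
                findings.append(f"{rule['Name']}: Arn {arn!r} is a literal, not an ARN; use !GetAtt <IPSet>.Arn")
    needed = sum(WCU_COST.get(t, 1) for r in props["Rules"] for t in r["Statement"])
    if props["Capacity"] < needed:
        findings.append(f"Capacity {props['Capacity']} is below the {needed} WCU the rules need")
    return findings

def template(capacity, deny_arn, allow_arn) -> dict:
    """Constructed template with the thread's resources (VisibilityConfig omitted)."""
    def rule(name, prio, action, arn):
        return {"Name": name, "Priority": prio, "Action": {action: {}},
                "Statement": {"IPSetReferenceStatement": {"Arn": arn}}}
    return {"Resources": {
        "MyIPSetdenya": {"Type": IPSET_TYPE, "Properties": {"Name": "MyIPSeta"}},
        "MyIPSetAllow": {"Type": IPSET_TYPE, "Properties": {"Name": "MyIPSetAllow"}},
        "MyIPSetRule": {"Type": "AWS::WAFv2::RuleGroup", "Properties": {
            "Capacity": capacity,
            "Rules": [rule("MyIPSetDenya", 0, "Block", deny_arn),
                      rule("MyIPSetAllow", 1, "Allow", allow_arn)]}}}}

BROKEN = template(1, "MyIPSeta.Arn", "MyIPSetAllow.Arn")  # as posted in the question
FIXED = template(1500, {"Fn::GetAtt": ["MyIPSetdenya", "Arn"]},  # as in the accepted answer
                 {"Fn::GetAtt": ["MyIPSetAllow", "Arn"]})

if __name__ == "__main__":
    for label, t in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_rule_group(t, "MyIPSetRule") or ["ok"])
```

Running it reports three findings for the posted template (two literal Arn strings plus Capacity 1 below the 2 WCU needed) and none for the accepted one.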
