CloudFormation WAFv2 association

0

How do I associate a CloudFormation AWS::WAFv2::WebACL with an ALB?
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html

Classic WAF had AWS::WAFRegional::WebACLAssociation but I don't see anything for WAFv2.

I've had a support ticket open for over a week asking this but so far noone has a clue. Any ideas?

asked 4 years ago · 1798 views
14 Answers
0

Running into the same issue: WAF v2 works with other resource types but not CloudFront. Wish there was an easier way to report bugs.

answered 4 years ago
0

I got this back from support. So WAFv2 for ALB and API Gateway is not supported by CloudFormation.


The WAFv2 Resource Type Reference:

AWS::WAFv2::RegexPatternSet
AWS::WAFv2::RuleGroup
AWS::WAFv2::WebACL
AWS::WAFv2::IPSet

The above resources support the following return values:

  • !GetAtt Resource.Arn
  • !GetAtt Resource.Id

The !GetAtt Resource.Arn returns the ARN of the resource.

Referencing the AWS::WAFv2::WebACL resource:

  1. For ALB and API Gateway: Association of WebACL for WAFv2 through CloudFormation is not supported currently. Our service team is working on this feature.

  2. For CloudFront: Pass the ARN of WebACL for WAFv2 to the WebACLId property of AWS::CloudFront::Distribution resource [1].

I tested the association of WebACL for WAFv2 to CloudFront as stated below and it works.

MyWebACL:
  Type: AWS::WAFv2::WebACL
  Properties:
    Name: "WAF"
    Scope: "CLOUDFRONT"
    ......

myDistribution:
  Type: "AWS::CloudFront::Distribution"
  Properties:
    DistributionConfig:
      WebACLId: !GetAtt MyWebACL.Arn
    ......

I have also asked the service team to update the documentation. Please let me know if the above works in your use case.

Documentation:

[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html

answered 4 years ago
0

Hello!

Regional web ACL association through CloudFormation is currently not available, but we expect to fix this by the end of next week.

Regarding CloudFront web ACL association, as you already found out, you can associate a web ACL using AWS::CloudFront::Distribution by simply providing ARN of web ACL.

Also, you might notice that although the association is successful, the change is not reflected in the other services' consoles (e.g., CloudFront, Application Load Balancer, API Gateway). You can confirm the association in the WAF console for now. We are currently working on addressing this issue as well.

AWS
answered 4 years ago
0

KevinL-AWS wrote:
Regional web ACL association through CloudFormation is currently not available, but we expect to fix this by the end of next week.

I see Cloudformation had a bunch of announcements yesterday (Dec 16)
https://aws.amazon.com/about-aws/whats-new/2019/12/aws-cloudformation-updates-for-api-gateway-codepipeline-s3-iam-ecs-rds-es-lambda-and-more/

One of the announcements is
Use the latest version of AWS WAF, a web application firewall that lets users monitor HTTP(S) requests that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer.

But I still don't see how to use WAFv2 with ALB via Cloudformation. So what is this announcement referring to?

answered 4 years ago
0

We are nearing the end of "next week". Any updates you can share?

answered 4 years ago
0

It made it to the release notes, but not in the docs yet
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html

The following resource was added: AWS::WAFv2::WebACLAssociation.
AWS WAFv2
Use the web ACL association to define an association between a Web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB) or an API Gateway stage. For CloudFront distributions, you use AWS::CloudFront::Distribution to manage the association.

answered 4 years ago
0

Are there any updates on this? Just raised a ticket into the Cloudformation Roadmap GitHub project but found this forum thread.

jamiem
answered 4 years ago
0

Yes, I heard from support yesterday that they will fix this by removing the premature announcement about AWS::WAFv2::WebACLAssociation:

Meanwhile, I have asked the team to modify the announcement on the release history page [1] as there is no documentation available to justify the announcement.
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html

answered 4 years ago
0

I have raised the ticket in the Cloudformation GitHub project... Been advised we need a lot of +1's to try and gain enough traction to get progressed:
https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/344

jamiem
answered 4 years ago
0

Assume they didn't mention any timescales?

Edited by: jamiem on Jan 16, 2020 12:03 AM

jamiem
answered 4 years ago
0

This appears to have been released on the 16th Jan, according to the release notes:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html

However, when trying to use it, I get

An error occurred (ValidationError) when calling the CreateChangeSet operation: Template format error: Unrecognized resource types: [AWS::WAFv2::WebACLAssociation]

Waited a few days in case, but still appears to be an issue.

Edit:
Documentation for it here:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html

Edited by: RalphLawrence on Jan 20, 2020 2:58 AM

answered 4 years ago
0

This is interesting, will attach to the GitHub feature request.

jamiem
answered 4 years ago
0

The web ACL association for WAFv2 through CloudFormation is now available:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html

Here's sample code for associating to an ALB:

## Associate WAFv2 Web ACL with a load balancer
## Alb = AWS::ElasticLoadBalancingV2::LoadBalancer
## wafACL = AWS::WAFv2::WebACL

  wafALBAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: 
        !Sub 
          - 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/${TargetALB}'
          - TargetALB: !GetAtt Alb.LoadBalancerFullName
      WebACLArn: !GetAtt wafACL.Arn

We do apologize for the delay this has caused. Thank you!

AWS
answered 4 years ago
0

LoadBalancer:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer

MyWAFWebACLAsgn:
  DependsOn: MyWAFWebACL
  Type: AWS::WAFv2::WebACLAssociation
  Properties:
    WebACLArn: !Ref MyWAFWebACL
    # ResourceArn: !GetAtt LoadBalancer.Arn
    ResourceArn: !Sub
      - "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/${LoadBalancerFullName}"
      - LoadBalancerFullName: !GetAtt LoadBalancer.LoadBalancerFullName

Not working for the resource ARN. The resource ARN shows as invalid every time.

answered 8 days ago
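An offline sanity check for the two ARNs a WAFv2 association needs, added here as an example (not AWS's code and not posted in this thread). The ARN values are constructed samples; the checks encode the constraints this thread runs into: the web ACL must have REGIONAL scope for an ALB or API Gateway stage (CLOUDFRONT scope is set on the distribution instead), WebACLArn must be an ARN rather than the WebACL's Ref value, the resource must be an application load balancer, and both must be in the same region.

```python
import re
from typing import List

# Constructed sample ARNs (not from the thread); they follow the public ARN shapes.
REGIONAL_ACL = "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/api-acl/1e2d3c4b-aaaa-bbbb-cccc-123456789abc"
GLOBAL_ACL = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/cdn-acl/1e2d3c4b-aaaa-bbbb-cccc-123456789abc"
ALB_ARN = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/web-alb/50dc6c495c0c9188"
NLB_ARN = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/net/web-nlb/50dc6c495c0c9188"
APIGW_STAGE = "arn:aws:apigateway:eu-west-1::/restapis/a1b2c3d4e5/stages/prod"

# WAFv2 web ACL ARN: the segment after the account is "regional" or "global" (CloudFront).
ACL_RE = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):\d{12}:(?P<scope>regional|global)/webacl/[^/]+/[0-9a-f-]{36}$")
# ALB ARN: "loadbalancer/" followed by LoadBalancerFullName (app|net|gwy / name / id).
ALB_RE = re.compile(
    r"^arn:aws:elasticloadbalancing:(?P<region>[a-z0-9-]+):\d{12}:loadbalancer/(?P<kind>app|net|gwy)/[^/]+/[0-9a-f]+$")
# API Gateway stage ARN as WAF expects it (empty account field).
APIGW_RE = re.compile(r"^arn:aws:apigateway:(?P<region>[a-z0-9-]+)::/restapis/[a-z0-9]+/stages/[^/]+$")


def check_association(web_acl_arn: str, resource_arn: str) -> List[str]:
    """Return the problems found; an empty list means the pair is well-formed."""
    problems: List[str] = []
    acl = ACL_RE.match(web_acl_arn)
    if acl is None:
        # The WebACL's Ref resolves to its Name|Id|Scope physical ID, not the ARN.
        return ["WebACLArn is not a WAFv2 web ACL ARN (use !GetAtt <WebACL>.Arn)"]
    if acl["scope"] != "regional":
        problems.append("web ACL has CLOUDFRONT (global) scope; regional resources need Scope: REGIONAL")
    res = ALB_RE.match(resource_arn) or APIGW_RE.match(resource_arn)
    if res is None:
        return problems + ["ResourceArn is not an ALB or API Gateway stage ARN"]
    if res.re is ALB_RE and res["kind"] != "app":
        problems.append(f"load balancer type '{res['kind']}' is not an Application Load Balancer")
    if res["region"] != acl["region"]:
        problems.append("web ACL and resource are in different regions")
    return problems


if __name__ == "__main__":
    for acl_arn, res_arn in [(REGIONAL_ACL, ALB_ARN), (GLOBAL_ACL, ALB_ARN), (REGIONAL_ACL, NLB_ARN)]:
        print(res_arn.rsplit("/", 2)[-2], check_association(acl_arn, res_arn) or "ok")
```

Run it against the ARNs a deployed stack actually produced (for example from the stack's outputs) to see which constraint the "invalid resource ARN" error is tripping on.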
