Cloudformation WAF Association

Question

Hi All,
I'm trying to create a WebAcl waf association with a ALB using Jenkins Ci/CD. **The Jenkins user has full admin permissions** on the account. I've even added:

```
- PolicyName: Regional-Waf
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              Effect: Allow
              Action:
                - wafv2:*
              Resource: "*"
```
Just to make sure... But... I get the following cloudformation **AFTER the association is created.**.. 
Resource handler returned message: "User: arn:aws:iam::${AWS::AccountId}:user/Jenkins is not authorized to perform: wafv2:GetWebACL on resource: arn:aws:wafv2:${AWS::Region}:${AWS::AccountId}:regional/webacl/waf-webacl-qa/789b4eed-77cf-4108-918f-0fa016a14cf7 with an explicit deny in an identity-based policy (Service: Wafv2, Status Code: 400, Request ID: ccba5209-7fb7-4ac9-b358-90131bf45e3d, Extended Request ID: null)" (RequestToken: 0bdbad29-c5b9-7fcc-51f6-fe011d6b8057, HandlerErrorCode: GeneralServiceException)

So, YES to association is created by the Jenkins user. But immediately after that, cfn gives this error...
The WAF is Regional. So no cloudfront.

Answer

Found the fix... Just don't understand it... I had a Ip restricion policy attached to the Jenkins user with the IP's of the agents and master...

```
 - PolicyName: IPRestricteddPolicyForServiceAccounts
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              Effect: Deny
              Action: "*"
              Resource: "*"
              Condition:
                NotIpAddress:
                  aws:SourceIp:
                    - *******/32
                    - ********/32
                    - *******/32
                    - *******/32
```

Removing this one fixed it... But can somebody explain to me... Why?

Cloudformation WAF Association

Relevant content