By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Hi, I tried to create a cloudformation template in yaml for WAF's ipAllow and IPDeny rule and ended up with the following error message & the code used is given below. I Kindly help.

0

I tried to resolve and unfortunately, I couldn't resolve. Tried many possible ways. CODE USED:

---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSeta.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: MyIPSetAllow.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

ERROR MESSAGE: Resource handler returned message: "Model validation failed (#/Rules: 2 schema violations found) #/Rules/0/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 12 (#/Rules/0/Statement/IPSetReferenceStatement/Arn) #/Rules/1/Statement/IPSetReferenceStatement/Arn: expected minLength: 20, actual: 16 (#/Rules/1/Statement/IPSetReferenceStatement/Arn)" (RequestToken: c5aa21ef-15c4-9c7d-04cb-f3b52a6e5a4e, HandlerErrorCode: InvalidRequest)

Topics
Management & Governance
Tags
AWS CloudFormation
Language
English
Gowtham
asked 9 months ago315 views
1 Answer
0
Accepted Answer

Hello.
CloudFormation templates have been modified to work.
The error was caused by a failure in the "Rules" section to obtain the "IPSetReferenceStatement" Arn.
Also, because "Capacity" was set to 1, only one rule could be set.
So we are increasing it to the maximum value of 1500.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenya:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSeta
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllow:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllow
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRule
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenya
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenya.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllow
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllow.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
profile picture
EXPERT
Riku_Kobayashi
answered 9 months ago
profile pictureAWS
EXPERT
Jonathan_D
reviewed 9 months ago
  • Gowtham
    9 months ago

    How did I miss the capacity!!!!??? the code works now!! I have been spending all day with WAF from morning, still gotta add two more AWS managed rules to the template which I can do. Thank you Riku you are the best and you are my saviour!!!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content