- Newest
- Most votes
- Most comments
Thanks for all the suggestions. After contacting AWS Support, this issue has now been solved by updating both PHP SDK and AWS CLI to their latest versions. Hopefully this answer will help others as using an older version of either PHP SDK or AWS CLI will still work but using them will be destructive and cause configuration to be inadvertently lost.
Hi,
Thank you for contacting AWS Re:post .
I understand you have some clarifications regarding updating a WebACL in WAFV2 using either PHP SDK or AWS CLI without losing important configuration
Looking at the issue, This would require further analysis and troubleshooting. I would suggest you to open a case with the WAF premium support team and provide details such as:
--> WAF configuration
--> Any supported Logs (Access logs)
Thanks and have a nice day!
Relevant content
- asked 2 years ago
- asked 4 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
I would open a support ticket and bring to service team's attention.
Excellent question and the right place to put it!
I am breaking down the answer in 4 easy steps:
First of all, I suggest that you try the procedure below on a test/non-production WEBACL to get familiarized with the process.
Even though it easy to enable custom response code using AWS WAFv2 web console, I understand that is some cases it can be convenient using AWS CLI to change the WAF WebACL programmatically.
For testing purposes I disable custom response created with the AWS WAFv2 web console before starting and I'm going to enable custom response using AWS CLI. I'm going to change some parameters to highlight the difference with the custom response code generated using the web console.
[1] First of all, we need to get some additional information from our WebACL such as the WebACL ID and the Locktoken. Please run the following command as shown below:
$ aws wafv2 list-web-acls --scope REGIONAL You should get an output as shown below: “… { … “WebACLs”:[ { “Name”: “ACL-NAME” “Id”:”123456789-idid-1234-1234-id12345678910” “Description”: “description”, “LockToken”: “id345678-1234-1234-idid-1234567891011”, “ARN”: “arn:aws:wafv2:region:awsaccount:regional/webacl/ACLNAME/ARN” }, …”
[2] Copy the Web ACL ID and the LockToken.
AWS WAF returns a token to your GET and LIST requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like UPDATE and DELETE, with this you can add the “CustomResponse”. AWS WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation. So, make sure that you get the latest LockToken before running aws wafv2 update-web-acl.
This is what happens when you don’t use the proper LockToken: “… User$ aws wafv2 update-web-acl –name ACLNAME –scope REGIONAL –default-action Allow={} –id 123456789-idid-1234-1234-id12345678910 –lock-token id345678-1234-1234-idid-1234567891011 –visibility-config SampleRequestEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAcl-Metric –cli-input-json file://directory/WebAclJsonFile.json
An Error occurred (WAFOptimisticLockException) when calling the UpdateWebACL operation: AWS WAF couldn’t save your changes because someone changed the resource after you started to edit it. Reapply your changes. …”
[3] Once you get the Web ACL ID and the LockToken, you will need to run aws wafv2 update-web-acl using the following cli-skeleton. Modify the file accordingly and save it as “.json”
=================================================== {
"Name": "<WebACL_Name>", "Scope": "REGIONAL", "Id": "123456789-idid-1234-1234-id12345678910 ", "DefaultAction": { "Allow": {} }, "Rules": [ { Rule statement }, "Action": { "Block": { "CustomResponse": { "ResponseCode": <StatusCode_selected>, "CustomResponseBodyKey": "<CustomResponseBodyName>", "ResponseHeaders": [ { "Name": "<CustomHeader(Optional)>", "Value": "<CustomHeader_Value>" } ] } } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "<Metric_name for the rule>" } } ], "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "<Metric Name for the WebACL>" }, "LockToken": "Latest LockToken gotten using "aws wafv2 list-web-acls --scope REGIONAL" ", "CustomResponseBodies": { "<CustomResponseBodyName>": { "ContentType": "TEXT_HTML", "Content": "HTML_Code/PlainText or Json" } } }
[4] In order to update the WebACL run "aws wafv2 update-web-acl", using the saved “.json” file, including your CustomResponse, as below:
aws wafv2 update-web-acl --name <WebACL_Name> --scope REGIONAL --default-action Allow={} --id <WebACL ID> --lock-token <Latest LockToken> --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<Metric_Name_for_WebACL> --cli-input-json file://<path>/Filename.json
Once you run the command, you should get the next LockToken. This confirms that your changes were successfully applied. See:
“… User$ aws wafv2 update-web-acl –name ACLNAME –scope REGIONAL –default-action Allow={} –id 123456789-idid-1234-1234-id12345678910 –lock-token id345678-1234-1234-idid-1234567891012 –visibility-config SampleRequestEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAcl-Metric –cli-input-json file://directory/WebAclJsonFile.json { “NextLockToken”: “id345678-1234-1234-idid-12345678910id” } …“
After the above , feel free to check the WAF web console to confirm that our changes were applies successfully.
Additional information is available at: Custom responses for Block actions https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-for-blocked-requests.html
UpdateWebACL https://docs.aws.amazon.com/waf/latest/APIReference/API_UpdateWebACL.html