How to update a WebACL in WAFV2 using either PHP SDK or AWS CLI without losing important configuration


When working with WAFV2 and making a call to GetWebACL the CustomResponse configuration is missing. If this configuration is subsequently used in a call to UpdateWebACL then the CustomResponse is lost.

This appears to be a serious bug that would potentially cause undetected loss of configuration as the response from both API calls is successful.

The API documentation states:

To modify a web ACL, do the following: 1) Retrieve it by calling GetWebACL 2) Update its settings as needed 3) Provide the complete web ACL specification to UpdateWebACL

https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-wafv2-2019-07-29.html#updatewebacl

For example a WAFV2 Rule with the following configuration:

{
   "Name":"RateLimit-3000",
   "Priority":8,
   "Statement":{
      "RateBasedStatement":{
         "Limit":3000,
         "AggregateKeyType":"IP"
      }
   },
   "Action":{
      "Block":{
         "CustomResponse":{
            "ResponseCode":429,
            "CustomResponseBodyKey":"TooManyRequests"
         }
      }
   },
   "VisibilityConfig":{
      "SampledRequestsEnabled":true,
      "CloudWatchMetricsEnabled":true,
      "MetricName":"RateLimit-3000"
   }
}

Is returned from an API call to GetWebACL as this:

{
   "Name":"RateLimit-3000",
   "Priority":8,
   "VisibilityConfig":{
      "MetricName":"RateLimit-3000",
      "CloudWatchMetricsEnabled":true,
      "SampledRequestsEnabled":true
   },
   "Action":{
      "Block": { }
   },
   "Statement":{
      "RateBasedStatement":{
         "AggregateKeyType":"IP",
         "Limit":3000
      }
   }
}

If that configuration is then passed back to an API call to UpdateWebACL then the CustomResponse in the Block Action is removed.

Is this a known bug or is there another way to correctly update a WebACL without loss of configuration?

  • I would open a support ticket and bring to service team's attention.

  • Excellent question and the right place to put it!

    I am breaking down the answer in 4 easy steps:

    First of all, I suggest that you try the procedure below on a test/non-production WebACL to get familiar with the process.

    Even though it is easy to enable a custom response code using the AWS WAFv2 web console, I understand that in some cases it can be convenient to use the AWS CLI to change the WAF WebACL programmatically.

    For testing purposes I disabled the custom response created with the AWS WAFv2 web console before starting, and I'm going to enable the custom response using the AWS CLI. I'm going to change some parameters to highlight the difference from the custom response code generated using the web console.

    [1] First of all, we need to get some additional information from our WebACL such as the WebACL ID and the Locktoken. Please run the following command as shown below:

    $ aws wafv2 list-web-acls --scope REGIONAL

    You should get an output as shown below:

    {
       ...
       "WebACLs": [
          {
             "Name": "ACL-NAME",
             "Id": "123456789-idid-1234-1234-id12345678910",
             "Description": "description",
             "LockToken": "id345678-1234-1234-idid-1234567891011",
             "ARN": "arn:aws:wafv2:region:awsaccount:regional/webacl/ACLNAME/ARN"
          },
          ...
       ]
    }

  • [2] Copy the Web ACL ID and the LockToken.

    AWS WAF returns a token to your GET and LIST requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like UPDATE and DELETE, with this you can add the “CustomResponse”. AWS WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation. So, make sure that you get the latest LockToken before running aws wafv2 update-web-acl.

    This is what happens when you don't use the proper LockToken:

    User$ aws wafv2 update-web-acl --name ACLNAME --scope REGIONAL --default-action Allow={} --id 123456789-idid-1234-1234-id12345678910 --lock-token id345678-1234-1234-idid-1234567891011 --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAcl-Metric --cli-input-json file://directory/WebAclJsonFile.json

    An error occurred (WAFOptimisticLockException) when calling the UpdateWebACL operation: AWS WAF couldn't save your changes because someone changed the resource after you started to edit it. Reapply your changes.

  • [3] Once you get the Web ACL ID and the LockToken, you will need to run aws wafv2 update-web-acl using the following CLI skeleton. Modify the file accordingly and save it as ".json":

    ===================================================
    {
       "Name": "<WebACL_Name>",
       "Scope": "REGIONAL",
       "Id": "123456789-idid-1234-1234-id12345678910",
       "DefaultAction": { "Allow": {} },
       "Rules": [
          {
             <Rule statement (Name, Priority, Statement)>,
             "Action": {
                "Block": {
                   "CustomResponse": {
                      "ResponseCode": <StatusCode_selected>,
                      "CustomResponseBodyKey": "<CustomResponseBodyName>",
                      "ResponseHeaders": [
                         { "Name": "<CustomHeader(Optional)>", "Value": "<CustomHeader_Value>" }
                      ]
                   }
                }
             },
             "VisibilityConfig": {
                "SampledRequestsEnabled": true,
                "CloudWatchMetricsEnabled": true,
                "MetricName": "<Metric_name for the rule>"
             }
          }
       ],
       "VisibilityConfig": {
          "SampledRequestsEnabled": true,
          "CloudWatchMetricsEnabled": true,
          "MetricName": "<Metric Name for the WebACL>"
       },
       "LockToken": "<Latest LockToken from aws wafv2 list-web-acls --scope REGIONAL>",
       "CustomResponseBodies": {
          "<CustomResponseBodyName>": {
             "ContentType": "TEXT_HTML",
             "Content": "HTML_Code/PlainText or Json"
          }
       }
    }

  • [4] In order to update the WebACL, run "aws wafv2 update-web-acl" using the saved ".json" file, including your CustomResponse, as below:

    aws wafv2 update-web-acl --name <WebACL_Name> --scope REGIONAL --default-action Allow={} --id <WebACL ID> --lock-token <Latest LockToken> --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<Metric_Name_for_WebACL> --cli-input-json file://<path>/Filename.json

    Once you run the command, you should get the next LockToken. This confirms that your changes were successfully applied. See:

    User$ aws wafv2 update-web-acl --name ACLNAME --scope REGIONAL --default-action Allow={} --id 123456789-idid-1234-1234-id12345678910 --lock-token id345678-1234-1234-idid-1234567891012 --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAcl-Metric --cli-input-json file://directory/WebAclJsonFile.json
    {
       "NextLockToken": "id345678-1234-1234-idid-12345678910id"
    }

    After the above, feel free to check the WAF web console to confirm that the changes were applied successfully.

    Additional information is available at: Custom responses for Block actions https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-for-blocked-requests.html

    UpdateWebACL https://docs.aws.amazon.com/waf/latest/APIReference/API_UpdateWebACL.html
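As an added example (not from the question, the comments, or AWS's own SDK code), here is the guard a practitioner would put in front of UpdateWebACL: it mirrors steps [1]-[4] above, reports which fields the GetWebACL response dropped compared with the intended rules, and always sends the complete spec built from the intended rules together with the latest LockToken rather than echoing the lossy GET output. The `get_web_acl` and `update_web_acl` callables are assumed wrappers around the real API calls (for example boto3), stubbed here so the code runs offline; the sample rule is the RateLimit-3000 rule from the question.

```python
import copy
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample: the rule as intended, and the copy GetWebACL returned in
# the question above, where the Block action came back without CustomResponse.
INTENDED_RULE: Dict[str, Any] = {
    "Name": "RateLimit-3000", "Priority": 8,
    "Statement": {"RateBasedStatement": {"Limit": 3000, "AggregateKeyType": "IP"}},
    "Action": {"Block": {"CustomResponse": {
        "ResponseCode": 429, "CustomResponseBodyKey": "TooManyRequests"}}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True, "MetricName": "RateLimit-3000"},
}
RETURNED_RULE = copy.deepcopy(INTENDED_RULE)
RETURNED_RULE["Action"] = {"Block": {}}   # what the older SDK/CLI handed back


def missing_paths(expected: Any, actual: Any, path: str = "") -> List[str]:
    """Dotted paths of keys present in `expected` but absent from `actual`."""
    if isinstance(expected, dict):
        if not isinstance(actual, dict):
            return [path or "<root>"]
        found: List[str] = []
        for key, val in expected.items():
            sub = f"{path}.{key}" if path else key
            found += [sub] if key not in actual else missing_paths(val, actual[key], sub)
        return found
    if isinstance(expected, list):
        if not isinstance(actual, list) or len(actual) < len(expected):
            return [path or "<root>"]
        return [p for i, v in enumerate(expected)
                for p in missing_paths(v, actual[i], f"{path}[{i}]")]
    return []   # scalars: presence is all we check, values may legitimately differ


def safe_update(intended_rules: List[Dict[str, Any]],
                get_web_acl: Callable[[], Dict[str, Any]],
                update_web_acl: Callable[[Dict[str, Any]], Dict[str, Any]]
                ) -> Tuple[List[str], Dict[str, Any]]:
    """Steps [1]-[4]: read the ACL for its LockToken, record which intended
    fields the GET dropped, then send the COMPLETE spec built from the
    intended rules (never from the lossy GET output) with that token."""
    current = get_web_acl()   # assumed wrapper: returns {"WebACL": {...}, "LockToken": ...}
    dropped = missing_paths({"Rules": intended_rules},
                            {"Rules": current["WebACL"].get("Rules", [])})
    spec = {k: v for k, v in current["WebACL"].items()
            if k in ("Name", "Id", "DefaultAction", "VisibilityConfig",
                     "CustomResponseBodies")}
    spec.update(Scope="REGIONAL", Rules=intended_rules, LockToken=current["LockToken"])
    return dropped, update_web_acl(spec)   # assumed wrapper: returns {"NextLockToken": ...}
```

A non-empty `dropped` list is the signal that the client in use is lossy and that any pipeline which round-trips GetWebACL output into UpdateWebACL needs the SDK/CLI upgrade described in the accepted answer.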

2 Answers

Accepted Answer

Thanks for all the suggestions. After contacting AWS Support, this issue has now been solved by updating both PHP SDK and AWS CLI to their latest versions. Hopefully this answer will help others as using an older version of either PHP SDK or AWS CLI will still work but using them will be destructive and cause configuration to be inadvertently lost.

Peter
answered a year ago

Hi,

Thank you for contacting AWS re:Post.

I understand you have some clarifications regarding updating a WebACL in WAFV2 using either the PHP SDK or the AWS CLI without losing important configuration.

Looking at the issue, this would require further analysis and troubleshooting. I would suggest you open a case with the WAF premium support team and provide details such as:

--> WAF configuration
--> Any supported Logs (Access logs)

Thanks and have a nice day!

AWS
SUPPORT ENGINEER
Ansh_C
answered a year ago