AWS WAF Ruleset with Multiple Rules with CloudFormation


I am trying to configure an AWS WAF WebACL using CloudFormation. I have been successful in creating a WebACL with a single rule defined in the AWS::WAFv2::WebACL Rules statement, but as soon as I try to define two or more rules only the last rule in the block is created. There are no errors but I only get the final rule in the block. Does anyone have an example of deploying a WebACL with multiple rules?

The required ruleset is:

  1. IP deny rule with priority 0 and referenced IPset
  2. IP allow rule with priority 1 and referenced IPset
  3. Geolocation rule to restrict to GB and allow

Example code block:

"Rules": [
    {
        "Name": "IPSetDeny",
        "Priority": 0,
        "Statement": {
            "IPSetReferenceStatement": {"ARN": { "Fn::GetAtt" : ["SampleIPSetDeny", "Arn" ]}}
        },
        "Action": {
            "Block": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        },
        "Name": "IPSetAllow",
        "Priority": 1,
        "Statement": {
            "IPSetReferenceStatement": {"ARN": { "Fn::GetAtt" : ["SampleIPSetAllow", "Arn" ]}}
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        },
        "Name": "restrict-country",
        "Priority": 2,
        "Statement": {
            "GeoMatchStatement": {
                "CountryCodes": [
                    "GB"
                ]
            }
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    }
]
asked 3 months ago, 69 views
2 Answers
Accepted Answer

Hi, @Simon Cox

Your example contains only one Rule object in Rules.
It is unclear how CloudFormation interprets this, but the earlier keys may have been overwritten by the last block.

I think you should write the multiple rules as an array of objects in Rules, as follows.

"Rules": [
    {
        "Name": "IPSetDeny",
        "Priority": 0,
        "Statement": {
            "IPSetReferenceStatement": {
                "ARN": {
                    "Fn::GetAtt": [
                        "SampleIPSetDeny",
                        "Arn"
                    ]
                }
            }
        },
        "Action": {
            "Block": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    },
    {
        "Name": "IPSetAllow",
        "Priority": 1,
        "Statement": {
            "IPSetReferenceStatement": {
                "ARN": {
                    "Fn::GetAtt": [
                        "SampleIPSetAllow",
                        "Arn"
                    ]
                }
            }
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    },
    {
        "Name": "restrict-country",
        "Priority": 2,
        "Statement": {
            "GeoMatchStatement": {
                "CountryCodes": [
                    "GB"
                ]
            }
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    }
]
EXPERT
iwasa
answered 3 months ago
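The root cause in the question is a plain JSON property: when one object repeats the key "Name", a standard parser silently keeps the last value, so the whole block collapses into a single rule before CloudFormation ever sees it. The following pre-deploy check is an added example, not code from the thread or from AWS; it parses a template strictly so repeated keys fail loudly, and it verifies that the WAFv2 Rules array has unique names and priorities. The two template strings are constructed miniatures of the asker's broken shape and the accepted answer's fixed shape.

```python
"""Strict-parse a CloudFormation JSON template and sanity-check WAFv2 Rules."""
import json

# Constructed sample: one object carrying three rules as repeated keys (the
# shape posted in the question). A default json.loads() keeps only the last.
BROKEN_TEMPLATE = """
{"Rules": [{"Name": "IPSetDeny", "Priority": 0, "Action": {"Block": {}},
            "Name": "IPSetAllow", "Priority": 1, "Action": {"Allow": {}},
            "Name": "restrict-country", "Priority": 2, "Action": {"Allow": {}}}]}
"""

# Constructed sample: the same three rules as separate array elements.
FIXED_TEMPLATE = """
{"Rules": [{"Name": "IPSetDeny", "Priority": 0, "Action": {"Block": {}}},
           {"Name": "IPSetAllow", "Priority": 1, "Action": {"Allow": {}}},
           {"Name": "restrict-country", "Priority": 2, "Action": {"Allow": {}}}]}
"""


def _reject_duplicates(pairs):
    """object_pairs_hook: build the dict, but raise instead of last-key-wins."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r} (values {seen[key]!r} and {value!r})")
        seen[key] = value
    return seen


def naive_rule_names(text):
    """What a default parser hands to the deployment: rule names that survive."""
    return [rule["Name"] for rule in json.loads(text)["Rules"]]


def find_duplicate_keys(text):
    """Return the first duplicate-key (or other parse) message, or None if clean."""
    try:
        json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return str(exc)
    return None


def check_rules(text):
    """Strictly parse and return (names, priorities); raise on collisions."""
    rules = json.loads(text, object_pairs_hook=_reject_duplicates)["Rules"]
    names = [rule["Name"] for rule in rules]
    priorities = [rule["Priority"] for rule in rules]
    if len(set(names)) != len(names):
        raise ValueError("rule names must be unique within a WebACL")
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique within a WebACL")
    return names, priorities
```

Running `naive_rule_names(BROKEN_TEMPLATE)` reproduces the symptom in the question (only "restrict-country" survives), while `find_duplicate_keys` on the same text reports the repeated "Name" key so the template can be rejected before `aws cloudformation deploy` is invoked.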

Hi @Iwasa, thanks for your comment, you were quite correct. I have used your example of an array of rules and my code is now working.

answered 3 months ago
