Can't Associate WebACL to API Gateway by CloudFormation

0

I have an issue using CloudFormation to add WAF to my API Gateway. My YAML is like:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: "Service"
Resources: 
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: WafACL
        SampledRequestsEnabled: true
      Rules:
        - Name: AWS-AWSManagedRulesCommonRuleSet
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules:
                - Name: GenericRFI_BODY
          OverrideAction:
            None: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: false
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "arn:aws:apigateway:ap-northeast-1::/restapis/${ServerlessRestApi}/stages/${ServerlessRestApiProdStage}"
      WebACLArn: !Ref WebACL

The WebACL is created successfully, but the association fails. The error message is:

An error occurred (WAFInvalidParameterException) when calling the AssociateWebACL operation: Error reason: The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN

I also tried writing the ARN directly without using Sub and confirmed it is the same format as in the article: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

I found a question on StackOverflow that is exactly the same as my issue; he also used aws-cli to do the same job and got the same error:
https://stackoverflow.com/questions/60955745/applying-webacl-to-api-gateway

Edited by: othree3 on Apr 6, 2020 11:37 PM

othree3
asked 4 years ago, 1558 views
3 Answers
0

For CLI:
WAFv2 has a different scheme for the ARN. WAF Classic uses the UUID alone, whereas WAFv2 uses the full ARN.
From: https://docs.aws.amazon.com/cli/latest/reference/wafv2/associate-web-acl.html

aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2

For CFN:
WAFv2 has multiple return attributes, so you cannot just reference the entire web ACL:

WebACLArn: !Ref <webacl>

Thus, you will have to do the following:

WebACLArn: !GetAtt <webacl>.Arn
AWS
answered 4 years ago
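A corrected version of the template from the question, as an added example (not code from any of the posts above): the WebACL resource is kept as the question defines it, and the association uses !GetAtt WebACL.Arn instead of !Ref as the answer suggests. The HelloFunction resource is an assumption added so that SAM generates the implicit ServerlessRestApi and ServerlessRestApiProdStage resources the question's ARN refers to; the stage ARN format is the one from the API Gateway/WAF documentation linked in the question, with the hard-coded ap-northeast-1 replaced by the AWS::Region pseudo parameter.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: "Service with a WAFv2 Web ACL associated to the API stage"
Resources:
  # Assumption: a minimal function so SAM creates the implicit REST API
  # (logical ID ServerlessRestApi) and its default Prod stage
  # (logical ID ServerlessRestApiProdStage). The question's own template
  # presumably already contains something equivalent.
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      InlineCode: |
        def handler(event, context):
            return {"statusCode": 200, "body": "ok"}
      Events:
        Api:
          Type: Api
          Properties:
            Path: /hello
            Method: get

  # Unchanged from the question: a regional Web ACL that allows by default
  # and applies the AWS managed Common Rule Set, with GenericRFI_BODY excluded.
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: WafACL
        SampledRequestsEnabled: true
      Rules:
        - Name: AWS-AWSManagedRulesCommonRuleSet
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules:
                - Name: GenericRFI_BODY
          OverrideAction:
            None: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: false

  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # Stage ARN in the format documented for API Gateway + WAF:
      # arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage-name>
      # Referencing the stage here also makes CloudFormation create the
      # association only after the stage exists.
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${ServerlessRestApi}/stages/${ServerlessRestApiProdStage}"
      # The fix from the answer: the Arn attribute is the full WAFv2 ARN
      # that AssociateWebACL expects. !Ref WebACL does not yield that ARN,
      # which is what triggered the WAFInvalidParameterException.
      WebACLArn: !GetAtt WebACL.Arn
```

After deploying, `aws wafv2 get-web-acl-for-resource --resource-arn <stage ARN>` returns the associated Web ACL, which is a quick way to confirm the stage is actually protected rather than relying only on the stack reaching CREATE_COMPLETE.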
0

Thank you Kevin

This solves my issue, and it works now. Then I think the error message is not clear.

The "field: RESOURCE_ARN" looks like the invalid parameter is ResourceArn. But what is invalid is WebACLArn. Is this the correct error message, or am I misunderstanding the message?

othree3
answered 4 years ago
0

Thanks, Kevin. This solved a similar issue for me as well. A corresponding example in the documentation would help reduce headaches for others ;-)

AFO
answered 3 years ago
