0

Trying to create a CloudFormation template to configure WAF with geo location condition. Couldn't find the right template yet. Any pointers would be appreciated.

http://docs.aws.amazon.com/waf/latest/developerguide/web-acl-geo-conditions.html

neuro
  • Hi, welcome to Stack Overflow. Please refer to the [ask] link for more details on how to ask a question and update your question accordingly. – Jeroen Heier Nov 10 '17 at 04:58
  • I am not sure what I am missing after I went through the link you referred to. Are there additional details that I am supposed to add? – Forreading Purpose Nov 10 '17 at 05:33

3 Answers

2

Unfortunately, the actual answer (as of this writing, July 2018) is that you cannot create geo match sets directly in CloudFormation. You can create them via the CLI or SDK, then reference them in the DataId field of a WAFRule's Predicates property.


Creating a GeoMatchSet with one constraint via CLI:

    aws waf-regional get-change-token
    aws waf-regional create-geo-match-set --name my-geo-set --change-token <token>
    aws waf-regional get-change-token
    aws waf-regional update-geo-match-set --change-token <new_token> --geo-match-set-id <id> --updates '[ { "Action": "INSERT", "GeoMatchConstraint": { "Type": "Country", "Value": "US" } } ]'

Now reference that GeoMatchSet id in the CloudFormation:

    "WebAclGeoRule": {
      "Type": "AWS::WAFRegional::Rule",
      "Properties": {
        ...
        "Predicates": [
          {
            "DataId": "00000000-1111-2222-3333-123412341234", // id from create-geo-match-set
            "Negated": false,
            "Type": "GeoMatch"
          }
        ]
      }
    }
Dan1701
1

There is no documentation for it, but it is possible to create the Geo Match in serverless/cloudformation.

Used the following in serverless:

    Resources:
      Geos:
        Type: "AWS::WAFRegional::GeoMatchSet"
        Properties:
          Name: geo
          GeoMatchConstraints:
          - Type: "Country"
            Value: "IE"

Which translated to the following in cloudformation:

    "Geos": {
      "Type": "AWS::WAFRegional::GeoMatchSet",
      "Properties": {
        "Name": "geo",
        "GeoMatchConstraints": [
          {
            "Type": "Country",
            "Value": "IE"
          }
        ]
      }
    }

That can then be referenced when creating a rule:

(serverless) :

    Resources:
      MyRule:
        Type: "AWS::WAFRegional::Rule"
        Properties:
          Name: waf
          Predicates:
          - DataId:
              Ref: "Geos"
            Negated: false
            Type: "GeoMatch"

(cloudformation) :

    "MyRule": {
      "Type": "AWS::WAFRegional::Rule",
      "Properties": {
        "Name": "waf",
        "Predicates": [
          {
            "DataId": {
              "Ref": "Geos"
            },
            "Negated": false,
            "Type": "GeoMatch"
          }
        ]
      }
    }
Ann-Marie
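
A complete template that wires the pieces from the answers above into a deployable stack, as an added example (not code from any of the posts): it uses the `AWS::WAFRegional::GeoMatchSet` type shown in the answer above and adds the web ACL and its association. The resource names, metric names, the `LoadBalancerArn` parameter and the allow-listed country are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Regional WAF web ACL that only admits requests from an allow-listed country

Parameters:
  LoadBalancerArn:            # assumed input: ARN of the ALB to protect
    Type: String

Resources:
  AllowedCountries:
    Type: AWS::WAFRegional::GeoMatchSet
    Properties:
      Name: allowed-countries
      GeoMatchConstraints:
        - Type: Country
          Value: IE           # sample value, two-letter country code

  GeoAllowRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: geo-allow
      MetricName: GeoAllow    # alphanumeric characters only
      Predicates:
        - DataId: !Ref AllowedCountries   # Ref resolves to the GeoMatchSet id
          Negated: false                  # match requests that come from the set
          Type: GeoMatch

  GeoWebAcl:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: geo-web-acl
      MetricName: GeoWebAcl
      DefaultAction:
        Type: BLOCK           # anything no rule matches is rejected
      Rules:
        - RuleId: !Ref GeoAllowRule
          Priority: 1
          Action:
            Type: ALLOW

  GeoWebAclAssociation:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLId: !Ref GeoWebAcl
```

For a deny list instead, swap the two action types: `DefaultAction` becomes `ALLOW` and the rule's `Action` becomes `BLOCK`.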
0

I'm afraid that your question is too vague to solicit a helpful response. The CloudFormation User Guide (pdf) defines many different WAF / CloudFront / R53 resources that will perform various forms of geo match / geo blocking capabilities. The link you provide seems a subset of Web Access Control Lists (Web ACL) - see AWS::WAF::WebACL on page 2540.

I suggest you have a look and if you are still stuck, actually describe what it is you are trying to achieve.

Note that the term you used: "geo location condition" doesn't directly relate to an AWS capability that I'm aware of.

Finally, if you are referring to https://aws.amazon.com/about-aws/whats-new/2017/10/aws-waf-now-supports-geographic-match/, then the latest CloudFormation User Guide doesn't seem to have been updated yet to reflect this.

Ing. Luca Stucchi
P Burke