
    #WAF Code      
    Resources:
      MyWaf:
        Type: 'AWS::WAFv2::WebACL'
        Properties:
          Name: My-waf
          Scope: CLOUDFRONT
          DefaultAction:
            Block: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: my-waf-metric
            SampledRequestsEnabled: true
          Rules:
            - Name: AWSManagedRulesCommonRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: CommonRuleSet
              Priority: 1
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: CommonRuleSetMetric
            - Name: AWSManagedRulesSQLiRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: SQLiRuleSet
              Priority: 2
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: SQLiMeteric
            - Name: AWSManagedRulesKnownBadInputs
              Statement:
                ManagedRuleGroupStatement:
                  Name: BadInputSet
                  VendorName: AWS
              Priority: 3
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: BadInputMetric
            - Name: AWSManagedRulesATPRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  Name: ATPRuleSet
                  VendorName: AWS
              Priority: 4
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: ATPRuleSetMetric
            - Name: AWSManagedRulesIPReputationList
              Priority: 5
              Statement:
                ManagedRuleGroupStatement:
                  Name: IPReputationListSet
                  VendorName: AWS
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: IPReputationListMetric
            - Name: AWSManagedRulesBotControlRuleSet
              Priority: 6
              Statement:
                ManagedRuleGroupStatement:
                  Name: BotControlSet
                  VendorName: AWS
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: BotContolSetMetric


    Outputs:
      WebACLId:
        Description: My WAF WebACL ID
        Value: !Ref MyWaf
        Export:
          Name: my-web-aclid

I have a CloudFront distribution in ap-southeast-2, which is associated with an ALB. Both these resources are created using CloudFormation. I have associated a WAF with CloudFront, with the scope of the WAFv2 as CLOUDFRONT. I am deploying this in us-east-1. Upon deploying the WAF code in us-east-1, I noticed the following error.

Resource handler returned message: "AWS WAF couldn't perform the operation because your resource doesn't exist. (Service: Wafv2, Status Code: 400, Request ID: 7165d5e9-aa1d-4057-a5f2-b6a5617cbbdf)" (RequestToken: 82863340-6852-b176-023f-01beb14f28b1, HandlerErrorCode: NotFound). How do I then associate this WAF with a CloudFront deployed in ap-southeast-2? Can exports be done cross-region in CloudFormation? I think not, right?

Here is my WAF code. Can you help me troubleshoot this, as it's a pretty generic runtime error.

    MyCloudFrontDistribution:
        Type: 'AWS::CloudFront::Distribution'
        Properties:
          DistributionConfig:
            Enabled: true
            Origins:
            - DomainName: !ImportValue my-ApiGatewayDnsName
              Id: testgwy
              CustomOriginConfig:
                HTTPSPort: 443
                OriginProtocolPolicy: https-only
            DefaultCacheBehavior: 
              AllowedMethods: 
                - GET
                - HEAD
              CachedMethods: 
                - GET
                - HEAD
              MinTTL: 100
              DefaultTTL: 100
              MaxTTL: 300
              ForwardedValues:
                 QueryString: true
              TargetOriginId: testalb
              ViewerProtocolPolicy: allow-all
            WebACLId: !Ref MyWaf
      

Thanks

I tried putting the CloudFront and WAF in us-east-1, but then the CloudFront deployment failed as the origin it links to is in ap-southeast-2. I tried running the WAF code alone in us-east-1 and got the error.

Update 1: I removed all the rules and tried it again and the WAF code worked. Then I included only the CommonRuleSet rule and it failed. I think it is something to do with the rule set.

2 Answers

0

Your WebACL is called MyVicWaf, but you are using !Ref MyWaf. Also, you need the ARN, not the Id. Thus it should be:

    WebACLId: !GetAtt MyVicWaf.Arn
– Marcin
  • Edited this and got the same error – Vinay Ramakrishnan Mar 08 '23 at 00:29
  • @VinayRamakrishnan Then your real code is different than in the question. In fact your question has two WAFs. One called `MyWaf`, second `MyVicWaf` as I wrote. Subsequently, it's not clear what you are actually doing at this stage. – Marcin Mar 08 '23 at 00:50
  • Hi, let me tell you what I'm doing... I'm trying to deploy my WAF code in us-east-1. This is when I get the error. My CloudFront WAF code shows no errors in VS Code as well as in AWS designer. The ultimate aim is to associate the WAF in us-east-1 with CloudFront deployed through CloudFormation in an account in ap-southeast-2. What you have discovered is correct. I have then edited the code, tried again and it did not work. Hope this is clear? – Vinay Ramakrishnan Mar 08 '23 at 00:57
  • @VinayRamakrishnan So which WAF do you actually use? You have two WAF definitions in your question. Are they deployed separately? Which one do you use with CloudFront? Also why do you have two WAFs in the first place? – Marcin Mar 08 '23 at 02:18
  • Apologies for the confusion... I have removed the WAF code from CloudFront as it is a duplicate... We have to deploy both files separately. I first deploy CloudFront only, without the WAF part, in ap-southeast-2 and it works, then deploy the WAF code in us-east-1 and this shows the error I'm asking about – Vinay Ramakrishnan Mar 08 '23 at 04:58
0

    #WAF Code
    Resources:
      MyWaf:
        Type: 'AWS::WAFv2::WebACL'
        Properties:
          Name: My-waf
          Scope: CLOUDFRONT   # CLOUDFRONT-scope web ACLs can only be created in us-east-1
          DefaultAction:
            Block: {}         # every rule below is in Count mode, so nothing can Allow: this default blocks all requests
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: my-waf-metric
            SampledRequestsEnabled: true
          Rules:
            # Managed rule group rules take OverrideAction (Count or None), never Action,
            # and the ManagedRuleGroupStatement Name must be the full AWS name (AWSManagedRules...).
            - Name: CommonRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesCommonRuleSet
              Priority: 0
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: CommonRuleSetMetric
            - Name: AWSManagedRulesSQLiRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesSQLiRuleSet
              Priority: 1
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: AWSManagedRulesSQLiRuleSetMetric
            - Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
              Priority: 2
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAMRKnownBadInputs
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesKnownBadInputsRuleSet
            - Name: AWS-AWSManagedRulesATPRuleSet
              Priority: 3
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAWSManagedRulesATPRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesATPRuleSet
                  ManagedRuleGroupConfigs:   # tells ATP where the login request and its credential fields are
                    - LoginPath: /api/accounts/login
                    - PayloadType: JSON
                    - PasswordField:
                        Identifier: /form/password
                    - UsernameField:
                        Identifier: /form/username
            - Name: AWS-AWSManagedRulesAmazonIpReputationList
              Priority: 4
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAWSManagedRulesAmazonIpReputationList
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesAmazonIpReputationList
            - Name: AWS-AWSManagedRulesBotControlRuleSet
              Priority: 5
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAWSManagedRulesBotControlRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesBotControlRuleSet

    Outputs:
      WebACLId:
        Description: My WAF WebACL ID
        Value: !Ref MyWaf       # this is the Id; CloudFront's WebACLId property needs the ARN (!GetAtt MyWaf.Arn)
        Export:
          Name: my-web-aclid    # exports can only be imported by stacks in the same account and region

The rule names were incorrect; I have corrected them and the code works now :) Thanks to all those who saw my question and also attempted to answer it!
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 14 '23 at 00:56
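The thread turns on three template mistakes that CloudFormation reports only as a generic NotFound: short managed rule group names instead of the full AWSManagedRules... names, `Action` set on a rule group rule that may only carry `OverrideAction`, and CloudFront's `WebACLId` given the web ACL Id via `!Ref` where WAFv2 requires the ARN. The following is an added example, not code from the asker, from Marcin's answer or from AWS: a small offline lint that catches those mistakes before a deploy, plus the caveat a reviewer would raise about the accepted template, namely that a `DefaultAction` of Block with every rule in Count mode blocks all traffic, and that exports cannot be imported from another region. The function names, the `KNOWN_AWS_MANAGED_RULE_GROUPS` subset and the sample templates are constructed for this example; templates are represented as the Python dicts a YAML loader would produce, with intrinsic functions in their long form.

```python
"""Offline lint for the WAFv2 / CloudFront CloudFormation fragments in this thread.
Hypothetical helper written for this page (not AWS tooling, not the asker's code);
templates are the dicts a YAML loader yields, intrinsics in long form ({"Ref": ...}).
"""

# Group names used by the corrected answer (constructed subset; the authoritative
# per-region list comes from `aws wafv2 list-available-managed-rule-groups`).
KNOWN_AWS_MANAGED_RULE_GROUPS = {
    "AWSManagedRulesCommonRuleSet", "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesATPRuleSet",
    "AWSManagedRulesAmazonIpReputationList", "AWSManagedRulesBotControlRuleSet",
}

def lint_web_acl(props):
    """Return 'error:/warning:/info:' findings for an AWS::WAFv2::WebACL Properties dict."""
    findings = []
    if props.get("Scope") == "CLOUDFRONT":
        findings.append("info: Scope CLOUDFRONT web ACLs can only be created in us-east-1")
    may_allow = False  # can any rule end evaluation with Allow?
    for rule in props.get("Rules", []):
        name = rule.get("Name", "<unnamed>")
        managed = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if managed is None:  # ordinary rule: needs its own Action
            if "Action" not in rule:
                findings.append(f"error: {name}: a non-rule-group rule needs an Action")
            elif "Allow" in rule["Action"]:
                may_allow = True
            continue
        # Rule-group rules take OverrideAction only; the API rejects Action on them.
        if "Action" in rule:
            findings.append(f"error: {name}: ManagedRuleGroupStatement rules must not set Action")
        override = rule.get("OverrideAction")
        if override is None:
            findings.append(f"error: {name}: ManagedRuleGroupStatement rules need an OverrideAction")
        elif "None" in override:
            may_allow = True  # the group's own rule actions apply; not visible offline
        group = managed.get("Name")
        if managed.get("VendorName") == "AWS" and group not in KNOWN_AWS_MANAGED_RULE_GROUPS:
            findings.append(f"error: {name}: unknown AWS managed rule group '{group}'")
    if "Block" in props.get("DefaultAction", {}) and not may_allow:
        # Count is non-terminating: if nothing can Allow, the Block default hits every request.
        findings.append("warning: DefaultAction is Block and no rule can Allow; every request will be blocked")
    return findings

def lint_cloudfront_distribution(dist_config):
    """Findings for a CloudFront DistributionConfig dict that references a WAFv2 web ACL."""
    findings = []
    web_acl = dist_config.get("WebACLId")
    if isinstance(web_acl, dict) and "Ref" in web_acl:
        findings.append(f"error: WebACLId: WAFv2 needs the ARN, use !GetAtt {web_acl['Ref']}.Arn not !Ref")
    elif isinstance(web_acl, dict) and "Fn::ImportValue" in web_acl:
        findings.append("warning: WebACLId: exports resolve only inside one region; a us-east-1 "
                        "export cannot be imported by a stack in another region")
    elif isinstance(web_acl, str) and ":global/webacl/" not in web_acl:
        findings.append("error: WebACLId: literal is not a CloudFront-scope WAFv2 ARN")
    origin_ids = {str(o.get("Id")) for o in dist_config.get("Origins", [])}
    target = dist_config.get("DefaultCacheBehavior", {}).get("TargetOriginId")
    if str(target) not in origin_ids:
        findings.append(f"error: TargetOriginId '{target}' matches no Origins[].Id {sorted(origin_ids)}")
    return findings

def _managed_rule(name, group, priority, **extra):
    """Constructed rule entry in the shape used by the templates in this thread."""
    rule = {"Name": name, "Priority": priority, "OverrideAction": {"Count": {}},
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}
    rule.update(extra)
    return rule

# Constructed: the shape of the question's template (short group names plus Action) ...
QUESTION_WEB_ACL = {
    "Name": "My-waf", "Scope": "CLOUDFRONT", "DefaultAction": {"Block": {}},
    "Rules": [_managed_rule("CommonRuleSet", "CommonRuleSet", 1, Action={"Block": {}}),
              _managed_rule("SQLiRuleSet", "SQLiRuleSet", 2, Action={"Block": {}})]}
# ... and of the accepted fix (full group names, OverrideAction only).
FIXED_WEB_ACL = {
    "Name": "My-waf", "Scope": "CLOUDFRONT", "DefaultAction": {"Block": {}},
    "Rules": [_managed_rule("CommonRuleSet", "AWSManagedRulesCommonRuleSet", 0),
              _managed_rule("SQLiRuleSet", "AWSManagedRulesSQLiRuleSet", 1)]}
# Constructed distributions: the question's (!Ref plus mismatched origin id) and a fixed one.
QUESTION_DISTRIBUTION = {
    "Origins": [{"Id": "testgwy", "DomainName": "origin.example.invalid"}],
    "DefaultCacheBehavior": {"TargetOriginId": "testalb"}, "WebACLId": {"Ref": "MyWaf"}}
FIXED_DISTRIBUTION = {
    "Origins": [{"Id": "testgwy", "DomainName": "origin.example.invalid"}],
    "DefaultCacheBehavior": {"TargetOriginId": "testgwy"},
    "WebACLId": {"Fn::GetAtt": ["MyWaf", "Arn"]}}

if __name__ == "__main__":
    for label, acl in (("question", QUESTION_WEB_ACL), ("fixed", FIXED_WEB_ACL)):
        print(f"{label} web ACL:", *lint_web_acl(acl), sep="\n  ")
    for label, dist in (("question", QUESTION_DISTRIBUTION), ("fixed", FIXED_DISTRIBUTION)):
        print(f"{label} distribution:", *lint_cloudfront_distribution(dist), sep="\n  ")
```

Run against the question-shaped template the lint reports four errors (two bad group names, two rule group rules carrying `Action`); against the fixed template it reports none, but still warns that a Block default with only Count rules leaves nothing able to Allow, so a deploy that "works" in CloudFormation terms will still drop every request until at least one rule group is switched to `OverrideAction: None: {}` or the default is changed to Allow. The distribution check flags the `!Ref` that Marcin's answer addresses and the `TargetOriginId` that matches no origin.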