#WAF Code
Resources:
MyWaf:
Type: 'AWS::WAFv2::WebACL'
Properties:
Name: My-waf
Scope: CLOUDFRONT
DefaultAction:
Block: {}
VisibilityConfig:
CloudWatchMetricsEnabled: true
MetricName: my-waf-metric
SampledRequestsEnabled: true
Rules:
- Name: AWSManagedRulesCommonRuleSet
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: CommonRuleSet
Priority: 1
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: CommonRuleSetMetric
- Name: AWSManagedRulesSQLiRuleSet
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: SQLiRuleSet
Priority: 2
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: SQLiMeteric
- Name: AWSManagedRulesKnownBadInputs
Statement:
ManagedRuleGroupStatement:
Name: BadInputSet
VendorName: AWS
Priority: 3
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: BadInputMetric
- Name: AWSManagedRulesATPRuleSet
Statement:
ManagedRuleGroupStatement:
Name: ATPRuleSet
VendorName: AWS
Priority: 4
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: ATPRuleSetMetric
- Name: AWSManagedRulesIPReputationList
Priority: 5
Statement:
ManagedRuleGroupStatement:
Name: IPReputationListSet
VendorName: AWS
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: IPReputationListMetric
- Name: AWSManagedRulesBotControlRuleSet
Priority: 6
Statement:
ManagedRuleGroupStatement:
Name: BotControlSet
VendorName: AWS
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: BotContolSetMetric
Outputs:
WebACLId:
Description: My WAF WebACL ID
Value: !Ref MyWaf
Export:
Name: my-web-aclid
I have a CloudFront distribution in ap-souteast-2. Which is associated with an ALB. Both these resources are created using Cloudformation. I have associated a WAF with cloudfront with the scope of the WAFv2 as cloudfront. I am deploying this in us-east-1. Upon deploying the WAF code in us-east-1 , I noticed the following error.
Resource handler returned message: "AWS WAF couldn?t perform the operation because your resource doesn?t exist. (Service: Wafv2, Status Code: 400, Request ID: 7165d5e9-aa1d-4057-a5f2-b6a5617cbbdf)" (RequestToken: 82863340-6852-b176-023f-01beb14f28b1, HandlerErrorCode: NotFound). How do I then associate this WAF with a cloudfront deployed in ap-south-east 2 can exports be done cross region in cloudfromagtion…i think not right?
Here is my WAF code. Can you help me troubleshoot this as its a pretty generic runtime error.
MyCloudFrontDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Enabled: true
Origins:
- DomainName: !ImportValue my-ApiGatewayDnsName
Id: testgwy
CustomOriginConfig:
HTTPSPort: 443
OriginProtocolPolicy: https-only
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
CachedMethods:
- GET
- HEAD
MinTTL: 100
DefaultTTL: 100
MaxTTL: 300
ForwardedValues:
QueryString: true
TargetOriginId: testalb
ViewerProtocolPolicy: allow-all
WebACLId: !Ref MyWaf
Thanks
I tried putting the cloudfront and WAF in us-east-1 but then the cloudfront deployment failed as the origin it links to is in ap-south-east-2. I tried running WAF code alone in us-east-1 and got the error.
Update 1: I removed all the rules and tried it again and the WAF code worked..then included only commonruleset rule and itfailed..it think something to do with ruleset
2
Answers
Your WebACL is called
MyVicWaf, but you are using!Ref MyWaf. Also you need ARN, not Id. Thus it should be: