#WAF Code
Resources:
MyWaf:
Type: 'AWS::WAFv2::WebACL'
Properties:
Name: My-waf
Scope: CLOUDFRONT
DefaultAction:
Block: {}
VisibilityConfig:
CloudWatchMetricsEnabled: true
MetricName: my-waf-metric
SampledRequestsEnabled: true
Rules:
- Name: AWSManagedRulesCommonRuleSet
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: CommonRuleSet
Priority: 1
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: CommonRuleSetMetric
- Name: AWSManagedRulesSQLiRuleSet
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: SQLiRuleSet
Priority: 2
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: SQLiMeteric
- Name: AWSManagedRulesKnownBadInputs
Statement:
ManagedRuleGroupStatement:
Name: BadInputSet
VendorName: AWS
Priority: 3
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: BadInputMetric
- Name: AWSManagedRulesATPRuleSet
Statement:
ManagedRuleGroupStatement:
Name: ATPRuleSet
VendorName: AWS
Priority: 4
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: ATPRuleSetMetric
- Name: AWSManagedRulesIPReputationList
Priority: 5
Statement:
ManagedRuleGroupStatement:
Name: IPReputationListSet
VendorName: AWS
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: IPReputationListMetric
- Name: AWSManagedRulesBotControlRuleSet
Priority: 6
Statement:
ManagedRuleGroupStatement:
Name: BotControlSet
VendorName: AWS
Action:
Block: {}
OverrideAction:
Count: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: BotContolSetMetric
Outputs:
WebACLId:
Description: My WAF WebACL ID
Value: !Ref MyWaf
Export:
Name: my-web-aclid
I have a CloudFront distribution in ap-souteast-2. Which is associated with an ALB. Both these resources are created using Cloudformation. I have associated a WAF with cloudfront with the scope of the WAFv2 as cloudfront. I am deploying this in us-east-1. Upon deploying the WAF code in us-east-1 , I noticed the following error.
Resource handler returned message: "AWS WAF couldn?t perform the operation because your resource doesn?t exist. (Service: Wafv2, Status Code: 400, Request ID: 7165d5e9-aa1d-4057-a5f2-b6a5617cbbdf)" (RequestToken: 82863340-6852-b176-023f-01beb14f28b1, HandlerErrorCode: NotFound). How do I then associate this WAF with a cloudfront deployed in ap-south-east 2 can exports be done cross region in cloudfromagtion...i think not right?
Here is my WAF code. Can you help me troubleshoot this as its a pretty generic runtime error.
MyCloudFrontDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Enabled: true
Origins:
- DomainName: !ImportValue my-ApiGatewayDnsName
Id: testgwy
CustomOriginConfig:
HTTPSPort: 443
OriginProtocolPolicy: https-only
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
CachedMethods:
- GET
- HEAD
MinTTL: 100
DefaultTTL: 100
MaxTTL: 300
ForwardedValues:
QueryString: true
TargetOriginId: testalb
ViewerProtocolPolicy: allow-all
WebACLId: !Ref MyWaf
Thanks
I tried putting the cloudfront and WAF in us-east-1 but then the cloudfront deployment failed as the origin it links to is in ap-south-east-2. I tried running WAF code alone in us-east-1 and got the error.
Update 1: I removed all the rules and tried it again and the WAF code worked..then included only commonruleset rule and itfailed..it think something to do with ruleset
Your WebACL is called
MyVicWaf, but you are using!Ref MyWaf. Also you need ARN, not Id. Thus it should be: