SAM API Gateway with CloudFormation WAFRegional

Time: 2019-06-20 10:12:31

Tags: amazon-cloudformation aws-sam

To protect our API I am trying to deploy a WAFRegional with a RateBasedRule. The API Gateway lives in a SAM template, in which I also have a nested stack for a child template that contains the WAFRegional configuration. The WAFRegional child template is given below. During the ExecuteChangeSet phase the following happens:

  1. CamerasIpSet is created

  2. CamerasRateRule is created

  3. WAFCamerasWebACL CREATE_FAILED: The referenced item does not exist. (Service: AWSWAFRegional; Status Code: 400; Error Code: WAFNonexistentItemException)

I found the following post from about 2 months ago, where someone hit the same problem while using Serverless: https://forum.serverless.com/t/dependon-api-gateway-deployment/7792

What am I missing here?

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template for WAF Configuration'
Parameters:
  CamerasApi:
    Description: "Arn of the Cameras Api"
    Type: String
    Default: cameras-api-dev
  StageName:
    Description: "Stage name of the Cameras Api"
    Type: String
    Default: v
  Blocking:
    Description: "Number of calls per 5 minutes for WAF IP blocking."
    Type: Number
    Default: 2000
  EnvironmentType:
    Type: String
    Default: "dev"
    Description: "Type of environment: dev, staging or prod."


Resources:
  WAFCamerasWebACL:
    Type: AWS::WAFRegional::WebACL
    DependsOn: CamerasRateRule
    Properties:
      DefaultAction:
        Type: ALLOW
      MetricName: !Join ['', ['IPBlockingMetric', !Ref EnvironmentType]]
      Name: !Join ['', ['IPBlockingACL', !Ref EnvironmentType]]
      Rules:
        -
          Action:
            Type: "BLOCK"
          Priority: 1
          RuleId: !Ref CamerasRateRule

  CamerasRateRule:
    Type: AWS::WAFRegional::RateBasedRule
    Properties:
      MetricName: UnallowedAccessCount
      Name: FiveMinuteRule
      RateKey: IP
      RateLimit: !Ref Blocking
      MatchPredicates:
      -
        DataId: !Ref CamerasIpSet
        Negated: false
        Type: "IPMatch"

  CamerasIpSet:
    Type: AWS::WAFRegional::IPSet
    Properties:
      Name: !Join ['-', ['IpBlacklist', !Ref EnvironmentType]]


  MyWebACLAssociation:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${CamerasApi}/stages/${StageName}
      WebACLId: !Ref WAFCamerasWebACL

Outputs:
  WebACL:
    Description: Name of the web ACL
    Value: !Ref WAFCamerasWebACL


3 answers:

Answer 0 (score: 0)

I finally resolved the problem with help from AWS customer support. It is a CloudFormation limitation when dealing with AWS::WAFRegional::RateBasedRule.

Although CloudFormation supports creating WAF Regional rate-based rules, associating them with a Web ACL is currently not supported. If you look at link [1] below you will notice: "To add a rate-based rule created through CloudFormation to a web ACL, use the AWS WAF console, API, or command line interface (CLI)."

[1] AWS::WAFRegional::RateBasedRule: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-ratebasedrule.html

I generate the WebACL, the RateBasedRule and the association of the WebACL with my APIGW from the CloudFormation template. Then, using CodeBuild in the CI/CD pipeline, I add the RateBasedRule to the WebACL with the CLI command aws waf-regional update-web-acl.

Answer 1 (score: 0)

Assuming AWS::WAFRegional::WebACL and AWS::WAFRegional::RateBasedRule are defined in the CloudFormation stack, you can attach them with the following bash script:

# WAF Classic serialises updates through change tokens: fetch one per update call.
CHANGE_TOKEN=$(aws waf-regional get-change-token --output text)
# [0] picks the first ACL / rule in the account; quote the JMESPath so the shell
# does not treat [0] as a glob. Filter by name if the account has several.
WEBACL_ID=$(aws waf-regional list-web-acls --query 'WebACLs[0].WebACLId' --output text)
RULE_ID=$(aws waf-regional list-rate-based-rules --query 'Rules[0].RuleId' --output text)
# INSERT the rate-based rule into the ACL at priority 1 with a BLOCK action.
aws waf-regional update-web-acl --web-acl-id "$WEBACL_ID" --change-token "$CHANGE_TOKEN" \
    --updates Action="INSERT",ActivatedRule='{Priority=1,RuleId="'"$RULE_ID"'",Action={Type="BLOCK"},Type="RATE_BASED"}'

Unfortunately, this causes a problem when deleting the CloudFormation stack:

The following resource(s) failed to delete: [RateBasedRuleName].

Any ideas how to make the stack delete the rule when issuing aws cloudformation delete-stack?
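The attach step from Answer 0 and the delete-stack failure from Answer 1 are two sides of the same out-of-band update: WAF Classic refuses to delete a rule that is still activated in a Web ACL, so a rule attached with update-web-acl has to be detached with a matching DELETE update before delete-stack. The following Python is an added example, not code from the original post or from any AWS sample. The pure functions build the Updates entries that UpdateWebACL expects (INSERT for attaching, DELETE for detaching) from the WebACL shape that GetWebACL returns; the live path assumes boto3 and AWS credentials, and every ID in the constructed sample is a placeholder.

```python
"""Build WAF Classic (waf-regional) UpdateWebACL payloads for attaching a
rate-based rule and for detaching it again before delete-stack.
Added example; not code from the original post."""
import json

RATE_BASED = "RATE_BASED"


def attach_update(rule_id, priority=1, action="BLOCK"):
    """One Updates[] entry that inserts a rate-based rule into a Web ACL
    (the same content as the CLI --updates shorthand in Answer 1)."""
    return {
        "Action": "INSERT",
        "ActivatedRule": {
            "Priority": priority,
            "RuleId": rule_id,
            "Action": {"Type": action},
            "Type": RATE_BASED,
        },
    }


def detach_updates(web_acl):
    """Given the WebACL dict returned by GetWebACL, return the DELETE updates
    that remove every RATE_BASED rule. A DELETE must echo the rule's current
    Priority, Action and Type exactly, otherwise WAF rejects the update."""
    updates = []
    for rule in web_acl.get("Rules", []):
        if rule.get("Type") != RATE_BASED:
            continue  # leave REGULAR/GROUP rules that CloudFormation manages alone
        updates.append({
            "Action": "DELETE",
            "ActivatedRule": {
                "Priority": rule["Priority"],
                "RuleId": rule["RuleId"],
                "Action": rule["Action"],
                "Type": RATE_BASED,
            },
        })
    return updates


# Constructed sample of a GetWebACL response body; all IDs are placeholders.
SAMPLE_WEB_ACL = {
    "WebACLId": "00000000-webacl-placeholder",
    "Name": "IPBlockingACLdev",
    "DefaultAction": {"Type": "ALLOW"},
    "Rules": [
        {"Priority": 1, "RuleId": "00000000-ratebased-placeholder",
         "Action": {"Type": "BLOCK"}, "Type": RATE_BASED},
        {"Priority": 2, "RuleId": "00000000-regular-placeholder",
         "Action": {"Type": "COUNT"}, "Type": "REGULAR"},
    ],
}


def detach_and_delete_stack(web_acl_id, stack_name, region=None):
    """Live path (assumes boto3 and credentials): detach rate-based rules,
    then delete the stack so CloudFormation can remove the rule it created.
    Returns the number of rules detached."""
    import boto3  # imported here so the pure functions above run offline
    waf = boto3.client("waf-regional", region_name=region)
    cfn = boto3.client("cloudformation", region_name=region)
    acl = waf.get_web_acl(WebACLId=web_acl_id)["WebACL"]
    updates = detach_updates(acl)
    if updates:
        token = waf.get_change_token()["ChangeToken"]
        waf.update_web_acl(WebACLId=web_acl_id, ChangeToken=token, Updates=updates)
    cfn.delete_stack(StackName=stack_name)
    return len(updates)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(json.dumps(detach_updates(SAMPLE_WEB_ACL), indent=2))
```

Run the detach step from the same CodeBuild stage that issues delete-stack; the REGULAR rule in the sample is skipped on purpose, because rules CloudFormation both created and activated are removed by the stack itself.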

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template for WAF Configuration'
Parameters:
  CamerasApi:
    Description: "Arn of the Cameras Api"
    Type: String
    Default: YOUR-API-ID
  StageName:
    Description: "Stage name of the Cameras Api"
    Type: String
    Default: YOUR-Stage
  Blocking:
    Description: "Number of calls per 5 minutes for WAF IP blocking."
    Type: Number
    Default: 2000
  EnvironmentType:
    Type: String
    Default: Prod
    Description: "Type of environment: dev, staging or prod."


Resources:
  WAFCamerasWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ExampleWebACL
      Description: This is an example WebACL
      Scope: REGIONAL
      DefaultAction: 
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ExampleWebACLMetric
      Rules:
        - Name: RulesTest
          Priority: 0
          Action:
           Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: test
          Statement:
            RateBasedStatement:
              Limit: 100
              AggregateKeyType: IP

  MyWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${CamerasApi}/stages/${StageName}
      WebACLArn: !GetAtt  WAFCamerasWebACL.Arn

Outputs:
  WebACL:
    Description: Name of the web ACL
    Value: !Ref WAFCamerasWebACL