为了保护我们的API,我正在尝试使用RateBasedRule部署WAFRegional。 API网关位于SAM模板中,其中我还有一个嵌套堆栈,用于包含WAFRegional配置的子模板。下面提供了WAFRegional配置的子模板。在ExecuteChangeSet阶段将发生以下情况:
CamerasIpSet已创建
CamerasRateRule已创建
WAFCamerasWebACL CREATE_FAILED:所引用的项目不存在。 (服务:AWSWAFRegional;状态代码:400;错误代码:WAFNonexistentItemException
我发现大约2个月前的以下帖子,其中有人在使用Serverless时遇到相同的问题:https://forum.serverless.com/t/dependon-api-gateway-deployment/7792
我在这里错过了什么?
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template for WAF Configuration'
Parameters:
CamerasApi:
Description: "Arn of the Cameras Api"
Type: String
Default: cameras-api-dev
StageName:
Description: "Stage name of the Cameras Api"
Type: String
Default: v
Blocking:
Description: "Number of calls per 5 minutes for WAF IP blocking."
Type: Number
Default: 2000
EnvironmentType:
Type: String
Default: "dev"
Description: "Type of environment: dev, staging or prod."
Resources:
WAFCamerasWebACL:
Type: AWS::WAFRegional::WebACL
DependsOn: CamerasRateRule
Properties:
DefaultAction:
Type: ALLOW
MetricName: !Join ['', ['IPBlockingMetric', !Ref EnvironmentType]]
Name: !Join ['', ['IPBlockingACL', !Ref EnvironmentType]]
Rules:
-
Action:
Type: "BLOCK"
Priority: 1
RuleId: !Ref CamerasRateRule
CamerasRateRule:
Type: AWS::WAFRegional::RateBasedRule
Properties:
MetricName: UnallowedAccessCount
Name: FiveMinuteRule
RateKey: IP
RateLimit: !Ref Blocking
MatchPredicates:
-
DataId: !Ref CamerasIpSet
Negated: false
Type: "IPMatch"
CamerasIpSet:
Type: AWS::WAFRegional::IPSet
Properties:
Name: !Join ['-', ['IpBlacklist', !Ref EnvironmentType]]
MyWebACLAssociation:
Type: AWS::WAFRegional::WebACLAssociation
Properties:
ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${CamerasApi}/stages/${StageName}
WebACLId: !Ref WAFCamerasWebACL
Outputs:
WebACL:
Description: Name of the web ACL
Value: !Ref WAFCamerasWebACL
答案 0 :(得分:0)
我终于在AWS客户服务的帮助下解决了该问题。这是他们在处理AWS :: WAFRegional :: RateBasedRule时对CloudFormation的限制。
尽管CloudFormation支持创建基于WAF区域费率的规则,但当前不支持将它们与Web ACL关联。如果您观察下面的链接[1],您将意识到: “要将通过CloudFormation创建的基于费率的规则添加到Web ACL,请使用AWS WAF控制台,API或命令行界面(CLI)。”
[1] AWS :: WAFRegional :: RateBasedRule: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-ratebasedrule.html
我使用Cloudformation模板生成了WebACL,RateBasedRule以及WebACL与我的APIGW的关联。现在,通过在CI / CD管道中使用CodeBuild,我将使用CLI命令aws waf-regional update-web-acl将RateBasedRule添加到WebACL。
答案 1 :(得分:0)
假设AWS::WAFRegional::WebACL和AWS::WAFRegional::RateBasedRule在Cloudformation堆栈中定义,则可以使用以下bash脚本将它们附加:
CHANGE_TOKEN=$(aws waf-regional get-change-token --output text)
WEBACL_ID=$(aws waf-regional list-web-acls --query WebACLs[0].WebACLId --output text)
RULE_ID=$(aws waf-regional list-rate-based-rules --query Rules[0].RuleId --output text)
aws waf-regional update-web-acl --web-acl-id $WEBACL_ID --change-token $CHANGE_TOKEN \
--updates Action="INSERT",ActivatedRule='{Priority=1,RuleId="'$RULE_ID'",Action={Type="BLOCK"},Type="RATE_BASED"}'
不幸的是,这会导致在删除Cloudformation堆栈时出现问题
以下资源无法删除:[RateBasedRuleName]。
有什么想法在发出aws cloudformation delete-stack时如何使堆栈删除规则?
答案 2 :(得分:0)
我遇到了同样的问题,并且使用WAFv2解决了该问题
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template for WAF Configuration'
Parameters:
CamerasApi:
Description: "Arn of the Cameras Api"
Type: String
Default: YOUR-API-ID
StageName:
Description: "Stage name of the Cameras Api"
Type: String
Default: YOUR-Stage
Blocking:
Description: "Number of calls per 5 minutes for WAF IP blocking."
Type: Number
Default: 2000
EnvironmentType:
Type: String
Default: Prod
Description: "Type of environment: dev, staging or prod."
Resources:
WAFCamerasWebACL:
Type: AWS::WAFv2::WebACL
Properties:
Name: ExampleWebACL
Description: This is an example WebACL
Scope: REGIONAL
DefaultAction:
Allow: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: ExampleWebACLMetric
Rules:
- Name: RulesTest
Priority: 0
Action:
Block: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: test
Statement:
RateBasedStatement:
Limit: 100
AggregateKeyType: IP
MyWebACLAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${CamerasApi}/stages/${StageName}
WebACLArn: !GetAtt WAFCamerasWebACL.Arn
Outputs:
WebACL:
Description: Name of the web ACL
Value: !Ref WAFCamerasWebACL