Hi, I tried to merge two CloudFormation templates into one. I end up with several different errors and could not resolve all of them. The rules also need to be evaluated in a specific priority order. Kindly help.


Template 1 (the intended rule priority order is shown in the attached images):

---
# Security: WAFv2 web ACL with optional AWS-managed IP reputation list, per-IP rate
# limiting, Bot Control (with up to six of its rules demoted to COUNT) and a geo-match
# rule. An AWS::WAFv2::LoggingConfiguration is present further down but commented out,
# so this web ACL produces no request logs until that block is re-enabled.
AWSTemplateFormatVersion: '2010-09-09'  # keep quoted: unquoted, YAML parses this as a date
Description: 'Security: WAF (Web Application Firewall)'
Metadata:
  # Console-only parameter grouping; it has no effect on the deployed resources.
  # NOTE(review): CCodes, KinesisArn and KinesisStack are not listed here, so the
  # console shows them ungrouped under "Other parameters".
  'AWS::CloudFormation::Interface':
    ParameterGroups:
    - Label:
        default: 'WAF Parameters'
      Parameters:
      - Scope
      - RateLimit
      - RateLimitEffect
      - ReputationListEffect
      - BotControlEffect
      - BotControlExcludeRule1
      - BotControlExcludeRule2
      - BotControlExcludeRule3
      - BotControlExcludeRule4
      - BotControlExcludeRule5
      - BotControlExcludeRule6
Parameters:
  # NOTE(review): KinesisArn is not referenced anywhere in this template; the
  # (commented-out) logging configuration imports "${KinesisStack}-KinesisArn"
  # instead. The Default is a masked placeholder. Either wire it into
  # LogDestinationConfigs or drop the parameter.
  KinesisArn:
    Description: 'Kinesis data stream arn that pushes logs to centralised S3 bucket'
    Type: String
    Default: arn:aaa:aaaaaaaa:aa-bbbbb-2:eeeeeeeeeeee:gggggggggggggg/ccc-jjjjj-llllll-rrrrrrrrrrrr
  # Scope of the web ACL. Any IP set or rule group referenced from this web ACL
  # must be created with the same scope, and CLOUDFRONT resources only exist in
  # us-east-1.
  Scope:
    Description: 'Specify wether WAF shall be used with CloudFront (us-east-1 only!) or regional (ALB, API Gateway, and AppSync).'
    Type: String
    Default: 'REGIONAL'
    AllowedValues:
    - 'REGIONAL'
    - 'CLOUDFRONT'
  # Requests per source IP in a 5-minute window before the RateLimit rule fires
  # (only used when RateLimitEffect is not 'Disable').
  RateLimit:
    Description: 'The maximum number of requests from a single IP address that are allowed in a five-minute period.'
    Type: Number
    Default: 100
    MinValue: 100
    MaxValue: 20000000
  # 'Disable' omits the rule entirely; 'Count' keeps it in monitoring mode; 'Block'
  # enforces it. Same convention for ReputationListEffect and BotControlEffect.
  RateLimitEffect:
    Description: 'Block or count requests that exceed the rate limit. Alterantively, disable rate limiting at all.'
    Type: String
    Default: 'Block'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  ReputationListEffect:
    Description: 'Block or count requests with bad reputation. Alterantively, disable reputation list at all.'
    Type: String
    Default: 'Disable'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  BotControlEffect:
    Description: 'Block or count requests from bots. Alterantively, disable bot control at all.'
    Type: String
    Default: 'Disable'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  # Up to six Bot Control rule names to demote to COUNT. An empty value means
  # "no exclusion" (see the HasBotControlExcludeRuleN conditions).
  BotControlExcludeRule1:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule2:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule3:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule4:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule5:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule6:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  # Comma-separated ISO country codes (e.g. "CN,RU"); split with Fn::Split in the
  # geo-match rule. Kept as String (not CommaDelimitedList) so it can be compared
  # against "" in the EnableGeolocation condition.
  CCodes:
    Description: "An array of two-character country codes that you want to match against"
    Type: String
    Default: ""
  # Name of the stack exporting "<KinesisStack>-KinesisArn"; only consumed by the
  # commented-out logging configuration below.
  KinesisStack:
    Description: 'Kinesis stack for WAF logging'
    Type: String
    Default: 'kinesis-waf'
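Conditions:
  # Each *Effect parameter is 'Disable' | 'Block' | 'Count'. Enable* includes the
  # rule in the web ACL; Block* selects the enforcing action, otherwise Count.
  EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
  BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
  EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
  BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
  # A non-empty BotControlExcludeRuleN adds an ExcludedRules entry (rule demoted to
  # COUNT) to the Bot Control rule group statement.
  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
  # Fixed: this condition previously tested BotControlExcludeRule5 (copy-paste), so
  # a set Rule5 with an empty Rule6 emitted an ExcludedRules entry with an empty
  # Name, and a set Rule6 with an empty Rule5 was silently ignored.
  HasBotControlExcludeRule6: !Not [!Equals [!Ref BotControlExcludeRule6, '']]
  # A non-empty CCodes list turns on the geo-match rule.
  EnableGeolocation: !Not [!Equals [!Ref CCodes, ""]]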
Resources:
  # The web ACL. Rules are evaluated in ascending Priority; priorities must be
  # unique within one web ACL, so when merging with another template (Template 2
  # below uses 0-2) renumber the imported rules instead of reusing 1-4.
  # NOTE(review): Template 2 also names its web ACL resource "WebACL" - two
  # resources with the same logical ID in one Resources map is a hard error.
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      # Requests not stopped by a terminating rule (Block/Allow) are allowed.
      DefaultAction:
        Allow: {}
      Description: !Sub 'A collection of rules for ${AWS::StackName}.'
      Name: !Ref 'AWS::StackName'
      Rules:
      # Priority 1: AWS IP reputation list. OverrideAction None keeps the managed
      # group's own (blocking) actions; Count demotes everything to monitoring.
      - !If
        - EnableReputationList
        - Name: AWSReputationList
          Priority: 1
          OverrideAction: !If
          - BlockReputationList
          - None: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSReputationList
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAmazonIpReputationList
        - !Ref 'AWS::NoValue'
      # Priority 2: per-source-IP rate limit (RateLimit requests per 5 minutes).
      - !If
        - EnableRateLimit
        - Name: RateLimit
          Priority: 2
          Statement:
            RateBasedStatement:
              Limit: !Ref RateLimit
              AggregateKeyType: IP
          Action: !If
          - BlockRateLimit
          - Block: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimit
        - !Ref 'AWS::NoValue'
      # Priority 3: Bot Control. Entries in ExcludedRules are set to COUNT inside the
      # managed group; unset parameters collapse to AWS::NoValue and are dropped.
      - !If
        - EnableBotControl
        - Name: AWSBotControl
          Priority: 3
          OverrideAction: !If
          - BlockBotControl
          - None: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSBotControl
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesBotControlRuleSet
              ExcludedRules:
              - !If [HasBotControlExcludeRule1, {Name: !Ref BotControlExcludeRule1}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule2, {Name: !Ref BotControlExcludeRule2}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule3, {Name: !Ref BotControlExcludeRule3}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule4, {Name: !Ref BotControlExcludeRule4}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule5, {Name: !Ref BotControlExcludeRule5}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule6, {Name: !Ref BotControlExcludeRule6}, !Ref 'AWS::NoValue']
        - !Ref 'AWS::NoValue'
      # Priority 4: geo match on the CCodes list.
      # NOTE(review): despite the name "restrict-country" this rule only Counts, so
      # matching requests fall through to the default Allow and nothing is
      # restricted. To enforce it use `Block: {}` here (or add a CCodesEffect
      # parameter like the other rules).
      - !If
        - EnableGeolocation
        - Name: restrict-country
          Priority: 4
          Statement:
            GeoMatchStatement:
              CountryCodes:
                Fn::Split:
                  - ","
                  - !Ref CCodes
          Action:
            Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: restrict-country
        - !Ref "AWS::NoValue"


      Scope: !Ref Scope
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: !Ref 'AWS::StackName'
        SampledRequestsEnabled: true

  # WAFLogGroup:
  #   Type: AWS::Logs::LogGroup
  #   Properties:
  #     # NOTE(review): 7 days is short for WAF security logs; raise the retention
  #     # (or rely on the Kinesis -> S3 path) so blocked/counted requests are still
  #     # available during an investigation.
  #     RetentionInDays: 7
  #     # CloudWatch log groups used as WAF destinations must be named aws-waf-logs-*.
  #     LogGroupName: aws-waf-logs-cidm

  # WafLoggingConfiguration:
  #   Type: AWS::WAFv2::LoggingConfiguration
  #   DependsOn:
  #     - WAFLogGroup
  #   Properties:
  #     ResourceArn: !GetAtt WebACL.Arn
  #     # NOTE(review): a WAFv2 logging configuration accepts a single destination in
  #     # LogDestinationConfigs, so listing both the Kinesis stream and the log group
  #     # is rejected - keep one. A Kinesis destination must also be named
  #     # aws-waf-logs-* (the ARN above is masked, so confirm this). While this block
  #     # stays commented out the web ACL emits no request logs at all; only the
  #     # CloudWatch metrics and sampled requests from VisibilityConfig remain.
  #     LogDestinationConfigs:
  #     - { "Fn::ImportValue": !Sub "${KinesisStack}-KinesisArn" }
  #     - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-cidm"

Outputs:
  # Name of this stack, convenient for cross-stack references.
  StackName:
    Description: 'Stack name.'
    Value: !Ref 'AWS::StackName'
  # ARN of the web ACL, exported as "<StackName>-WebACL" so other stacks can
  # associate it with their ALB / API Gateway / AppSync (or CloudFront) resources.
  WebACL:
    Description: 'The ARN of the Web ACL.'
    Value:
      Fn::GetAtt: [WebACL, Arn]
    Export:
      Name:
        Fn::Sub: '${AWS::StackName}-WebACL'

Template 2:

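---
# Template 2: IP allow/deny sets, a custom rule group wrapping them, and a web ACL
# that chains AWS managed rule groups in front of that custom group.
# The format version is quoted: unquoted, YAML tooling parses 2010-09-09 as a date
# rather than the string CloudFormation expects.
AWSTemplateFormatVersion: '2010-09-09'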
Resources:
  # Denylist: addresses here are blocked by the MyIPSetDenyb rule in MyIPSetRule.
  # 192.0.2.0/24 is the TEST-NET-1 documentation range, so the entry below is
  # presumably a placeholder to be replaced with real addresses.
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Addresses: ['192.0.2.44/32']
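  # Allowlist: addresses here receive an explicit Allow from the MyIPSetAllowb rule
  # in MyIPSetRule. Allow is a terminating action - a matching request skips every
  # later rule in the web ACL - so keep this set small and trusted.
  # NOTE(review): 10.0.0.0/32 is a single RFC 1918 host; confirm it is really the
  # source address WAF will see for the traffic you want to exempt.
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      # Fixed: the description was copied from the deny set and said "deny access".
      Description: IP Set to allow access from specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32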
  # Custom rule group holding the IP deny/allow rules; referenced from the web ACL
  # via RuleGroupReferenceStatement (custom-rule-group below). Deny has priority 0
  # and Allow priority 1, so an address present in both sets is blocked.
  # NOTE(review): Capacity: 1500 reserves the entire default web ACL WCU quota for
  # two IP-set rules that cost only a handful of WCUs. A referenced rule group's
  # capacity is charged against the web ACL, so this group next to
  # AWSManagedRulesCommonRuleSet and AWSManagedRulesKnownBadInputsRuleSet (let
  # alone Template 1's rules) is likely to exceed the web ACL limit unless the
  # account's quota was raised - a plausible source of the merge errors. Capacity
  # and Name both require replacement on change, and the replacement would collide
  # with the existing "MyIPSetRuleb" name, so lower it before first deployment or
  # rename the group at the same time.
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      # Must match the scope of the IP sets and of the web ACL that references it.
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 0
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetdenyb.Arn 
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        # Terminating Allow: trusted addresses bypass every later rule in the web ACL.
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

  # Web ACL for Template 2: two AWS managed rule groups first, then the custom
  # IP rule group. When merging into Template 1 note that:
  #  - the logical ID "WebACL" is already used there; one of the two must be
  #    renamed (together with every !GetAtt WebACL.Arn / output that uses it);
  #  - priorities 0-2 here overlap Template 1's 1-4 and must be made unique in
  #    the combined Rules list (e.g. continue at 5, 6, 7, or put the IP rules first
  #    if trusted IPs are meant to bypass the managed groups);
  #  - Scope and Name are hardcoded here, whereas Template 1 takes Scope from a
  #    parameter and names the ACL after the stack.
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      # Anything not stopped by a Block/Allow rule above is allowed.
      DefaultAction:
        Allow: {}
      Name: waf-acl
      Rules:
        # OverrideAction None: the managed group's own rule actions apply.
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
            
            
        - Name: BadInputRuleSet
          OverrideAction:
            None: {}
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
            SampledRequestsEnabled: true
            
            
        # Custom IP deny/allow group (MyIPSetRule). Its declared Capacity counts
        # against this web ACL's WCU limit together with the managed groups above.
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 2
          Statement:
            RuleGroupReferenceStatement:
                Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      # Must match the scope of MyIPSetRule and both IP sets (all REGIONAL).
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-acl
        SampledRequestsEnabled: true

Priority order is attached in the images.

  • masked the arn value for privacy reasons - FYI

  • Hi Riku, any update on this question? I have tried all the possible ways and still get an error.

Gowtham
