aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::WAFv2::WebACLAssociation [BUG] #386

Closed philipakash closed 3 years ago

philipakash commented 4 years ago

1. AWS::WAFv2::WebACLAssociation

This CloudFormation resource allows associating resources with a Web ACL. Find details below on a scenario where it fails to create the association with permission errors.

2. Scope of request

Found a bug with deploying the WAF association resource in a specific scenario. Whenever the resource is deployed into a CloudFormation stack without a role ARN, it works as expected, but if deployed into a CloudFormation stack with an IAM Role with all the required permissions, it fails with the below error:

State: CREATE_FAILED

User: arn:aws:sts::050190566102:assumed-role/samplerole/AWSCloudFormation is not authorized to perform: elasticloadbalancing:SetWebACL on resource: arn:aws:elasticloadbalancing:us-east-1:XXXXXXXXX:loadbalancer/app/webacltest/XXXXXXX (Service: Wafv2, Status Code: 400, Request ID: aaac1c22-f18f-47e9-aa45-6313c8b7da21)

Can someone please confirm the above by reproducing it? I have reproduced this multiple times with other peers in my org.

AgentO3 commented 4 years ago

We are having the same problem.

jerechenamz commented 3 years ago

This issue should've been fixed long ago as I'm not able to reproduce the error. Can you please confirm?