1. AWS::WAFv2::WebACLAssociation
This CloudFormation resource allows associating resources with a Web ACL. Find details below on a scenario where it fails to create the association with permission errors.
2. Scope of request
Found a bug with deploying the WAF association resource in a specific scenario. Whenever the resource is deployed into a CloudFormation stack without a role ARN, it works as expected, but if deployed into a CloudFormation stack with an IAM Role with all the required permissions, it fails with the error below:
State: CREATE_FAILED
User: arn:aws:sts::050190566102:assumed-role/samplerole/AWSCloudFormation is not authorized to perform: elasticloadbalancing:SetWebACL on resource: arn:aws:elasticloadbalancing:us-east-1:XXXXXXXXX:loadbalancer/app/webacltest/XXXXXXX (Service: Wafv2, Status Code: 400, Request ID: aaac1c22-f18f-47e9-aa45-6313c8b7da21)
Can someone please confirm the above by reproducing it? I have reproduced this multiple times with other peers in my org.