aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0
844 stars 361 forks

WAFInvalidOperationException: Operation is invalid for this entity. #118

Closed Jun711 closed 4 years ago

Jun711 commented 4 years ago

Using boto3 in Lambda, I could add an IP to the blocked IP set using the following code, but I got a WAFInvalidOperationException error when I tried to remove the IP from the blocked IP set. Has anyone experienced the same thing?

I ran the same code locally and it could run and remove the IP from the IP set. I double-checked the IAM permissions in Lambda; it does have permission to update the IP set.

An error occurred (WAFInvalidOperationException) when calling the UpdateIPSet operation: Operation is invalid for this entity.

Code:

import boto3

wafClient = boto3.client('waf')
# WAF Classic requires a fresh change token for every mutating call
changeTokenRes = wafClient.get_change_token()

wafClient.update_ip_set(
    IPSetId='ip set id',
    ChangeToken=changeTokenRes['ChangeToken'],
    Updates=[{
        'Action': 'DELETE',
        'IPSetDescriptor': {
            'Type': 'IPV4',
            'Value': ''  # CIDR of the address to remove (redacted in the original post)
        }
    }])
Jun711 commented 4 years ago

I tried again to reproduce it and got this "WAFInvalidOperationException: Operation is invalid for this entity." error when I tried to delete an IP that had already been deleted from the blocked IP set. The message "Operation is invalid for this entity." seems confusing.

Shouldn't the message be "The operation failed because there was nothing to do", according to the Java doc, unless AWS uses different messages in different languages?

https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/waf/model/WAFInvalidOperationException.html

The operation failed because there was nothing to do. For example:

You tried to remove a Rule from a WebACL, but the Rule isn't in the specified WebACL.

You tried to remove an IP address from an IPSet, but the IP address isn't in the specified IPSet.

You tried to remove a ByteMatchTuple from a ByteMatchSet, but the ByteMatchTuple isn't in the specified WebACL.

You tried to add a Rule to a WebACL, but the Rule already exists in the specified WebACL.

You tried to add a ByteMatchTuple to a ByteMatchSet, but the ByteMatchTuple already exists in the specified WebACL.
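An added example, not code from the issue or from the solution's own code base: a helper that reads the IPSet first and only issues the DELETE when the address is still present, so removing an already-removed address is a no-op instead of the WAFInvalidOperationException described above (it also accepts IPv6 addresses, which the post does not cover). FakeWafClient, the set id 'blocked-set-id' and the sample addresses are constructed stand-ins so the snippet runs offline; in practice pass a real boto3.client('waf').

```python
import ipaddress
from types import SimpleNamespace


def remove_ip_from_ipset(waf, ip_set_id, cidr):
    """Delete `cidr` from a WAF Classic IPSet only if it is still present.

    `waf` is a boto3 'waf' client (or anything with the same interface).
    Returns True when a DELETE was issued and False when the address was
    already absent, so a repeated call does not raise.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # WAF stores values as CIDRs
    descriptor = {'Type': 'IPV4' if net.version == 4 else 'IPV6', 'Value': str(net)}
    current = waf.get_ip_set(IPSetId=ip_set_id)['IPSet']['IPSetDescriptors']
    if descriptor not in current:
        return False  # nothing to do: this is what the service would reject
    token = waf.get_change_token()['ChangeToken']
    try:
        waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token,
                          Updates=[{'Action': 'DELETE', 'IPSetDescriptor': descriptor}])
    except waf.exceptions.WAFInvalidOperationException:
        # Another writer removed it between our read and our delete.
        return False
    return True


class FakeWafClient:
    """Constructed in-memory stand-in for boto3.client('waf'), not the real service."""

    class _Invalid(Exception):
        pass

    def __init__(self, descriptors):
        self.sets = {'blocked-set-id': list(descriptors)}  # constructed set id
        self.exceptions = SimpleNamespace(WAFInvalidOperationException=self._Invalid)

    def get_change_token(self):
        return {'ChangeToken': 'token-1'}

    def get_ip_set(self, IPSetId):
        return {'IPSet': {'IPSetId': IPSetId, 'IPSetDescriptors': list(self.sets[IPSetId])}}

    def update_ip_set(self, IPSetId, ChangeToken, Updates):
        for u in Updates:
            d = u['IPSetDescriptor']
            if u['Action'] == 'DELETE':
                if d not in self.sets[IPSetId]:  # mirrors the service's behaviour
                    raise self._Invalid('Operation is invalid for this entity.')
                self.sets[IPSetId].remove(d)
            else:
                self.sets[IPSetId].append(d)
        return {'ChangeToken': ChangeToken}
```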