aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Unable to deploy the template more than once in the same region and same account #150

Closed obounaim closed 1 year ago

obounaim commented 4 years ago

Describe the bug I am unable to deploy the template more than once in the same region and same account. After successfully creating the first stack, trying to create a second stack will get rolled back because of conflicting resources with the first stack.

To Reproduce The issue can be easily reproduced following the steps below:

  1. Create a first stack from the template
  2. Create a second stack from the same template (Will fail)

Expected behavior It should be possible to use the template to deploy more than one WebACL in the same account and the same region.

Please complete the following information about the solution:

aijunpeng commented 4 years ago

Thank you for reporting the issue. We have added it to our backlog and it will be addressed in future releases.

aijunpeng commented 4 years ago

Can you please provide screenshots of the input parameters/values for both stacks? And what error messages are you getting? Thanks!

obounaim commented 4 years ago

Please find below the input values:

  ActivateAWSManagedRulesParam: no
  ActivateBadBotProtectionParam: yes
  ActivateCrossSiteScriptingProtectionParam: yes
  ActivateHttpFloodProtectionParam: yes - Amazon Athena log parser
  ActivateReputationListsProtectionParam: no
  ActivateScannersProbesProtectionParam: yes - Amazon Athena log parser
  ActivateSqlInjectionProtectionParam: yes
  AppAccessLogBucket: waf-accesslog
  EndpointType: ALB
  ErrorThreshold: 200
  KeepDataInOriginalS3Location: Yes
  RequestThreshold: 200
  WAFBlockPeriod: 240

The sub-stack FirehoseAthenaStack is failing due to some hard-coded values. For example the value "WAFAddPartitionAthenaQueryWorkGroup" is hard-coded into the resource name.

  WAFAddPartitionAthenaQueryWorkGroup:
    Type: AWS::Athena::WorkGroup
    Condition: AthenaLogParser
    Properties:
      Name: WAFAddPartitionAthenaQueryWorkGroup
      Description: Athena WorkGroup for adding Athena partition queries used by AWS WAF Security Automations Solution
      State: ENABLED
      RecursiveDeleteOption: true
      WorkGroupConfiguration:
        PublishCloudWatchMetricsEnabled: true

aijunpeng commented 3 years ago

Thanks for the information! We will address the issue in next release.

kunal999 commented 2 years ago

While it seems the WAFAddPartitionAthenaQueryWorkGroup resource name has been changed to a custom name, the name for the other Athena query work group, WAFAppAccessLogAthenaQueryWorkGroup, has still not been customized.

aijunpeng commented 2 years ago

Thanks for the comment. Though the names can be made dynamic, we have evaluated this request and decided not to support multiple deployments in the same region and account in the out-of-box solution at this time. Feel free to download the source code and apply your own customization as needed.

diimpp commented 2 years ago

Seems to be related to https://github.com/awslabs/aws-waf-security-automations/pull/218

peterabbott commented 1 year ago

Thanks for the comment. Though the names can be made dynamic, we have evaluated this request and decided not to support multiple deployments in the same region and account in the out-of-box solution at this time. Feel free to download the source code and apply your own customization as needed.

A strange response. You parameterised WAFAddPartitionAthenaQueryWorkGroup but not WAFAppAccessLogAthenaQueryWorkGroup, which is in the same file. Seems like an easy fix regardless of whether you want to support it or not.
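
Added example, not code from the project or from anyone in this thread: a small Python lint for the hard-coded physical name problem described in the FirehoseAthenaStack snippet above and in the comment about WAFAppAccessLogAthenaQueryWorkGroup. It runs over a constructed template modelled on the two work groups, flags the literal Name, and shows one way to make it per-stack with Fn::Sub and AWS::StackName (the hyphenated naming scheme is an assumption).

```python
"""Lint for the bug class in this issue: a CloudFormation resource whose physical
name is a hard-coded literal collides with itself when the template is deployed
twice in one account and region. Hypothetical helper, not part of
aws-waf-security-automations; the template below is constructed for the demo."""
import copy

# Resource types whose physical name must be unique per account and region,
# mapped to the property carrying it (assumed list; extend for your templates).
NAME_PROPERTY = {"AWS::Athena::WorkGroup": "Name"}

# Constructed sample modelled on the issue: one work group still hard-coded,
# the other already made per-stack with Fn::Sub and the stack name.
SAMPLE_TEMPLATE = {"Resources": {
    "WAFAppAccessLogAthenaQueryWorkGroup": {
        "Type": "AWS::Athena::WorkGroup", "Condition": "AthenaLogParser",
        "Properties": {"Name": "WAFAppAccessLogAthenaQueryWorkGroup",
                       "State": "ENABLED"}},
    "WAFAddPartitionAthenaQueryWorkGroup": {
        "Type": "AWS::Athena::WorkGroup", "Condition": "AthenaLogParser",
        "Properties": {"Name": {"Fn::Sub":
                                "${AWS::StackName}-WAFAddPartitionAthenaQueryWorkGroup"},
                       "State": "ENABLED"}},
}}

def hard_coded_names(template):
    """Return [(logical_id, literal)] for resources whose name is a plain string.
    An intrinsic such as {"Fn::Sub": ...} or {"Ref": ...} is a dict, so it passes:
    its value is resolved per stack."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        prop = NAME_PROPERTY.get(res.get("Type"))
        name = res.get("Properties", {}).get(prop) if prop else None
        if isinstance(name, str):
            findings.append((logical_id, name))
    return findings

def parameterize_names(template):
    """Return a copy where each flagged literal becomes
    '${AWS::StackName}-<literal>' via Fn::Sub, giving every stack its own
    work group. The hyphenated scheme is an assumption, not the project's."""
    fixed = copy.deepcopy(template)
    for logical_id, literal in hard_coded_names(template):
        res = fixed["Resources"][logical_id]
        res["Properties"][NAME_PROPERTY[res["Type"]]] = {
            "Fn::Sub": "${AWS::StackName}-" + literal}
    return fixed
```

Running hard_coded_names on the sample reports only WAFAppAccessLogAthenaQueryWorkGroup; after parameterize_names the same check returns nothing.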

aijunpeng commented 1 year ago

Will revisit this. Thanks!

aijunpeng commented 1 year ago

This issue has been addressed in version >= 4.0.0.