aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Fail to create TimerBlackV4, WAFWhitelistSetV4 #177

Closed chrjoh closed 3 years ago

chrjoh commented 3 years ago

Describe the bug: Trying to deploy the template. After building it with Docker and pushing it to the S3 bucket, I go to CloudFormation and load the template. The build goes fine until the IP set lists are to be created; then I get the following error:

Embedded stack arn:aws:cloudformation:eu-central-1:***********:stack/waf2-test-WebACLStack-14021FAZ806QF/3a466de0-0ed1-11eb-8c9f-0287a5438d00 was not successfully created: The following resource(s) failed to create: [TimerBlackV4, WAFWhitelistSetV4].

To Reproduce: Build a distribution with Docker (Dockerfile):

FROM alpine:3.9

RUN apk update

# Install base and dev packages
# (no packages are listed after --virtual, so this line creates an empty
# virtual package and installs nothing)
RUN apk add --no-cache --virtual .build-deps
RUN apk add bash

# Install build packages
RUN apk add make && apk add curl && apk add openssh

# install npm package handler
RUN apk add nodejs-npm

# Install zip
RUN apk add zip

# Install nodejs
RUN apk add nodejs

# Set timezone to UTC by default
RUN ln -sf /usr/share/zoneinfo/Etc/UTC /etc/localtime

# Install aws-cli and the Python test dependencies used by run-unit-tests.sh
RUN apk -Uuv add groff less python3 py3-pip py-pip python
RUN pip3 install pytest
RUN pip3 install requests
RUN pip3 install boto3 freezegun
RUN pip3 install awscli
RUN apk --purge -v del py3-pip
RUN rm /var/cache/apk/*

# Copy the repository checkout into the image; the solution's scripts live in /deployment
COPY . .

WORKDIR /deployment

# Build settings consumed by build-s3-dist.sh and init.sh.
# DIST_OUTPUT_BUCKET is the bucket name prefix; the regional bucket is "<prefix>-<region>".
ENV AWS_REGION eu-central-1
ENV VERSION 3.0.0
ENV SOLUTION_NAME waf-v2
ENV DIST_OUTPUT_BUCKET waf-source
ENV TEMPLATE_OUTPUT_BUCKET waf-source-eu-central-1

# Only the execute bit is needed; 777 would also make the scripts world-writable
RUN chmod +x run-unit-tests.sh
RUN ./run-unit-tests.sh
RUN chmod +x build-s3-dist.sh
RUN chmod +x init.sh
RUN ./build-s3-dist.sh $TEMPLATE_OUTPUT_BUCKET $DIST_OUTPUT_BUCKET $SOLUTION_NAME $VERSION

# Running the container uploads the built assets (see init.sh)
ENTRYPOINT ["./init.sh"]

init.sh:

#!/bin/bash

# Upload the global assets (CloudFormation templates) to the template bucket
aws s3 cp ./global-s3-assets s3://$TEMPLATE_OUTPUT_BUCKET/$SOLUTION_NAME/$VERSION --recursive --acl bucket-owner-full-control
# Upload the regional assets (Lambda packages) to the "<prefix>-<region>" bucket
aws s3 cp ./regional-s3-assets s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/$SOLUTION_NAME/$VERSION --recursive --acl bucket-owner-full-control

Expected behavior: The IP set lists should be created.

Please complete the following information about the solution:

(SO0006) - AWS WAF Security Automations 3.0.0: This AWS CloudFormation template helps you provision the AWS WAF Security Automations stack without worrying about creating and configuring the underlying AWS infrastructure. **WARNING** This template creates multiple AWS Lambda functions, an AWS WAFv2 Web ACL, an Amazon S3 bucket, and an Amazon CloudWatch custom metric. You will be billed for the AWS resources used if you create a stack from this template.
chrjoh commented 3 years ago

Found the issue: I was deploying a CloudFront WAF, and it seems that you can only deploy a global WAF in the us-east-1 region and not in eu-central-1.

aijunpeng commented 3 years ago

That is correct. As documented in the deployment guide, if you choose CLOUDFRONT as your endpoint, you must create your WAFV2 resources in the US East (N. Virginia) Region, us-east-1.
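A pre-flight check that catches this misconfiguration before CloudFormation spends time creating and rolling back the stack, as an added example (not one of the solution's own scripts). It assumes the endpoint values CLOUDFRONT and ALB as used by the template's endpoint parameter, and the bucket naming convention from init.sh above.

```shell
#!/bin/bash
# Added pre-flight check for aws-waf-security-automations deployments.
# CLOUDFRONT-scoped WAFv2 resources (web ACL, IP sets) can only be created
# in us-east-1, so deploying the template with that endpoint in any other
# region fails exactly as reported in this issue.

# waf_scope_region_ok ENDPOINT REGION -> exit status 0 if the pair is deployable
waf_scope_region_ok() {
    endpoint=$1
    region=$2
    case "$endpoint" in
        CLOUDFRONT)
            # Global (CloudFront) scope is pinned to N. Virginia.
            [ "$region" = "us-east-1" ]
            ;;
        ALB)
            # REGIONAL scope: any region where WAFv2 is available;
            # here we only require that a region was supplied.
            [ -n "$region" ]
            ;;
        *)
            return 2
            ;;
    esac
}

# Map the template endpoint to the --scope value the AWS CLI expects, e.g.
# "aws wafv2 list-ip-sets --scope $(waf_scope_for_endpoint ALB) --region eu-central-1".
waf_scope_for_endpoint() {
    case "$1" in
        CLOUDFRONT) echo "CLOUDFRONT" ;;
        ALB)        echo "REGIONAL" ;;
        *)          return 2 ;;
    esac
}

# The regional asset bucket init.sh uploads to: "<DIST_OUTPUT_BUCKET>-<AWS_REGION>".
# Assumed helper so the same check can confirm the bucket name the template will read.
regional_bucket_name() {
    echo "$1-$2"
}

# Example call mirroring the failing report: CLOUDFRONT endpoint in eu-central-1.
if ! waf_scope_region_ok CLOUDFRONT eu-central-1; then
    echo "refusing deploy: CLOUDFRONT endpoint requires AWS_REGION=us-east-1" >&2
fi
```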