aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0
852 stars 367 forks

Build failing. Am I doing it wrong? #184

Closed RobBiddle closed 3 years ago

RobBiddle commented 3 years ago

Hello, I'm having issues with the latest version of this project.

The AWS WAF Security Automations CloudFormation stack is failing with the following Error:

Helper CREATE_FAILED Error occurred while GetObject. S3 Error Code: NoSuchBucket. S3 Error Message: The specified bucket does not exist (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: ed53f220-648a-4bdd-b42c-e517420f9608; Proxy: null)

I tested the build process using AWS CloudShell and the following commands based on the Readme for this project:

# Build tooling (the package list follows the project Readme)
sudo yum install awscli python3 python-pip python3-pip python3-pytest python-logilab-common zip
cd ~/
git clone https://github.com/awslabs/aws-waf-security-automations.git
cd ~/aws-waf-security-automations/deployment

# Build inputs; the two bucket names are deliberately identical here, the
# regional bucket gets the "-$AWS_REGION" suffix below
export TEMPLATE_OUTPUT_BUCKET=robertbiddle-test-aws-waf-deployment
export DIST_OUTPUT_BUCKET=robertbiddle-test-aws-waf-deployment
export SOLUTION_NAME="aws-waf-security-automations"
export VERSION=1
export AWS_REGION=us-west-2

### CREATE BUCKETS
# Global (template) bucket and regional (Lambda code) bucket, both readable by anyone
# because of --acl public-read
aws s3api create-bucket --bucket "$TEMPLATE_OUTPUT_BUCKET" --region "$AWS_REGION" --create-bucket-configuration LocationConstraint="$AWS_REGION" --acl public-read
aws s3api create-bucket --bucket "$DIST_OUTPUT_BUCKET-$AWS_REGION" --region "$AWS_REGION" --create-bucket-configuration LocationConstraint="$AWS_REGION" --acl public-read

# Build the templates and Lambda packages into global-s3-assets/ and regional-s3-assets/
chmod +x ./build-s3-dist.sh && ./build-s3-dist.sh "$TEMPLATE_OUTPUT_BUCKET" "$DIST_OUTPUT_BUCKET" "$SOLUTION_NAME" "$VERSION"
cd ~/aws-waf-security-automations/

# Upload templates to the global bucket and code packages to the regional bucket,
# under the <solution>/<version>/ prefix the templates reference
aws s3 cp ./deployment/global-s3-assets "s3://$TEMPLATE_OUTPUT_BUCKET/aws-waf-security-automations/$VERSION" --recursive --acl public-read
aws s3 cp ./deployment/regional-s3-assets "s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/aws-waf-security-automations/$VERSION" --recursive --acl public-read

It looks like the build was successful, and all of the files appear to be in the buckets. Any assistance/guidance provided is much appreciated.

Thanks, Rob

RobBiddle commented 3 years ago

Figured out my issue.

I was thinking that the build script was substituting the AWS_REGION variable into the template, since that is what it does with the other environment variables; however, that is not the case. The template uses the CloudFormation intrinsic function to reference the Region from the stack.

TL;DR: You can't deploy the resources in one region and deploy the CFN stack in a different region.
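A pre-flight check for the mistake described in this thread, added here as an example and not taken from the issue or from the project's own scripts. It assumes, as the discussion implies, that the stack resolves its code bucket as "<DIST_OUTPUT_BUCKET>-<AWS::Region>" (where AWS::Region is the region the stack is launched in, not the region the build ran in) and its asset keys as "<SOLUTION_NAME>/<VERSION>/<file>". The function names, the sample asset file name and the argument layout are all constructed for the example; the live check uses only `aws s3api head-bucket` and `aws s3api head-object`, so it needs credentials and the AWS CLI on PATH, while the name-resolution helpers run offline.

```bash
#!/usr/bin/env bash
# Added example: verify that the bucket and key a CloudFormation stack will
# resolve for its Lambda code actually exist before launching the stack.
# Assumption (not confirmed by the page): the template builds the bucket name
# as "<dist bucket>-<AWS::Region>" and the key as "<solution>/<version>/<file>".
set -u

# Bucket name the stack will resolve. The region is the STACK's region,
# because AWS::Region is evaluated by CloudFormation, not by the build script.
regional_bucket() {
  local dist_bucket="$1" stack_region="$2"
  printf '%s-%s\n' "$dist_bucket" "$stack_region"
}

# Key of one asset under the solution prefix.
asset_key() {
  local solution="$1" version="$2" file="$3"
  printf '%s/%s/%s\n' "$solution" "$version" "$file"
}

# 0 when the region the assets were uploaded to matches the stack region.
regions_match() {
  [ "$1" = "$2" ]
}

# preflight DIST_BUCKET SOLUTION VERSION BUILD_REGION STACK_REGION FILE
# Fails fast on a region mismatch (no AWS call needed), otherwise heads the
# resolved bucket and object so a NoSuchBucket/NoSuchKey shows up here rather
# than as a CREATE_FAILED on the Helper custom resource.
preflight() {
  local dist_bucket="$1" solution="$2" version="$3"
  local build_region="$4" stack_region="$5" file="$6"
  local bucket key
  bucket=$(regional_bucket "$dist_bucket" "$stack_region")
  key=$(asset_key "$solution" "$version" "$file")

  if ! regions_match "$build_region" "$stack_region"; then
    echo "stack region $stack_region != build region $build_region;" \
         "the stack will look in s3://$bucket, which was never populated" >&2
    return 1
  fi
  if ! aws s3api head-bucket --bucket "$bucket" --region "$stack_region" >/dev/null 2>&1; then
    echo "missing bucket: $bucket" >&2
    return 1
  fi
  if ! aws s3api head-object --bucket "$bucket" --key "$key" --region "$stack_region" >/dev/null 2>&1; then
    echo "missing object: s3://$bucket/$key" >&2
    return 1
  fi
  echo "ok: s3://$bucket/$key"
}

# Usage (values from the thread; "some-asset.zip" is a placeholder file name):
#   preflight robertbiddle-test-aws-waf-deployment aws-waf-security-automations 1 us-west-2 us-west-2 some-asset.zip
```

Run it with the build region and the region you are about to pass to `aws cloudformation create-stack`; the mismatch case in this thread (assets in us-west-2, stack elsewhere) is rejected before any S3 call is made.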