Closed tbgbeansbot closed 3 months ago
Hi, thanks for reporting this issue. We're going to look into it.
Hi, unfortunately I was not able to reproduce the issue. I deployed v3.2.5 in multiple configurations and multiple regions, and every time the upgrade to the latest v4.0.x worked fine.
https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations.template
into the url field.
Is there anything you're doing differently?
Hi, I'm afraid not, that is the exact same process we use.
I believe we might have had this template deployed in the past with this name and then deleted it. We are now trying to deploy with that same name; it seems to struggle with anything over v3.2.5.
It's as if the old version wasn't removed fully somehow - but it has gone from the CloudFormation console/CLI exports.
Could there be anywhere else we would be checking where old things could be? Or could we remove the validation check (if possible) for AppAccessLogBucket?
Hi, can you verify two things for me please?
waf-dr-eu2-stack the name of your existing stack that you're trying to update?
AppAccessLogBucket and the value of waf-dr-eu2-stack-AppAccessLogBucket? (AWS Cloudformation Console -> Select Stack -> Tab "Outputs")
If that is the case, you might be able to work around the problem using the following steps:
Please be aware that during steps 1 to 3, the Scanner/Probe protection feature is temporarily disabled. Consider the security implications of this and proceed at your own risk.
Hi,
The output has AppAccessLogBucket with the value of my S3 bucket tbg-waf-eu2-logs-dr. I tried anyway and could remove Custom Rule - Scanner & Probes, which worked fine, but then I still could not upgrade to v4 latest as it came with another error. I was then unable to roll back and add Custom Rule - Scanner & Probes back in, so I had to delete the whole stack and recreate it again on v3.2.5.
I did try the following though. I created a new WAF with template 3.2.5 and called it waf123 with all the same settings; this deployed successfully. I then upgraded it to v4.0.3 and it deployed successfully.
So it seems only when using the stack name waf-dr-eu2-stack does it not allow me to upgrade for some reason?
Unfortunately I do need to keep the name waf-dr-eu2-stack for the time being for some downstream automation based on the name. Not sure why using the name waf-dr-eu2-stack would be an issue?
Hi, I'm sorry to hear that. I don't have any plausible explanation why there would be an update issue with one specific stack name. Since you already deleted and recreated the stack, you should be able to do the same and install the latest version instead of v3.2.5, right?
It sounds like this is not an issue with the aws-waf-security-automations solution, but rather some state your AWS account is in, so I'm going to close this bug ticket. If you have an AWS Support plan, feel free to create a support request with AWS Support, who are able to look at your actual account.
For anyone who comes across this: I had to log a tech support request for the internal CloudFormation team to remove stale exports in my account - something that as an end user you cannot see, nor do anything about.
Describe the bug
Whenever I try to update the template to v4.0 or above I get the following error message:
Export with name waf-dr-eu2-stack-AppAccessLogBucket is already exported by stack waf-dr-eu2-stack
CloudFormation exports in the console and CLI have been checked and are empty.
To Reproduce
Deploy v3.2.5 - ALB solution in eu-west-2.
Upgrade in the console to any template of v4 or above.
Expected behavior
Upgrade happens without errors.