aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Unable to upgrade from v3.2.5 to v4.x #268

Closed tbgbeansbot closed 3 months ago

tbgbeansbot commented 3 months ago

Describe the bug

Whenever I try to update the template to v4.0 or above, I get the following error message:

Export with name waf-dr-eu2-stack-AppAccessLogBucket is already exported by stack waf-dr-eu2-stack

CloudFormation exports in the console and CLI have been checked and are empty.

To Reproduce

Deploy v3.2.5 (ALB solution) in eu-west-2, then upgrade in the console to any template of v4 or above.

Expected behavior

Upgrade happens without errors.


tbelmega commented 3 months ago

Hi, thanks for reporting this issue. We're going to look into it.

tbelmega commented 3 months ago

Hi, unfortunately I was not able to reproduce the issue. I deployed v3.2.5 in multiple configurations and multiple regions, and every time the upgrade to the latest v4.0.x worked fine.

Is there anything you're doing differently?

tbgbeansbot commented 3 months ago

Hi, I'm afraid not, that is the exact same process we use.

I believe we might have had this template deployed in the past with this name and then deleted it. We are now trying to deploy with that same name; it seems to struggle with anything over v3.2.5.

It's as if the old version wasn't removed fully somehow, but it has gone from the CloudFormation console/CLI exports.

Could there be anywhere else we should be checking where old things could be? Or could we remove the validation check (if possible) for AppAccessLogBucket?

tbelmega commented 3 months ago

Hi, can you verify two things for me please?

  1. Is waf-dr-eu2-stack the name of your existing stack that you're trying to update?
  2. Does this stack have an output with the key AppAccessLogBucket and the value of waf-dr-eu2-stack-AppAccessLogBucket? (AWS Cloudformation Console -> Select Stack -> Tab "Outputs")

If that is the case, you might be able to work around the problem using the following steps:

  1. Update the stack with the existing template (v3.2.5) and change the input parameter "Custom Rule - Scanner & Probes / Activate Scanner & Probe Protection" temporarily to "no". This update will remove the problematic export from the stack.
  2. Now update the stack with the new template version (v4.0.3).
  3. Finally update the stack again with the existing template (v4.0.3) setting the input parameter back to the original value, in order to re-activate the Scanner/Probe protection feature.

Please be aware that during steps 1 to 3, the Scanner/Probe protection feature is temporarily disabled. Consider the security implications of this and proceed at your own risk.

tbgbeansbot commented 3 months ago

Hi

The output has AppAccessLogBucket with the value of my S3 bucket tbg-waf-eu2-logs-dr. I tried anyway and could remove Custom Rule - Scanner & Probes, which worked fine, but then I still could not upgrade to v4 latest as it came with another error. I was then unable to roll back and add Custom Rule - Scanner & Probes back in, so I had to delete the whole stack and recreate it again on v3.2.5.

I did try the following though. I created a new WAF with template 3.2.5 and called it waf123 with all the same settings; this deployed successfully. I then upgraded it to v4.0.3 and it deployed successfully.

So it seems only when using the stack name waf-dr-eu2-stack does it not allow me to upgrade, for some reason??

Unfortunately I do need to keep the name waf-dr-eu2-stack for the time being for some downstream automation based on the name. Not sure why using the name waf-dr-eu2-stack would be an issue??

tbelmega commented 3 months ago

Hi, I'm sorry to hear that. I don't have any plausible explanation why there would be an update issue with one specific stack name. Since you already deleted and recreated the stack, you should be able to do the same and install the latest version instead of v3.2.5, right?

It sounds like this is not an issue with the aws-waf-security-automations solution, but rather some state your AWS account is in, so I'm going to close this bug ticket. If you have an AWS Support plan, feel free to create a support request with AWS Support, who are able to look at your actual account.

tbgbeansbot commented 2 weeks ago

For anyone who comes across this: I had to log a tech support request for the internal CloudFormation team to remove stale exports in my account, something that as an end user you cannot see, nor do anything about.
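A pre-check for the export collision discussed in this thread, added here as example code that is not part of the solution or of any comment: it takes the JSON that `aws cloudformation list-exports` and `aws cloudformation describe-stacks` print (constructed samples below, with a placeholder account id) and reports whether the `<StackName>-AppAccessLogBucket` export exists and whether the stack that owns it is still live or has been deleted. It assumes the export naming shown in the error message above; it can only see exports the API returns, so an export hidden from the API, as in the last comment, still needs AWS Support.

```python
import json

ACCOUNT = "123456789012"  # constructed placeholder account id
STACK_NAME = "waf-dr-eu2-stack"


def expected_export_name(stack_name: str) -> str:
    # The v3.2.5 template exports the log bucket as "<StackName>-AppAccessLogBucket"
    # (naming rule assumed from the error message quoted in this thread).
    return f"{stack_name}-AppAccessLogBucket"


def stack_name_from_arn(stack_arn: str) -> str:
    # Stack ids are ARNs of the form arn:aws:cloudformation:<region>:<account>:stack/<name>/<uuid>
    return stack_arn.split("/")[1]


def check_export(stack_name: str, list_exports_json: str, describe_stacks_json: str) -> dict:
    """Describe the state of the stack's AppAccessLogBucket export: live, stale or absent."""
    wanted = expected_export_name(stack_name)
    exports = json.loads(list_exports_json).get("Exports", [])
    stacks = json.loads(describe_stacks_json).get("Stacks", [])
    live_ids = {s["StackId"] for s in stacks if s["StackStatus"] != "DELETE_COMPLETE"}
    for exp in exports:
        if exp["Name"] != wanted:
            continue
        owner = exp["ExportingStackId"]
        return {
            "export": wanted,
            "value": exp["Value"],
            "owner": stack_name_from_arn(owner),
            # live: the owning stack still exists (the v3.2.5 export the workaround removes)
            # stale: no stack with that id exists any more, yet the export lingers
            "status": "live" if owner in live_ids else "stale",
            "same_stack": stack_name_from_arn(owner) == stack_name,
        }
    return {"export": wanted, "value": None, "owner": None, "status": "absent", "same_stack": False}


# Constructed samples in the shape of the two CLI commands' JSON output.
LIVE_ARN = f"arn:aws:cloudformation:eu-west-2:{ACCOUNT}:stack/{STACK_NAME}/11111111-1111-1111-1111-111111111111"
OLD_ARN = f"arn:aws:cloudformation:eu-west-2:{ACCOUNT}:stack/{STACK_NAME}/22222222-2222-2222-2222-222222222222"
STACKS = json.dumps({"Stacks": [{"StackId": LIVE_ARN, "StackName": STACK_NAME, "StackStatus": "UPDATE_COMPLETE"}]})
EXPORTS_LIVE = json.dumps({"Exports": [{"ExportingStackId": LIVE_ARN, "Name": f"{STACK_NAME}-AppAccessLogBucket", "Value": "tbg-waf-eu2-logs-dr"}]})
EXPORTS_STALE = json.dumps({"Exports": [{"ExportingStackId": OLD_ARN, "Name": f"{STACK_NAME}-AppAccessLogBucket", "Value": "tbg-waf-eu2-logs-dr"}]})
EXPORTS_NONE = json.dumps({"Exports": []})

if __name__ == "__main__":
    for label, exports in [("live", EXPORTS_LIVE), ("stale", EXPORTS_STALE), ("none", EXPORTS_NONE)]:
        print(label, check_export(STACK_NAME, exports, STACKS))
```

A "stale" result means the export still references a stack id that no longer exists, which is the case the reporter needed AWS Support to clear; a "live" result on the stack's own id is the normal v3.2.5 state that the parameter toggle in the workaround removes.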