aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Cannot update the stack when you deleted the default Web ACL #83

Closed nokiomanz closed 1 year ago

nokiomanz commented 5 years ago

Hi,

I was using the stack version from 2017. I just created a new stack at version 2.3.0.

I have my own web ACL that I use for different elements. So I modified them to use the new rules created by the new stack. I deleted the default Web ACL that was created as I won't be using it and don't want to pay for it. Everything was working just fine at that point. Then, I wanted to update the stack to modify the value for "Error Threshold".

Doing so, I get the following: UPDATE_FAILED | Custom::ConfigureWebAcl | ConfigureWebAcl | Failed to update resource. An error occurred (WAFNonexistentItemException) when calling the GetWebACL operation: The referenced item does not exist.

And the following: UPDATE_ROLLBACK_FAILED | AWS::CloudFormation::Stack | WAFSecurityAutomations | The following resource(s) failed to update: [ConfigureWebAcl].

If I ask to skip "ConfigureWebAcl" during the rollback, the rollback completes properly.

Expected behavior: In the previous version of the stack, I could delete the default Web ACL and still update the stack when I needed.

hvital commented 5 years ago

Hi @nokiomanz

For your case, I suggest changing the Threshold directly using the JSON file on S3. More details here.

The reason why it is failing to update is because the CloudFormation template is still referencing the deleted web ACL (and probably fails at this point). If you apply the changes directly to the config JSON file, this function won't be called.

Regards
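A pre-flight check for the failure described above, added here as an example and not code from the project or from anyone in this thread: before running an update, list the web ACL resources CloudFormation still records for the stack and call GetWebACL on each, so a web ACL deleted out of band is caught before the ConfigureWebAcl custom resource trips over it. The stack name WAFSecurityAutomations comes from the events quoted above; the choice between the `waf` and `waf-regional` service names is an assumption about which classic WAF endpoint the stack was deployed against.

```python
"""Check that every web ACL an aws-waf-security-automations stack references
still exists, before calling update-stack. Added example, not project code."""
import sys

NONEXISTENT = "WAFNonexistentItemException"
WEB_ACL_TYPES = ("AWS::WAF::WebACL", "AWS::WAFRegional::WebACL")


def error_code(exc):
    """AWS error code from a botocore ClientError-like exception ('' if none)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def find_web_acl_ids(cfn, stack_name):
    """Physical ids of the web ACL resources CloudFormation records for the stack.
    CloudFormation keeps the record even after the ACL is deleted out of band."""
    resp = cfn.describe_stack_resources(StackName=stack_name)
    return [r["PhysicalResourceId"] for r in resp["StackResources"]
            if r["ResourceType"] in WEB_ACL_TYPES]


def check_web_acls(cfn, waf, stack_name):
    """Map each referenced web ACL id to True (exists) or False (deleted).
    A False entry means ConfigureWebAcl's GetWebACL call will fail on update."""
    result = {}
    for acl_id in find_web_acl_ids(cfn, stack_name):
        try:
            waf.get_web_acl(WebACLId=acl_id)
            result[acl_id] = True
        except Exception as exc:  # botocore raises ClientError with .response
            if error_code(exc) != NONEXISTENT:
                raise
            result[acl_id] = False
    return result


def main(stack_name="WAFSecurityAutomations", waf_service="waf"):
    # Assumption: classic WAF, "waf" for CloudFront deployments,
    # "waf-regional" for ALB deployments (pass it as the second argument).
    import boto3
    status = check_web_acls(boto3.client("cloudformation"),
                            boto3.client(waf_service), stack_name)
    for acl_id, exists in status.items():
        print(f"{acl_id}: {'ok' if exists else 'MISSING - update will fail'}")
    return 0 if all(status.values()) else 1


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```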

nokiomanz commented 5 years ago

Hi @hvital

If I take a look into the S3 bucket I configured for the Scanner and Probes configuration file (HTTP flood is using the AWS WAF Rate-based Rule), the file AWSWAFSecurityAutomations-app_log_out.json is there but the WAFSecurityAutomations-waf_log_conf.json is not.

manali14 commented 4 years ago

We are also facing a similar issue wherein when we update the value of any cloudformation template parameter, it fails to update it and goes in UPDATE_ROLLBACK_FAILED state. This specifically happened while changing the parameter RequestThreshold used by Flood Protection Rule.

deolank commented 4 years ago

@manali14 I tried updating the stack for the RequestThreshold parameter with a new value of 2200 and was able to successfully update the stack. Can you please check if you are using a value greater than 2000 for the AWS WAF rate based rule, as mentioned in the description of the RequestThreshold parameter?

manali14 commented 4 years ago

@deolank Yes, I used a new value of 10000 to update the stack and got the following error in the Events:

Status | Status reason
UPDATE_ROLLBACK_FAILED | The following resource(s) failed to update: [ConfigureWebAcl].
UPDATE_FAILED | Failed to update resource. 'Action'

Which version of stack did you try with?

aijunpeng commented 1 year ago

Closing the old ticket. Feel free to open a new ticket if needed.