aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

waf2: adding logging configuration fails to deploy. #18619

Closed Raghunath-SK closed 2 years ago

Raghunath-SK commented 2 years ago

Hi,

I'm using CDK version 1.139.0, and I had a WAF added in my previous deployment. Now I tried to add the logging configuration for that WAF, so I added the below code in CDK and generated the template.

```typescript
new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the webAcl using its code reference.
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
```

Note: I have already created the log group for WAF, named aws-waf-logs-for-app (which has the expected prefix needed for WAF).

After synthesizing/generating the template I ran cdk deploy to update the CloudFormation stack.

List of policies I have already attached to CloudFormation:

'wafv2:AssociateWebACL', 'wafv2:CreateWebACL', 'wafv2:DeleteWebACL', 'wafv2:DescribeManagedRuleGroup', 'wafv2:DisassociateWebACL', 'wafv2:Get', 'wafv2:List', 'wafv2:UpdateWebACL', 'wafv2:GetLoggingConfiguration', 'wafv2:ListLoggingConfiguration', 'wafv2:PutLoggingConfiguration', 'wafv2:DeleteLoggingConfiguration', 'cloudwatch:DeleteAlarms', 'cloudwatch:Describe*', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:GetDashboard', 'cloudwatch:ListDashboards', 'cloudwatch:PutDashboard', 'cloudwatch:DeleteDashboards', 'cloudwatch:GetMetricData', 'cloudwatch:GetMetricStatistics', 'cloudwatch:ListMetrics', 'cloudwatch:PutMetricAlarm', 'cloudwatch:PutMetricData', and other policies for other resources.

But my CloudFormation deployment fails on the logging configuration for WAF and displays the below error on the CloudFormation events page.

Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)

Note: In the above error I have modified the values of the Request ID and RequestToken. I believe I have given the needed policies to CloudFormation.

Is it a bug in CDK? Did CDK fail to create a role needed for this? Can someone help me with this?

Reproduction Steps

Try to add the WAF and the logging configuration for the WAF in CDK and run cdk deploy.

```typescript
// CDK v1 imports (the snippet as posted omitted them).
import { RemovalPolicy } from '@aws-cdk/core';
import { LogGroup } from '@aws-cdk/aws-logs';
import { CfnLoggingConfiguration, CfnWebACL } from '@aws-cdk/aws-wafv2';

// `scope`, `serviceRateLimit` (a CfnParameter), `region` and `accountId`
// are defined elsewhere in the stack and are not shown in the report.
const webAcl = new CfnWebACL(scope, 'CfnWebAcl', {
  description: 'description',
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'dev-webacl-metrics',
    sampledRequestsEnabled: true,
  },
  rules: [
    {
      name: 'demo-rate-limit-rule',
      action: { block: {} },
      priority: 0,
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'dev-rate-limit-metrics',
        sampledRequestsEnabled: false,
      },
      statement: {
        rateBasedStatement: {
          aggregateKeyType: 'IP',
          limit: serviceRateLimit.valueAsNumber,
        },
      },
    },
  ],
});

// WAF requires CloudWatch Logs destinations to be named with the aws-waf-logs- prefix.
const logGroup = new LogGroup(scope, 'CfnWebAclLogGroup', {
  logGroupName: 'aws-waf-logs-for-app',
  removalPolicy: RemovalPolicy.RETAIN,
});

new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the webAcl using its code reference.
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
```

What did you expect to happen?

It should deploy without any errors, as I suspect I have added the necessary policies needed for AWS CloudFormation to deploy the above code.

What actually happened?

My CloudFormation deployment fails on the logging configuration for WAF and displays the below error on the CloudFormation events page.

Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)

Note: In the above error I have modified the values of the Request ID and RequestToken.

CDK CLI Version

1.139.0

Framework Version

No response

Node.js Version

12.13.0

OS

Windows, Mac

Language

Typescript

Language Version

Typescript - 3.9.7

Other information

No response

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

danw-mpl commented 2 years ago

@Raghunath-SK Did you find a solution to this? I'm also having this problem with an S3 bucket.

Raghunath-SK commented 2 years ago

@danw-mpl Yes, I did find what I was missing. I had missed adding some policies earlier, and since the error in the CloudFormation deployment was very generic (not many details), I couldn't figure it out earlier. Since I was using CloudWatch Logs for WAF logging, I added the below policies and the deployment went well ('logs:CreateLogGroup', 'logs:DeleteLogGroup', 'logs:DescribeLogGroups', 'logs:PutRetentionPolicy', 'logs:GetLogEvents', 'logs:PutLogEvents', 'logs:CreateLogDelivery', 'logs:PutResourcePolicy', 'logs:DescribeResourcePolicies').

Not sure whether these help you, as you are trying with S3. Maybe adding some S3 policies should help, I guess.

danw-mpl commented 2 years ago

I was just trying some of the IAM policies listed here https://docs.aws.amazon.com/waf/latest/developerguide/logging-s3.html and I've got it working.

I was going wrong by providing partial ARNs in the IAM policy. By using '*', it works.

pradoz commented 2 years ago

> I added these below policies and the deployment went well ('logs:CreateLogGroup', 'logs:DeleteLogGroup', 'logs:DescribeLogGroups', 'logs:PutRetentionPolicy', 'logs:GetLogEvents', 'logs:PutLogEvents', 'logs:CreateLogDelivery', 'logs:PutResourcePolicy', 'logs:DescribeResourcePolicies').

I'm currently having this issue and the error persists in the AWS Console. Could you please elaborate on where you attached these IAM policies? @Raghunath-SK

Raghunath-SK commented 2 years ago

> I added these below policies and the deployment went well ('logs:CreateLogGroup', 'logs:DeleteLogGroup', 'logs:DescribeLogGroups', 'logs:PutRetentionPolicy', 'logs:GetLogEvents', 'logs:PutLogEvents', 'logs:CreateLogDelivery', 'logs:PutResourcePolicy', 'logs:DescribeResourcePolicies').
>
> I'm currently having this issue and the error persists in the AWS Console. Could you please elaborate on where you attached these IAM policies? @Raghunath-SK

I was deploying the WAF resource and other resources through AWS CloudFormation, so I added those above policies to the CloudFormation service role. (AWS CloudFormation was using this service role to deploy the resources.)
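As an added example (not from this thread or the aws-cdk project) of the resolution above: the logs permissions from Raghunath-SK's comment expressed as a policy document for the CloudFormation service role, with the log-group-scoped actions restricted to the aws-waf-logs- log group and the delivery/resource-policy actions on "*", which is the partial-ARN pitfall danw-mpl described. The function names, the split between scoped and "*" actions, and the sample region/account are my assumptions.

```typescript
// Added example: builds the IAM policy the CloudFormation service role needs for
// WAF logging to CloudWatch Logs. Not code from the aws-cdk project or this thread.

interface Statement {
  Effect: "Allow";
  Action: string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Actions that accept a log-group (or log-stream) ARN and can be scoped to it.
const LOG_GROUP_SCOPED_ACTIONS = [
  "logs:CreateLogGroup",
  "logs:DeleteLogGroup",
  "logs:PutRetentionPolicy",
  "logs:GetLogEvents",
  "logs:PutLogEvents",
];

// CreateLogDelivery and PutResourcePolicy take no resource ARN, so a partial ARN
// is rejected; they (and the Describe calls, assumed here) get Resource "*".
const ACCOUNT_LEVEL_ACTIONS = [
  "logs:DescribeLogGroups",
  "logs:CreateLogDelivery",
  "logs:PutResourcePolicy",
  "logs:DescribeResourcePolicies",
];

function wafLogGroupArn(region: string, accountId: string, logGroupName: string): string {
  // WAF only accepts CloudWatch Logs destinations named with this prefix.
  if (!logGroupName.startsWith("aws-waf-logs-")) {
    throw new Error(`WAF log group name must start with "aws-waf-logs-": ${logGroupName}`);
  }
  return `arn:aws:logs:${region}:${accountId}:log-group:${logGroupName}`;
}

function wafLoggingServiceRolePolicy(region: string, accountId: string, logGroupName: string): PolicyDocument {
  const arn = wafLogGroupArn(region, accountId, logGroupName);
  return {
    Version: "2012-10-17",
    Statement: [
      // `${arn}:*` also covers the log streams inside the group for Get/PutLogEvents.
      { Effect: "Allow", Action: LOG_GROUP_SCOPED_ACTIONS, Resource: [arn, `${arn}:*`] },
      { Effect: "Allow", Action: ACCOUNT_LEVEL_ACTIONS, Resource: "*" },
    ],
  };
}
```

Attach the resulting document to the CloudFormation service role (not to the WAF or the log group); a log group name without the aws-waf-logs- prefix is rejected up front rather than failing at deploy time.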

pradoz commented 2 years ago

Thank you for clarifying. @Raghunath-SK I verified that this error still exists in the console with the AdministratorAccess IAM policy attached. I guess my bug is somewhere else.