Closed catalinmer closed 4 years ago
@catalinmer ALB only supports WAF regional. (WAF regional is a different service than WAF :D)
The new one was also a regional ACL, but I guess there are some inconsistencies with the AWS API, as it was not showing in 'aws waf-regional list-web-acls' either. I'll continue to use the classic WAF for now.
New WAF ACL association doesn't work for me either. They changed the API for WAF v2: https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html
+1 for this.
APIs have changed and a new wafv2 resource was added. For example, to access a regional WAFv2 web ACL with the AWS CLI you would do something like:
aws wafv2 get-web-acl --scope REGIONAL --name <name> --id <webACLId>
Any idea when the new WAFv2 will be supported?
+1
Hi, I tested the new WAFv2 behavior... it's kind of weird.
The wafv2:GetWebACL API requires both name and ID (in exchange for an ARN). There are two possible cases here:
web-acl-arn
I have created an internal ticket with the WAF team for clarification, and will code against their reply.
@M00nF1sh sorry to bother you. Did you happen to hear back on this from the WAF team? WAFv2 is looking pretty appealing compared to the previous versions, especially with the AWS managed rules.
Same here, we would love to use WAF v2.
As a workaround, can we attach a WAF v2 web ACL to an ALB created through aws-alb-ingress-controller and avoid it removing the attachment every time it reconfigures the ALB?
Cheers.
@igable
Sorry for the late reply. Yes, we considered several options while designing this API, and went with "id" and "name" to be provided.
this is what I got 😄
I think web-acl-arn has to be added for this. Plan for this to be added in v1.1.6.
@marranz Yes, it's a working workaround, the controller won't detach it (IIRC)
@M00nF1sh hi! I am seriously considering helping implement this one :)
Would a PR implementing this be accepted? Is anybody working on this already since it is planned for v1.1.6?
@Vlaaaaaaad we are not working on this support for now. It will be super helpful if you can help :D
Progress is being made! I managed to write a PoC that seems to be working:
controller.go:134] kubebuilder/controller "level"=0 "msg"="Starting Controller" "controller"="alb-ingress-controller"
controller.go:154] kubebuilder/controller "level"=0 "msg"="Starting workers" "controller"="alb-ingress-controller" "worker count"=1
...
wafv2.go:65] echoserver/echoserver: associate WAFv2 arn:aws:wafv2:us-east-1:00000000000:regional/webacl/vlad-test/3ab78708-85b0-00d3-b4e1-7a9615a6613b on arn:aws:elasticloadbalancing:us-east-1:00000000000:loadbalancer/app/23e04df9-echoserver-echose-2ad7/62b69a77d6a53ab6
controller.go:236] kubebuilder/controller "level"=1 "msg"="Successfully Reconciled" "controller"="alb-ingress-controller" "request"={"Namespace":"echoserver","Name":"echoserver"}
...
wafv2.go:59] echoserver/echoserver: change WAFv2 on arn:aws:elasticloadbalancing:us-east-1:00000000000:loadbalancer/app/23e04df9-echoserver-echose-2ad7/62b69a77d6a53ab6 from arn:aws:wafv2:us-east-1:00000000000:regional/webacl/vlad-test/3ab78708-85b0-00d3-b4e1-7a9615a6613b to arn:aws:wafv2:us-east-1:00000000000:regional/webacl/vlad-test-2/f50743ff-c658-0000-9336-6d81417d1bdf
controller.go:236] kubebuilder/controller "level"=1 "msg"="Successfully Reconciled" "controller"="alb-ingress-controller" "request"={"Namespace":"echoserver","Name":"echoserver"}
...
wafv2.go:53] echoserver/echoserver: disassociate WAFv2 on arn:aws:elasticloadbalancing:us-east-1:00000000000:loadbalancer/app/23e04df9-echoserver-echose-2ad7/62b69a77d6a53ab6
controller.go:236] kubebuilder/controller "level"=1 "msg"="Successfully Reconciled" "controller"="alb-ingress-controller" "request"={"Namespace":"echoserver","Name":"echoserver"}
Up next:
ETA: sometime next week? All watchers of this issue, kindly bear in mind that I write terrible code that will have to be reviewed (which will take a while) and changed (which will take another while)! And there will be multiple rounds of this.
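The mismatch the thread keeps circling back to is that the Ingress annotation naturally carries a web ACL ARN, while the WAFv2 API (wafv2:GetWebACL, AssociateWebACL) wants a scope plus name and ID. Since a WAFv2 web ACL ARN has the shape `arn:aws:wafv2:<region>:<account>:regional/webacl/<name>/<id>` (visible in the PoC log lines above), the controller can derive those parts from the ARN. The following is an added example, not code from aws-alb-ingress-controller or from anyone in this thread: it parses the ARN into scope/name/ID, rejects non-REGIONAL ACLs (an ALB cannot be associated with a CloudFront-scoped one), and decides whether a reconcile should associate, change, or disassociate, mirroring the three log lines above. The function names and the `WebACLRef` type are my own; the sample ARNs are constructed in the same shape as the log.

```go
package main

import (
	"fmt"
	"strings"
)

// WebACLRef is what wafv2:GetWebACL / AssociateWebACL need: a scope plus the
// name and ID that an annotation holding only an ARN does not give directly.
type WebACLRef struct {
	Scope string // "REGIONAL" (ALB, API Gateway) or "CLOUDFRONT"
	Name  string
	ID    string
}

// ParseWebACLARN splits a WAFv2 web ACL ARN of the form
// arn:<partition>:wafv2:<region>:<account>:<scope>/webacl/<name>/<id>
// into the pieces the WAFv2 API wants. Anything that is not a web ACL ARN
// (e.g. a WAF classic / waf-regional ARN) is rejected, so a typo in the
// annotation fails loudly instead of being sent to the API as a bogus name.
func ParseWebACLARN(arn string) (WebACLRef, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "wafv2" {
		return WebACLRef{}, fmt.Errorf("not a wafv2 ARN: %q", arn)
	}
	res := strings.Split(parts[5], "/")
	if len(res) != 4 || res[1] != "webacl" || res[2] == "" || res[3] == "" {
		return WebACLRef{}, fmt.Errorf("not a web ACL resource path: %q", parts[5])
	}
	// ARN scope segment -> API Scope parameter value.
	scope, ok := map[string]string{"regional": "REGIONAL", "global": "CLOUDFRONT"}[res[0]]
	if !ok {
		return WebACLRef{}, fmt.Errorf("unknown wafv2 scope %q in %q", res[0], arn)
	}
	return WebACLRef{Scope: scope, Name: res[2], ID: res[3]}, nil
}

// Action is what a reconcile loop should do to the load balancer's WAFv2 association.
type Action string

const (
	NoOp         Action = "noop"
	Associate    Action = "associate"
	Change       Action = "change"
	Disassociate Action = "disassociate"
)

// PlanWebACL compares the web ACL currently attached to an ALB with the one
// the Ingress asks for (empty string = none) and returns the action to take.
// The desired ARN must parse and must be REGIONAL, because an ALB can only be
// associated with a regional web ACL; this is checked before any API call.
func PlanWebACL(currentARN, desiredARN string) (Action, error) {
	if desiredARN != "" {
		ref, err := ParseWebACLARN(desiredARN)
		if err != nil {
			return NoOp, err
		}
		if ref.Scope != "REGIONAL" {
			return NoOp, fmt.Errorf("web ACL %s has scope %s; an ALB needs a REGIONAL web ACL", ref.Name, ref.Scope)
		}
	}
	switch {
	case currentARN == desiredARN:
		return NoOp, nil
	case currentARN == "":
		return Associate, nil
	case desiredARN == "":
		return Disassociate, nil
	default:
		return Change, nil
	}
}

func main() {
	// Constructed sample ARN in the same shape as the controller log above.
	acl := "arn:aws:wafv2:us-east-1:00000000000:regional/webacl/vlad-test/3ab78708-85b0-00d3-b4e1-7a9615a6613b"
	ref, err := ParseWebACLARN(acl)
	fmt.Printf("%+v err=%v\n", ref, err)
	action, err := PlanWebACL("", acl)
	fmt.Printf("action=%s err=%v\n", action, err)
}
```

Validating scope up front matters operationally: a CloudFront-scoped ACL passed to a regional AssociateWebACL call surfaces only as a late API error during reconciliation, whereas rejecting it when the annotation is read gives the user an immediate, attributable message.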
```hcl
resource "aws_wafv2_web_acl" "nprod" {
  count = var.is_prod ? 0 : 1
  name  = "${var.name}-Managed"
  scope = "REGIONAL"

  default_action {
    block {}
  }

  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "AWSKnownBadInputs"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        # The AWS-vended rule group is named AWSManagedRulesKnownBadInputsRuleSet;
        # "AWSKnownBadInputs" is not a managed rule group name, and referencing a
        # rule group that does not exist is one cause of WAFNonexistentItemException
        # when the web ACL is created.
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSKnownBadInputs"
      sampled_requests_enabled   = false
    }
  }

  tags = var.tags

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.name}-Managed"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "nprod_logging_configuration" {
  count                   = var.is_prod ? 0 : 1
  log_destination_configs = [var.aws_kinesis_firehose_delivery_stream_arn]
  resource_arn            = aws_wafv2_web_acl.nprod[0].arn

  redacted_fields {
    single_header {
      name = "user-agent"
    }
  }
}
```
I'm getting an error: Error: creating WAFv2 WebACL (web-acl-common-cluster01-usw2-cx-nprd-dev-Managed): WAFNonexistentItemException: AWS WAF couldn't perform the operation because your resource doesn't exist.
Hi, I created a WAF v2 rule, but when I try to replace the old one (WAF classic) I get: error fetching web acl: WAFNonexistentItemException: The referenced item does not exist.\n\tstatus code: 400, request id: ...
I guess there is a new API for WAF v2.
I tried with both v1.1.2 and v1.1.4 of aws-alb-ingress-controller.
Thank you