kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Can't attach new AWS WAF v2 ACLs - WAFNonexistentItemException #1089

Closed catalinmer closed 4 years ago

catalinmer commented 4 years ago

Hi, I created a WAF v2 rule, but when I try to replace the old one (WAF classic) I get: error fetching web acl : WAFNonexistentItemException: The referenced item does not exist.\n\tstatus code: 400, request id: ... I guess there is a new API for WAF v2. I tried with both v1.1.2 and v1.1.4 of aws-alb-ingress-controller. Thank you

M00nF1sh commented 4 years ago

@catalinmer ALB only supports WAF Regional. (WAF Regional is a different service than WAF :D)

catalinmer commented 4 years ago

The new one was also a regional ACL, but I guess there are some inconsistencies with the AWS API, as it was not showing up in 'aws waf-regional list-web-acls' either. I'll continue to use the classic WAF for now.

guhan94 commented 4 years ago

New WAF ACL association doesn't work for me either. They changed the API for WAF v2: https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html

chris-sansone-angi commented 4 years ago

+1 for this.

The APIs have changed and a new wafv2 resource was added. For example, to access a regional WAFv2 web ACL with the AWS CLI you would do something like:

aws wafv2 get-web-acl --scope REGIONAL --name <name> --id <webACLId>

Any idea when the new WAFv2 will be supported?

savagete2860 commented 4 years ago

+1

M00nF1sh commented 4 years ago

Hi, I tested the new WAFv2 behavior... it's kind of weird.

The wafv2:GetWebACL API requires both name and ID (instead of an ARN). There are two possible cases here:

  1. If the WAF team made a mistake (i.e. only one of name or ID is actually required), then we can work around it by listing web ACLs and filtering client-side until they release an SDK update.
  2. If the WAF team didn't make a mistake, i.e. both name & ID are required to uniquely identify a web ACL, then we need to introduce a new annotation like web-acl-arn.

I have created an internal ticket to the WAF team for clarification, and will code against their reply.

igable commented 4 years ago

@M00nF1sh sorry to bother you. Did you happen to hear back on this from the WAF team? WAFv2 is looking pretty appealing compared to the previous versions, especially with the AWS managed rules.

marranz commented 4 years ago

Same here, we would love to use WAF v2.

As a workaround, can we attach a WAF v2 ACL to an ALB created through aws-alb-ingress-controller and prevent it from removing the attachment every time it reconfigures the ALB?

Cheers.

M00nF1sh commented 4 years ago

@igable Sorry for the late reply. Yes, we considered several options while designing this API, and went with requiring both "id" and "name" to be provided. This is what I got 😄 I think web-acl-arn has to be added for this. Plan for this to be added in v1.1.6. @marranz Yes, it's a working workaround, the controller won't detach it (IIRC).
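As an added example (not the controller's own code), this shows how a web-acl-arn annotation like the one discussed above could be resolved into the Scope/Name/Id triple that wafv2:GetWebACL takes, plus the option-1 list-and-filter fallback. It assumes the standard WAFv2 ARN layout arn:<partition>:wafv2:<region>:<account>:<scope>/webacl/<name>/<id>; the account and ID values in it are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// WebACLRef is the (Scope, Name, Id) triple that wafv2:GetWebACL requires.
type WebACLRef struct{ Scope, Name, ID string }

// ParseWebACLARN splits arn:<partition>:wafv2:<region>:<account>:<scope>/webacl/<name>/<id>
// into the fields GetWebACL needs. ALB can only be associated with a REGIONAL web ACL,
// so a global (CloudFront) ARN is rejected here instead of surfacing later as a
// WAFNonexistentItemException from the API.
func ParseWebACLARN(arn string) (WebACLRef, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "wafv2" {
		return WebACLRef{}, fmt.Errorf("not a wafv2 ARN: %q", arn)
	}
	res := strings.Split(parts[5], "/")
	if len(res) != 4 || res[1] != "webacl" || res[2] == "" || res[3] == "" {
		return WebACLRef{}, fmt.Errorf("not a web ACL resource: %q", parts[5])
	}
	if res[0] != "regional" {
		return WebACLRef{}, fmt.Errorf("scope %q is not REGIONAL; ALB cannot use it", res[0])
	}
	return WebACLRef{Scope: "REGIONAL", Name: res[2], ID: res[3]}, nil
}

// WebACLSummary holds the ListWebACLs fields the option-1 workaround needs.
type WebACLSummary struct{ Name, ID, ARN string }

// FindByName is that client-side filter: pick the listed web ACL whose name matches,
// and fail on zero or several matches so an ambiguous name never selects the wrong ACL.
func FindByName(list []WebACLSummary, name string) (WebACLSummary, error) {
	var hits []WebACLSummary
	for _, s := range list {
		if s.Name == name {
			hits = append(hits, s)
		}
	}
	if len(hits) != 1 {
		return WebACLSummary{}, fmt.Errorf("%d web ACLs named %q", len(hits), name)
	}
	return hits[0], nil
}

func main() {
	// Constructed sample ARN: account and ID are placeholders, not real resources.
	ref, err := ParseWebACLARN("arn:aws:wafv2:us-east-1:000000000000:regional/webacl/vlad-test/3ab78708-85b0-00d3-b4e1-7a9615a6613b")
	fmt.Println(ref, err)
}
```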

Vlaaaaaaad commented 4 years ago

@M00nF1sh hi! I am seriously considering helping implement this one :)

Would a PR implementing this be accepted? Is anybody working on this already since it is planned for v1.1.6?

M00nF1sh commented 4 years ago

@Vlaaaaaaad we are not working on this support for now. It will be super helpful if you can help :D

Vlaaaaaaad commented 4 years ago

Progress is being made! I managed to write a PoC that seems to be working:

controller.go:134] kubebuilder/controller "level"=0 "msg"="Starting Controller"  "controller"="alb-ingress-controller"
controller.go:154] kubebuilder/controller "level"=0 "msg"="Starting workers"  "controller"="alb-ingress-controller" "worker count"=1
...
wafv2.go:65] echoserver/echoserver: associate WAFv2 arn:aws:wafv2:us-east-1:00000000000:regional/webacl/vlad-test/3ab78708-85b0-00d3-b4e1-7a9615a6613b on arn:aws:elasticloadbalancing:us-east-1:00000000000:loadbalancer/app/23e04df9-echoserver-echose-2ad7/62b69a77d6a53ab6
controller.go:236] kubebuilder/controller "level"=1 "msg"="Successfully Reconciled"  "controller"="alb-ingress-controller" "request"={"Namespace":"echoserver","Name":"echoserver"}
...
wafv2.go:59] echoserver/echoserver: change WAFv2 on arn:aws:elasticloadbalancing:us-east-1:00000000000:loadbalancer/app/23e04df9-echoserver-echose-2ad7/62b69a77d6a53ab6 from arn:aws:wafv2:us-east-1:00000000000:regional/webacl/vlad-test/3ab78708-85b0-00d3-b4e1-7a9615a6613b to arn:aws:wafv2:us-east-1:00000000000:regional/webacl/vlad-test-2/f50743ff-c658-0000-9336-6d81417d1bdf
controller.go:236] kubebuilder/controller "level"=1 "msg"="Successfully Reconciled"  "controller"="alb-ingress-controller" "request"={"Namespace":"echoserver","Name":"echoserver"}
...
wafv2.go:53] echoserver/echoserver: disassociate WAFv2 on arn:aws:elasticloadbalancing:us-east-1:00000000000:loadbalancer/app/23e04df9-echoserver-echose-2ad7/62b69a77d6a53ab6
controller.go:236] kubebuilder/controller "level"=1 "msg"="Successfully Reconciled"  "controller"="alb-ingress-controller" "request"={"Namespace":"echoserver","Name":"echoserver"}

Up next:

ETA: sometime next week? All watchers of this issue, kindly bear in mind that I write terrible code that will have to be reviewed (which will take a while) and changed (which will take another while)! And there will be multiple rounds of this.

nathises commented 1 year ago

# Configure the AWS Provider

resource "aws_wafv2_web_acl" "nprod" {
  count = var.is_prod ? 0 : 1
  name  = "${var.name}-Managed"
  scope = "REGIONAL"

  default_action {
    block {}
  }

  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "AWSKnownBadInputs"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSKnownBadInputs"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSKnownBadInputs"
      sampled_requests_enabled   = false
    }
  }

  tags = var.tags

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.name}-Managed"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "nprod_logging_configuration" {
  count                   = var.is_prod ? 0 : 1
  log_destination_configs = [var.aws_kinesis_firehose_delivery_stream_arn]
  resource_arn            = aws_wafv2_web_acl.nprod[0].arn

  redacted_fields {
    single_header {
      name = "user-agent"
    }
  }
}

I'm getting this error: Error: creating WAFv2 WebACL (web-acl-common-cluster01-usw2-cx-nprd-dev-Managed): WAFNonexistentItemException: AWS WAF couldn’t perform the operation because your resource doesn’t exist.