search

mikesouza / serverless-associate-waf

Associate a regional WAF with the AWS API Gateway used by your Serverless stack.
MIT License
28 stars 17 forks source link

Do not see my API Gateway in the AWS WAF Web ACL's associated resources #36

Closed neerajlocusnine closed 3 years ago

neerajlocusnine commented 3 years ago

I have created a Web ACL in my AWS account in the AWS WAF and assigned it some rules. In my serverless.yml file I have used the - serverless-associate-waf plugin and giving the name of the web acl in the associateWaf property.

But when I go to my Web ACLs > my acl > Associated AWS Resources, I do not see the associated API Gateway listed there.

Here is how my serverless.yml file looks:

service: ${opt:product}

plugins:
    - serverless-domain-manager
    - serverless-apigw-binary
    - serverless-associate-waf

custom:
    associateWaf:
        name: name-of-my-acl
    esLogs:
        endpoint: link.amazonaws.com
        index: "${opt:stage}-logs"
        includeApiGWLogs: true
        retentionInDays: 30
    stage: ${opt:stage, 'dev'}
    region: ${opt:region, 'ap-south-1'}
    accountId: ${opt:accountId}
    awsBucket: ${opt:awsBucket, 'documents'}
    awsPermaBucket: ${opt:awsPermaBucket, 'perma-documents-dev'}
    cryptoKey: ${opt:cryptoKey}
    apigwBinary:
        types:
            - 'multipart/form-data'
    customDomain:
        domainName: ${opt:stage}-${opt:product}-api.io
        basePath: ""
        stage: ${self:custom.stage}
        createRoute53Record: true

provider:
    vpc:
        securityGroupIds:
            - sg-1234
        subnetIds:
            - subnet-1234
            - subnet-1234
    environment:
        region: ${self:custom.region}
        stage: ${self:custom.stage}
        module: ${opt:product}
        awsBucket: ${self:custom.awsBucket}
        authToken: ${opt:authToken}
        accountId: ${opt:accountId}
        awsPermaBucket: ${self:custom.awsPermaBucket}
        cryptoKey: ${opt:cryptoKey}
    iamRoleStatements:
        - Effect: Allow
          Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
          Resource: "*"
        - Effect: Allow
          Action:
              - s3:*
          Resource: "*"
        - Effect: "Allow"
          Action:
              - "sqs:*"
          Resource: "arn:aws:sqs:${opt:region}:*:${opt:stage}-${opt:product}-sqs-queue"
    name: aws
    runtime: nodejs12.x
    stage: ${self:custom.stage}
    region: ${self:custom.region}
    memorySize: 256
    timeout: 30
    package:
        exclude:
            - "*/**"
        include:
            - build/**
            - node_modules/**

functions:
    orgSettingsAPI:
        name: ${self:service}-${self:custom.stage}-api
        handler: build/src/lambda.handler
        events:
            - http:
                  method: any
                  path: /api/{proxy+}
                  authorizer:
                      arn: arn:aws:lambda:${opt:region}:${self:custom.accountId}:function:authenticator-${self:custom.stage}-api
                      resultTtlInSeconds: 60
                      identitySource: method.request.header.Authorization
                      identityValidationExpression: ^Bearer.+
                  cors:
                      origins:
                        - "*"
                      headers:
                        - Content-Type
                        - X-Amz-Date
                        - Authorization
                        - X-Api-Key
                        - X-Amz-Security-Token
                      allowCredentials: true
                      maxAge: 86400
            - http:
                  method: any
                  path: /internal/{proxy+}
        vpc:
            securityGroupIds:
                - sg-1234
            subnetIds:
                - subnet-1234
                - subnet-1234
        environment:
            SqsQueueName: ${opt:stage}-${opt:product}-sqs-queue
        reservedConcurrency: 10
        events:
            - sqs:
                  arn:
                      Fn::GetAtt:
                          - SqsQueue
                          - Arn
                  batchSize: 1

resources:
    Resources:
        GatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: EXPIRED_TOKEN
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
        AuthFailureGatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: UNAUTHORIZED
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"

Is there a reason why the API Gateway is not shown in the Web ACL?

When I debugged the deployment process it says:

Serverless: Unable to find WAF named 'name-of-my-acl'. Am I naming it wrong or using it wrong?

neerajlocusnine commented 3 years ago

Found the issue, turns out I need to add

version: V2

just after name since AWS WAF supports V2. Once I added it and redeployed the API Gateway got attached to the created WAF.