Closed tomekit closed 3 years ago
Turns out it was an IAM permission problem. Giving all of these:
"wafv2:*",
"waf:*",
"waf-regional:*"
solved the problem. Now I need to narrow down exactly which ones are needed, as wafv2:AssociateWebACL alone wasn't enough.
So far I have identified these permissions for wafv2:
"wafv2:AssociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource"
Probably you also need wafv2:DisassociateWebACL in case the controller shall be allowed to remove a WebACL.
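The thread narrows a broad `wafv2:*` grant down to a handful of actions. The following is an added example, not code from the issue author or from the kube-ingress-aws-controller project: an offline checker that takes an IAM policy document, reports which of the required actions it does not grant (honouring explicit Deny, as IAM evaluation does), and flags wildcard Allow patterns that are candidates for narrowing. The required-action list is the one reported in this thread; the two policy documents are constructed samples.

```python
"""Added example: verify an IAM policy document covers the wafv2 actions
reported in this thread, and flag over-broad wildcard grants.
Not part of the kube-ingress-aws-controller project."""
import fnmatch

# Actions reported in this thread as needed for WAFv2 association
# (DisassociateWebACL per the follow-up comment).
REQUIRED_ACTIONS = [
    "wafv2:AssociateWebACL",
    "wafv2:GetWebACL",
    "wafv2:GetWebACLForResource",
    "wafv2:DisassociateWebACL",
]


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, required=REQUIRED_ACTIONS):
    """Subset of `required` granted by Allow statements and not hit by
    an explicit Deny (Deny wins, mirroring IAM evaluation)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(action_matches(p, action) for p in patterns):
                target.add(action)
    return sorted(allowed - denied)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not effectively grant."""
    return sorted(set(required) - set(allowed_actions(policy, required)))


def overbroad_patterns(policy, required=REQUIRED_ACTIONS):
    """Allow patterns containing wildcards (e.g. 'wafv2:*'); these grant
    more than the required set and are candidates for narrowing."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _as_list(stmt.get("Action")):
            if any(ch in p for ch in "*?"):
                found.append(p)
    return found


# Constructed sample: the broad grant the reporter tried first.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["wafv2:*", "waf:*", "waf-regional:*"],
                   "Resource": "*"}],
}

# Constructed sample: the narrowed grant, still lacking DisassociateWebACL.
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["wafv2:AssociateWebACL", "wafv2:GetWebACL",
                              "wafv2:GetWebACLForResource"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, "missing:", missing_actions(pol),
              "wildcards:", overbroad_patterns(pol))
```

Run it against the controller role's inline or attached policy JSON to see whether the narrowed policy still covers every action the thread lists; an empty `missing` list plus an empty `wildcards` list is the least-privilege target. Resource-level scoping (restricting `Resource` to the specific WebACL and load balancer ARNs) is a further step this check does not evaluate.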
When I set the zalando.org/aws-waf-web-acl-id annotation to the ARN or ACL ID (WAF: https://console.aws.amazon.com/wafv2/homev2/web-acls?region=eu-west-1), the ALB fails to be set up and CloudFormation fails with:
The referenced item does not exist. (Service: AWSWAFRegional; Status Code: 400; Error Code: WAFNonexistentItemException; Request ID: b55849d3-0e7b-4b5e-8ad2-b405f7e2bb33)
and:
The following resource(s) failed to create: [WAFAssociation]. . Delete requested by user.
In the CloudFormation template this zalando.org/aws-waf-web-acl-id ends up in LoadBalancerWAFWebACLIDParameter; is there a chance that a different parameter must be used in order to reference the V2 version of REGIONAL WAF?
I am new to WAF and CloudFormation, but personally I find it confusing when there are so many types of WAF; it took me a while to return the right one:
Where can I find more about e.g. LoadBalancerWAFWebACLIDParameter? Can't find anything about it using a search engine.