zalando-incubator / kube-ingress-aws-controller

Configures AWS Load Balancers according to Kubernetes Ingress resources
MIT License

Support for WAFv2 REGIONAL #380

Closed tomekit closed 3 years ago

tomekit commented 3 years ago

When I set the zalando.org/aws-waf-web-acl-id annotation to the ARN or ACL ID (WAF: https://console.aws.amazon.com/wafv2/homev2/web-acls?region=eu-west-1), the ALB fails to be set up and CloudFormation fails with: The referenced item does not exist. (Service: AWSWAFRegional; Status Code: 400; Error Code: WAFNonexistentItemException; Request ID: b55849d3-0e7b-4b5e-8ad2-b405f7e2bb33) and: The following resource(s) failed to create: [WAFAssociation]. . Delete requested by user.

In CloudFormation this zalando.org/aws-waf-web-acl-id ends up in LoadBalancerWAFWebACLIDParameter; is there a chance that a different parameter must be used in order to reference the v2 version of the REGIONAL WAF?

I am new to WAF and CloudFormation, but personally I find it confusing that there are so many types of WAF; it took me a while to get the right one to return anything:

$ aws waf list-web-acls --region eu-west-1
{
    "WebACLs": []
}

$ aws waf-regional list-web-acls --region eu-west-1
{
    "WebACLs": []
}

$ aws wafv2 list-web-acls --scope REGIONAL
{
    "NextMarker": "<Name>",
    "WebACLs": [
        {
            "Name": "<Name>",
            "Id": "<id>",
            "Description": "",
            "LockToken": "<LockToken>",
            "ARN": "<ARN>"
        }
    ]
}

Where can I find more about e.g. LoadBalancerWAFWebACLIDParameter? I can't find anything about it using a search engine.

tomekit commented 3 years ago

Turns out it was an IAM permission problem. Granting all of these:

"wafv2:*",
"waf:*",
"waf-regional:*"

solved the problem. Now I need to narrow down which ones exactly are needed, as the wafv2:AssociateWebACL alone wasn't enough.

wilkej commented 3 years ago

So far I have identified these permissions for wafv2:

"wafv2:AssociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource"

You probably also need wafv2:DisassociateWebACL, in case the controller should be allowed to remove a WebACL.
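The thread moves from a broad `wafv2:*` / `waf:*` / `waf-regional:*` grant to an explicit list of four wafv2 actions. The script below is an added example, not code from the thread or from kube-ingress-aws-controller: it takes an IAM identity-policy document and reports which of those required actions it does not allow, and which Allow actions still use wildcards and are therefore candidates for narrowing. It evaluates Action/NotAction with IAM's case-insensitive wildcard matching and applies the rule that an explicit Deny beats any Allow; Resource and Condition elements are ignored, so it is a pre-check on the policy text, not a substitute for the IAM policy simulator. The three policy documents are constructed samples.

```python
import fnmatch
import json

# The wafv2 actions identified in this thread as needed by the controller
# (DisassociateWebACL only if the controller may remove a web ACL).
REQUIRED_WAFV2_ACTIONS = (
    "wafv2:AssociateWebACL",
    "wafv2:GetWebACL",
    "wafv2:GetWebACLForResource",
    "wafv2:DisassociateWebACL",
)

# Constructed sample: the broad wildcard grant from the thread.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["wafv2:*", "waf:*", "waf-regional:*"], "Resource": "*"}
    ],
})

# Constructed sample: the narrowed grant listing only the three explicit actions.
NARROW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["wafv2:AssociateWebACL", "wafv2:GetWebACL", "wafv2:GetWebACLForResource"],
            "Resource": "*",
        }
    ],
})

# Constructed sample: wildcard Allow plus an explicit Deny on disassociation.
DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "wafv2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "wafv2:DisassociateWebACL", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string/object or a list in Statement, Action and NotAction."""
    if value is None:
        return []
    if isinstance(value, list):
        return value
    return [value]


def _matches(action, patterns):
    """IAM action names are case-insensitive and accept '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_covers(statement, action):
    """True if the statement's Action (or NotAction) element applies to the action."""
    if "Action" in statement:
        return _matches(action, statement["Action"])
    if "NotAction" in statement:
        return not _matches(action, statement["NotAction"])
    return False


def action_allowed(policy_doc, action):
    """Evaluate one action against the policy: an explicit Deny wins over any Allow."""
    allowed = False
    for statement in _as_list(policy_doc.get("Statement")):
        if not _statement_covers(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_wafv2_actions(policy_json, required=REQUIRED_WAFV2_ACTIONS):
    """Return the required actions that the policy document does not allow."""
    policy_doc = json.loads(policy_json)
    return [a for a in required if not action_allowed(policy_doc, a)]


def find_wildcard_actions(policy_json):
    """List Allow actions that use wildcards, i.e. candidates for narrowing."""
    policy_doc = json.loads(policy_json)
    found = []
    for statement in _as_list(policy_doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        found.extend(a for a in _as_list(statement.get("Action")) if "*" in a or "?" in a)
    return found


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY), ("deny", DENY_POLICY)):
        print(name, "missing:", missing_wafv2_actions(policy),
              "wildcards:", find_wildcard_actions(find_wildcard_actions and policy))
```

Running it shows the broad policy covering everything only through wildcards, the narrowed policy lacking wafv2:DisassociateWebACL (which matters only if the controller is expected to remove web ACL associations), and the Deny sample refusing that action even though `wafv2:*` would otherwise grant it. Any extra permissions the association needs on the load balancer side are outside what this thread lists and should be checked against the AWS IAM documentation.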