What I want to achieve
- Attach a WAF to the ALB
- Output the WAF logs to S3 and CloudWatch Logs
Prerequisites
There is an Application Load Balancer that was created with AWS CloudFormation (CFn) and is currently running.
Problem / error message
The stack cannot be deployed with CFn. The following message appears in the CFn events:
Resource handler returned message: "AWS WAF couldn't perform the operation because your resource doesn't exist."
Relevant source code
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: hoge-hoge backend WAF Set up.

Parameters:
  Environment:
    Type: String
    AllowedValues:
      - prd
      - stg2
      - dev
  SystemName:
    Type: String
    Default: "hoge-hoge"
  hogehogeBackendArnForWafLog:
    Type: String
    Description: "ex. arn:aws:s3:::aws-waf-logs-hoge-hoge-prd-012345678901"
  ELBForbackendArn:
    Type: String
    Description: "ex. arn:aws:elasticloadbalancing:ap-northeast-1:(int 12):loadbalancer/app/hoge-hoge-prd-backend-elb/(alphanumeric)"

Resources:
  hogehogeBackendWAFForELB:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Description: !Sub WebACL for ${SystemName}-${Environment}-elb-backend
      Name: !Sub ${SystemName}-${Environment}-waf-elb-backend
      Scope: REGIONAL
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub ${SystemName}-${Environment}-webacl-elb-backend
      Tags:
        - Key: Name
          Value: !Sub ${SystemName}-${Environment}-waf-elb-backend
        - Key: Env
          Value: !Sub ${Environment}
        - Key: SystemName
          Value: !Sub ${SystemName}-${Environment}
      Rules:
        - Name: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-backend
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesbackendRuleSet
          OverrideAction:
            Count: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            SampledRequestsEnabled: false
            MetricName: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-backend-metric
        - Name: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-php
          Priority: 2
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesPHPRuleSet
          OverrideAction:
            Count: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            SampledRequestsEnabled: false
            MetricName: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-php-metric
        - Name: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-sql
          Priority: 3
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          OverrideAction:
            Count: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            SampledRequestsEnabled: false
            MetricName: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-sql-metric
        - Name: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-common
          Priority: 4
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          OverrideAction:
            Count: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            SampledRequestsEnabled: false
            MetricName: !Sub ${SystemName}-${Environment}-count-for-aws-managed-rules-common-metric

  LoggingConfigForELB:
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      LogDestinationConfigs:
        - !Sub ${hogehogeBackendArnForWafLog}
      ResourceArn: !GetAtt hogehogeBackendWAFForELB.Arn

  ACLAssociationForELB:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub ${ELBForbackendArn}
      WebACLArn: !GetAtt hogehogeBackendWAFForELB.Arn
```
What I tried
[aws cli]
```sh
aws-vault exec hogehoge -- aws cloudformation deploy \
  --template-file ./<template.yml> \
  --stack-name <stack name> \
  --parameter-overrides "Environment=dev" \
    "ELBForbackendArn=<Arn for ELB>" \
    "hogehogeBackendArnForWafLog=<Arn for S3 and Cloudwatchlog>" \
  --no-execute-changeset
```
The AWS CLI command is as shown above. For the parameter hogehogeBackendArnForWafLog I tried both the S3 bucket ARN and the CloudWatch Logs ARN, but the error in the events was the same for both.
Additional information (framework/tool versions, etc.)
aws --version
aws-cli/2.3.7 Python/3.8.8 Darwin/20.6.0 exe/x86_64 prompt/off
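As an added example that is not part of the original question: a pre-flight script that checks the two stack parameters before `aws cloudformation deploy` is run. The message quoted above is the text of `WAFNonexistentItemException`, which `AssociateWebACL` returns when the load balancer ARN does not resolve to an Application Load Balancer, and which `PutLoggingConfiguration` returns when the log destination is not one WAF can use. For the logging side, every destination (S3 bucket, CloudWatch Logs log group, Kinesis Data Firehose delivery stream) must be named with the `aws-waf-logs-` prefix, and a CloudWatch Logs destination is given as the bare log-group ARN, not the `:*`-suffixed ARN that `!GetAtt LogGroup.Arn` returns. A single `AWS::WAFv2::LoggingConfiguration` also accepts exactly one destination, so one web ACL cannot log to both S3 and CloudWatch Logs. The script checks the ARN shapes offline and, with `PREFLIGHT_ONLINE=1`, confirms with read-only AWS CLI calls that the resources exist; all ARNs and names below are placeholders, not values from the question.

```sh
#!/bin/sh
# Pre-flight check for the WAF stack parameters (added example, placeholder ARNs).
# Usage: sh preflight.sh <ELBForbackendArn> <hogehogeBackendArnForWafLog>

# A REGIONAL web ACL can only be associated with an Application Load Balancer
# ("/app/" in the ARN); Network Load Balancer ARNs ("/net/") are rejected.
alb_arn_ok() {
  printf '%s\n' "$1" | grep -Eq \
    '^arn:aws:elasticloadbalancing:[a-z0-9-]+:[0-9]{12}:loadbalancer/app/[A-Za-z0-9-]+/[0-9a-f]+$'
}

# Prints the destination type (s3, cloudwatch, firehose) for a usable WAF log
# destination ARN, or "invalid" with a non-zero status. The aws-waf-logs- prefix
# is mandatory, and the CloudWatch Logs pattern deliberately excludes a trailing
# ":*", which GetAtt LogGroup.Arn produces and WAF does not accept.
waf_log_destination_kind() {
  arn=$1
  if printf '%s\n' "$arn" | grep -Eq '^arn:aws:s3:::aws-waf-logs-[a-z0-9.-]+$'; then
    echo s3
  elif printf '%s\n' "$arn" | grep -Eq \
      '^arn:aws:logs:[a-z0-9-]+:[0-9]{12}:log-group:aws-waf-logs-[A-Za-z0-9_./#-]+$'; then
    echo cloudwatch
  elif printf '%s\n' "$arn" | grep -Eq \
      '^arn:aws:firehose:[a-z0-9-]+:[0-9]{12}:deliverystream/aws-waf-logs-[A-Za-z0-9_.-]+$'; then
    echo firehose
  else
    echo invalid
    return 1
  fi
}

# Read-only existence checks; each fails if the resource is missing or unreadable.
resource_exists() {
  kind=$1
  arn=$2
  case "$kind" in
    alb)
      aws elbv2 describe-load-balancers --load-balancer-arns "$arn" >/dev/null ;;
    s3)
      aws s3api head-bucket --bucket "${arn#arn:aws:s3:::}" ;;
    cloudwatch)
      name=${arn##*:log-group:}
      [ "$(aws logs describe-log-groups --log-group-name-prefix "$name" \
            --query "length(logGroups[?logGroupName=='$name'])" --output text)" = 1 ] ;;
    firehose)
      aws firehose describe-delivery-stream --delivery-stream-name "${arn##*/}" >/dev/null ;;
    *)
      return 1 ;;
  esac
}

preflight() {
  alb=$1
  dest=$2
  alb_arn_ok "$alb" || {
    echo "ELBForbackendArn is not an Application Load Balancer ARN: $alb" >&2; return 1; }
  kind=$(waf_log_destination_kind "$dest") || {
    echo "hogehogeBackendArnForWafLog is not a usable WAF log destination: $dest" >&2; return 1; }
  if [ "${PREFLIGHT_ONLINE:-0}" = 1 ]; then
    resource_exists alb "$alb" || { echo "load balancer not found: $alb" >&2; return 1; }
    resource_exists "$kind" "$dest" || { echo "$kind destination not found: $dest" >&2; return 1; }
  fi
  echo "ok: ALB ARN and $kind log destination look deployable"
}

if [ $# -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Run it with the same two values you pass in `--parameter-overrides`; if it reports `invalid` for the log destination, fix the bucket or log group name (or drop the `:*`) before retrying the change set, and if the online check cannot find the load balancer, compare the ARN against `aws elbv2 describe-load-balancers` output for the account and region that `aws-vault exec hogehoge` selects.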
