Tags: amazon-web-services, amazon-elastic-beanstalk, aws-cloudformation, amazon-waf

AWS Beanstalk and IPset


I'm trying to set an IPSet on my Beanstalk environment. In my .ebextensions I have a waf.config containing:

option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
Resources:
  IPSet:
    Type: "AWS::WAFv2::IPSet"
    Properties:
      Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-IPset'
      Addresses:
        - 10.10.10.10/32
      IPAddressVersion: IPV4
      Scope: REGIONAL
      Tags:
        - Key: "Scope"
          Value: "Sqreen"
  WafAcl:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      Description: 'Web ACL to Block bad requests on `{ "Ref" : "AWSEBEnvironmentName" }`'
      Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
      Rules:
        - Name: DenyListIPSet
          Priority: 0
          OverrideAction:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: DenyIps
          Statement:
            IPSetReferenceStatement:
              Arn: '`{ "Fn::GetAtt" : ["IPSet", "Arn" ]}`'
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
      WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'

But the CloudFormation stack gave me: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement (Service: Wafv2, Status Code: 400

The CloudFormation stack looks valid to me. I don't see any other statement that could match my need better...

EDIT: Solution

"RuleAction" and "OverrideAction", kindly reference [3] and [4] respectively.

[3] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ruleaction.html
[4] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-overrideaction.html

With Action (instead of OverrideAction) the WAF works as expected!

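The corrected .ebextensions/waf.config, as an added example rather than the asker's file or the answer's own text. It keeps the logical names from the question (IPSet, WafAcl, WebACLAssociation, and Beanstalk's own AWSEBEnvironmentName and AWSEBV2LoadBalancer) and replaces the rule's OverrideAction with Action. In WAFv2 a rule carries exactly one of the two: OverrideAction exists only for rule-group rules (RuleGroupReferenceStatement, ManagedRuleGroupStatement) and accepts just Count or None, while every other statement type, IPSetReferenceStatement included, takes Action with Allow, Block or Count. The 10.10.10.10/32 address is the question's placeholder, not a real address to block.

```yaml
# .ebextensions/waf.config (added example; assumes an application load balancer,
# which is what makes the AWSEBV2LoadBalancer logical resource exist)
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application

Resources:
  # Deny list. Keep the set small and reviewed; every address here gets a 403.
  IPSet:
    Type: "AWS::WAFv2::IPSet"
    Properties:
      Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-IPset'
      Addresses:
        - 10.10.10.10/32   # placeholder from the question
      IPAddressVersion: IPV4
      Scope: REGIONAL      # REGIONAL for an ALB; CLOUDFRONT only for distributions

  WafAcl:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      Description: 'Web ACL to Block bad requests on `{ "Ref" : "AWSEBEnvironmentName" }`'
      Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
      Scope: REGIONAL
      DefaultAction:
        Allow: {}          # deny-list model: everything not matched is allowed
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
      Rules:
        - Name: DenyListIPSet
          Priority: 0
          # Action, not OverrideAction: this rule is not a rule-group reference,
          # so it needs its own terminating action.
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true   # sampled blocked requests show in the WAF console
            CloudWatchMetricsEnabled: true # BlockedRequests metric under the DenyIps name
            MetricName: DenyIps
          Statement:
            IPSetReferenceStatement:
              Arn: '`{ "Fn::GetAtt" : ["IPSet", "Arn" ]}`'

  # Attach the ACL to the environment's load balancer.
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
      WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'
```

The same Action/OverrideAction rule applies if you later add a Count-only rule for staging: that is still `Action: { Count: {} }` on an IPSetReferenceStatement, and OverrideAction becomes relevant only once you reference a managed rule group. Because the metrics are enabled, the BlockedRequests count for DenyIps in CloudWatch is the quickest way to confirm the rule is actually matching after the stack update.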