【问题标题】:AWS SAM - AWS::WAFv2::WebACLAssociation - AWS WAF couldn?t perform the operation because your resource doesn?t existAWS SAM - AWS::WAFv2::WebACLAssociation - AWS WAF 无法执行操作,因为您的资源不存在
【发布时间】:2021-08-07 13:44:49
【问题描述】:

我们正在尝试在我们的 SAM 模板中创建一个 AWS::WAFv2::IPSet。

WhitelistedIPAddressesIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
        Description: 'Merchant IPs'
        Scope: REGIONAL
        IPAddressVersion: IPV4
        Addresses: [0.0.0.0/32, 0.0.10.0/32]

IP 集的创建已成功完成。 一旦创建 AWS::WAFv2::WebACLAssociation。

WAFApiAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    DependsOn:
        - ApiGateway
        - WAFWebAcl
    Properties:
        ResourceArn: !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGateway}/stages/${EnvType}'
        WebACLArn: !GetAtt WAFWebAcl.Arn

CloudFormation 失败并执行回滚。错误显示如下:

Resource handler returned
ion message: "AWS WAF couldn?t
perform the operation
because your resource
doesn?t exist. (Service:
Wafv2, Status Code: 400,
Request ID: e337720a-e32c-
4c29-acde-1896855405c9,
Extended Request ID:
null)" (RequestToken: f24d
0488-3016-4030-3a3b-bbb246
66f130, HandlerErrorCode:
NotFound)

我们尝试了不同的格式设置 IP 集的 SAM 模板,以查看是否会导致问题,但没有任何成功。

谁能分享一些对此问题有帮助的见解?

【问题讨论】:

    标签: amazon-web-services amazon-waf sam


    【解决方案1】:

    A) 如果您的资源已经直接依赖于其他资源,则不需要DependsOn。在这种情况下确实如此,因此您可以删除此属性。

    B) 您需要在此处共享您的整个堆栈,而不仅仅是共享的内容,因为您的 APIGW 配置可能存在问题。由于创建失败,因此您可能会出现此后续问题。

    创建 APIGW 是不够的,您需要确保在创建 APIGW stage 之后实际附加 WAF,而不仅仅是 APIGW。在这种情况下,将ResourceArn 替换为引用APIGW Stage 的那个。 (此外,您可能需要等待阶段部署完成。)

    【讨论】:

    • 这是正确的答案。我按照建议通过引用舞台来做到这一点。因此,创建了隐式依赖。就像来自 AWS::WAFv2::WebACLAssociation 的这个 sn-p:ResourceArn: !Sub - "arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGatewayApi}/stages/${Stage}" - Stage: !Ref ApiGatewayApi.Stage 希望这对未来的人有所帮助。
    【解决方案2】:

    这是APIGW模板Warren Parad

    CDEAPI:
        Type: AWS::Serverless::Api
        Properties:
            # Domain:
            #     DomainName: !Ref CDEAPIDomainName
            #     SecurityPolicy: TLS_1_2
            #     CertificateArn: !Sub 'arn:aws:acm:us-east-1:${AWS::AccountId}:certificate/${CDEAPICertificateArn}'
            #     EndpointConfiguration: EDGE
            #     Route53:
            #         HostedZoneId: !Ref CDEAPIHostedZoneId
            AccessLogSetting:
                DestinationArn: !GetAtt CDEAPIAccessLogGroup.Arn
                Format: >-
                    { "requestId":"$context.requestId",
                    "ip":"$context.identity.sourceIp",
                    "caller":"$context.identity.caller",
                    "user":"$context.identity.user",
                    "userAgent":"$context.identity.userAgent",
                    "userArn":"$context.identity.userArn",
                    "requestTime":"$context.requestTime",
                    "requestTimeEpoch":"$context.requestTimeEpoch",
                    "httpMethod":"$context.httpMethod",
                    "resourcePath":"$context.resourcePath",
                    "path":"$context.path",
                    "status":"$context.status",
                    "protocol":"$context.protocol",
                    "responseLength":"$context.responseLength",
                    "responseLatency":"$context.responseLatency",
                    "authorizerLatency":"$context.authorizer.integrationLatency",
                    "integrationLatency":"$context.integrationLatency",
                    "integrationStatus":"$context.integrationStatus",
                    "xrayTraceId":"$context.xrayTraceId",
                    "errorMessage":"$context.error.message",
                    "domainName":"$context.domainName",
                    "domainPrefix":"$context.domainPrefix",
                    "tokenScopes":"$context.authorizer.claims.scope",
                    "tokenIat":"$context.authorizer.claims.iat",
                    "tokenExp":"$context.authorizer.claims.exp",
                    "cognitoIdentityId":"$context.identity.cognitoIdentityId",
                    "awsEndpointRequestId":"$context.awsEndpointRequestId",
                    "arn":"$context.identity.userArn",
                    "account":"$context.identity.accountId",
                    "claims-sub":"$context.authorizer.claims.sub",
                    "waf-error":"$context.waf.error",
                    "waf-status":"$context.waf.status",
                    "waf-latency":"$context.waf.latency",
                    "waf-response":"$context.waf.wafResponseCode",
                    "authenticate-error":"$context.authenticate.error",
                    "authenticate-status":"$context.authenticate.status",
                    "authenticate-latency":"$context.authenticate.latency",
                    "integration-error":"$context.integration.error",
                    "integration-status":"$context.integration.status",
                    "integration-latency":"$context.integration.latency",
                    "integration-requestId":"$context.integration.requestId",
                    "integration-integrationStatus":"$context.integration.integrationStatus",
                    "response-latency":"$context.responseLatency" }
            StageName: !Ref EnvType
            Auth:
                DefaultAuthorizer: CognitoAuthorizer
                AddDefaultAuthorizerToCorsPreflight: false
                Authorizers:
                    CognitoAuthorizer:
                        AuthType: COGNITO_USER_POOLS
                        UserPoolArn: !Sub 'arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${CognitoUserPoolArn}'
    

    【讨论】:

      猜你喜欢
      • 2021-11-03
      • 1970-01-01
      • 2022-09-24
      • 1970-01-01
      • 1970-01-01
      • 2021-04-17
      • 1970-01-01
      • 2020-10-28
      • 1970-01-01
      相关资源
      最近更新 更多