【发布时间】:2021-10-30 10:04:05
【问题描述】:
我正在尝试在我的 Beanstalk 环境中设置 IPSet。
在我的 .ebextensions 中,我有一个 waf.config 包含:
option_settings:
aws:elasticbeanstalk:environment:
LoadBalancerType: application
Resources:
IPSet:
Type: "AWS::WAFv2::IPSet"
Properties:
Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-IPset'
Addresses:
- 10.10.10.10/32
IPAddressVersion: IPV4
Scope: REGIONAL
Tags:
- Key: "Scope"
Value: "Sqreen"
WafAcl:
Type: "AWS::WAFv2::WebACL"
Properties:
Description: 'Web ACL to Block bad requests on `{ "Ref" : "AWSEBEnvironmentName" }`'
Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
Scope: REGIONAL
DefaultAction:
Allow : {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
Rules:
- Name: DenyListIPSet
Priority: 0
OverrideAction:
Block: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: DenyIps
Statement:
IPSetReferenceStatement:
Arn: '`{ "Fn::GetAtt" : ["IPSet", "Arn" ]}`'
WebACLAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'
但是 cloudformation 堆栈给了我:"Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement (Service: Wafv2, Status Code: 400
cloudformation 堆栈对我来说似乎有效。我没有看到任何其他陈述可以更好地满足我的需要......
编辑:解决方案
“RuleAction”和“OverrideAction”,请分别参考[3]和[4]。
[3]https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ruleaction.html [4]https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-overrideaction.html
使用操作(而不是覆盖操作),WAF 可以按预期工作!
【问题讨论】:
-
看起来你正在混合 waf 和 wafv2。
AWS::WAFv2::IPSet会起作用吗? -
oups 输入错误,已修复
标签: amazon-web-services amazon-elastic-beanstalk amazon-cloudformation amazon-waf