waf2: adding logging configuration fails to deploy.
Hi,
I'm using CDK version 1.139.0, and I had a WAF added in my previous deployment. Now I tried to add the logging configuration for that WAF, so I added the code below in CDK and generated the template.
```typescript
new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the web ACL using its code reference
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
```
Note: I have already created the log group for the WAF, named aws-waf-logs-for-app (which has the prefix WAF expects).
After synthesizing/generating the template I ran cdk deploy to update the CloudFormation stack.
List of policies I have already attached to CloudFormation:
'wafv2:AssociateWebACL', 'wafv2:CreateWebACL', 'wafv2:DeleteWebACL', 'wafv2:DescribeManagedRuleGroup', 'wafv2:DisassociateWebACL', 'wafv2:Get*', 'wafv2:List*', 'wafv2:UpdateWebACL', 'wafv2:GetLoggingConfiguration', 'wafv2:ListLoggingConfiguration', 'wafv2:PutLoggingConfiguration', 'wafv2:DeleteLoggingConfiguration', 'cloudwatch:DeleteAlarms', 'cloudwatch:Describe*', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:GetDashboard', 'cloudwatch:ListDashboards', 'cloudwatch:PutDashboard', 'cloudwatch:DeleteDashboards', 'cloudwatch:GetMetricData', 'cloudwatch:GetMetricStatistics', 'cloudwatch:ListMetrics', 'cloudwatch:PutMetricAlarm', 'cloudwatch:PutMetricData', and other policies for other resources.
But my CloudFormation stack fails to deploy the logging configuration for the WAF and displays the error below in the CloudFormation events page.
Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)
Note: In the above error I have modified the value of the Request ID and RequestToken. I believe I have given CloudFormation the needed policies.
Is it a bug in CDK? Did CDK fail to create a role needed for this? Can someone help me with this?
Reproduction Steps
Try to add the WAF and the logging configuration for the WAF in CDK and run cdk deploy.
```typescript
// CDK v1 imports for the constructs used below
import { RemovalPolicy } from '@aws-cdk/core';
import { LogGroup } from '@aws-cdk/aws-logs';
import { CfnWebACL, CfnLoggingConfiguration } from '@aws-cdk/aws-wafv2';

// scope, region, accountId and serviceRateLimit (presumably a CfnParameter)
// come from the surrounding stack code.
const webAcl = new CfnWebACL(scope, 'CfnWebAcl', {
  description: 'description',
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'dev-webacl-metrics',
    sampledRequestsEnabled: true,
  },
  rules: [
    {
      name: 'demo-rate-limit-rule',
      action: { block: {} },
      priority: 0,
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'dev-rate-limit-metrics',
        sampledRequestsEnabled: false,
      },
      statement: {
        rateBasedStatement: {
          aggregateKeyType: 'IP',
          limit: serviceRateLimit.valueAsNumber,
        },
      },
    },
  ],
});

// Log group name must carry the aws-waf-logs- prefix that WAF requires
const logGroup = new LogGroup(scope, 'CfnWebAclLogGroup', {
  logGroupName: 'aws-waf-logs-for-app',
  removalPolicy: RemovalPolicy.RETAIN,
});

new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the web ACL using its code reference
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
```
What did you expect to happen?
It should deploy without any errors, as I believe I have added the policies CloudFormation needs to deploy the above code.
What actually happened?
My CloudFormation stack fails to deploy the logging configuration for the WAF and displays the error below in the CloudFormation events page.
Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)
Note: In the above error I have modified the value of the Request ID and RequestToken.
CDK CLI Version
1.139.0
Framework Version
No response
Node.js Version
12.13.0
OS
windows , mac
Language
Typescript
Language Version
Typescript - 3.9.7
Other information
No response
Issue Analytics
- Created 2 years ago
- Reactions:1
- Comments:7
Top GitHub Comments
I was deploying the WAF resource and other resources through AWS CloudFormation, so I added the above policies to the CloudFormation service role. (AWS CloudFormation was using this service role to deploy the resources.)
I was just trying some of the IAM policies listed here https://docs.aws.amazon.com/waf/latest/developerguide/logging-s3.html and I've got it working.
I was going wrong by providing partial ARNs in the IAM policy. By using '*', it works.
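The fix above replaces resource scoping with `'*'`, which works but gives the deployment role more than it needs. As an added example (not code from the issue, its comments, or the CDK project), the TypeScript below checks offline whether a role's Allow actions cover the actions a deployment needs, applying IAM's wildcard rules, and shows why a resource pattern that omits the trailing segments of a web ACL ARN never matches while a pattern scoped to the account and region does. The role actions are copied from the issue; the list of actions required for WAF logging is an assumption taken from the AWS WAF logging documentation for CloudWatch Logs destinations and should be checked against the current docs; all ARNs are constructed sample values.

```typescript
// Added example, not part of the issue: offline coverage check for an IAM role's
// Allow actions and resource patterns. IAM wildcard rules: "*" matches any run of
// characters, "?" one character; action names match case-insensitively, ARNs
// case-sensitively.

function iamPatternToRegExp(pattern: string, caseInsensitive: boolean): RegExp {
  const body = pattern
    .split("")
    .map((ch) => {
      if (ch === "*") return ".*";
      if (ch === "?") return ".";
      return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
    })
    .join("");
  return new RegExp(`^${body}$`, caseInsensitive ? "i" : "");
}

function actionAllowed(action: string, allowedActions: string[]): boolean {
  return allowedActions.some((p) => iamPatternToRegExp(p, true).test(action));
}

function resourceAllowed(arn: string, resourcePatterns: string[]): boolean {
  return resourcePatterns.some((p) => iamPatternToRegExp(p, false).test(arn));
}

// Required actions that no Allow pattern grants.
function missingActions(required: string[], allowed: string[]): string[] {
  return required.filter((a) => !actionAllowed(a, allowed));
}

// The wafv2 and cloudwatch actions the issue author lists on the
// CloudFormation service role (copied from the issue text).
const ROLE_ACTIONS_FROM_ISSUE: string[] = [
  "wafv2:AssociateWebACL", "wafv2:CreateWebACL", "wafv2:DeleteWebACL",
  "wafv2:DescribeManagedRuleGroup", "wafv2:DisassociateWebACL", "wafv2:Get*",
  "wafv2:List*", "wafv2:UpdateWebACL", "wafv2:GetLoggingConfiguration",
  "wafv2:ListLoggingConfiguration", "wafv2:PutLoggingConfiguration",
  "wafv2:DeleteLoggingConfiguration", "cloudwatch:DeleteAlarms",
  "cloudwatch:Describe*", "cloudwatch:DisableAlarmActions",
  "cloudwatch:EnableAlarmActions", "cloudwatch:GetDashboard",
  "cloudwatch:ListDashboards", "cloudwatch:PutDashboard",
  "cloudwatch:DeleteDashboards", "cloudwatch:GetMetricData",
  "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
  "cloudwatch:PutMetricAlarm", "cloudwatch:PutMetricData",
];

// ASSUMPTION: actions the AWS WAF logging documentation lists for a CloudWatch
// Logs destination. Not taken from the issue; verify against the current docs.
const REQUIRED_FOR_WAF_LOGGING: string[] = [
  "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration",
  "logs:CreateLogDelivery", "logs:DeleteLogDelivery", "logs:GetLogDelivery",
  "logs:ListLogDeliveries", "logs:UpdateLogDelivery", "logs:PutResourcePolicy",
  "logs:DescribeResourcePolicies", "logs:DescribeLogGroups",
];

// Constructed sample ARNs. A regional web ACL ARN has the form
// arn:aws:wafv2:<region>:<account>:regional/webacl/<name>/<id>.
const SAMPLE_WEB_ACL_ARN =
  "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/CfnWebAcl/0a1b2c3d-0000-1111-2222-333344445555";
// Missing the id segment and carrying no wildcard: matches nothing.
const TRUNCATED_PATTERN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/CfnWebAcl";
// Any regional web ACL in this account and region: tighter than "*".
const SCOPED_PATTERN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/*/*";
const WILDCARD_PATTERN = "*"; // what the comment above fell back to

function report(): string[] {
  const lines: string[] = [];
  for (const a of missingActions(REQUIRED_FOR_WAF_LOGGING, ROLE_ACTIONS_FROM_ISSUE)) {
    lines.push(`missing action: ${a}`);
  }
  for (const p of [TRUNCATED_PATTERN, SCOPED_PATTERN, WILDCARD_PATTERN]) {
    lines.push(`resource ${p} matches web ACL: ${resourceAllowed(SAMPLE_WEB_ACL_ARN, [p])}`);
  }
  return lines;
}

console.log(report().join("\n"));
```

Run against the issue's own action list, the check reports every `logs:` action in the assumed required list as missing, which is the kind of gap a policy-simulator or offline check like this surfaces before a deploy fails with a generic 400.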