
waf2: adding logging configuration fails to deploy.


Hi,

I'm using CDK version 1.139.0, and I had a WAF added earlier in my previous deployment. Now I tried to add the logging configuration for that WAF. So I added the below code in CDK and generated the template.

```typescript
new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the web ACL using the web ACL code reference
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
```

Note: I have already created the log group for the WAF, named aws-waf-logs-for-app (which has the expected prefix needed for WAF).

After synthesizing/generating the template I ran cdk deploy to update the CloudFormation stack.

List of policies I have already attached to the CloudFormation service role:

'wafv2:AssociateWebACL', 'wafv2:CreateWebACL', 'wafv2:DeleteWebACL', 'wafv2:DescribeManagedRuleGroup', 'wafv2:DisassociateWebACL', 'wafv2:Get*', 'wafv2:List*', 'wafv2:UpdateWebACL', 'wafv2:GetLoggingConfiguration', 'wafv2:ListLoggingConfiguration', 'wafv2:PutLoggingConfiguration', 'wafv2:DeleteLoggingConfiguration', 'cloudwatch:DeleteAlarms', 'cloudwatch:Describe*', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:GetDashboard', 'cloudwatch:ListDashboards', 'cloudwatch:PutDashboard', 'cloudwatch:DeleteDashboards', 'cloudwatch:GetMetricData', 'cloudwatch:GetMetricStatistics', 'cloudwatch:ListMetrics', 'cloudwatch:PutMetricAlarm', 'cloudwatch:PutMetricData', and other policies for other resources.

But my CloudFormation stack fails to deploy the logging configuration for the WAF and displays the below error on the CloudFormation events page.

Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)

Note: In the above error I have modified the values of the Request ID and RequestToken. I believe I have given the needed policies to CloudFormation.

Is it a bug in CDK? Did CDK fail to create a role needed for this? Can someone help me with this?

Reproduction Steps

Try to add the WAF and the logging configuration for the WAF in CDK and run cdk deploy.

```typescript
import { RemovalPolicy } from '@aws-cdk/core';
import { LogGroup } from '@aws-cdk/aws-logs';
import { CfnLoggingConfiguration, CfnWebACL } from '@aws-cdk/aws-wafv2';

// scope, region, accountId and serviceRateLimit (a CfnParameter) are defined elsewhere in the stack
const webAcl = new CfnWebACL(scope, 'CfnWebAcl', {
  description: 'description',
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'dev-webacl-metrics',
    sampledRequestsEnabled: true,
  },
  rules: [
    {
      name: 'demo-rate-limit-rule',
      action: { block: {} },
      priority: 0,
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'dev-rate-limit-metrics',
        sampledRequestsEnabled: false,
      },
      statement: {
        rateBasedStatement: {
          aggregateKeyType: 'IP',
          limit: serviceRateLimit.valueAsNumber,
        },
      },
    },
  ],
});

const logGroup = new LogGroup(scope, 'CfnWebAclLogGroup', {
  logGroupName: 'aws-waf-logs-for-app', // WAF requires the aws-waf-logs- prefix
  removalPolicy: RemovalPolicy.RETAIN,
});

new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the web ACL using the web ACL code reference
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
```

What did you expect to happen?

It should deploy without any errors, as I believe I have added the policies needed for AWS CloudFormation to deploy the above code.

What actually happened?

My CloudFormation stack fails to deploy the logging configuration for the WAF and displays the below error on the CloudFormation events page.

Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)

Note: In the above error I have modified the values of the Request ID and RequestToken.

CDK CLI Version

1.139.0

Framework Version

No response

Node.js Version

12.13.0

OS

Windows, Mac

Language

TypeScript

Language Version

TypeScript 3.9.7

Other information

No response

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 1
  • Comments: 7

Top GitHub Comments

1 reaction
Raghunath-SK commented, Jun 10, 2022

I added these below policies and the deployment went well ('logs:CreateLogGroup', 'logs:DeleteLogGroup', 'logs:DescribeLogGroups', 'logs:PutRetentionPolicy', 'logs:GetLogEvents', 'logs:PutLogEvents', 'logs:CreateLogDelivery', 'logs:PutResourcePolicy', 'logs:DescribeResourcePolicies').

I’m currently having this issue and the error persists in the AWS Console. Could you please elaborate on where you attached these IAM policies? @Raghunath-SK

I was deploying the WAF resource and other resources through AWS CloudFormation, and so I added those above policies to the CloudFormation service role. (AWS CloudFormation was using this service role to deploy the resources.)

1 reaction
danw-mpl commented, Jan 31, 2022

I was just trying some of the IAM policies listed here https://docs.aws.amazon.com/waf/latest/developerguide/logging-s3.html and I’ve got it working.

I was going wrong by providing partial ARNs in the IAM policy. By using '*', it works.
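The two comments above describe the same fix from two sides: the logs:* actions that had to be added to the CloudFormation service role, and the observation that scoping those actions to a partial ARN still failed while Resource '*' worked. Below is an added example, not code from the issue, the CDK project or either commenter: a small offline pre-deploy check that models IAM's allow/deny evaluation with wildcard matching and reports which calls a service role cannot make. Every policy document here is constructed for illustration, the region, account id and web ACL id are placeholders, and the decision to model logs:CreateLogDelivery, logs:PutResourcePolicy and logs:DescribeResourcePolicies as calls that need Resource "*" is an assumption of this model; the action names are taken from the comments and should be confirmed against the AWS WAF logging documentation before being relied on.

```typescript
// Added example (not code from the issue or the CDK project): an offline pre-deploy
// check of the IAM actions granted to a CloudFormation service role against the
// calls that deploying AWS::WAFv2::LoggingConfiguration makes.
// All policy documents and ARNs below are constructed from the issue text.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

interface RequiredCall {
  action: string;
  resource: string; // "*" when the API acts on no ARN-addressable resource (assumption)
}

// IAM wildcard match: "*" matches any run of characters, "?" exactly one.
// Action names compare case-insensitively, ARNs case-sensitively.
function iamMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "").test(value);
}

// Simplified IAM evaluation: an explicit Deny wins; otherwise some Allow statement
// must match both the action and the resource. (No conditions, no resource policies.)
function isAllowed(statements: PolicyStatement[], call: RequiredCall): boolean {
  const applies = (s: PolicyStatement): boolean =>
    s.Action.some((a) => iamMatch(a, call.action, true)) &&
    s.Resource.some((r) => iamMatch(r, call.resource, false));
  if (statements.some((s) => s.Effect === "Deny" && applies(s))) return false;
  return statements.some((s) => s.Effect === "Allow" && applies(s));
}

// Returns "action on resource" for every required call the role cannot make.
function missingPermissions(statements: PolicyStatement[], calls: RequiredCall[]): string[] {
  return calls
    .filter((c) => !isAllowed(statements, c))
    .map((c) => `${c.action} on ${c.resource}`);
}

// Constructed placeholders for region, account and web ACL id; the log group name is from the issue.
const WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/CfnWebAcl/EXAMPLE-ID";
const LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-for-app";

// Calls the thread reports as needed. Action names come from the issue and the comments;
// which of them are modelled as needing Resource "*" is an assumption of this model.
const REQUIRED_CALLS: RequiredCall[] = [
  { action: "wafv2:PutLoggingConfiguration", resource: WEB_ACL_ARN },
  { action: "wafv2:GetLoggingConfiguration", resource: WEB_ACL_ARN },
  { action: "logs:CreateLogDelivery", resource: "*" },
  { action: "logs:PutResourcePolicy", resource: "*" },
  { action: "logs:DescribeResourcePolicies", resource: "*" },
];

const LOG_ACTIONS = ["logs:CreateLogDelivery", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies"];

// 1. The asker's role: wafv2 actions (with the wildcards listed in the issue) but no logs:* actions.
const ASKER_ROLE: PolicyStatement[] = [
  {
    Effect: "Allow",
    Resource: ["*"],
    Action: ["wafv2:Get*", "wafv2:List*", "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration"],
  },
];

// 2. Same role with the logs actions added, but scoped to the log group ARN only
//    (the "partial ARN" mistake the later comment describes).
const PARTIAL_ARN_ROLE: PolicyStatement[] = [
  ...ASKER_ROLE,
  { Effect: "Allow", Resource: [LOG_GROUP_ARN], Action: LOG_ACTIONS },
];

// 3. The working role: the logs actions granted on Resource "*".
const FIXED_ROLE: PolicyStatement[] = [
  ...ASKER_ROLE,
  { Effect: "Allow", Resource: ["*"], Action: LOG_ACTIONS },
];

const roles: Array<[string, PolicyStatement[]]> = [
  ["asker", ASKER_ROLE],
  ["partial-arn", PARTIAL_ARN_ROLE],
  ["fixed", FIXED_ROLE],
];
for (const [name, role] of roles) {
  console.log(`${name}: missing ${JSON.stringify(missingPermissions(role, REQUIRED_CALLS))}`);
}
```

Running the block prints three missing calls for the asker's role and for the partial-ARN role, and none for the fixed role; the wafv2:Get* wildcard is what covers wafv2:GetLoggingConfiguration in all three. Keeping such a check in the pipeline turns "You don't have the permissions" into a named list before cdk deploy runs, which is also where a reviewer can decide whether each Resource "*" grant is really needed rather than widening the whole role.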
