Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Deleting Stack Fails while trying to delete Reputation Lists

See original GitHub issue

After deploying the updated WAF template to test out some changes, I decided to delete it. This failed when it got to WAFReputationListsSet1 and WAFReputationListsSet2 with the message Operation would result in exceeding resource limits.

Although I can’t find a limit for this in the documentation or AWS WAF Limits, the rumour online is that there is a limit of 1000 CIDRs per create, update or delete. So it would appear that CloudFormation when going to delete the IPSet deletes all of the IPs in the IPSet first, then deletes the IPSet itself, which is a problem because the reputation lists seem to have over 1000 ips in them.

Issue Analytics

State:
Created 6 years ago
Reactions:1
Comments:9 (2 by maintainers)

Top GitHub Comments

3reactions

jasonmcintoshcommented, Jan 9, 2018

For anyone else who hits this… here’s a quick script to clean things up. Designed to work from the CLI vs. lambda. Note, designed to work with waf not waf-regional (eg. alb vs. cloudfront wafs)

import boto3

import optparse

parser = optparse.OptionParser()
parser.add_option('--setid', help='SetID via aws waf list-set-ids or aws waf-regional list-set-ids')
parser.add_option('--profile', help='AWS Profile as in ~/.aws/credentials file')
(options, args) = parser.parse_args()
if not options.setid:
    parser.error("Missing setid")
if not options.profile:
    parser.error("Missing profile")


def chunks(l, n):
    """Yield successive n-sized chunks from l."""
    for i in range(0, len(l), n):
        yield l[i:i + n]

session = boto3.session.Session(profile_name= options.profile)
client = session.client("waf")


ipset = client.get_ip_set(IPSetId = options.setid)
count = 1

for chunk in chunks(ipset['IPSet']['IPSetDescriptors'], 500):
    delete_set = []
    for item in chunk:
        delete_set.append({'Action':'DELETE','IPSetDescriptor':{'Type':item['Type'], 'Value':item['Value']}})
    token = client.get_change_token()
    response = client.update_ip_set( ChangeToken=token['ChangeToken'], IPSetId=options.setid, Updates=delete_set)
    print "On count {0} of delete... ".format(count)
    count += 1

2reactions

pedros007commented, Jun 10, 2019

I ran into this problem today with v2.3.0. Deleting the stack would fail to delete the regional IP Reputation Lists Set.

Here’s how I fixed it:

Load console for WAF > IP Addresses condition > select my region > select “IP Reputation Lists Set” and saw 2,479 IP descriptors
Show 1,000 descriptors per page
Select all and delete the descriptors.

After I did this, I was able to delete the CloudFormation stack without a rate limit error. AFAICT, this is a manual attempt at what @alfaro28 suggested above