Reputation: 3501
I have created a Web ACL in my AWS account in AWS WAF and assigned it some rules. In my serverless.yml file I have used the serverless-associate-waf plugin.
But when I go to my Web ACLs > my acl > Associated AWS Resources, I do not see the associated API Gateway listed there.
Here is how my serverless.yml file looks:
service: ${opt:product}
plugins:
  - serverless-domain-manager
  - serverless-apigw-binary
  - serverless-associate-waf
custom:
  associateWaf:
    name: name-of-my-acl
  esLogs:
    endpoint: link.amazonaws.com
    index: "${opt:stage}-logs"
    includeApiGWLogs: true
    retentionInDays: 30
  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'ap-south-1'}
  accountId: ${opt:accountId}
  awsBucket: ${opt:awsBucket, 'documents'}
  awsPermaBucket: ${opt:awsPermaBucket, 'perma-documents-dev'}
  cryptoKey: ${opt:cryptoKey}
  apigwBinary:
    types:
      - 'multipart/form-data'
  customDomain:
    domainName: ${opt:stage}-${opt:product}-api.io
    basePath: ""
    stage: ${self:custom.stage}
    createRoute53Record: true
provider:
  vpc:
    securityGroupIds:
      - sg-1234
    subnetIds:
      - subnet-1234
      - subnet-1234
  environment:
    region: ${self:custom.region}
    stage: ${self:custom.stage}
    module: ${opt:product}
    awsBucket: ${self:custom.awsBucket}
    authToken: ${opt:authToken}
    accountId: ${opt:accountId}
    awsPermaBucket: ${self:custom.awsPermaBucket}
    cryptoKey: ${opt:cryptoKey}
  iamRoleStatements:
    - Effect: Allow
      Action:
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
        - logs:DescribeLogStreams
      Resource: "*"
    - Effect: Allow
      Action:
        - s3:*
      Resource: "*"
    - Effect: "Allow"
      Action:
        - "sqs:*"
      Resource: "arn:aws:sqs:${opt:region}:*:${opt:stage}-${opt:product}-sqs-queue"
  name: aws
  runtime: nodejs12.x
  stage: ${self:custom.stage}
  region: ${self:custom.region}
  memorySize: 256
  timeout: 30
package:
  exclude:
    - "*/**"
  include:
    - build/**
    - node_modules/**
functions:
  orgSettingsAPI:
    name: ${self:service}-${self:custom.stage}-api
    handler: build/src/lambda.handler
    events:
      - http:
          method: any
          path: /api/{proxy+}
          authorizer:
            arn: arn:aws:lambda:${opt:region}:${self:custom.accountId}:function:authenticator-${self:custom.stage}-api
            resultTtlInSeconds: 60
            identitySource: method.request.header.Authorization
            identityValidationExpression: ^Bearer.+
          cors:
            origins:
              - "*"
            headers:
              - Content-Type
              - X-Amz-Date
              - Authorization
              - X-Api-Key
              - X-Amz-Security-Token
            allowCredentials: true
            maxAge: 86400
      - http:
          method: any
          path: /internal/{proxy+}
    vpc:
      securityGroupIds:
        - sg-1234
      subnetIds:
        - subnet-1234
        - subnet-1234
    environment:
      SqsQueueName: ${opt:stage}-${opt:product}-sqs-queue
    reservedConcurrency: 10
    events:
      - sqs:
          arn:
            Fn::GetAtt:
              - SqsQueue
              - Arn
          batchSize: 1
resources:
  Resources:
    GatewayResponse:
      Type: "AWS::ApiGateway::GatewayResponse"
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: EXPIRED_TOKEN
        RestApiId:
          Ref: "ApiGatewayRestApi"
        StatusCode: "401"
    AuthFailureGatewayResponse:
      Type: "AWS::ApiGateway::GatewayResponse"
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: "ApiGatewayRestApi"
        StatusCode: "401"
When I debugged the deployment process, it says:
Serverless: Unable to find WAF named 'name-of-my-acl'.
Am I naming it wrong or using it wrong?
I do not understand what is the name I should be using for my WAF in the serverless.yml file.
Upvotes: 1
Views: 3076
Reputation: 94
Creating an ACL in a separate template and importing its name to serverless.yml didn't work.
The export was in the form:
acl-name-here|8e22cf49-765b-4615-7ad4-bebb66ed5c6a|REGIONAL
While the template expects
associateWaf:
  name: 'acl-name-here'
Upvotes: 0
Reputation: 3501
Found the issue, turns out I need to add
version: V2
just after name since AWS WAF supports V2. Once I added it and redeployed, the API Gateway got attached to the created WAF.
PS: the name is the name of the ACL that we want to use.
Upvotes: 3
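Added example, not part of the original posts or of the plugin's code: a small check that decides what to put under custom.associateWaf, covering both the missing version: V2 from the accepted fix and the name|id|scope export form from the other answer. The function names and the embedded CLI outputs are constructed for illustration, and it assumes (inferred from the fix above) that the plugin searches WAF Classic when no version key is set.

```python
import json

# Constructed sample output of `aws waf-regional list-web-acls` (WAF Classic).
CLASSIC_JSON = '{"WebACLs": [{"WebACLId": "00000000-0000-4000-8000-000000000001", "Name": "legacy-acl"}]}'
# Constructed sample output of `aws wafv2 list-web-acls --scope REGIONAL`.
V2_JSON = json.dumps({"WebACLs": [{
    "Name": "name-of-my-acl",
    "Id": "00000000-0000-4000-8000-000000000002",
    "ARN": "arn:aws:wafv2:ap-south-1:111122223333:regional/webacl/"
           "name-of-my-acl/00000000-0000-4000-8000-000000000002",
}]})


def acl_name(value):
    """Return the bare ACL name from a plain name or a 'name|id|scope' export."""
    parts = value.split("|")
    if len(parts) == 1:
        return value
    if len(parts) == 3 and parts[2] in ("REGIONAL", "CLOUDFRONT"):
        return parts[0]
    raise ValueError(f"unrecognised Web ACL reference: {value!r}")


def listed_names(cli_json):
    """Names of the Web ACLs in one list-web-acls response."""
    return {acl["Name"] for acl in json.loads(cli_json).get("WebACLs", [])}


def associate_waf_settings(value, classic_json, v2_json):
    """Build the custom.associateWaf mapping for the API the ACL lives in."""
    name = acl_name(value)
    if name in listed_names(v2_json):
        # ACL exists in WAFv2: the fix from the thread.
        return {"name": name, "version": "V2"}
    if name in listed_names(classic_json):
        # Assumption: with no version key the plugin searches WAF Classic.
        return {"name": name}
    return None  # neither API lists the name; expect "Unable to find WAF"


if __name__ == "__main__":
    for ref in ("name-of-my-acl",
                "acl-name-here|8e22cf49-765b-4615-7ad4-bebb66ed5c6a|REGIONAL"):
        print(ref, "->", associate_waf_settings(ref, CLASSIC_JSON, V2_JSON))
```

To use it against a real account, replace the two constructed strings with the output of the two list commands run in the deployment region.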