Vinay Ramakrishnan

Reputation: 1

Getting the error: Resource handler returned message: "AWS WAF couldn't perform the operation because your resource doesn't exist"


    #WAF Code
    Resources:
      MyWaf:
        Type: 'AWS::WAFv2::WebACL'
        Properties:
          Name: My-waf
          Scope: CLOUDFRONT
          DefaultAction:
            Block: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: my-waf-metric
            SampledRequestsEnabled: true
          Rules:
            - Name: AWSManagedRulesCommonRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: CommonRuleSet
              Priority: 1
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: CommonRuleSetMetric
            - Name: AWSManagedRulesSQLiRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: SQLiRuleSet
              Priority: 2
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: SQLiMeteric
            - Name: AWSManagedRulesKnownBadInputs
              Statement:
                ManagedRuleGroupStatement:
                  Name: BadInputSet
                  VendorName: AWS
              Priority: 3
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: BadInputMetric
            - Name: AWSManagedRulesATPRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  Name: ATPRuleSet
                  VendorName: AWS
              Priority: 4
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: ATPRuleSetMetric
            - Name: AWSManagedRulesIPReputationList
              Priority: 5
              Statement:
                ManagedRuleGroupStatement:
                  Name: IPReputationListSet
                  VendorName: AWS
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: IPReputationListMetric
            - Name: AWSManagedRulesBotControlRuleSet
              Priority: 6
              Statement:
                ManagedRuleGroupStatement:
                  Name: BotControlSet
                  VendorName: AWS
              Action:
                Block: {}
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: BotContolSetMetric


    Outputs:
      WebACLId:
        Description: My WAF WebACL ID
        Value: !Ref MyWaf
        Export:
          Name: my-web-aclid

I have a CloudFront distribution in ap-southeast-2, which is associated with an ALB. Both these resources are created using CloudFormation. I have associated a WAF with CloudFront with the scope of the WAFv2 as CLOUDFRONT. I am deploying this in us-east-1. Upon deploying the WAF code in us-east-1, I noticed the following error.

Resource handler returned message: "AWS WAF couldn't perform the operation because your resource doesn't exist. (Service: Wafv2, Status Code: 400, Request ID: 7165d5e9-aa1d-4057-a5f2-b6a5617cbbdf)" (RequestToken: 82863340-6852-b176-023f-01beb14f28b1, HandlerErrorCode: NotFound). How do I then associate this WAF with a CloudFront deployed in ap-southeast-2? Can exports be done cross-region in CloudFormation? I think not, right?

Here is my WAF code. Can you help me troubleshoot this, as it's a pretty generic runtime error?

    MyCloudFrontDistribution:
      Type: 'AWS::CloudFront::Distribution'
      Properties:
        DistributionConfig:
          Enabled: true
          Origins:
            - DomainName: !ImportValue my-ApiGatewayDnsName
              Id: testgwy
              CustomOriginConfig:
                HTTPSPort: 443
                OriginProtocolPolicy: https-only
          DefaultCacheBehavior:
            AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            MinTTL: 100
            DefaultTTL: 100
            MaxTTL: 300
            ForwardedValues:
              QueryString: true
            # Must match the Id of an entry in Origins (was "testalb", which is not defined above)
            TargetOriginId: testgwy
            ViewerProtocolPolicy: allow-all
          WebACLId: !Ref MyWaf


Thanks

I tried putting the CloudFront and WAF in us-east-1, but then the CloudFront deployment failed as the origin it links to is in ap-southeast-2. I tried running the WAF code alone in us-east-1 and got the error.

Update 1: I removed all the rules and tried it again, and the WAF code worked. Then I included only the CommonRuleSet rule and it failed. I think it is something to do with the ruleset.

Upvotes: 0

Views: 2203

Answers (2)

Vinay Ramakrishnan

Reputation: 1

    #WAF Code
    Resources:
      MyWaf:
        Type: 'AWS::WAFv2::WebACL'
        Properties:
          Name: My-waf
          Scope: CLOUDFRONT
          DefaultAction:
            Block: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: my-waf-metric
            SampledRequestsEnabled: true
          Rules:
            - Name: CommonRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesCommonRuleSet
              Priority: 0
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: CommonRuleSetMetric
            - Name: AWSManagedRulesSQLiRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesSQLiRuleSet
              Priority: 1
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: AWSManagedRulesSQLiRuleSetMetric
            - Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
              Priority: 2
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAMRKnownBadInputs
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesKnownBadInputsRuleSet
            - Name: AWS-AWSManagedRulesATPRuleSet
              Priority: 3
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAWSManagedRulesATPRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesATPRuleSet
                  ManagedRuleGroupConfigs:
                    - LoginPath: /api/accounts/login
                    - PayloadType: JSON
                    - PasswordField:
                        Identifier: /form/password
                    - UsernameField:
                        Identifier: /form/username
            - Name: AWS-AWSManagedRulesAmazonIpReputationList
              Priority: 4
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAWSManagedRulesAmazonIpReputationList
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesAmazonIpReputationList
            - Name: AWS-AWSManagedRulesBotControlRuleSet
              Priority: 5
              OverrideAction:
                Count: {}
              VisibilityConfig:
                SampledRequestsEnabled: true
                CloudWatchMetricsEnabled: true
                MetricName: MetricForAWSManagedRulesBotControlRuleSet
              Statement:
                ManagedRuleGroupStatement:
                  VendorName: AWS
                  Name: AWSManagedRulesBotControlRuleSet

    Outputs:
      WebACLId:
        Description: My WAF WebACL ID
        Value: !Ref MyWaf
        Export:
          Name: my-web-aclid


The rule names were incorrect and I have corrected them and the code works now :) Thanks to all those who saw my question and also attempted to answer it!

Upvotes: 0
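A pre-deployment check for this class of template mistake, added here as an example and not taken from the question or either answer: it flags AWS managed rule group names outside a known list (the names from the corrected template above; the live list comes from `aws wafv2 list-available-managed-rule-groups --scope CLOUDFRONT --region us-east-1`), a rule-level Action on a managed rule group, duplicate priorities, and a CLOUDFRONT-scoped web ACL in a stack outside us-east-1. It assumes the template has already been parsed into a Python dict by a YAML loader that accepts CloudFormation tags such as !Ref.

```python
# Added example (not code from the question or the answers): a pre-deploy lint
# for an AWS::WAFv2::WebACL Properties dict, catching the mistakes seen above.
# Assumes the template was already loaded into a dict by a YAML loader that
# accepts CloudFormation tags such as !Ref.

# Allow-list built from the managed rule group names in the corrected template.
KNOWN_AWS_RULE_GROUPS = {
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesATPRuleSet",
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesBotControlRuleSet",
}


def lint_web_acl(props, region):
    """Return a list of problems found in a WebACL's Properties for a stack in `region`."""
    problems = []
    # A CLOUDFRONT-scoped web ACL can only be created in us-east-1.
    if props.get("Scope") == "CLOUDFRONT" and region != "us-east-1":
        problems.append(f"Scope CLOUDFRONT web ACLs must be deployed in us-east-1, not {region}")
    seen = set()
    for rule in props.get("Rules", []):
        name, prio = rule.get("Name", "<unnamed>"), rule.get("Priority")
        if prio in seen:
            problems.append(f"{name}: duplicate Priority {prio}")
        seen.add(prio)
        managed = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if managed is None:
            continue  # only managed rule group rules are checked here
        group = managed.get("Name")
        if managed.get("VendorName") == "AWS" and group not in KNOWN_AWS_RULE_GROUPS:
            problems.append(f"{name}: unknown AWS managed rule group '{group}'")
        # Managed rule group rules take OverrideAction; a rule-level Action is rejected.
        if "Action" in rule:
            problems.append(f"{name}: use OverrideAction, not Action, for a managed rule group")
        elif "OverrideAction" not in rule:
            problems.append(f"{name}: missing OverrideAction")
    return problems


# Constructed samples: the first rule as posted in the question, then as corrected.
_COMMON = {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "CommonRuleSet"}}
BROKEN_ACL = {"Scope": "CLOUDFRONT", "Rules": [
    {"Name": "AWSManagedRulesCommonRuleSet", "Priority": 1, "Statement": _COMMON,
     "Action": {"Block": {}}, "OverrideAction": {"Count": {}}}]}
FIXED_ACL = {"Scope": "CLOUDFRONT", "Rules": [
    {"Name": "CommonRuleSet", "Priority": 0, "OverrideAction": {"Count": {}},
     "Statement": {"ManagedRuleGroupStatement": {
         "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}}]}
```

Running `lint_web_acl(BROKEN_ACL, "us-east-1")` reports the unknown group name and the stray Action; the corrected rule reports nothing.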

Marcin

Reputation: 238727

Your WebACL is called MyVicWaf, but you are using !Ref MyWaf. Also you need ARN, not Id. Thus it should be:

WebACLId: !GetAtt MyVicWaf.Arn

Upvotes: 0
