1

We are trying to create an AWS::WAFv2::IPSet in our SAM template.

WhitelistedIPAddressesIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
        Description: 'Merchant IPs'
        Scope: REGIONAL
        IPAddressVersion: IPV4
        Addresses: [0.0.0.0/32, 0.0.10.0/32]

The IP set is created successfully. As soon as the AWS::WAFv2::WebACLAssociation is created:

WAFApiAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    DependsOn:
        - ApiGateway
        - WAFWebAcl
    Properties:
        ResourceArn: !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGateway}/stages/${EnvType}'
        WebACLArn: !GetAtt WAFWebAcl.Arn

CloudFormation fails and rolls back. The error shown is the following:

Resource handler returned message: "AWS WAF couldn't perform the operation because your resource doesn't exist. (Service: Wafv2, Status Code: 400, Request ID: e337720a-e32c-4c29-acde-1896855405c9, Extended Request ID: null)" (RequestToken: f24d0488-3016-4030-3a3b-bbb24666f130, HandlerErrorCode: NotFound)

We have tried different formats for the IP set in the SAM template to see whether that was causing the problem, but without any success.

Can anyone share some useful insight into this issue?

4

2 Answers

1

A) DependsOn is not needed if your resource already depends directly on the other resources. In this case it does, so you can remove this property.

B) You need to share your whole stack here, not just the part you shared, because there may be a problem with your APIGW configuration. Since creation fails, you may be seeing this as a follow-on problem.

Creating the APIGW is not enough; you need to make sure the WAF is actually attached after the APIGW stage has been created, not just the APIGW. In this case, replace the ResourceArn with a reference to the APIGW Stage. (Also, you may need to wait for the stage deployment to complete.)

answered 2021-05-18T12:00:54.303
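One way to put this answer's suggestion (reference the stage, not just the API, and let CloudFormation order the association after it) into a complete template, as an added example that is not part of the question, either answer, or any AWS documentation. It assumes the API's logical ID is CDEAPI with StageName: !Ref EnvType (as in the other answer on this page), and that SAM therefore names the generated AWS::ApiGateway::Stage resource CDEAPIStage (SAM only inserts the literal stage name before "Stage", e.g. CDEAPIProdStage, when StageName is a plain string). The PingFunction, the web ACL rule names and metric names are assumptions made for the example, and the documentation range 203.0.113.0/24 is a constructed placeholder for the merchant addresses.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  EnvType:
    Type: String
    Default: dev

Resources:
  CDEAPI:
    Type: AWS::Serverless::Api
    Properties:
      StageName: !Ref EnvType   # intrinsic, so SAM names the stage resource CDEAPIStage (assumption)

  # Placeholder function (constructed for this example) so SAM has at least one
  # route to put on the API; the real stack would have its own functions here.
  PingFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      Handler: index.handler
      InlineCode: |
        def handler(event, context):
            return {"statusCode": 200, "body": "ok"}
      Events:
        Ping:
          Type: Api
          Properties:
            RestApiId: !Ref CDEAPI
            Path: /ping
            Method: GET

  WhitelistedIPAddressesIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Description: Merchant IPs
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 203.0.113.0/24        # constructed placeholder (RFC 5737 documentation range)

  WAFWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: REGIONAL
      DefaultAction:
        Block: {}               # deny by default; only the listed merchant IPs are allowed through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: MerchantApiWebAcl
      Rules:
        - Name: AllowMerchantIPs
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt WhitelistedIPAddressesIPSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AllowMerchantIPs

  WAFApiAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # !Ref CDEAPI resolves to the REST API id and !Ref CDEAPIStage to the stage
      # name. Because the !Sub references the generated stage resource,
      # CloudFormation creates the stage before this association, which is what
      # avoids the NotFound "your resource doesn't exist" error on first deploy.
      ResourceArn: !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis/${CDEAPI}/stages/${CDEAPIStage}'
      WebACLArn: !GetAtt WAFWebAcl.Arn
```

After `sam deploy`, the attachment can be confirmed with `aws wafv2 get-web-acl-for-resource --resource-arn <the stage ARN above>`, which returns the web ACL or nothing if the association did not take. With the default action set to Block, requests from addresses outside the IP set are rejected by WAF before they reach the Cognito authorizer, and the `$context.waf.*` fields in the access-log format shown in the other answer on this page record that decision per request.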
0

Here is the APIGW template, Warren Parad

CDEAPI:
    Type: AWS::Serverless::Api
    Properties:
        # Domain:
        #     DomainName: !Ref CDEAPIDomainName
        #     SecurityPolicy: TLS_1_2
        #     CertificateArn: !Sub 'arn:aws:acm:us-east-1:${AWS::AccountId}:certificate/${CDEAPICertificateArn}'
        #     EndpointConfiguration: EDGE
        #     Route53:
        #         HostedZoneId: !Ref CDEAPIHostedZoneId
        AccessLogSetting:
            DestinationArn: !GetAtt CDEAPIAccessLogGroup.Arn
            Format: >-
                { "requestId":"$context.requestId",
                "ip":"$context.identity.sourceIp",
                "caller":"$context.identity.caller",
                "user":"$context.identity.user",
                "userAgent":"$context.identity.userAgent",
                "userArn":"$context.identity.userArn",
                "requestTime":"$context.requestTime",
                "requestTimeEpoch":"$context.requestTimeEpoch",
                "httpMethod":"$context.httpMethod",
                "resourcePath":"$context.resourcePath",
                "path":"$context.path",
                "status":"$context.status",
                "protocol":"$context.protocol",
                "responseLength":"$context.responseLength",
                "responseLatency":"$context.responseLatency",
                "authorizerLatency":"$context.authorizer.integrationLatency",
                "integrationLatency":"$context.integrationLatency",
                "integrationStatus":"$context.integrationStatus",
                "xrayTraceId":"$context.xrayTraceId",
                "errorMessage":"$context.error.message",
                "domainName":"$context.domainName",
                "domainPrefix":"$context.domainPrefix",
                "tokenScopes":"$context.authorizer.claims.scope",
                "tokenIat":"$context.authorizer.claims.iat",
                "tokenExp":"$context.authorizer.claims.exp",
                "cognitoIdentityId":"$context.identity.cognitoIdentityId",
                "awsEndpointRequestId":"$context.awsEndpointRequestId",
                "arn":"$context.identity.userArn",
                "account":"$context.identity.accountId",
                "claims-sub":"$context.authorizer.claims.sub",
                "waf-error":"$context.waf.error",
                "waf-status":"$context.waf.status",
                "waf-latency":"$context.waf.latency",
                "waf-response":"$context.waf.wafResponseCode",
                "authenticate-error":"$context.authenticate.error",
                "authenticate-status":"$context.authenticate.status",
                "authenticate-latency":"$context.authenticate.latency",
                "integration-error":"$context.integration.error",
                "integration-status":"$context.integration.status",
                "integration-latency":"$context.integration.latency",
                "integration-requestId":"$context.integration.requestId",
                "integration-integrationStatus":"$context.integration.integrationStatus",
                "response-latency":"$context.responseLatency" }
        StageName: !Ref EnvType
        Auth:
            DefaultAuthorizer: CognitoAuthorizer
            AddDefaultAuthorizerToCorsPreflight: false
            Authorizers:
                CognitoAuthorizer:
                    AuthType: COGNITO_USER_POOLS
                    UserPoolArn: !Sub 'arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${CognitoUserPoolArn}'
answered 2021-05-18T13:11:50.740