SAM API Gateway with Cloudformation WAFRegional - aws-cloudformation

To secure our API, I'm trying to deploy a WAFRegional with a RateBasedRule. The API Gateway is located in a SAM template wherein I have also a nested stack for the child template holding the WAFRegional configurations. The child template for the WAFRegional configuration is provided below. What happens during the ExecuteChangeSet phase is the following:
CamerasIpSet is created
CamerasRateRule is created
WAFCamerasWebACL CREATE_FAILED: The referenced item does not exist. (Service: AWSWAFRegional; Status Code: 400; Error Code: WAFNonexistentItemException
I found the following post from about 2 months ago where someone has the same issue when using Serverless: https://forum.serverless.com/t/dependon-api-gateway-deployment/7792
What am I missing out on here?
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template for WAF Configuration'
Parameters:
CamerasApi:
Description: "Arn of the Cameras Api"
Type: String
Default: cameras-api-dev
StageName:
Description: "Stage name of the Cameras Api"
Type: String
Default: v
Blocking:
Description: "Number of calls per 5 minutes for WAF IP blocking."
Type: Number
Default: 2000
EnvironmentType:
Type: String
Default: "dev"
Description: "Type of environment: dev, staging or prod."
Resources:
WAFCamerasWebACL:
Type: AWS::WAFRegional::WebACL
DependsOn: CamerasRateRule
Properties:
DefaultAction:
Type: ALLOW
MetricName: !Join ['', ['IPBlockingMetric', !Ref EnvironmentType]]
Name: !Join ['', ['IPBlockingACL', !Ref EnvironmentType]]
Rules:
-
Action:
Type: "BLOCK"
Priority: 1
RuleId: !Ref CamerasRateRule
CamerasRateRule:
Type: AWS::WAFRegional::RateBasedRule
Properties:
MetricName: UnallowedAccessCount
Name: FiveMinuteRule
RateKey: IP
RateLimit: !Ref Blocking
MatchPredicates:
-
DataId: !Ref CamerasIpSet
Negated: false
Type: "IPMatch"
CamerasIpSet:
Type: AWS::WAFRegional::IPSet
Properties:
Name: !Join ['-', ['IpBlacklist', !Ref EnvironmentType]]
MyWebACLAssociation:
Type: AWS::WAFRegional::WebACLAssociation
Properties:
ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${CamerasApi}/stages/${StageName}
WebACLId: !Ref WAFCamerasWebACL
Outputs:
WebACL:
Description: Name of the web ACL
Value: !Ref WAFCamerasWebACL

I finally resolved the issue with the help of the AWS customer service. This is a limitation they have with CloudFormation when dealing with AWS::WAFRegional::RateBasedRule.
Despite the fact that CloudFormation supports creating WAF regional rate-based rules, the association of them with a Web ACL is not currently supported. If you observe link [1] below, you will realize that:
"To add the rate-based rules created through CloudFormation to a web ACL, use the AWS WAF console, API, or command line interface (CLI)."
[1] AWS::WAFRegional::RateBasedRule:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-ratebasedrule.html
I used the Cloudformation template to generate the WebACL, the RateBasedRule, and the association of the WebACL with my APIGW. Using CodeBuild in our CI/CD pipeline, I'm now adding the RateBasedRule to the WebACL by using the CLI command aws waf-regional update-web-acl.

I ran in the same issue and I solve the problem with WAFv2
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template for WAF Configuration'
Parameters:
CamerasApi:
Description: "Arn of the Cameras Api"
Type: String
Default: YOUR-API-ID
StageName:
Description: "Stage name of the Cameras Api"
Type: String
Default: YOUR-Stage
Blocking:
Description: "Number of calls per 5 minutes for WAF IP blocking."
Type: Number
Default: 2000
EnvironmentType:
Type: String
Default: Prod
Description: "Type of environment: dev, staging or prod."
Resources:
WAFCamerasWebACL:
Type: AWS::WAFv2::WebACL
Properties:
Name: ExampleWebACL
Description: This is an example WebACL
Scope: REGIONAL
DefaultAction:
Allow: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: ExampleWebACLMetric
Rules:
- Name: RulesTest
Priority: 0
Action:
Block: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: test
Statement:
RateBasedStatement:
Limit: 100
AggregateKeyType: IP
MyWebACLAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${CamerasApi}/stages/${StageName}
WebACLArn: !GetAtt WAFCamerasWebACL.Arn
Outputs:
WebACL:
Description: Name of the web ACL
Value: !Ref WAFCamerasWebACL

Assuming a AWS::WAFRegional::WebACL and AWS::WAFRegional::RateBasedRule are defined in a Cloudformation stack, they can be attached using the following bash script:
CHANGE_TOKEN=$(aws waf-regional get-change-token --output text)
WEBACL_ID=$(aws waf-regional list-web-acls --query WebACLs[0].WebACLId --output text)
RULE_ID=$(aws waf-regional list-rate-based-rules --query Rules[0].RuleId --output text)
aws waf-regional update-web-acl --web-acl-id $WEBACL_ID --change-token $CHANGE_TOKEN \
--updates Action="INSERT",ActivatedRule='{Priority=1,RuleId="'$RULE_ID'",Action={Type="BLOCK"},Type="RATE_BASED"}'
However unfortunately this leads to issues when deleting the Cloudformation stack
The following resource(s) failed to delete: [RateBasedRuleName].
Any ideas how to enable the stack to remove the rule when issueing aws cloudformation delete-stack?

Resources:
BlueWafAlbAssociation:
Type: "AWS::WAFv2::WebACLAssociation"
Properties:
WebACLArn: arn:aws:wafv2:us-east-1:1234567890:regional/webacl/name-of-webacl/id-of-webacl
ResourceArn: arn:aws:elasticloadbalancing:us-east-1:1234567890:loadbalancer/app/load-balancer-name/xxxxxxxxxxx

Related

How to conditionally create an AWS::Events::Connection resource based on if a secret key is defined or not

I currently have this cloud formation template that is supposed to create an event bridge resource with all the necessary configurations, but I can't get it to create because I can't get cloud formation to verify if a key exists in the secrets manager or not.
to be more clear, I want my event-bridge.yml template resource to only be created if my key ${Stage}/${SubDomain}/django-events-api-key is already defined in the secrets manager and has a valid value(meaning it does not only have an empty string or a AWS::NoValue); this because I need to create the key after the stack is created and deployed, before the stack is not deployed, so I can't execute my command to generate the key
I have this:
event-bridge.yml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Event scheduling for sending the email digest"
Parameters:
SubDomain:
Description: The part of a website address before your DomainName - e.g. www or img
Type: String
DomainName:
Description: The part of a website address after your SubDomain - e.g. example.com
Type: String
Stage:
Description: Stage name (e.g. dev, test, prod)
Type: String
DjangoApiKey:
Description: Api key for events bridge communication
Type: String
Conditions:
DjangoApiKeyExists: !Or [ !Not [ !Equals [ !Ref DjangoApiKey, !Ref AWS::NoValue ] ], !Not [ !Equals [ !Ref DjangoApiKey, "" ] ] ]
Outputs:
DjangoEventsConnection:
Description: Connection to the Django backend for Event Bridge
Value: !Ref DjangoEventsConnection
Resources:
MessageDigestEventsRule:
Type: AWS::Events::Rule
Properties:
Name: !Sub "${SubDomain}-chat-digest"
Description: "Send out email digests for a chat"
ScheduleExpression: "rate(15 minutes)"
State: "ENABLED"
Targets:
- Arn: !GetAtt MessageDigestEventsApiDestination.Arn
HttpParameters:
HeaderParameters: { }
QueryStringParameters: { }
Id: !Sub "${SubDomain}-chat-digest-api-target"
RoleArn: !GetAtt MessageDigestEventsRole.Arn
EventBusName: "default"
DjangoEventsConnection:
Type: AWS::Events::Connection
Properties:
Name: !Sub "${SubDomain}-django"
AuthorizationType: "API_KEY"
AuthParameters:
ApiKeyAuthParameters:
ApiKeyName: "Authorization"
ApiKeyValue: !Ref DjangoApiKey
in a main.yml template I pass the key variable like this:
EventBridge:
DependsOn: [ VpcStack, DjangoEventBridgeApiKey ]
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: ./event-bridge.yaml
Parameters:
SubDomain: !Ref SubDomain
DomainName: !Ref DomainName
Stage: !Ref Stage
DjangoApiKey: !Sub '{{resolve:secretsmanager:arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SubDomain}/django-events-api-key}}' <--
but that will always fail because the key is not defined, I would like to pass an empty string or something I can use as a conditional
I have also tried defining the secret, so it exists:
Resources:
DjangoEventBridgeApiKey:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub ${Stage}/${SubDomain}/django-events-api-key
Description: !Sub Credentials for the event bridge integration https://api.${SubDomain}.circular.co
Tags:
- Key: Name
Value: django-events-api-key
EventBridge:
DependsOn: [ VpcStack, DjangoEventBridgeApiKey ]
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: ./event-bridge.yaml
Parameters:
SubDomain: !Ref SubDomain
DomainName: !Ref DomainName
Stage: !Ref Stage
DjangoApiKey: !Sub '{{resolve:secretsmanager:${DjangoEventBridgeApiKey}}}'
But that for some reason, is still making my condition above fail, making the stack attempt to execute, I still cant figure out why is my condition not working
Any ideas on how to make this better? any help provided will be super useful to me
Okay found out the biggest problem with my implementation, on event-bridge.yml:
AWSTemplateFormatVersion: "2010-09-09"
Description: "Event scheduling for sending the email digest of chat messages"
Parameters:
SubDomain:
Description: The part of a website address before your DomainName - e.g. www or img
Type: String
DomainName:
Description: The part of a website address after your SubDomain - e.g. example.com
Type: String
Stage:
Description: Stage name (e.g. dev, test, prod)
Type: String
DjangoApiKey:
Description: Api key for events bridge communication
Type: String
Conditions:
DjangoApiKeyExists: !Not [ !Equals [ !Ref DjangoApiKey, "" ] ] # <-- this works
Outputs:
DjangoEventsConnection:
Condition: DjangoApiKeyExists
Description: Connection to the django backend for Event Bridge
Value: !Ref DjangoEventsConnection
Resources:
DjangoEventsConnection:
Type: AWS::Events::Connection
Condition: DjangoApiKeyExists
Properties:
Name: !Sub "${SubDomain}-django"
AuthorizationType: "API_KEY"
AuthParameters:
ApiKeyAuthParameters:
ApiKeyName: "Authorization"
ApiKeyValue: !Ref DjangoApiKey
# This does not update when we change the secret - so we need to force an update - need a more permanent solution
# ApiKeyValue: pop
MessageDigestEventsApiDestination:
Type: AWS::Events::ApiDestination
Condition: DjangoApiKeyExists
DependsOn: DjangoEventsConnection
on main.yml
...
DjangoEventBridgeApiKey:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub ${Stage}/${SubDomain}/django-events-api-key # <- this was missing ${Stage}
SecretString: " "
Tags:
- Key: Name
Value: django-events-api-key
EventBridge:
DependsOn: DjangoEventBridgeApiKey
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: ./event-bridge.yaml
Parameters:
SubDomain: !Ref SubDomain
DomainName: !Ref DomainName
Stage: !Ref Stage
DjangoApiKey: !Sub '{{resolve:secretsmanager:arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${Stage}/${SubDomain}/django-events-api-key}}'
Tags:
- Key: Stage
Value: !Ref Stage
- Key: SubDomain
Value: !Ref SubDomain
- Key: SecretKeyName
Value: !Ref DjangoEventBridgeApiKey

how to pass bucket/key name to fargate job via a cloudwatch event trigger on s3 object creation event?

I have create a fargate task and trying to trigger it via s3 object creation event ( see sample below) via cloudformation.as it cannot trigger it directly, i have created a cloudwatchevent. I am trying to pass the bucket and obj name to my fargate task code . doing some research, i came across -> InputTransformer, but i'm not sure how to pass the value of my bucket and key name and how to read it in my python code. any help will be appreciated.
AWSTemplateFormatVersion: 2010-09-09
Description: An example CloudFormation template for Fargate.
Parameters:
VPC:
Type: AWS::EC2::VPC::Id
SubnetA:
Type: AWS::EC2::Subnet::Id
SubnetB:
Type: AWS::EC2::Subnet::Id
Image:
Type: String
Default: 123456789012.dkr.ecr.region.amazonaws.com/image:tag
Resources:
mybucket:
Properties:
BucketName: 'mytestbucket-us'
cloudwatchEvent:
Type: AWS::Events::Rule
Properties:
EventPattern:
source:
- aws.s3
detail:
eventSource:
- s3.amazonaws.com
eventName:
- PutObject
- CompleteMultipartUpload
requestParameters:
bucketName:
- !Ref mybucket
Targets:
- Id: my-fargate-task
Arn: myclusterArn
RoleArn: myinvocationrolearn
Input:
'Fn::Sub':
- >-
{"containerOverrides": [{"name":"somecontainer"]}
EcsParameters:
TaskDefinition:
LaunchType: 'FARGATE'
...
NetworkConfiguration:
...
Cluster:
Type: AWS::ECS::Cluster
Properties:
ClusterName: !Join ['', [!Ref ServiceName, Cluster]]
TaskDefinition:
Type: AWS::ECS::TaskDefinition
DependsOn: LogGroup
Properties:
Family: !Join ['', [!Ref ServiceName, TaskDefinition]]
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
Cpu: 256
Memory: 2GB
ExecutionRoleArn: !Ref ExecutionRole
TaskRoleArn: !Ref TaskRole
ContainerDefinitions:
- Name: !Ref ServiceName
Image: !Ref Image
# A role needed by ECS
ExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Join ['', [!Ref ServiceName, ExecutionRole]]
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
# A role for the containers
TaskRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Join ['', [!Ref ServiceName, TaskRole]]
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: 'sts:AssumeRole'
You would use a CloudWatch Event Input Transformer to extract the data you need from the event, and pass that data to the ECS task as environment variable(s) in the target's ContainerOverrides. I don't use CloudFormation, but here's an example using Terraform.
You can't. CloudWatch events do not pass data to ECS jobs. You need to develop your own mechanism for that. For example, trigger lambda first, store event in S3 Parameter Store or DynamoDB, and then invoke your ECS job which will get stored data.

CloudFormation - How can I reference a serverless usage plan?

Problem:
I want to associate an existing API key to a newly created "Usage Plan" which is created via AWS SAM as below:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
ApiGatewayApi:
Type: AWS::Serverless::Api
Properties:
Name: MyAPI
OpenApiVersion: '2.0'
EndpointConfiguration:
Type: REGIONAL
StageName: prod
MethodSettings:
- ResourcePath: "/*"
HttpMethod: "*"
ThrottlingBurstLimit: 1
ThrottlingRateLimit: 1
Domain:
DomainName: api.mywebsite.com
CertificateArn: 'arn:aws:acm:eu-north-1:101010101010:certificate/88888888-4444-3333-2222-1111111111'
EndpointConfiguration: REGIONAL
Route53:
HostedZoneId: 'OMMITTD82737373'
BasePath:
- /
Auth:
UsagePlan:
CreateUsagePlan: PER_API
Description: Usage plan for this API
Quota:
Limit: 1000
Period: MONTH
Throttle:
BurstLimit: 1
RateLimit: 1
Tags:
- Key: Name
Value: MyUsagePlan
usagePlanKey:
Type: 'AWS::ApiGateway::UsagePlanKey'
Properties:
KeyId: 2672762828
KeyType: API_KEY
UsagePlanId: ????????????????????
Is it possible to reference the UsagePlanId here?
I tried: !Ref UsagePlan but no success...
Any ideas on how to do it?
Thanks
As far as I know, there is no way to reference the UsagePlan created as part of your Api.
However, you can create UsagePlan outside of ApiGatewayApi as a separate resource, and associate it with your ApiGatewayApi. Then you can easily reference it in your UsagePlanKey:
usagePlan:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref ApiGatewayApi
Stage: prod
... (rest of the properties omitted)
usagePlanKey:
Type: 'AWS::ApiGateway::UsagePlanKey'
Properties:
KeyId: 2672762828
KeyType: API_KEY
UsagePlanId: !Ref usagePlan

While deploying stack encountered ' Unsupported ActionTypeId' error

When I create cloudformation stack for codepipeline, it fails and the error message is "Encountered unsupported property ActionTypeId".
Template is:
AWSTemplateFormatVersion: '2010-09-09'
Description: Model and provision AWS CodePipeline and AWS CodeBuild
Parameters:
CodePipelineSourceBucketName:
Type: String
Description: Bucket to store source code
Default: covid19-codepipeline-source
CodePipelineSourceObjectKey:
Type: String
Description: Object key of zip file uploaded to source bucket
Default: source.zip
CodePipelineArtifactStoreBucketName:
Type: String
Description: Bucket to store artifacts created by codepipeline
Default: covid19-codepipeline-artifacts
CloudTrailLogsBucketName:
Type: String
Description: Bucket to store cloudtrail logs
Default: covid19-cloudtrail-logs
Resources:
# CodePipeline
DeployPipelineForGlueWorkflow:
Type: AWS::CodePipeline::Pipeline
Properties:
Name: !Sub DeployPipelineForGlueWorkflow-${AWS::StackName}
RoleArn: !GetAtt CodePipelineRole.Arn
ArtifactStore:
Type: S3
Location: !Ref CodePipelineArtifactStoreBucket
Stages:
-
Name: Source
Actions:
-
Name: SourceAction
ActionTypeId:
Category: Source
Owner: AWS
Version: "1"
Provider: S3
OutputArtifacts:
- Name: SourceOutput
Configuration:
S3Bucket: !Ref CodePipelineSourceBucket
S3ObjectKey: !Ref CodePipelineSourceObjectKey
PollForSourceChanges: false
RunOrder: 1
-
I checked the indentation as well but still facing same issue.

create service using cloudformation in aws ecs fargate "did not stabilize"

AWSTemplateFormatVersion: "2010-09-09"
Description: Not Have Any Idea
Parameters:
Service:
Description: Service Name
Type: String
Cluster:
Description: Cluster Name
Type: String
TaskDefinition:
Description: TaskDefinition Name
Type: String
securitygroup:
Description: securitygroup
Type: AWS::EC2::SecurityGroup::Id
SubnetId:
Type: List<AWS::EC2::Subnet::Id>
Description: Select at two subnets in your selected VPC.
Resources:
sernginx:
Type: "AWS::ECS::Service"
Properties:
ServiceName:
Ref: Service
LaunchType: "FARGATE"
DesiredCount: 1
Cluster:
Ref: Cluster
TaskDefinition:
Ref: TaskDefinition
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 70
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: ENABLED
SecurityGroups:
- Ref: securitygroup
Subnets:
Ref: SubnetId
I am using this code to create aws ecs service fargate
I am getting ROLLBACK_COMPLETE status with an error message saying
Service arn:aws:ecs:us-east-1:439138162442:service/yuiyiuyiu did not stabilize
I've used this kind of template for creating fargate task.
AWSTemplateFormatVersion: '2010-09-09'
Description: Docker Core App service
Parameters:
EnvironmentName:
Type: String
Default: coreapp
Description: A name for the environment that this cloudformation will be part of.
ServiceName:
Type: String
Default: coreapi
Description: A name for the service
ImageUrl:
Type: String
Default: your_image_URI
Description: The url of a docker image
ContainerPort:
Type: Number
Default: 5000
Description: What port number the application inside the docker container
ContainerCpu:
Type: Number
Default: 256
Description: How much CPU to give the container.
ContainerMemory:
Type: Number
Default: 512
Description: How much memory in megabytes to give the container
DesiredCount:
Type: Number
Default: 2
Description: How many copies of the service task to run
Role:
Type: String
Default: ""
Description: (Optional) An IAM role to give the service's containers
Resources:
Service:
Type: AWS::ECS::Service
Properties:
ServiceName: !Ref 'ServiceName'
Cluster:
- coreapp
LaunchType: FARGATE
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 75
DesiredCount: !Ref 'DesiredCount'
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: ENABLED
SecurityGroups:
- sg-483aa03e
Subnets:
- subnet-2ce41866
- subnet-ceefe5aa
TaskDefinition: !Ref 'TaskDefinition'