AWS Beanstalk and IPSet
I am trying to set up an IPSet in my Beanstalk environment.
In my .ebextensions I have a waf.config
containing:
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
Resources:
  IPSet:
    Type: "AWS::WAFv2::IPSet"
    Properties:
      Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-IPset'
      Addresses:
        - 10.10.10.10/32
      IPAddressVersion: IPV4
      Scope: REGIONAL
      Tags:
        - Key: "Scope"
          Value: "Sqreen"
  WafAcl:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      Description: 'Web ACL to Block bad requests on `{ "Ref" : "AWSEBEnvironmentName" }`'
      Name: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: '`{ "Ref" : "AWSEBEnvironmentName" }`-WebACL'
      Rules:
        - Name: DenyListIPSet
          Priority: 0
          OverrideAction:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: DenyIps
          Statement:
            IPSetReferenceStatement:
              Arn: '`{ "Fn::GetAtt" : ["IPSet", "Arn" ]}`'
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
      WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'
But the CloudFormation stack gives me: "Error reason: A reference in your rule statement is not valid., field: RULE, parameter: Statement (Service: Wafv2, Status Code: 400"
The CloudFormation stack looks valid to me. I don't see any other statement that would fit my need better...
Edit: Solution
For "RuleAction" and "OverrideAction", please refer to [3] and [4] respectively.
[3] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ruleaction.html
[4] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-overrideaction.html
With Action (instead of OverrideAction), the WAF works as expected!
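As an added check that is not part of the question or the answer (and not an AWS tool): a small lint over an already-parsed CloudFormation template that flags exactly the mismatch the solution describes. It assumes the template has been loaded into a dict (for example with PyYAML) and applies the rule from the linked docs: a rule whose statement references a rule group (RuleGroupReferenceStatement or ManagedRuleGroupStatement) takes OverrideAction, every other statement, including IPSetReferenceStatement, takes Action.

```python
from __future__ import annotations

import copy
from typing import Any

# Statement types that reference a rule group; only these take OverrideAction.
RULE_GROUP_STATEMENTS = {"RuleGroupReferenceStatement", "ManagedRuleGroupStatement"}


def lint_web_acl_rules(template: dict[str, Any]) -> list[str]:
    """Return one finding per AWS::WAFv2::WebACL rule whose action key is wrong."""
    findings: list[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::WAFv2::WebACL":
            continue
        for rule in res.get("Properties", {}).get("Rules", []):
            where = f"{logical_id}/{rule.get('Name', '<unnamed>')}"
            stmt = sorted(rule.get("Statement", {}))
            is_group = any(s in RULE_GROUP_STATEMENTS for s in stmt)
            has_action, has_override = "Action" in rule, "OverrideAction" in rule
            if has_action == has_override:
                findings.append(f"{where}: set exactly one of Action or OverrideAction")
            elif is_group and has_action:
                findings.append(f"{where}: rule group statements take OverrideAction, not Action")
            elif not is_group and has_override:
                findings.append(f"{where}: {stmt[0] if stmt else 'this'} takes Action, not OverrideAction")
    return findings


# Constructed sample mirroring the question's WebACL rule; the Arn string is a
# stand-in for the .ebextensions Fn::GetAtt reference and is not evaluated here.
BROKEN_TEMPLATE = {
    "Resources": {
        "WafAcl": {
            "Type": "AWS::WAFv2::WebACL",
            "Properties": {
                "Rules": [{
                    "Name": "DenyListIPSet",
                    "Priority": 0,
                    "OverrideAction": {"Block": {}},  # the mistake from the question
                    "Statement": {"IPSetReferenceStatement": {"Arn": "<IPSet Arn>"}},
                }]
            },
        }
    }
}

# The accepted fix: a plain Action on a non-group statement.
FIXED_TEMPLATE = copy.deepcopy(BROKEN_TEMPLATE)
_rule = FIXED_TEMPLATE["Resources"]["WafAcl"]["Properties"]["Rules"][0]
_rule["Action"] = _rule.pop("OverrideAction")

if __name__ == "__main__":
    print(lint_web_acl_rules(BROKEN_TEMPLATE))  # one finding for DenyListIPSet
    print(lint_web_acl_rules(FIXED_TEMPLATE))   # []
```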