Applying WebACL to API Gateway

I have a problem with finding a mistake. I'm trying to connect a WAF ACL to an API Gateway deployment, and I'm using this command:

aws wafv2 associate-web-acl --web-acl-arn  d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf --resource-arn 'arn:aws:apigateway:us-east-1::/restapis/*api-id*/stages/dev'

An error occurred (WAFInvalidParameterException) when calling the AssociateWebACL operation: Error reason: The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf

I also tried using CloudFormation:

AWSTemplateFormatVersion: "2010-09-09"
Description: "DB Management Service"
Resources: 
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: 'arn:aws:apigateway:us-east-1::/restapis/*api-id*/stages/dev'
      WebACLArn:
        Ref: WebACL
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Rules:
        - Name: WebACLRule
          Action:
            Block: {}
          Priority: 0
          Statement:
            RateBasedStatement:
              AggregateKeyType: IP
              Limit: 2048
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: Requests
            SampledRequestsEnabled: false
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: WafACL
        SampledRequestsEnabled: true

But here I also get:

Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN

I don't think that the ARN is incorrect. I tried using it in various combinations.

Pal Kol asked Mar 31 '20 16:03

1 Answer

WAFv2 has a different scheme for the ARN. WAF v1 used what looks like a UUID, whereas WAFv2 uses a fully qualified ARN.

aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2

So in your case it may look like:

aws wafv2 associate-web-acl --web-acl-arn  arn:aws:wafv2:<region>:<account>:regional/webacl/<webacl name>/d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf --resource-arn 'arn:aws:apigateway:us-east-1::/restapis/*api-id*/stages/dev'

Also in CFN, WAFv2 has multiple return attributes, so you cannot do the good ol'

WebACLArn: !Ref <webacl>

but you will have to do something like

WebACLArn: !GetAtt <webacl>.Arn

Ref https://docs.aws.amazon.com/cli/latest/reference/wafv2/associate-web-acl.html

RandomGuy answered Oct 07 '22 19:10
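The two ARN shapes the answer describes, as an added example that is not part of the question or the answer above: a small POSIX shell script that builds the API Gateway stage ARN, checks that the web ACL argument is a regional WAFv2 web ACL ARN rather than a bare ID, checks that both ARNs name the same region, and only then calls `associate-web-acl`. The `lookup_webacl_arn` helper resolves the ARN by name with `aws wafv2 list-web-acls` so the ID never has to be pasted by hand; the region, API ID, stage and web ACL name are assumptions supplied on the command line, and the `aws` calls need the CLI and credentials.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds and sanity-checks the
# ARNs for a regional WAFv2 association before calling the AWS CLI. All names
# (region, REST API id, stage, web ACL name) are assumed command-line inputs.

# API Gateway REST stage ARN. The account field is empty, hence the "::" after
# the region; a single colon there is a different (invalid) ARN.
apigw_stage_arn() {
  # $1 region, $2 REST API id, $3 stage name
  printf 'arn:aws:apigateway:%s::/restapis/%s/stages/%s\n' "$1" "$2" "$3"
}

# A bare web ACL id (WAF classic style) is not a WAFv2 ARN. A regional WAFv2
# web ACL ARN carries region, 12-digit account, scope, name and the 36-char id.
# Returns 0 when the argument has that shape, 1 otherwise.
is_wafv2_regional_webacl_arn() {
  printf '%s\n' "$1" | grep -Eq \
    '^arn:aws:wafv2:[a-z0-9-]+:[0-9]{12}:regional/webacl/[A-Za-z0-9_-]+/[A-Za-z0-9-]{36}$'
}

# Region field of an ARN (fourth colon-separated field). A REGIONAL web ACL can
# only be associated with a resource in the same region.
arn_region() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Resolve a web ACL ARN by name in REGIONAL scope (needs the aws CLI; not run offline).
lookup_webacl_arn() {
  # $1 region, $2 web ACL name
  aws wafv2 list-web-acls --scope REGIONAL --region "$1" \
    --query "WebACLs[?Name=='$2'].ARN | [0]" --output text
}

# Validate both ARNs, then associate. Refuses bare ids and cross-region pairs,
# which are the two mistakes that produce "The ARN isn't valid" / WAFInvalidParameterException.
associate() {
  # $1 web ACL ARN, $2 resource (API stage) ARN
  if ! is_wafv2_regional_webacl_arn "$1"; then
    echo "refusing: '$1' is not a regional WAFv2 web ACL ARN (a bare id is WAF classic style)" >&2
    return 1
  fi
  if [ "$(arn_region "$1")" != "$(arn_region "$2")" ]; then
    echo "refusing: web ACL region $(arn_region "$1") differs from API region $(arn_region "$2")" >&2
    return 1
  fi
  aws wafv2 associate-web-acl --region "$(arn_region "$1")" \
    --web-acl-arn "$1" --resource-arn "$2"
}

# Usage: sh associate.sh <region> <web-acl-name> <rest-api-id> <stage>
# Only runs when all four arguments are given, so sourcing the file is side-effect free.
if [ "$#" -eq 4 ]; then
  associate "$(lookup_webacl_arn "$1" "$2")" "$(apigw_stage_arn "$1" "$3" "$4")"
fi
```

The same checks apply to the CloudFormation route: `WebACLArn` must be the ARN returned by `!GetAtt WebACL.Arn`, the stack (and therefore the `Scope: REGIONAL` web ACL) must be deployed in the same region as the API, and `ResourceArn` must keep the empty account field of the stage ARN.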