
Using AWS WAF with Serverless Associate WAF

I have created a Web ACL in my AWS account in AWS WAF and assigned it some rules. In my serverless.yml file I have used the serverless-associate-waf plugin.

But when I go to my Web ACLs > my acl > Associated AWS Resources, I do not see the associated API Gateway listed there.

Here is how my serverless.yml file looks:

service: ${opt:product}

plugins:
    - serverless-domain-manager
    - serverless-apigw-binary
    - serverless-associate-waf

custom:
    associateWaf:
        name: name-of-my-acl
    esLogs:
        endpoint: link.amazonaws.com
        index: "${opt:stage}-logs"
        includeApiGWLogs: true
        retentionInDays: 30
    stage: ${opt:stage, 'dev'}
    region: ${opt:region, 'ap-south-1'}
    accountId: ${opt:accountId}
    awsBucket: ${opt:awsBucket, 'documents'}
    awsPermaBucket: ${opt:awsPermaBucket, 'perma-documents-dev'}
    cryptoKey: ${opt:cryptoKey}
    apigwBinary:
        types:
            - 'multipart/form-data'
    customDomain:
        domainName: ${opt:stage}-${opt:product}-api.io
        basePath: ""
        stage: ${self:custom.stage}
        createRoute53Record: true

# package is a top-level key in serverless.yml; it was nested under provider,
# where the framework does not read it
package:
    exclude:
        - "*/**"
    include:
        - build/**
        - node_modules/**

provider:
    vpc:
        securityGroupIds:
            - sg-1234
        subnetIds:
            - subnet-1234
            - subnet-1234
    environment:
        region: ${self:custom.region}
        stage: ${self:custom.stage}
        module: ${opt:product}
        awsBucket: ${self:custom.awsBucket}
        authToken: ${opt:authToken}
        accountId: ${opt:accountId}
        awsPermaBucket: ${self:custom.awsPermaBucket}
        cryptoKey: ${opt:cryptoKey}
    iamRoleStatements:
        - Effect: Allow
          Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
          Resource: "*"
        # s3:* on every bucket in the account; the function only needs the two
        # buckets named in custom, so this can be scoped down to their ARNs
        - Effect: Allow
          Action:
              - s3:*
          Resource: "*"
        - Effect: "Allow"
          Action:
              - "sqs:*"
          Resource: "arn:aws:sqs:${opt:region}:*:${opt:stage}-${opt:product}-sqs-queue"
    name: aws
    runtime: nodejs12.x
    stage: ${self:custom.stage}
    region: ${self:custom.region}
    memorySize: 256
    timeout: 30

functions:
    orgSettingsAPI:
        name: ${self:service}-${self:custom.stage}-api
        handler: build/src/lambda.handler
        vpc:
            securityGroupIds:
                - sg-1234
            subnetIds:
                - subnet-1234
                - subnet-1234
        environment:
            SqsQueueName: ${opt:stage}-${opt:product}-sqs-queue
        reservedConcurrency: 10
        # YAML does not allow the same key twice in one mapping; the http and
        # sqs triggers were split across two events keys and are merged here
        events:
            - http:
                  method: any
                  path: /api/{proxy+}
                  authorizer:
                      arn: arn:aws:lambda:${opt:region}:${self:custom.accountId}:function:authenticator-${self:custom.stage}-api
                      resultTtlInSeconds: 60
                      identitySource: method.request.header.Authorization
                      identityValidationExpression: ^Bearer.+
                  cors:
                      # browsers refuse Access-Control-Allow-Credentials: true
                      # together with a wildcard origin; list explicit origins
                      # if credentials are really needed
                      origins:
                        - "*"
                      headers:
                        - Content-Type
                        - X-Amz-Date
                        - Authorization
                        - X-Api-Key
                        - X-Amz-Security-Token
                      allowCredentials: true
                      maxAge: 86400
            # no authorizer on this route: anything that can reach the API
            # can call /internal/* without a token
            - http:
                  method: any
                  path: /internal/{proxy+}
            - sqs:
                  arn:
                      Fn::GetAtt:
                          - SqsQueue
                          - Arn
                  batchSize: 1

resources:
    Resources:
        GatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: EXPIRED_TOKEN
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
        AuthFailureGatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: UNAUTHORIZED
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"

When I debugged the deployment process it says:

Serverless: Unable to find WAF named 'name-of-my-acl'.

Am I naming it wrong or using it wrong?

I do not understand what name I should be using for my WAF in the serverless.yml file.

Found the issue: turns out I need to add

version: V2

just after name, since AWS WAF supports V2. Once I added it and redeployed, the API Gateway got attached to the created WAF.

PS: the name is the name of the ACL that we want to use.
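After the fix, the console check in the question is the only verification the post shows. The script below is an added example, not part of the original question or answer and not code from the serverless-associate-waf plugin: it confirms that the ACL named in custom.associateWaf exists in the WAFv2 REGIONAL scope (the scope that applies to API Gateway REST APIs) and that it is attached to the deployed stage. Everything it takes as input is a placeholder (REGION, the REST API id, STAGE and ACL_NAME); the function names, the OK/MISSING/WRONG_ACL labels and the sample values in the comments are my own, and the remark about WAF Classic lookups reflects my understanding of why the plugin reports "Unable to find WAF" when version is left unset.

```shell
#!/bin/sh
# Added example (not from the original post or the plugin). Verifies that the
# Web ACL named in serverless.yml is a WAFv2 regional ACL attached to the REST
# API stage that was deployed. The plugin config it assumes is the fixed one:
#
#   custom:
#       associateWaf:
#           name: name-of-my-acl
#           version: V2
#
# Needs the AWS CLI with credentials allowed to call wafv2:ListWebACLs and
# wafv2:GetWebACLForResource. All input values below are hypothetical.

# Resource ARN format WAFv2 uses for an API Gateway REST API stage.
stage_arn() {
    # usage: stage_arn REGION API_ID STAGE
    printf 'arn:aws:apigateway:%s::/restapis/%s/stages/%s\n' "$1" "$2" "$3"
}

# Pure comparison so the decision can be exercised without AWS access.
# Prints OK, MISSING (nothing attached) or WRONG_ACL (another ACL attached).
association_status() {
    # usage: association_status WANTED_ACL_ARN ATTACHED_ACL_ARN
    wanted=$1
    attached=$2
    if [ -z "$attached" ] || [ "$attached" = "None" ]; then
        echo MISSING
        return 1
    fi
    if [ "$attached" != "$wanted" ]; then
        echo WRONG_ACL
        return 2
    fi
    echo OK
}

# ARN of the WAFv2 regional ACL with this name; prints nothing if absent.
# WAF Classic ACLs are listed by `aws waf-regional list-web-acls` instead, so a
# V2 ACL is invisible to a Classic lookup, which is what the plugin's
# "Unable to find WAF named ..." message corresponds to without version: V2.
v2_acl_arn() {
    # usage: v2_acl_arn REGION ACL_NAME
    aws wafv2 list-web-acls --scope REGIONAL --region "$1" \
        --query "WebACLs[?Name=='$2'].ARN" --output text
}

# ARN of whatever ACL is attached to the stage; "None" when nothing is attached.
attached_acl_arn() {
    # usage: attached_acl_arn REGION RESOURCE_ARN
    aws wafv2 get-web-acl-for-resource --region "$1" \
        --resource-arn "$2" --query 'WebACL.ARN' --output text
}

check_association() {
    # usage: check_association REGION API_ID STAGE ACL_NAME
    wanted=$(v2_acl_arn "$1" "$4")
    if [ -z "$wanted" ] || [ "$wanted" = "None" ]; then
        echo "no WAFv2 regional web ACL named '$4' in $1" >&2
        return 3
    fi
    resource=$(stage_arn "$1" "$2" "$3")
    attached=$(attached_acl_arn "$1" "$resource")
    result=$(association_status "$wanted" "$attached")
    echo "$result: $resource -> ${attached:-none}"
    [ "$result" = OK ]
}

# Runs the live check only when invoked with four arguments, e.g.
#   sh check-waf.sh ap-south-1 a1b2c3d4e5 dev name-of-my-acl
if [ $# -eq 4 ]; then
    check_association "$@"
fi
```

A non-zero exit from check_association is the useful signal in a pipeline: 3 means the name in custom.associateWaf matches no V2 regional ACL (the same situation as the plugin's error), MISSING means the deploy ran but nothing is attached to the stage, and WRONG_ACL means a different ACL already owns the stage, since a stage can only carry one.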

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please cite this site's URL or the original address. Questions: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM