I am trying to connect a WafWebACL to my standard Serverless Framework API Gateway but no matter what I do, I can’t get it to work.
This is my setup:
ApiGatewayRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: 'ApiGatewayRestApi'
Description: 'Standard REST gateway'
MyWafWebACLAssociation:
Type: 'AWS::WAFv2::WebACLAssociation'
Properties:
WebAclArn: !Ref MyWafWebACL
ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGatewayRestApi}/stages/${opt:stage, 'dev'}
I have also tried defining the ResourceArn directly by taking the API gateway id and putting it all in a predefined string:
ResourceArn: "arn:aws:apigateway:eu-central-1::/restapis/my-gateway-id/stages/dev"
No matter what I do, I get the error:
CREATE_FAILED: MyWafWebACLAssociation (AWS::WAFv2::WebACLAssociation)
Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: WhitelistedIPsWebACL
When I comment out the MyWafWebACLAssociation, I do not get the error.
When I change the gateway id to my resource id
ResourceArn: "arn:aws:apigateway:eu-central-1::/restapis/my-resource-id/stages/dev"
I get this error
CREATE_FAILED: MyWafWebACLAssociation (AWS::WAFv2::WebACLAssociation)
Resource handler returned message: "AWS WAF couldn?t perform the operation because your resource doesn?t exist.
So the formatting seems to be correct but for some reason for the existing arn it doesn’t work.
Does anybody have an idea why this happens?