我想将一个WAFv2 Web ACL关联到API GatewayV2 HTTP阶段。
根据terraform 文档,我尝试了以下代码:
resource "aws_wafv2_web_acl_association" "this" {
resource_arn = aws_apigatewayv2_stage.this.arn
web_acl_arn = aws_wafv2_web_acl.this.arn
}
然而,此操作未被接受,错误信息如下:
Error: WAFInvalidParameterException:错误原因:ARN 无效。有效的 ARN 以 arn: 开头,并包含用冒号或斜杠分隔的其他信息,字段:RESOURCE_ARN,参数:arn:aws:apigateway:eu-west-2::/apis/abcd1234/stages/my-stage
从 AWS 文档 可以看出,该 ARN 的格式应为:
arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
然而,只有旧版API Gateway的ARN在其ARN中使用“restapis”。v2网关只使用“apis”。
- 这是否是ARN无效的原因?
- 如何将AWS API GatewayV2 HTTP阶段与AWS WAFv2 Web ACL关联?
按要求,这是一个网关的代码:
resource "aws_apigatewayv2_api" "this" {
name = "example-http-api"
protocol_type = "HTTP"
}
resource "aws_lambda_function" "this" {
filename = "example.zip"
function_name = "Example"
role = var.lambda_arn
handler = "index.handler"
runtime = "nodejs10.x"
}
resource "aws_apigatewayv2_integration" "get" {
api_id = aws_apigatewayv2_api.this.id
integration_type = "AWS_PROXY"
integration_method = "GET"
integration_uri = aws_lambda_function.this.invoke_arn
}
resource "aws_apigatewayv2_route" "get" {
api_id = aws_apigatewayv2_api.this.id
route_key = "$default"
target = "path/${aws_apigatewayv2_integration.get.id}"
}
resource "aws_apigatewayv2_stage" "this" {
api_id = aws_apigatewayv2_api.this.id
name = "example-stage"
}
下面是 Web-ACL 的代码:
resource "aws_wafv2_web_acl" "this" {
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "common-rule-set"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "common-rule-set"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "web-acl"
sampled_requests_enabled = false
}
}