Using AWS WAF with serverless-associate-waf

Time: 2021-05-26 11:21:24

Tags: amazon-web-services serverless-framework amazon-waf

I created a Web ACL in AWS WAF in my AWS account and assigned some rules to it. In my serverless.yml file I am using the serverless-associate-waf plugin.

But when I go to Web ACLs > my acl > Associated AWS resources, I do not see the associated API Gateway listed there.

This is what my serverless.yml file looks like:

```yaml
service: ${opt:product}

plugins:
    - serverless-domain-manager
    - serverless-apigw-binary
    - serverless-associate-waf

custom:
    associateWaf:
        name: name-of-my-acl   # the web ACL's Name as shown in the AWS WAF console
    esLogs:
        endpoint: link.amazonaws.com
        index: "${opt:stage}-logs"
        includeApiGWLogs: true
        retentionInDays: 30
    stage: ${opt:stage, 'dev'}
    region: ${opt:region, 'ap-south-1'}
    accountId: ${opt:accountId}
    awsBucket: ${opt:awsBucket, 'documents'}
    awsPermaBucket: ${opt:awsPermaBucket, 'perma-documents-dev'}
    cryptoKey: ${opt:cryptoKey}
    apigwBinary:
        types:
            - 'multipart/form-data'
    customDomain:
        domainName: ${opt:stage}-${opt:product}-api.io
        basePath: ""
        stage: ${self:custom.stage}
        createRoute53Record: true

provider:
    name: aws
    runtime: nodejs12.x
    stage: ${self:custom.stage}
    region: ${self:custom.region}
    memorySize: 256
    timeout: 30
    vpc:
        securityGroupIds:
            - sg-1234
        subnetIds:
            - subnet-1234
            - subnet-1234
    environment:
        region: ${self:custom.region}
        stage: ${self:custom.stage}
        module: ${opt:product}
        awsBucket: ${self:custom.awsBucket}
        authToken: ${opt:authToken}
        accountId: ${opt:accountId}
        awsPermaBucket: ${self:custom.awsPermaBucket}
        cryptoKey: ${opt:cryptoKey}
    iamRoleStatements:
        - Effect: Allow
          Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
          Resource: "*"
        # s3:* on every bucket is far broader than the two buckets this service uses
        - Effect: Allow
          Action:
              - s3:*
          Resource: "*"
        - Effect: "Allow"
          Action:
              - "sqs:*"
          Resource: "arn:aws:sqs:${opt:region}:*:${opt:stage}-${opt:product}-sqs-queue"

# `package` is a top-level key in serverless.yml, not a child of `provider`
package:
    exclude:
        - "*/**"
    include:
        - build/**
        - node_modules/**

functions:
    orgSettingsAPI:
        name: ${self:service}-${self:custom.stage}-api
        handler: build/src/lambda.handler
        vpc:
            securityGroupIds:
                - sg-1234
            subnetIds:
                - subnet-1234
                - subnet-1234
        environment:
            SqsQueueName: ${opt:stage}-${opt:product}-sqs-queue
        reservedConcurrency: 10
        # A YAML mapping may carry only one `events` key; the original file had two,
        # so the second (sqs) silently replaced the http events. Merged into one list.
        events:
            - http:
                  method: any
                  path: /api/{proxy+}
                  authorizer:
                      arn: arn:aws:lambda:${opt:region}:${self:custom.accountId}:function:authenticator-${self:custom.stage}-api
                      resultTtlInSeconds: 60
                      identitySource: method.request.header.Authorization
                      identityValidationExpression: ^Bearer.+
                  # Browsers reject Access-Control-Allow-Origin: * together with
                  # credentials; list concrete origins if allowCredentials is needed.
                  cors:
                      origins:
                        - "*"
                      headers:
                        - Content-Type
                        - X-Amz-Date
                        - Authorization
                        - X-Api-Key
                        - X-Amz-Security-Token
                      allowCredentials: true
                      maxAge: 86400
            - http:
                  method: any
                  path: /internal/{proxy+}
            - sqs:
                  arn:
                      Fn::GetAtt:
                          - SqsQueue
                          - Arn
                  batchSize: 1

resources:
    Resources:
        GatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: EXPIRED_TOKEN
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
        AuthFailureGatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: UNAUTHORIZED
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
```

When I debug the deployment, it says:

Serverless: Could not find WAF named "name-of-my-acl". Am I naming it wrong or using it wrong?

I do not understand what name I should use for my WAF in the serverless.yml file.

1 answer:

Answer 0: (score: 0)

Found the problem. It turned out I needed to add

version: V2

right after the name, because AWS WAF supports V2. After adding it and redeploying, the API Gateway is attached to the created WAF.

PS: name is the name of the ACL we want to use.
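The answer above fixes the lookup but does not show how to confirm the association actually took effect, which is the check the question started from. The following is an added example, not code from the question, the answer or the serverless-associate-waf plugin: it validates the `custom.associateWaf` block for the two mistakes the thread describes (missing `name`, missing `version: V2` for a WAFv2 web ACL), builds the API Gateway stage ARN in the form the `wafv2` API expects, and resolves the ACL name to an ARN and compares it with what `get-web-acl-for-resource` reports. The pure functions run offline on the documented response shapes; `main()` only calls AWS if boto3 is installed. The ACL ARN, API id and stage name used in the sample data are constructed placeholders, not values from the page.

```python
"""Verify that a WAFv2 web ACL is attached to an API Gateway REST stage.

Added example (not the plugin's or the question's code). Works on the response
shapes of the AWS `wafv2` API: list_web_acls and get_web_acl_for_resource.
"""
import sys
from typing import Any, Dict, List, Optional

# API Gateway stages are regional resources; the CLOUDFRONT scope never lists them.
WAFV2_REGIONAL_SCOPE = "REGIONAL"


def plugin_config_problems(associate_waf: Dict[str, Any]) -> List[str]:
    """Return the config mistakes from the thread: no `name`, or no `version: V2`.

    Without `version: V2` the plugin does not look the ACL up in WAFv2, which is
    what produced the "Could not find WAF named ..." error in the question.
    """
    problems: List[str] = []
    name = associate_waf.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("custom.associateWaf.name must be the web ACL's Name")
    if associate_waf.get("version") != "V2":
        problems.append("custom.associateWaf.version must be V2 for a WAFv2 web ACL")
    return problems


def stage_arn(region: str, rest_api_id: str, stage: str) -> str:
    """ARN that WAFv2 expects for a REST API stage (account field is empty)."""
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage}"


def find_web_acl_arn(list_response: Dict[str, Any], name: str) -> Optional[str]:
    """Resolve an ACL name to its ARN from a list_web_acls response (exact match)."""
    for acl in list_response.get("WebACLs", []):
        if acl.get("Name") == name:
            return acl["ARN"]
    return None


def associated_web_acl_arn(get_response: Dict[str, Any]) -> Optional[str]:
    """ARN of the ACL attached to a resource; None when the WebACL key is absent."""
    acl = get_response.get("WebACL")
    return acl.get("ARN") if acl else None


def association_ok(list_response: Dict[str, Any], get_response: Dict[str, Any],
                   acl_name: str) -> bool:
    """True only if the named ACL exists in WAFv2 and is the one attached to the stage."""
    expected = find_web_acl_arn(list_response, acl_name)
    return expected is not None and associated_web_acl_arn(get_response) == expected


# Constructed sample responses (shape of the wafv2 API, values are placeholders).
SAMPLE_ACL_ARN = ("arn:aws:wafv2:ap-south-1:123456789012:regional/webacl/"
                  "name-of-my-acl/11111111-2222-3333-4444-555555555555")
SAMPLE_LIST_WEB_ACLS = {
    "WebACLs": [
        {"Name": "name-of-my-acl", "Id": "11111111-2222-3333-4444-555555555555",
         "ARN": SAMPLE_ACL_ARN, "LockToken": "constructed"},
    ]
}
SAMPLE_GET_ASSOCIATED = {"WebACL": {"Name": "name-of-my-acl", "ARN": SAMPLE_ACL_ARN}}
SAMPLE_GET_NOTHING: Dict[str, Any] = {}  # response when no ACL is attached


def main(region: str, rest_api_id: str, stage: str, acl_name: str) -> bool:
    """Live check against AWS; requires boto3 and credentials for the account."""
    import boto3  # imported here so the offline functions above need no AWS SDK

    waf = boto3.client("wafv2", region_name=region)
    listed = waf.list_web_acls(Scope=WAFV2_REGIONAL_SCOPE)
    current = waf.get_web_acl_for_resource(
        ResourceArn=stage_arn(region, rest_api_id, stage))
    return association_ok(listed, current, acl_name)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: check_waf.py <region> <rest-api-id> <stage> <web-acl-name>")
    sys.exit(0 if main(*sys.argv[1:]) else 1)
```

Run it after `sls deploy` with the stage name the plugin associated (the API stage, not the custom-domain base path); a non-zero exit means the console view in the question was right and the ACL is not attached.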
