我想将 WAFv2 Web ACL 关联到 API GatewayV2 HTTP 阶段。
按照 terraform docs,我尝试了这个:
resource "aws_wafv2_web_acl_association" "this" {
resource_arn = aws_apigatewayv2_stage.this.arn
web_acl_arn = aws_wafv2_web_acl.this.arn
}
但是,这没有被接受,错误是:
错误:WAFInvalidParameterException:错误原因:ARN 无效。有效的 ARN 以 arn: 开头,并包括其他信息,以冒号或斜杠分隔。,字段:RESOURCE_ARN,参数:arn:aws:apigateway:eu-west-2::/apis/abcd1234/stages/my-stage
在 AWS docs中,ARN 的模式是:
arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
但是,只有旧 API Gateway 的 ARN 在其 ARN 中使用“ restapis ”。v2 网关仅使用“ apis .
- 这就是 ARN 无效的原因吗?
- 如何将 AWS API GatewayV2 HTTP 阶段关联到 AWS WAFv2 Web ACL?
根据要求,这是网关的代码:
resource "aws_apigatewayv2_api" "this" {
name = "example-http-api"
protocol_type = "HTTP"
}
resource "aws_lambda_function" "this" {
filename = "example.zip"
function_name = "Example"
role = var.lambda_arn
handler = "index.handler"
runtime = "nodejs10.x"
}
resource "aws_apigatewayv2_integration" "get" {
api_id = aws_apigatewayv2_api.this.id
integration_type = "AWS_PROXY"
integration_method = "GET"
integration_uri = aws_lambda_function.this.invoke_arn
}
resource "aws_apigatewayv2_route" "get" {
api_id = aws_apigatewayv2_api.this.id
route_key = "$default"
target = "path/${aws_apigatewayv2_integration.get.id}"
}
resource "aws_apigatewayv2_stage" "this" {
api_id = aws_apigatewayv2_api.this.id
name = "example-stage"
}
以及 Web-ACL 的代码:
resource "aws_wafv2_web_acl" "this" {
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "common-rule-set"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "common-rule-set"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "web-acl"
sampled_requests_enabled = false
}
}