Zenn
💣

[AWS CDK] APIGateway+WAFv2 Web ACL構成でデプロイしようとしてちょっとハマった点

2022/08/22に公開
AWS
TypeScript
WAF
Amazon API Gateway
AWS CDK
tech

AWS WAF couldn?t perform the operation because your resource doesn?t exist. というエラーが発生し、解決したメモになります。

環境

  • aws-cdk-lib 2.30.0
  • constructs 10.1.43

CDKコード

早速コードです。

import { Construct } from "constructs"
import * as cdk from "aws-cdk-lib"

export class WafStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props)

    // APIGW+Lambda
    const restApi = new cdk.aws_apigateway.RestApi(this, "restApi", {
      restApiName: "restApi",
      deployOptions: {
        stageName: "dev",
      },
    })
    const pingFn = new cdk.aws_lambda.Function(this, "pingFn", {
      code: cdk.aws_lambda.Code.fromInline(`
        exports.handler = (event, context, callback) => {
          callback(null, { statusCode: 200, body: JSON.stringify({ message: "pong" }) });
        };
      `),
      handler: "index.handler",
      runtime: cdk.aws_lambda.Runtime.NODEJS_16_X,
    })
    restApi.root.addMethod(
      "GET",
      new cdk.aws_apigateway.LambdaIntegration(pingFn)
    )

    // WAF Web ACL
    const webAcl = new cdk.aws_wafv2.CfnWebACL(this, "wafV2WebAcl", {
      defaultAction: { allow: {} },
      scope: "REGIONAL",
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        sampledRequestsEnabled: true,
        metricName: "wafV2WebAcl",
      },
      rules: [
        {
          name: "AWSManagedRulesCommonRuleSet",
          priority: 1,
          statement: {
            managedRuleGroupStatement: {
              vendorName: "AWS",
              name: "AWSManagedRulesCommonRuleSet",
            },
          },
          overrideAction: { none: {} },
          visibilityConfig: {
            cloudWatchMetricsEnabled: true,
            sampledRequestsEnabled: true,
            metricName: "AWSManagedRulesCommonRuleSet",
          },
        },
      ],
    })

    // APIGWとWebACLを紐付ける
    const webAclAssociation = new cdk.aws_wafv2.CfnWebACLAssociation(
      this,
      "webAclAssociation",
      {
        resourceArn: `arn:aws:apigateway:${this.region}::/restapis/${restApi.restApiId}/stages/dev`,
        webAclArn: webAcl.attrArn,
      }
    )
    webAclAssociation.addDependsOn(webAcl)
    webAclAssociation.addDependsOn(restApi.node.defaultChild as cdk.CfnResource)
  }
}

事象

下記のエラーが発生しました。

12:28:38 AM | CREATE_FAILED        | AWS::WAFv2::WebACLAssociation | webAclAssociation
Resource handler returned message: "AWS WAF couldn?t perform the operation because your resource doesn?t exist. (Service: Wafv2, Status Cod
e: 400, Request ID: xxxxxxxxxxxxxxxxxxxxxxxxx, Extended Request ID: null)" (xxxxxxxxxxxxxxxxxxxxxxx,
HandlerErrorCode: NotFound)

ハマった点

    webAclAssociation.addDependsOn(webAcl)
    webAclAssociation.addDependsOn(restApi.node.defaultChild as cdk.CfnResource)

を記述しているのにリソースがないと言われて首を傾げていました。

解決法

amazon web services - AWS SAM - AWS::WAFv2::WebACLAssociation - AWS WAF couldn?t perform the operation because your resource doesn?t exist - Stack Overflow

こちらより、APIGatwayの中のstageを明示的に待つ必要がありそうなのでそのように試してみました。

-   webAclAssociation.addDependsOn(restApi.node.defaultChild as cdk.CfnResource)
+   webAclAssociation.addDependsOn(
+     restApi.deploymentStage.node.defaultChild as cdk.CfnResource
+   )

restApi.deploymentStage.node.defaultChildaddDepends に指定したところ、解決しました。

参考

Discussion