使用 Cloudformation 创建堆栈时 AWS::WAFv2::LoggingConfiguration 遇到无效的 ARN

Question

我有一个 Cloudformation 模板，可以创建 WAFv2 以及 Cloudwatch Logging。我在尝试设置 LoggingConfiguration 时遇到问题。我得到的实际错误看起来像这样：

Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: LOG_DESTINATION, parameter: arn:aws:logs:us-east-1:xxxxx:log-group:aws-waf-bar-foo:*

我的 LoggingConfiguration 看起来像这样：

"webAcllogging": {
      "Type": "AWS::WAFv2::LoggingConfiguration",
      "Properties": {
        "ResourceArn": {
          "Fn::GetAtt": [
            "webAcl",
            "Arn"
          ]
        },
        "LogDestinationConfigs": [
          {
            "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-bar-foo:*"
          }
        ],
        "RedactedFields": [
          {
            "SingleHeader": {
              "Name": "password"
            }
          }
        ]
      }
    },

我尝试更改一些内容，但仍然遇到此错误。有人知道为什么吗？

Answer 1

事实证明，您必须对 WAF 日志使用特殊的命名约定。

该名称需要加上前缀aws-waf-logs-。

所以LogDestinationConfigs应该如下：

"LogDestinationConfigs": [
    {
        "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-bar-foo:*"
    }
],