aws-solutions/aws-waf-security-automations

Updating the stack removes configured IP set

anwar-sadat85 opened this issue · 2 comments

Describe the bug
When updating the stack from version 3.1.0 to 3.2.4, the IPs configured in the "WhitelistSetIPV4" are all deleted.

To Reproduce

  1. Install stack version 3.1.0 in a newly created account
  2. Add a few IPs to the WhitelistSetIPv4 IP set
  3. Update the stack with version 3.2.4 (Leave IP retention at -1 for all the retention options, existing values for other params and default for the new parameters)
  4. After the update is completed, view the WhitelistSetIPv4 IP set. It is empty.

Expected behavior
We expect the IP addresses in WhitelistSetIPv4 to be preserved when the stack is updated.

Please complete the following information about the solution:

  • Version: [e.g. v3.2.4]

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "AWS WAF Security Automations v3.1: This AWS CloudFormation template helps you provision the AWS WAF Security Automations stack without worrying about creating and configuring the underlying AWS infrastructure". If the description does not contain the version information, you can look at the mappings section of the template:

Mappings:
  SourceCode:
    General:
      TemplateBucket: 'solutions-reference'
      SourceBucket: 'solutions'
      KeyPrefix: 'waf-security-automation/v3.1'

  • Region: ap-southeast-2
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? No

Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context
Add any other context about the problem here.

Params for 3.1.1
ActivateAWSManagedRulesParam no
ActivateBadBotProtectionParam yes
ActivateCrossSiteScriptingProtectionParam yes
ActivateHttpFloodProtectionParam yes - AWS WAF rate based rule
ActivateReputationListsProtectionParam yes
ActivateScannersProbesProtectionParam yes - AWS Lambda log parser
ActivateSqlInjectionProtectionParam yes
AppAccessLogBucket <bucket_name>
EndpointType ALB
ErrorThreshold 50
KeepDataInOriginalS3Location No
RequestThreshold 100
WAFBlockPeriod 240

Params for 3.2.4 update

ActivateAWSManagedRulesParam Use existing value
ActivateBadBotProtectionParam Use existing value
ActivateCrossSiteScriptingProtectionParam Use existing value
ActivateHttpFloodProtectionParam Use existing value
ActivateReputationListsProtectionParam Use existing value
ActivateScannersProbesProtectionParam Use existing value
ActivateSqlInjectionProtectionParam Use existing value
AppAccessLogBucket Use existing value
EndpointType Use existing value
ErrorThreshold Use existing value
IPRetentionPeriodAllowedParam -1
IPRetentionPeriodDeniedParam -1
KeepDataInOriginalS3Location Use existing value
RequestThreshold Use existing value
SNSEmailParam -
SqlInjectionProtectionSensitivityLevelParam LOW
WAFBlockPeriod Use existing value
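
As an added example that is not part of the solution's code or this report: a small boto3 script that snapshots the allowlist before the stack update and re-adds whatever the update dropped, so the scenario above can be checked and recovered from. It assumes the IP set name WhitelistSetIPV4 as written in the report, the REGIONAL scope (ALB endpoint) and the ap-southeast-2 region; the function and file names are mine.

```python
"""Snapshot a WAFv2 IP set before a stack update and re-add any entries the
update dropped. Added example, not the solution's own code. Functions take the
boto3 wafv2 client as a parameter so they can be exercised offline with a stub."""
import json
import sys
from typing import Iterable

def find_ip_set(client, name: str, scope: str) -> dict:
    """Look the set up by name (paginated); the update may recreate it under a new Id."""
    kwargs = {"Scope": scope}
    while True:
        resp = client.list_ip_sets(**kwargs)
        for summary in resp.get("IPSets", []):
            if summary["Name"] == name:
                return summary
        marker = resp.get("NextMarker")
        if not marker:
            raise LookupError(f"IP set {name!r} not found in scope {scope}")
        kwargs["NextMarker"] = marker

def snapshot(client, name: str, scope: str) -> list:
    """Return the sorted list of CIDRs currently in the IP set."""
    summary = find_ip_set(client, name, scope)
    resp = client.get_ip_set(Name=name, Scope=scope, Id=summary["Id"])
    return sorted(resp["IPSet"]["Addresses"])

def restore_missing(client, name: str, scope: str, saved: Iterable[str]) -> list:
    """Re-add saved CIDRs absent after the update and return them. Merges with the
    current contents and passes the LockToken so a concurrent change is rejected."""
    summary = find_ip_set(client, name, scope)
    resp = client.get_ip_set(Name=name, Scope=scope, Id=summary["Id"])
    current = set(resp["IPSet"]["Addresses"])
    missing = sorted(set(saved) - current)
    if missing:
        client.update_ip_set(Name=name, Scope=scope, Id=summary["Id"],
                             Addresses=sorted(current | set(missing)),
                             LockToken=resp["LockToken"])
    return missing

if __name__ == "__main__":
    # Usage: python ipset_guard.py save|restore <ip-set-name> [region]
    # Set name and region are assumptions; ALB endpoints use the REGIONAL scope.
    import boto3
    mode, name = sys.argv[1], sys.argv[2]
    region = sys.argv[3] if len(sys.argv) > 3 else "ap-southeast-2"
    client = boto3.client("wafv2", region_name=region)
    if mode == "save":
        json.dump(snapshot(client, name, "REGIONAL"), open(f"{name}.json", "w"))
    else:
        print(restore_missing(client, name, "REGIONAL", json.load(open(f"{name}.json"))))
```

Run `save` before step 3 of the reproduction and `restore` after step 4; an empty list from `restore` means nothing was lost.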

Track this in an internal ticket. Closing the issue.