Cloudformation-coverage-roadmap: WAFv2 Coverage Request

@luiseduardocolon here is the formal request.

Based on the comment from RalphLawrence on the forum post:
https://forums.aws.amazon.com/thread.jspa?messageID=929703&#929703

Looks like the WebACLAssociation for WAFv2 has been released, but doesn't work?

Not sure what's missing from https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WAFv2.html ?

Has this coverage ask just turned into a bug report on AWS::WAFv2::WebACLAssociation?

@jamiepmullan looks like we had a runaway doc deployment. We are rolling out the support for AWS::WAFv2::WebACLAssociation and it will be available soon.

@rjlohan this is just my speculation and maybe @jamiepmullan can correct me if I'm wrong, but I think that the release of the CloudFormation specs on 16th of January crossed this feature request (made on the same date) to support something like WebACLAssociation in WAFv2 (similar to what can be found in WAF(v1)).

In the release spec of CloudFormation of the 16th of January you could have found that AWS::WAFv2::WebACLAssociation was added. However when you would try to use it, CloudFormation would just bail out and give you an error telling you something that it doesn't know about AWS::WAFv2::WebACLAssociation (and indeed if you would check the JSON specs you would not find AWS::WAFv2::WebACLAssociation).

In the meantime the release notes of the CloudFormation specs on the 16th of January have been corrected and the statement that AWS::WAFv2::WebACLAssociation had been released is removed (this is where I think the confusion is coming from :)).

So, in the end, I think, this issue is just a feature request to be able to associate a AWS::WAFv2::WebACL with regional resources (ELB and API Gateway) directly from CloudFormation.

Ah sorry @rjlohan I've missed your last comment, seems you already found out :)

Any progress on this ? Still waiting to be able to use AWS::WAFv2::WebACLAssociation.

Also interested in seeing this

For those who are searching, I've tested with this and it's working :

    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref ApiGatewayStageArn
      WebACLArn: !GetAtt WafWebAcl.Arn

See API Doc to respect ResourceArn and WebACLArn format.

Any official response about the AWS::WAFv2::WebACLAssociation support?
@darylounet I've tried it but got this:
User {stack-role} is not authorized to perform: apigateway:SetWebACL on resource: {api-gateway-stage} (Service: Wafv2, Status Code: 400, Request ID: xxx)

@Trandel I use it in a SAM template, I don't know if it make a difference. Have you tried with an admin role user ?

I have used it on a admin role, maybe it's not ready in the eu-west-1 region. Which one did you try?

I have used it on a admin role, maybe it's not ready in the eu-west-1 region. Which one did you try?

on eu-central-1

Thanks @darylounet
Looks like AWS is rolling out the update. It worked on us-east-1.
For Ireland I'm just getting an empty ChangeSet when adding this CFN resource.

100% works in US-EAST-1!

It's announced (February 6, 2020) : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html
And available in documentation : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html

I think you can close this issue.