
Comments (6)

tbelmega commented on September 13, 2024

Hi, thanks for reporting this issue. We're going to look into it.

from aws-waf-security-automations.

tbelmega commented on September 13, 2024

Hi,
unfortunately I was not able to reproduce the issue. I deployed v3.2.5 in multiple configurations and multiple regions, and every time the upgrade to the latest v4.0.x worked fine.

  • In AWS Console / CloudFormation, select the main solution stack
  • Click "update stack"
  • Click "replace existing template"
  • Paste https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations.template into the url field
  • Click next, next, next, submit

Is there anything you're doing differently?


tbgbeansbot commented on September 13, 2024

Hi, I'm afraid not, that is the exact same process we use.

I believe we might have had this template deployed in the past with this name and then deleted it.
We are now trying to deploy with that same name; it seems to struggle with anything over v3.2.5.

It's as if the old version wasn't removed fully somehow, but it has gone from the CloudFormation console/CLI exports.

Could there be anywhere else we would be checking where old things could be?
Or could we remove the validation check (if possible) for AppAccessLogBucket?


tbelmega commented on September 13, 2024

Hi,
can you verify two things for me please?

  1. Is waf-dr-eu2-stack the name of your existing stack that you're trying to update?
  2. Does this stack have an output with the key AppAccessLogBucket and the value of waf-dr-eu2-stack-AppAccessLogBucket? (AWS CloudFormation Console -> Select Stack -> Tab "Outputs")

If that is the case, you might be able to work around the problem using the following steps:

  1. Update the stack with the existing template (v3.2.5) and change the input parameter "Custom Rule - Scanner & Probes / Activate Scanner & Probe Protection" temporarily to "no". This update will remove the problematic export from the stack.
  2. Now update the stack with the new template version (v4.0.3).
  3. Finally update the stack again with the existing template (v4.0.3) setting the input parameter back to the original value, in order to re-activate the Scanner/Probe protection feature.

Please be aware that during steps 1 to 3, the Scanner/Probe protection feature is temporarily disabled. Consider the security implications of this and proceed at your own risk.

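The check the maintainer asks for above, extended to every export in the account and region, as an added example that is not part of the original thread or the solution's code: it reads JSON shaped like the output of `aws cloudformation list-exports` and reports exports that carry the stack's name prefix but are owned by a different stack. The sample data (account ID, region, stack IDs, `legacy-logging`, `ExampleExport`) is constructed, and the `<stack name>-AppAccessLogBucket` naming is an assumption taken from the maintainer's question.

```python
import json

# Constructed sample in the shape of `aws cloudformation list-exports` output.
# Account ID, region, stack IDs and the "legacy-logging" stack are made up.
SAMPLE_EXPORTS = json.loads("""
{"Exports": [
  {"ExportingStackId": "arn:aws:cloudformation:eu-west-2:111122223333:stack/waf-dr-eu2-stack/aaaa1111",
   "Name": "waf-dr-eu2-stack-AppAccessLogBucket", "Value": "tbg-waf-eu2-logs-dr"},
  {"ExportingStackId": "arn:aws:cloudformation:eu-west-2:111122223333:stack/legacy-logging/bbbb2222",
   "Name": "waf-dr-eu2-stack-ExampleExport", "Value": "example-value"},
  {"ExportingStackId": "arn:aws:cloudformation:eu-west-2:111122223333:stack/waf123/cccc3333",
   "Name": "waf123-AppAccessLogBucket", "Value": "other-bucket"}
]}
""")


def stack_name_from_id(stack_id):
    """Extract the stack name from a stack ARN (resource part: stack/<name>/<id>)."""
    resource = stack_id.split(":", 5)[5]
    return resource.split("/")[1]


def exports_for_prefix(exports, stack_name):
    """Return (export name, owning stack, value) for exports named '<stack_name>-...'."""
    prefix = stack_name + "-"
    return [
        (e["Name"], stack_name_from_id(e["ExportingStackId"]), e["Value"])
        for e in exports["Exports"]
        if e["Name"].startswith(prefix)
    ]


def foreign_owned(exports, stack_name):
    """Exports with this stack's name prefix that belong to another stack.

    Export names must be unique per account and region, so an export held by
    a different stack blocks this stack from creating one with the same name.
    """
    return [row for row in exports_for_prefix(exports, stack_name)
            if row[1] != stack_name]


if __name__ == "__main__":
    for name, owner, value in exports_for_prefix(SAMPLE_EXPORTS, "waf-dr-eu2-stack"):
        print(f"{name}: owned by {owner}, value {value}")
    print("conflicts:", foreign_owned(SAMPLE_EXPORTS, "waf-dr-eu2-stack"))
```

To run it against a real account, replace `SAMPLE_EXPORTS` with the parsed output of `aws cloudformation list-exports` for the region the stack is deployed in.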

tbgbeansbot commented on September 13, 2024

Hi,

The output has AppAccessLogBucket with the value of my S3 bucket tbg-waf-eu2-logs-dr.
I tried anyway and could remove Custom Rule - Scanner & Probes, which worked fine, but then I still could not upgrade to v4 latest as it came with another error.
I was then unable to roll back and add Custom Rule - Scanner & Probes back in.
So I had to delete the whole stack and recreate it again on v3.2.5.

I did try the following though.
I created a new WAF with template 3.2.5 and called it waf123 with all the same settings - this deployed successfully.
I then upgraded it to v4.0.3 and it deployed successfully.

So it seems only when using the stack name waf-dr-eu2-stack does it not allow me to upgrade for some reason?

Unfortunately I do need to keep the name waf-dr-eu2-stack for the time being for some downstream automation based on the name. Not sure why using the name waf-dr-eu2-stack would be an issue?


tbelmega commented on September 13, 2024

Hi, I'm sorry to hear that. I don't have any plausible explanation why there would be an update issue with one specific stack name.
Since you already deleted and recreated the stack, you should be able to do the same and install the latest version instead of v3.2.5, right?

It sounds like this is not an issue with the aws-waf-security-automations solution, but rather some state your AWS account is in, so I'm going to close this bug ticket. If you have an AWS Support plan, feel free to create a support request with AWS Support who is able to look at your actual account.
