CreateWebACLMigrationStack
Creates an AWS CloudFormation AWS WAFV2 template for the specified web ACL in the specified Amazon S3 bucket. Then, in CloudFormation, you create a stack from the template, to create the web ACL and its resources in AWS WAFV2. Use this to migrate your AWS WAF Classic web ACL to the latest version of AWS WAF.
Note
Deprecation notice: AWS WAF Classic support will end on September 30, 2025.
This is part of a larger migration procedure for web ACLs from AWS WAF Classic to the latest version of AWS WAF. For the full procedure, including caveats and manual steps to complete the migration and switch over to the new web ACL, see Migrating your AWS WAF Classic resources to AWS WAF in the AWS WAF Developer Guide.
Request Syntax
{
"IgnoreUnsupportedType": boolean
,
"S3BucketName": "string
",
"WebACLId": "string
"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- IgnoreUnsupportedType
-
Indicates whether to exclude entities that can't be migrated or to stop the migration. Set this to true to ignore unsupported entities in the web ACL during the migration. Otherwise, if AWS WAF encounters unsupported entities, it stops the process and throws an exception.
Type: Boolean
Required: Yes
- S3BucketName
-
The name of the Amazon S3 bucket to store the AWS CloudFormation template in. The S3 bucket must be configured as follows for the migration:
-
If the bucket is encrypted, the encryption must use Amazon S3 (SSE-S3) keys. The migration doesn't support encryption with AWS Key Management Service (SSE-KMS) keys.
-
The bucket name must start with
aws-waf-migration-
. For example,aws-waf-migration-my-web-acl
. -
The bucket must be in the Region where you are deploying the template. For example, for a web ACL in
us-west-2
, you must use an Amazon S3 bucket inus-west-2
and you must deploy the template stack tous-west-2
. -
The bucket policies must permit the migration process to write data. For listings of the bucket policies, see the Examples section.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 63.
Pattern:
^aws-waf-migration-[0-9A-Za-z\.\-_]*
Required: Yes
-
- WebACLId
-
The UUID of the WAF Classic web ACL that you want to migrate to WAF v2.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern:
.*\S.*
Required: Yes
Response Syntax
{
"S3ObjectUrl": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- S3ObjectUrl
-
The URL of the template created in Amazon S3.
Type: String
Length Constraints: Minimum length of 1.
Errors
For information about the errors that are common to all actions, see Common Errors.
- WAFEntityMigrationException
-
The operation failed due to a problem with the migration. The failure cause is provided in the exception, in the
MigrationErrorType
:-
ENTITY_NOT_SUPPORTED
- The web ACL has an unsupported entity but theIgnoreUnsupportedType
is not set to true. -
ENTITY_NOT_FOUND
- The web ACL doesn't exist. -
S3_BUCKET_NO_PERMISSION
- You don't have permission to perform thePutObject
action to the specified Amazon S3 bucket. -
S3_BUCKET_NOT_ACCESSIBLE
- The bucket policy doesn't allow AWS WAF to perform thePutObject
action in the bucket. -
S3_BUCKET_NOT_FOUND
- The S3 bucket doesn't exist. -
S3_BUCKET_INVALID_REGION
- The S3 bucket is not in the same Region as the web ACL. -
S3_INTERNAL_ERROR
- AWS WAF failed to create the template in the S3 bucket for another reason.
In addition, the exception includes specific details about the failure in the
MigrationErrorReason
.HTTP Status Code: 400
-
- WAFInternalErrorException
-
The operation failed because of a system problem, even though the request was valid. Retry your request.
HTTP Status Code: 500
- WAFInvalidOperationException
-
The operation failed because there was nothing to do. For example:
-
You tried to remove a
Rule
from aWebACL
, but theRule
isn't in the specifiedWebACL
. -
You tried to remove an IP address from an
IPSet
, but the IP address isn't in the specifiedIPSet
. -
You tried to remove a
ByteMatchTuple
from aByteMatchSet
, but theByteMatchTuple
isn't in the specifiedWebACL
. -
You tried to add a
Rule
to aWebACL
, but theRule
already exists in the specifiedWebACL
. -
You tried to add a
ByteMatchTuple
to aByteMatchSet
, but theByteMatchTuple
already exists in the specifiedWebACL
.
HTTP Status Code: 400
-
- WAFInvalidParameterException
-
The operation failed because AWS WAF didn't recognize a parameter in the request. For example:
-
You specified an invalid parameter name.
-
You specified an invalid value.
-
You tried to update an object (
ByteMatchSet
,IPSet
,Rule
, orWebACL
) using an action other thanINSERT
orDELETE
. -
You tried to create a
WebACL
with aDefaultAction
Type
other thanALLOW
,BLOCK
, orCOUNT
. -
You tried to create a
RateBasedRule
with aRateKey
value other thanIP
. -
You tried to update a
WebACL
with aWafAction
Type
other thanALLOW
,BLOCK
, orCOUNT
. -
You tried to update a
ByteMatchSet
with aFieldToMatch
Type
other than HEADER, METHOD, QUERY_STRING, URI, or BODY. -
You tried to update a
ByteMatchSet
with aField
ofHEADER
but no value forData
. -
Your request references an ARN that is malformed, or corresponds to a resource with which a web ACL cannot be associated.
HTTP Status Code: 400
-
- WAFNonexistentItemException
-
The operation failed because the referenced object doesn't exist.
HTTP Status Code: 400
Examples
Amazon S3 bucket policy for global Amazon CloudFront applications
This example illustrates one usage of CreateWebACLMigrationStack.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "apiv2migration.waf.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*" } ] }
Amazon S3 bucket policy for Amazon API Gateway API or Application Load Balancer applications
This example illustrates one usage of CreateWebACLMigrationStack.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "apiv2migration.waf-regional.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*" } ] }
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: