CreateWebACLMigrationStack - AWS WAFV2
Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsExamplesSee Also

CreateWebACLMigrationStack

Creates an AWS CloudFormation AWS WAFV2 template for the specified web ACL in the specified Amazon S3 bucket. Then, in CloudFormation, you create a stack from the template, to create the web ACL and its resources in AWS WAFV2. Use this to migrate your AWS WAF Classic web ACL to the latest version of AWS WAF.

Note

AWS WAF Classic support will end on September 30, 2025.

This is part of a larger migration procedure for web ACLs from AWS WAF Classic to the latest version of AWS WAF. For the full procedure, including caveats and manual steps to complete the migration and switch over to the new web ACL, see Migrating your AWS WAF Classic resources to AWS WAF in the AWS WAF Developer Guide.

Request Syntax

{
   "IgnoreUnsupportedType": boolean,
   "S3BucketName": "string",
   "WebACLId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

IgnoreUnsupportedType

Indicates whether to exclude entities that can't be migrated or to stop the migration. Set this to true to ignore unsupported entities in the web ACL during the migration. Otherwise, if AWS WAF encounters unsupported entities, it stops the process and throws an exception.

Type: Boolean

Required: Yes

S3BucketName

The name of the Amazon S3 bucket to store the AWS CloudFormation template in. The S3 bucket must be configured as follows for the migration:

  • If the bucket is encrypted, the encryption must use Amazon S3 (SSE-S3) keys. The migration doesn't support encryption with AWS Key Management Service (SSE-KMS) keys.

  • The bucket name must start with aws-waf-migration-. For example, aws-waf-migration-my-web-acl.

  • The bucket must be in the Region where you are deploying the template. For example, for a web ACL in us-west-2, you must use an Amazon S3 bucket in us-west-2 and you must deploy the template stack to us-west-2.

  • The bucket policies must permit the migration process to write data. For listings of the bucket policies, see the Examples section.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 63.

Pattern: ^aws-waf-migration-[0-9A-Za-z\.\-_]*

Required: Yes

WebACLId

The UUID of the WAF Classic web ACL that you want to migrate to WAF v2.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: .*\S.*

Required: Yes

Response Syntax

{
   "S3ObjectUrl": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

S3ObjectUrl

The URL of the template created in Amazon S3.

Type: String

Length Constraints: Minimum length of 1.

Errors

For information about the errors that are common to all actions, see Common Errors.

WAFEntityMigrationException

The operation failed due to a problem with the migration. The failure cause is provided in the exception, in the MigrationErrorType:

  • ENTITY_NOT_SUPPORTED - The web ACL has an unsupported entity but the IgnoreUnsupportedType is not set to true.

  • ENTITY_NOT_FOUND - The web ACL doesn't exist.

  • S3_BUCKET_NO_PERMISSION - You don't have permission to perform the PutObject action to the specified Amazon S3 bucket.

  • S3_BUCKET_NOT_ACCESSIBLE - The bucket policy doesn't allow AWS WAF to perform the PutObject action in the bucket.

  • S3_BUCKET_NOT_FOUND - The S3 bucket doesn't exist.

  • S3_BUCKET_INVALID_REGION - The S3 bucket is not in the same Region as the web ACL.

  • S3_INTERNAL_ERROR - AWS WAF failed to create the template in the S3 bucket for another reason.

In addition, the exception includes specific details about the failure in the MigrationErrorReason.

HTTP Status Code: 400

WAFInternalErrorException

The operation failed because of a system problem, even though the request was valid. Retry your request.

HTTP Status Code: 500

WAFInvalidOperationException

The operation failed because there was nothing to do. For example:

  • You tried to remove a Rule from a WebACL, but the Rule isn't in the specified WebACL.

  • You tried to remove an IP address from an IPSet, but the IP address isn't in the specified IPSet.

  • You tried to remove a ByteMatchTuple from a ByteMatchSet, but the ByteMatchTuple isn't in the specified WebACL.

  • You tried to add a Rule to a WebACL, but the Rule already exists in the specified WebACL.

  • You tried to add a ByteMatchTuple to a ByteMatchSet, but the ByteMatchTuple already exists in the specified WebACL.

HTTP Status Code: 400

WAFInvalidParameterException

The operation failed because AWS WAF didn't recognize a parameter in the request. For example:

  • You specified an invalid parameter name.

  • You specified an invalid value.

  • You tried to update an object (ByteMatchSet, IPSet, Rule, or WebACL) using an action other than INSERT or DELETE.

  • You tried to create a WebACL with a DefaultAction Type other than ALLOW, BLOCK, or COUNT.

  • You tried to create a RateBasedRule with a RateKey value other than IP.

  • You tried to update a WebACL with a WafAction Type other than ALLOW, BLOCK, or COUNT.

  • You tried to update a ByteMatchSet with a FieldToMatch Type other than HEADER, METHOD, QUERY_STRING, URI, or BODY.

  • You tried to update a ByteMatchSet with a Field of HEADER but no value for Data.

  • Your request references an ARN that is malformed, or corresponds to a resource with which a web ACL cannot be associated.

HTTP Status Code: 400

WAFNonexistentItemException

The operation failed because the referenced object doesn't exist.

HTTP Status Code: 400

Examples

Amazon S3 bucket policy for global Amazon CloudFront applications

This example illustrates one usage of CreateWebACLMigrationStack.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "apiv2migration.waf.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*"
        }
    ]
                }

Amazon S3 bucket policy for Amazon API Gateway API or Application Load Balancer applications

This example illustrates one usage of CreateWebACLMigrationStack.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "apiv2migration.waf-regional.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*"
        }
    ]
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: