AWS WAF v2: Associate web ACL from the CLI
📑 On this page
Part 692 of AWS from Zero. This is lesson 11 in the AWS WAF v2 track.
What we are learning
Use associate-web-acl to change one AWS WAF v2 configuration deliberately and inspect the resulting state. This lesson identifies the required input shape, saves the raw response, and keeps inspection separate from execution.
The AWS CLI operation is aws wafv2 associate-web-acl. Required operation inputs: --web-acl-arn (string), --resource-arn (string). The modeled top-level response contains no modeled response body.
Before you run it
aws sts get-caller-identity
REGION="${AWS_REGION:-ap-south-1}"
WEB_ACL_ARN="replace-with-web-acl-arn"
RESOURCE_ARN="replace-with-resource-arn"
aws wafv2 associate-web-acl helpUse a sandbox account or an approved learning environment. Read the operation help before supplying identifiers, ARNs, network ranges, policy documents, or customer data.
Cost note: Web ACLs, rules, requests, managed rule groups, and logging can incur charges.
The command
aws wafv2 associate-web-acl \
--web-acl-arn "$WEB_ACL_ARN" \
--resource-arn "$RESOURCE_ARN" \
--region "$REGION" \
--output json > part-692-response.jsonThe response is saved to part-692-response.json so inspection is separate from execution. The explicit variables above keep required identifiers visible before the API call.
Inspect the result
# A zero-byte response can be normal for operations without a response body.
wc -c part-692-response.json
aws wafv2 helpCompare the returned identifiers and status fields with the account, Region, and resource you intended to target. For asynchronous operations, continue with the service's matching get, list, or describe command until it reaches a terminal state.
One tiny variation
test -s part-692-response.json \
&& node -e "console.log(require('./part-692-response.json'))" \
|| echo "The operation returned no response document."This variation changes output inspection rather than adding another infrastructure concept. Keep the raw JSON while developing a query so a narrow projection does not hide an error or unexpected field.
Common mistake
Do not treat a zero exit code as proof that the intended state is active everywhere. AWS control planes can be eventually consistent, and some operations start asynchronous work.
Cleanup
# This operation is read-only, operational, or needs resource-specific rollback.
# Re-read the command output before changing shared infrastructure.
rm -f part-692-request.json part-692-response.json part-692-payload.bin part-692-debug.logLocal request and response files may contain account IDs, ARNs, names, or service configuration. Remove them when the lab is complete and follow dependency-aware cleanup for any AWS resource you created.
Next, we will learn AWS WAF v2: Put logging configuration from the CLI.