
WAFv2 WebACLAssociation "The ARN isn't valid" - direct setup works


I've been trying to connect my ApiGateway RestApi to my WAF WebACL for some time now.

I am working with the serverless framework so I have the Cloudformation template serverless.yml.

Here is my setup:

    MyWafWebACL:
      Type: 'AWS::WAFv2::WebACL'
      Properties:
        Name: 'WhitelistedIPsWebACL'
        Scope: 'REGIONAL'
        DefaultAction:
          Allow: {}
        Rules:
          - Name: 'AllowWhitelistedIPsIPv4'
            Priority: 0
            Action:
              Allow: {}
            Statement:
              IPSetReferenceStatement:
                ARN: !GetAtt MyWafIPSetIPv4.Arn
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: 'AllowWhitelistedIPsIPv4Metric'
          - Name: 'AllowWhitelistedIPsIPv6'
            Priority: 1
            Action:
              Allow: {}
            Statement:
              IPSetReferenceStatement:
                ARN: !GetAtt MyWafIPSetIPv6.Arn
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: 'AllowWhitelistedIPsIPv6Metric'
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: 'WhitelistedIPsMetric'

    ApiGatewayRestApi:
      Type: 'AWS::ApiGateway::RestApi'
      Properties:
        Name: 'ApiGatewayRestApi'
        Description: 'Standard REST gateway'

    MyWafWebACLAssociation:
      Type: 'AWS::WAFv2::WebACLAssociation'
      Properties:
        WebAclArn: !Ref MyWafWebACL
        ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGatewayRestApi}/stages/dev"

When I comment out the WebACLAssociation, everything deploys fine and the resources are created correctly. I can also make the association in the web interface without issue, but I want to deploy to different stages, and having to do this manually when it should work normally is error-prone and I would like to avoid it at all costs.

I have tried the following:

Does anybody have an idea why this could be happening?

Thanks in advance.


Solution

  • I found the answer when searching through repost.

    It is mentioned here that the issue is not the ResourceArn of the apigateway but the WebAclArn. The error messages being thrown are wrong.

    The WebAclArn cannot be referenced like !Ref MyWafWebACL because this seems to be an object with multiple values. The correct reference is !GetAtt MyWafWebACL.Arn, which points to the ARN directly.

    This solved my issues.
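A pre-deploy check for the reference form the answer identifies, added here as an example (it is not code from the question or the answer) and assuming PyYAML is installed: it loads a serverless.yml-style template with its short-form intrinsics and flags any AWS::WAFv2::WebACLAssociation whose WebAclArn is a !Ref instead of !GetAtt <WebACL>.Arn.

```python
import yaml  # PyYAML (assumed to be installed)


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that also accepts CloudFormation short-form tags (!Ref, !GetAtt, !Sub)."""


def _intrinsic(loader, suffix, node):
    # Expand a short-form tag into its long-form dict so the template can be inspected as plain data.
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
    else:
        value = loader.construct_sequence(node)
    if suffix == "Ref":
        return {"Ref": value}
    if suffix == "GetAtt" and isinstance(value, str):
        return {"Fn::GetAtt": value.split(".", 1)}  # "Logical.Attr" -> ["Logical", "Attr"]
    return {"Fn::" + suffix: value}


CfnLoader.add_multi_constructor("!", _intrinsic)


def check_web_acl_associations(template_text):
    """Return one finding per AWS::WAFv2::WebACLAssociation whose WebAclArn is not a GetAtt on .Arn."""
    resources = yaml.load(template_text, Loader=CfnLoader).get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::WAFv2::WebACLAssociation":
            continue
        acl = res.get("Properties", {}).get("WebAclArn")
        if isinstance(acl, dict) and "Ref" in acl:
            # !Ref on an AWS::WAFv2::WebACL does not yield its ARN, so the association is rejected.
            findings.append(f"{name}: WebAclArn uses !Ref {acl['Ref']}; use !GetAtt {acl['Ref']}.Arn")
        elif not (isinstance(acl, dict) and acl.get("Fn::GetAtt", [None])[-1] == "Arn"):
            findings.append(f"{name}: WebAclArn must be the WebACL ARN (!GetAtt <WebACL>.Arn)")
    return findings


# Constructed sample: the question's association, reduced to the properties the check looks at.
BROKEN_TEMPLATE = """
Resources:
  MyWafWebACL:
    Type: 'AWS::WAFv2::WebACL'
  MyWafWebACLAssociation:
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebAclArn: !Ref MyWafWebACL
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGatewayRestApi}/stages/dev"
"""

if __name__ == "__main__":
    print("\n".join(check_web_acl_associations(BROKEN_TEMPLATE)) or "no findings")
```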