feat(cloudfront): support WAF security protections #32021
Conversation
github-actions
bot
added
effort/medium
github-actions
bot
added
the
beginning-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
phuhung273
force-pushed
the
cloudfront-enable-waf
branch
from
c6c0cda to
48b4c10
Compare
phuhung273
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
|
Doesn't the WebACL have to be deployed in |
Yes of course for
|
|
So what happens if the distribution isn't in |
I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg |
I meant what happens if a user sets |
Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope. But if we want to associate an |
Wouldn't it try to deploy the |
No, the
|
|
@gshpychka youre rite, lemme have a test deploying entire stack to another region |
phuhung273
force-pushed
the
cloudfront-enable-waf
branch
from
48b4c10 to
6fe8d5e
Compare
Thanks so much for pointing that out. You're absolutely right. Confirm that Looking through Issues, found this similar one #6242. Added validation to ensure new flag cannot be used outside |
gracelu0
added
the
needs-security-review
...@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.cloudfront-waf-protection.ts
Outdated
Show resolved
Hide resolved
| * | ||
| * @default false | ||
| */ | ||
| readonly enableWafCoreProtections?: boolean; |
There was a problem hiding this comment.
can we make this a method instead? Since distribution has quite a few props already and this doesn't strictly map to a resource property, I think it's more ergonomic for the user to enable this like distribution.enableWafCoreProtections().
There was a problem hiding this comment.
Changed to method, usage is now:
distribution.enableWafProtection({
enableCoreProtection: true,
// enableRateLimitingProtection: true, // <------- will be added in the future since it cannot be used for S3 origin
// enableSqlInjectionProtection: true, // <------- will be added in the future since it cannot be used for S3 origin
});Will create another issue to add 2 more options, I dont know how to check if origin is S3. How do you think about this?
| enableWafCoreProtections: true, | ||
| }); | ||
|
|
||
| new IntegTest(app, 'integ-cloudfront-waf-protection-test', { |
There was a problem hiding this comment.
Can you add an assertion to this integration test to get the WebACL ID from the distributionConfig and then GetWebACL to verify the ACL was created and has the expected configuration?
Here's an example of assertions being used in an integration test: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts#L25
There was a problem hiding this comment.
I tried it for an entire day :( but seems like something is wrong with wafv2.getWebAcl. Using this snippet:
integ.assertions.awsApiCall('WAFV2', 'getWebACL', {
Id: webAclId,
Name: webAclName,
Scope: 'CLOUDFRONT',
})Return this error:
AccessDeniedException: Critical information is missing in your request: GetWebACLRequest(name=null, scope=CLOUDFRONT, id=arn:aws:wafv2:us-east-1:<ACCOUNT>:global/webacl/CreatedByCloudFront-cloudfrontwafprotectionDistroB056DD41/95b1327c-179c-4a43-97e5-a89a13a8418f, aRN=null)
But it return different when all request params are lowercase:
integ.assertions.awsApiCall('WAFV2', 'getWebACL', {
id: webAclId,
name: webAclName,
scope: 'CLOUDFRONT',
})Critical information is missing in your request: GetWebACLRequest(name=null, scope=null, id=null, aRN=null)
So we know Id, Name and Scope are the correct inputs. But somehow Id value is ARN and Name is null.
If you can review integration test file, would be super helpful. Thank you.
aws-cdk-automation
removed
the
pr/needs-community-review
mergify
bot
dismissed
gracelu0’s stale review
Pull request has been modified.
There was a problem hiding this comment.
The pull request linter fails with the following errors:
❌ Features must contain a change to an integration test file and the resulting snapshot.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #32021 +/- ##
=======================================
Coverage 80.79% 80.79%
=======================================
Files 232 232
Lines 14106 14106
Branches 2452 2452
=======================================
Hits 11397 11397
Misses 2429 2429
Partials 280 280
Flags with carried forward coverage won't be shown. Click here to find out more.
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
Closes #31737
Reason for this change
Description of changes
enableWafCoreProtectionsboolean to use default WAF security optionDescription of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license