Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(cloudfront): add attachWebAclId method for Distribution #30567

Merged
merged 11 commits into from
Nov 21, 2024

Conversation

go-to-k
Copy link
Contributor

@go-to-k go-to-k commented Jun 17, 2024

Reason for this change

I often create a custom construct for a WAF only. I also create resources (such as API Gateway, ALB, etc...) that attach the WAF in separate constructs. Instead of attaching the WAF in the target resource's construct, I create a method for attaching it in the WAF's construct.

In this way, the constructs can be loosely coupled, and the target resource's constructs can be more simply. The WAF can also be attached to multiple resources at once later.

export class Waf extends Construct {
  public readonly webAcl: CfnWebACL;

  constructor(scope: Construct, id: string, props: WafProps) {
    super(scope, id);
    this.webAcl = new CfnWebACL(this, 'WebAcl', {
      // ...
    },
  });

  public attachToRegionalResource(id: string, resourceArn: string) {
    new CfnWebACLAssociation(this, `${id}Association`, {
      resourceArn: resourceArn,
      webAclArn: this.webAcl.attrArn,
    });
  }
}

const waf = new Waf(this, 'Waf', { /* props */ });
waf.attachToRegionalResource('A', resourceA);
waf.attachToRegionalResource('B', resourceB);
waf.attachToRegionalResource('C', resourceC);

However, when attaching a WAF to a CloudFront, the WAF attaching configuration needs to be defined through CloudFront props, rather than using CfnWebACLAssociation.
To do this with the above WAF construct, a method is needed to pass a pre-defined CloudFront and override the properties of that definition with an escape hatch. This is a bit complicated.

  public attachToCloudFront(distribution: Distribution) {
    // override the webAcl using escape hatch
  }

In other words, it would be good if CloudFront also had a mechanism (like CfnWebACLAssociation) to attach WAF after defining resources.
This would allow WAF custom constructs to be more generic.

Description of changes

Add attachWebAclId method for Distribution.

declare const bucketOrigin: origins.S3Origin;
declare const webAcl: wafv2.CfnWebACL;

const distribution = new cloudfront.Distribution(stack, 'Distribution', {
  defaultBehavior: { origin: bucketOrigin },
});

distribution.attachWebAclId(webAcl.attrArn);

Description of how you validated changes

Both of unit and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the distinguished-contributor [Pilot] contributed 50+ PRs to the CDK label Jun 17, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team June 17, 2024 11:31
@github-actions github-actions bot added the p2 label Jun 17, 2024
@go-to-k go-to-k marked this pull request as draft June 17, 2024 11:51
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation dismissed their stale review June 17, 2024 11:55

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@go-to-k go-to-k marked this pull request as ready for review June 17, 2024 12:25
go-to-k added 2 commits June 17, 2024 21:36
style for README

Revert "style for README"

This reverts commit 7cb05fa.
@go-to-k go-to-k force-pushed the cloudfront-waf-method branch from a728be9 to 43b40a2 Compare June 17, 2024 13:16
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 17, 2024
This was referenced Jun 24, 2024
Copy link
Contributor

@badmintoncryer badmintoncryer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution. I can't wait to try out this feature myself!

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Nov 17, 2024
Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for contributing!

Copy link
Contributor

mergify bot commented Nov 20, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Nov 20, 2024
Copy link
Contributor

mergify bot commented Nov 20, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@go-to-k
Copy link
Contributor Author

go-to-k commented Nov 21, 2024

@Mergifyio update

Copy link
Contributor

mergify bot commented Nov 21, 2024

update

✅ Branch has been successfully updated

Copy link
Contributor

mergify bot commented Nov 21, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@go-to-k
Copy link
Contributor Author

go-to-k commented Nov 21, 2024

@Mergifyio update

Copy link
Contributor

mergify bot commented Nov 21, 2024

update

✅ Branch has been successfully updated

Copy link

codecov bot commented Nov 21, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.17%. Comparing base (5d61a1b) to head (cf6979c).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #30567   +/-   ##
=======================================
  Coverage   77.17%   77.17%           
=======================================
  Files         105      105           
  Lines        7169     7169           
  Branches     1315     1315           
=======================================
  Hits         5533     5533           
  Misses       1455     1455           
  Partials      181      181           
Flag Coverage Δ
suite.unit 77.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 77.17% <ø> (ø)
---- 🚨 Try these New Features:

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: cf6979c
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

mergify bot commented Nov 21, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit cbe2bec into aws:main Nov 21, 2024
17 checks passed
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 21, 2024
@go-to-k go-to-k deleted the cloudfront-waf-method branch November 26, 2024 00:18
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants