fix(waf): updating cdn waf

Pocket · Aug 28, 2024 · 0815708 · 0815708
1 parent 7d927c3
commit 0815708
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 28 deletions.
diff --git a/infrastructure/braze-content-proxy/src/main.ts b/infrastructure/braze-content-proxy/src/main.ts
@@ -110,7 +110,7 @@ class BrazeContentProxy extends TerraformStack {
     return new wafv2WebAcl.Wafv2WebAcl(this, `${config.name}-waf`, {
       description: `Waf for ${config.name} ${config.environment} environment`,
       name: `${config.name}-waf-${config.environment}`,
-      scope: 'REGIONAL',
+      scope: 'CLOUDFRONT',
       defaultAction: { allow: {} },
       visibilityConfig: {
         cloudwatchMetricsEnabled: true,

diff --git a/infrastructure/client-api/src/main.ts b/infrastructure/client-api/src/main.ts
@@ -155,7 +155,7 @@ class ClientAPI extends TerraformStack {
     return new Wafv2WebAcl(this, `${config.name}-waf`, {
       description: `Waf for client-api-proxy ${config.environment} environment`,
       name: `${config.name}-waf-${config.environment}`,
-      scope: 'REGIONAL',
+      scope: 'CLOUDFRONT',
       defaultAction: { allow: {} },
       visibilityConfig: {
         cloudwatchMetricsEnabled: true,

diff --git a/packages/terraform-modules/src/pocket/PocketALBApplication.ts b/packages/terraform-modules/src/pocket/PocketALBApplication.ts
@@ -255,11 +255,7 @@ export class PocketALBApplication extends Construct {
     this.alb = alb;
 
     if (config.cdn) {
-      const cdn = this.createCDN(albRecord);
-      // If we have a CDN, add the WAF to the CDN
-      if (config.wafConfig) {
-        this.createWAFCDN(cdn, config.wafConfig.aclArn);
-      }
+      this.createCDN(albRecord);
     }
 
     // If we don't have a CDN add the WAF to the ALB
@@ -407,20 +403,6 @@ export class PocketALBApplication extends Construct {
     );
   }
 
-  private createWAFCDN(
-    cdn: cloudfrontDistribution.CloudfrontDistribution,
-    webAclArn: string,
-  ) {
-    new wafv2WebAclAssociation.Wafv2WebAclAssociation(
-      this,
-      'application_waf_association',
-      {
-        webAclArn: webAclArn,
-        resourceArn: cdn.arn,
-      },
-    );
-  }
-
   /**
    * Creates the ALB stack and certificates
    * @private
@@ -510,6 +492,7 @@ export class PocketALBApplication extends Construct {
         aliases: [this.config.domain],
         priceClass: 'PriceClass_200',
         tags: this.config.tags,
+        webAclId: this.config.wafConfig?.aclArn ?? undefined,
         origin: [
           {
             domainName: albRecord.fqdn,

diff --git a/packages/terraform-modules/src/pocket/__snapshots__/PocketALBApplication.spec.ts.snap b/packages/terraform-modules/src/pocket/__snapshots__/PocketALBApplication.spec.ts.snap
@@ -9413,7 +9413,8 @@ exports[`PocketALBApplication renders an external application with a CDN and a w
           "acm_certificate_arn": "\${aws_acm_certificate.testPocketApp_cdn_certificate_F1CBB9BB.arn}",
           "minimum_protocol_version": "TLSv1.1_2016",
           "ssl_support_method": "sni-only"
-        }
+        },
+        "web_acl_id": "some-arn"
       }
     },
     "aws_cloudwatch_dashboard": {
@@ -9723,12 +9724,6 @@ exports[`PocketALBApplication renders an external application with a CDN and a w
         "name_prefix": "testapp-ECSSecurityGroup",
         "vpc_id": "\${data.aws_vpc.testPocketApp_pocket_vpc_C4E157E3.id}"
       }
-    },
-    "aws_wafv2_web_acl_association": {
-      "testPocketApp_application_waf_association_03F7C3FB": {
-        "resource_arn": "\${aws_cloudfront_distribution.testPocketApp_cloudfront_distribution_FD7F01BF.arn}",
-        "web_acl_arn": "some-arn"
-      }
     }
   }
 }"