From 0815708f9403b6bdae1f9001a74880499d4d1a9e Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Wed, 28 Aug 2024 10:15:10 -0700
Subject: [PATCH] fix(waf): updating cdn waf
---
 .../braze-content-proxy/src/main.ts | 2 +-
 infrastructure/client-api/src/main.ts | 2 +-
 .../src/pocket/PocketALBApplication.ts | 21 ++----------------
 .../PocketALBApplication.spec.ts.snap | 9 ++------
 4 files changed, 6 insertions(+), 28 deletions(-)
diff --git a/infrastructure/braze-content-proxy/src/main.ts b/infrastructure/braze-content-proxy/src/main.ts
index 1cecc7606..a11f0fac0 100644
--- a/infrastructure/braze-content-proxy/src/main.ts
+++ b/infrastructure/braze-content-proxy/src/main.ts
@@ -110,7 +110,7 @@ class BrazeContentProxy extends TerraformStack {
 return new wafv2WebAcl.Wafv2WebAcl(this, `${config.name}-waf`, {
 description: `Waf for ${config.name} ${config.environment} environment`,
 name: `${config.name}-waf-${config.environment}`,
- scope: 'REGIONAL',
+ scope: 'CLOUDFRONT',
 defaultAction: { allow: {} },
 visibilityConfig: {
 cloudwatchMetricsEnabled: true,
diff --git a/infrastructure/client-api/src/main.ts b/infrastructure/client-api/src/main.ts
index c3bdd66a0..c767ab3e5 100644
--- a/infrastructure/client-api/src/main.ts
+++ b/infrastructure/client-api/src/main.ts
@@ -155,7 +155,7 @@ class ClientAPI extends TerraformStack {
 return new Wafv2WebAcl(this, `${config.name}-waf`, {
 description: `Waf for client-api-proxy ${config.environment} environment`,
 name: `${config.name}-waf-${config.environment}`,
- scope: 'REGIONAL',
+ scope: 'CLOUDFRONT',
 defaultAction: { allow: {} },
 visibilityConfig: {
 cloudwatchMetricsEnabled: true,
diff --git a/packages/terraform-modules/src/pocket/PocketALBApplication.ts b/packages/terraform-modules/src/pocket/PocketALBApplication.ts
index 61200a3ee..837678058 100644
--- a/packages/terraform-modules/src/pocket/PocketALBApplication.ts
+++ b/packages/terraform-modules/src/pocket/PocketALBApplication.ts
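Review bot: `scope: 'CLOUDFRONT'` on the `BrazeContentProxy` web ACL (and the identical change in `infrastructure/client-api/src/main.ts`) only works when the ACL is created through an AWS provider pinned to us-east-1, and neither hunk shows which provider the construct uses. If the stack's default provider is in another region, the ACL needs a us-east-1 provider alias, and any IP sets or rule groups its rules reference must be CLOUDFRONT-scoped as well. Changing the scope also forces a replacement of the ACL, so confirm nothing is still associated with the old REGIONAL one (an ALB, for example) before applying. A comment such as `// CLOUDFRONT scope: must be created in us-east-1 and attached through the distribution's webAclId` would record the constraint; the constructor call continues outside both hunks.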
@@ -255,11 +255,7 @@ export class PocketALBApplication extends Construct {
 this.alb = alb;
 if (config.cdn) {
- const cdn = this.createCDN(albRecord);
- // If we have a CDN, add the WAF to the CDN
- if (config.wafConfig) {
- this.createWAFCDN(cdn, config.wafConfig.aclArn);
- }
+ this.createCDN(albRecord);
 }
 // If we don't have a CDN add the WAF to the ALB
@@ -407,20 +403,6 @@ export class PocketALBApplication extends Construct {
 );
 }
- private createWAFCDN(
- cdn: cloudfrontDistribution.CloudfrontDistribution,
- webAclArn: string,
- ) {
- new wafv2WebAclAssociation.Wafv2WebAclAssociation(
- this,
- 'application_waf_association',
- {
- webAclArn: webAclArn,
- resourceArn: cdn.arn,
- },
- );
- }
-
 /**
 * Creates the ALB stack and certificates
 * @private
@@ -510,6 +492,7 @@ export class PocketALBApplication extends Construct {
 aliases: [this.config.domain],
 priceClass: 'PriceClass_200',
 tags: this.config.tags,
+ webAclId: this.config.wafConfig?.aclArn ?? undefined,
 origin: [
 {
 domainName: albRecord.fqdn,
diff --git a/packages/terraform-modules/src/pocket/__snapshots__/PocketALBApplication.spec.ts.snap b/packages/terraform-modules/src/pocket/__snapshots__/PocketALBApplication.spec.ts.snap
index 0f0ea59a4..eb30f0b4b 100644
--- a/packages/terraform-modules/src/pocket/__snapshots__/PocketALBApplication.spec.ts.snap
+++ b/packages/terraform-modules/src/pocket/__snapshots__/PocketALBApplication.spec.ts.snap
@@ -9413,7 +9413,8 @@ exports[`PocketALBApplication renders an external application with a CDN and a w "acm_certificate_arn": "\${aws_acm_certificate.testPocketApp_cdn_certificate_F1CBB9BB.arn}", "minimum_protocol_version": "TLSv1.1_2016", "ssl_support_method": "sni-only" - } + }, + "web_acl_id": "some-arn" } }, "aws_cloudwatch_dashboard": {
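Review bot: In the `@@ -255,11 +255,7 @@` hunk of `PocketALBApplication.ts`, the CDN branch now depends entirely on the distribution for WAF enforcement, and the context comment that follows shows the ALB association is made only when there is no CDN. Requests sent straight to the ALB would then skip the web ACL unless the ALB accepts traffic only from CloudFront, which this hunk does not show. It is worth confirming that the ALB's security group or listener rules restrict the origin, and recording that next to the call, e.g. `// WAF is attached to the distribution via webAclId; the ALB must only accept CloudFront traffic`. The constructor body starts and ends outside the hunk.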
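Review bot: In the `@@ -510,6 +492,7 @@` hunk, `?? undefined` adds nothing, because `this.config.wafConfig?.aclArn` already evaluates to `undefined` when `wafConfig` is absent; `webAclId: this.config.wafConfig?.aclArn,` is equivalent unless `aclArn` can be `null`. For WAFv2 the distribution expects the ARN of a CLOUDFRONT-scoped web ACL in this field, and a REGIONAL ARN passed by a caller would presumably fail only at apply time. A comment like `// must be the ARN of a CLOUDFRONT-scoped WAFv2 web ACL` on this line, repeated in the doc of the `wafConfig` option (declared outside the hunk), would tell callers what to pass. The enclosing distribution config continues outside the hunk.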
@@ -9723,12 +9724,6 @@ exports[`PocketALBApplication renders an external application with a CDN and a w "name_prefix": "testapp-ECSSecurityGroup", "vpc_id": "\${data.aws_vpc.testPocketApp_pocket_vpc_C4E157E3.id}" } - }, - "aws_wafv2_web_acl_association": { - "testPocketApp_application_waf_association_03F7C3FB": { - "resource_arn": "\${aws_cloudfront_distribution.testPocketApp_cloudfront_distribution_FD7F01BF.arn}", - "web_acl_arn": "some-arn" - } } } }"