aws-samples / aws-cloudfront-waf-ip-set

This project creates a WAF and IP Set that are scoped to the CloudFront IP Ranges.
MIT No Attribution

WAF ACL does not show up in CloudFront #1

Closed blair-anson closed 4 years ago

blair-anson commented 4 years ago

I have run this as per the readme file, and it successfully created a WAF ACL. However, that WAF ACL is not visible in CloudFront when creating a new distribution. I think the WAF ACL (and related settings) need to be created in the global region, whereas this cdk uses the user's default region (i.e. us-east-1); however, global is not a valid region for cdk, so doing export AWS_DEFAULT_REGION=global before running cdk bootstrap does not work. Perhaps there is another setting required in the cdk call to create the WAF ACL.

carter3d commented 4 years ago

Thank you for the feedback. We will take a look and get back to you as soon as we can.

carter3d commented 4 years ago

OK, we've had a little time to research the issue. The particular use case for this project is to attach a WAF Web ACL to an Application Load Balancer located in a region. The Web ACL would have an IP Set rule attached to it, and that IP Set would be populated with the current CloudFront service endpoint CIDRs. The goal here is to restrict traffic on the ALB to traffic coming from CloudFront only. In this way, the WAF IP Set and Web ACL are both regional resources, as they are ultimately associated with an ALB running in the region. Let me know if this addresses your concern, and if so, I will close the issue.
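Added example (Python, not the aws-samples project's own code) of the pipeline carter3d describes: pull the CloudFront CIDRs out of ip-ranges.json, shape the update for a REGIONAL-scoped WAFv2 IP set (the scope an ALB-attached Web ACL needs, as opposed to the CLOUDFRONT scope that shows up in the CloudFront console), and check whether a client address from an ALB access log falls inside the set. The ip-ranges document is a constructed stand-in with placeholder CIDRs, and boto3 is not called.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The CIDRs are documentation placeholders, not real CloudFront ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/25", "region": "ap-southeast-2", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "GLOBAL", "service": "AMAZON"},
    ],
})


def cloudfront_prefixes(ip_ranges_json: str) -> tuple[list[str], list[str]]:
    """Return (ipv4, ipv6) CIDR lists for service CLOUDFRONT.

    WAFv2 IP sets hold a single address family, so a deployment that must
    cover both families needs two IP sets. Regional CloudFront entries are
    kept alongside GLOBAL ones: any edge location may connect to the ALB.
    """
    doc = json.loads(ip_ranges_json)
    v4 = sorted({p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"})
    v6 = sorted({p["ipv6_prefix"] for p in doc["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"})
    return v4, v6


def ip_set_update_params(name: str, ip_set_id: str, lock_token: str, addresses: list[str]) -> dict:
    """Keyword arguments for boto3's wafv2 update_ip_set call.

    Scope must be REGIONAL for an IP set referenced by a Web ACL on an ALB;
    a CLOUDFRONT-scoped set (managed in us-east-1) is a different resource.
    """
    return {"Name": name, "Scope": "REGIONAL", "Id": ip_set_id,
            "LockToken": lock_token, "Addresses": addresses}


def allowed_by_ip_set(client_ip: str, addresses: list[str]) -> bool:
    """True if client_ip (e.g. from an ALB access log) is inside any listed CIDR."""
    ip = ipaddress.ip_address(client_ip)
    # Membership across address families is False, so mixed lists are safe.
    return any(ip in ipaddress.ip_network(cidr) for cidr in addresses)
```

Running allowed_by_ip_set over the client IPs in ALB access logs is a quick way to confirm that nothing but CloudFront reaches the load balancer once the Web ACL is associated.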

blair-anson commented 4 years ago

Oh, of course, the WAF ACL in CloudFront is for traffic inbound to CloudFront, whereas controlling traffic from CloudFront to an internal resource would require an ALB to run the WAF ACL your tool creates. Apologies for the daft question.