Closed blair-anson closed 4 years ago
Thank you for the feedback. We will take a look and get back to you as soon as we can.
OK, we've had a little time to research the issue. The particular use case for this project is to attach a WAF Web ACL to an Application Load Balancer located in a region. The Web ACL would have an IP Set rule attached to it, and that IP Set would be populated with the current CloudFront service endpoint CIDRs. The goal here is to restrict traffic on the ALB to traffic coming from CloudFront only. In this way, the WAF IP Set and Web ACL are both regional resources, as they are ultimately associated with an ALB running in the region. Let me know if this addresses your concern, and if so, I will close the issue.
Oh of course, the WAF ACL in CloudFront is for traffic inbound to CloudFront, whereas controlling traffic from CloudFront to an internal resource would require an ALB to run the WAF ACL your tool creates. Apologies for the daft question.
I have run this as per the readme file, and it successfully created a WAF ACL. However that WAF ACL is not visible in CloudFront when creating a new distribution. I think the WAF ACL (and related settings) need to be created in the `global` region, whereas this cdk uses the user's default region (i.e. `us-east-1`); however `global` is not a valid region for cdk, so doing `export AWS_DEFAULT_REGION=global` before running `cdk bootstrap` does not work. Perhaps there is another setting required in the cdk call to create the WAF ACL.
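As an added example (not this project's code), this sketches the regional setup the maintainer describes: a WAFv2 IP set populated with CloudFront CIDRs taken from an ip-ranges.json-style document, with the scope chosen by the protected resource (REGIONAL for an ALB, CLOUDFRONT only for a distribution, which must be created in us-east-1). The sample document and its CIDRs are constructed for the demo, and `cloudfront_cidrs`, `waf_scope` and `ip_set_params` are hypothetical helper names.

```python
import ipaddress
import json

# Constructed sample in the public ip-ranges.json layout; the CIDRs are
# documentation ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "GLOBAL", "service": "S3"},
    ],
})

def cloudfront_cidrs(doc, service="CLOUDFRONT"):
    """Return {"IPV4": [...], "IPV6": [...]}: validated, de-duplicated CIDRs
    for one service tag. A WAFv2 IP set holds a single address family, so the
    two lists feed two separate IP sets."""
    data = json.loads(doc)
    v4 = {p["ip_prefix"] for p in data.get("prefixes", []) if p["service"] == service}
    v6 = {p["ipv6_prefix"] for p in data.get("ipv6_prefixes", []) if p["service"] == service}
    # strict=True rejects a prefix with host bits set, which the WAF API refuses too.
    return {
        "IPV4": sorted(str(ipaddress.ip_network(c, strict=True)) for c in v4),
        "IPV6": sorted(str(ipaddress.ip_network(c, strict=True)) for c in v6),
    }

def waf_scope(resource_type):
    """WAFv2 scope: REGIONAL for an ALB (create the Web ACL and IP set in the ALB's
    region); CLOUDFRONT for a distribution (must be created in us-east-1; there is
    no "global" region to point the CLI or CDK at)."""
    scopes = {"alb": "REGIONAL", "cloudfront": "CLOUDFRONT"}
    if resource_type not in scopes:
        raise ValueError(f"unsupported resource type: {resource_type}")
    return scopes[resource_type]

def ip_set_params(name, version, cidrs, resource_type):
    """Parameters in the shape of the wafv2 CreateIPSet call for one address family."""
    return {
        "Name": f"{name}-{version.lower()}",
        "Scope": waf_scope(resource_type),
        "IPAddressVersion": version,
        "Addresses": cidrs[version],
    }
```

Refreshing the IP set on a schedule matters here: the CloudFront ranges change, and an allow list that goes stale silently blocks legitimate edge traffic.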