aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0
845 stars 361 forks

Need control over WAF name - do not want randomized #77

Closed torinwalker closed 5 years ago

torinwalker commented 5 years ago

We have deployed 2.1 previously. In the new 2.2 release, the stack deployment shows two stack deployments, one of which is named as I typed it, and the other (which is how the WAF name ends up) has some hyphenated, randomized suffix added to it.

Naming conventions in AWS are already difficult enough to manage in a large organization - not being able to name the WAF exactly how we need is maddening.

Please provide either a suggestion on what code to tweak to prevent this random suffix from being added, or provide an option to control it during deployment. The current version with its forced-naming convention is unacceptable.

hvital commented 5 years ago

Hi @torinwalker

Thanks for your feedback!

We're going to change the name conversion in the next version. Some resources will use the main stack's name (not the nested stack's name - that contains those random characters you've mentioned) as a prefix.

The idea is, instead of using the following name structure:

Name: !Join [' - ', [!Ref 'AWS::StackName', 'Whitelist Set']]

to use this:

Name: !Sub '${ParentStackName} - Whitelist Set'

Direct link for this example in ALB template here and CloudFront here.

Does it help you?

Regards,

trav-c commented 5 years ago

If I'm reading the change linked in the previous post correctly, the resource names will still be dictated by the name of all parent stacks back to the root above the main WAF automation stack.

I'd personally really like to be able to pass a base-name in as a parameter, particularly since in my current use-case I'm pulling the WAF stack in from an already nested stack, meaning names based on the stack name still contain random strings.

hvital commented 5 years ago

Got your point @trav-c

Unfortunately, we won't have time to include this change in v2.3.0 as we're running the final tests/reviews in order to publish it.

As soon as we have the new version published, I'll come back here and give you guidance about how to change the template to add this extra input parameter (so you can set a custom prefix name for resources' names).

Regards,

Heitor

hvital commented 5 years ago

Hi @trav-c

I pushed v2.3.0. As I mentioned, we are using the Parent's stack name to prefix AWS WAF resources' name.

For your case, you can change this (for ALB/Regional WAF) and this (for CloudFront/Global WAF) resource.

If it makes sense, you can add this as an input parameter or mapping in the main template.
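
Added example, not part of the thread or the project's own templates: one way to expose the prefix as an input parameter so that WAF resource names stay fixed even when the main stack is itself nested and `AWS::StackName` carries a random suffix. `ResourceNamePrefix`, the logical IDs and the `TemplateURL` are hypothetical, and it is assumed that the main template passes `ParentStackName` to the nested stack as a parameter.

```yaml
# Main template (sketch). ResourceNamePrefix is a hypothetical parameter.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ResourceNamePrefix:
    Type: String
    Default: ''
    MaxLength: 64
    AllowedPattern: '^[a-zA-Z0-9 _-]*$'
    Description: Optional fixed prefix for WAF resource names. Empty falls back to the stack name.
Conditions:
  UseCustomPrefix: !Not [!Equals [!Ref ResourceNamePrefix, '']]
Resources:
  WebACLStack:                        # logical ID chosen for this example
    Type: AWS::CloudFormation::Stack
    Properties:
      # Placeholder URL, not the solution's real template location
      TemplateURL: https://example-bucket.s3.amazonaws.com/nested-waf.template
      Parameters:
        # Explicit prefix wins; otherwise keep the stack-name behaviour
        ParentStackName: !If
          - UseCustomPrefix
          - !Ref ResourceNamePrefix
          - !Ref 'AWS::StackName'
---
# Nested template (sketch). The Name expression is the one quoted in the thread.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ParentStackName:
    Type: String
Resources:
  WhitelistSet:                       # logical ID chosen for this example
    Type: AWS::WAFRegional::IPSet
    Properties:
      Name: !Sub '${ParentStackName} - Whitelist Set'
```

With the parameter left empty the names are derived from the stack name as before, so existing deployments are unaffected.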