aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

@aws-cdk/aws-appsync-alpha: GraphqlApi - Support web ACL assignment #23417

Open paql4711 opened 1 year ago

paql4711 commented 1 year ago

Describe the feature

When using the GraphqlApi resource it is a best practice to attach Web access control lists (web ACLs) to the API since it is publicly exposed. It would be great to allow a direct assignment of the web ACL to the resource.

Use Case

With the current implementation it is not possible to directly assign a web ACL; you first need to create the API and then create another L1 resource (CfnWebACLAssociation), which then assigns the web ACL to the API.

This creates unnecessary lines of code, and it would be much easier to set it via a dedicated construct prop.

Proposed Solution

Allow directly assigning the web ACL rules via a construct prop, as is done for example in the CloudFront Distribution resource with the prop "webAclId".

CDK version used

2.55.1

Environment details (OS name and version, etc.)

Windows 10

peterwoodworth commented 1 year ago

Hey @paql4711, thanks for this feature request. I agree it would be great to set up this WAF association automatically instead of having to drop down to the L1s.

As it is now, our WAF libraries are L1 only, and I think in this particular case it might be useful to have some L2s available first before implementing this in our AppSync module. However, it would be possible to implement this without WAF L2s as well. I'm curious if anyone has opinions on how the AppSync Applications could implement this feature.
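
Because the web ACL is attached through a separate CfnWebACLAssociation rather than a prop on the API, the association is easy to leave out. The following Node.js check is an added example, not code from this issue or from the aws-cdk project: it scans a synthesized CloudFormation template for AppSync APIs that no web ACL association points at. It assumes the association is rendered as `AWS::WAFv2::WebACLAssociation` with a `ResourceArn` that is an `Fn::GetAtt` on the API's `Arn`; the function names and the sample template are constructed for illustration.

```javascript
// Added example: list AppSync GraphQL APIs in a synthesized CloudFormation
// template that no AWS::WAFv2::WebACLAssociation points at.

// Logical ID that a ResourceArn refers to, or null. CDK renders `api.arn` as
// {"Fn::GetAtt": ["<LogicalId>", "Arn"]}; "<LogicalId>.Arn" is the string form.
// A literal ARN string cannot be tied to a logical ID, so it yields null.
function referencedLogicalId(resourceArn) {
  if (resourceArn === null || typeof resourceArn !== 'object') return null;
  const getAtt = resourceArn['Fn::GetAtt'];
  if (Array.isArray(getAtt) && getAtt[1] === 'Arn') return getAtt[0];
  if (typeof getAtt === 'string' && getAtt.endsWith('.Arn')) return getAtt.slice(0, -4);
  return null;
}

// Returns the sorted logical IDs of GraphQL APIs without a web ACL association.
function findUnprotectedGraphqlApis(template) {
  const resources = template.Resources || {};
  const protectedIds = new Set();
  for (const res of Object.values(resources)) {
    if (res.Type !== 'AWS::WAFv2::WebACLAssociation') continue;
    const props = res.Properties || {};
    const target = referencedLogicalId(props.ResourceArn);
    // An association only counts if it names both the API and a web ACL.
    if (target && props.WebACLArn) protectedIds.add(target);
  }
  return Object.keys(resources)
    .filter((id) => resources[id].Type === 'AWS::AppSync::GraphQLApi' && !protectedIds.has(id))
    .sort();
}

// Constructed sample template (resource properties trimmed to what the check reads).
const sampleTemplate = {
  Resources: {
    PublicApi: { Type: 'AWS::AppSync::GraphQLApi', Properties: { Name: 'public' } },
    GuardedApi: { Type: 'AWS::AppSync::GraphQLApi', Properties: { Name: 'guarded' } },
    Acl: { Type: 'AWS::WAFv2::WebACL', Properties: { Scope: 'REGIONAL' } },
    GuardedApiAcl: {
      Type: 'AWS::WAFv2::WebACLAssociation',
      Properties: {
        ResourceArn: { 'Fn::GetAtt': ['GuardedApi', 'Arn'] },
        WebACLArn: { 'Fn::GetAtt': ['Acl', 'Arn'] },
      },
    },
  },
};

console.log(findUnprotectedGraphqlApis(sampleTemplate)); // [ 'PublicApi' ]
```

Run it against the JSON template that `cdk synth` writes and fail the build when the returned list is not empty.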