Open jrbeilke opened 2 years ago
Took a shot at trying to implement a new waf_acl_arn
config option, but ran into some complications in trying to handle the different Chalice deployment methods and lack of support in Cloudformation and SAM for accessing the ARN of an API Gateway Stage.
ie. https://github.com/aws/serverless-application-model/issues/792
This may need to wait for Chalice v2 deployer (ie. #1833) or later once Cloudformation and SAM have better support for WAF ACLs with API Gateway Stages
In the meantime I opened up a separate issue (#1838) to expose the ARN of the API Gateway Stage when using Terraform, which would allow us to implement a workaround for now until Chalice is able to handle WAF ACL associations with API Gateway Stages.
Came up with a workaround for now wrapping the chalice.tf.json with some additional Terraform that can reference the APIGW resources from Chalice ie.
resource "aws_wafv2_web_acl_association" "api" {
resource_arn = "${aws_api_gateway_rest_api.rest_api.arn}/stages/${aws_api_gateway_deployment.rest_api.stage_name}"
web_acl_arn = aws_wafv2_web_acl.common.arn
}
WAF support on the API Gateway stage would be needed to pass a Well Architected review.
In order to meet the AWS Foundational Security Best Practices we need to have a WAF ACL on our API Gateway stages, but Chalice does not currently support this AFAICT.
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-apigateway-4
Perhaps a new config value could be added (ie.
waf_acl_id
) which could be used to associate a WAF ACL with the API Gateway stage(s) in Chalice.