aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0

WAF support? #2254

Open mikelhamer opened 3 years ago

mikelhamer commented 3 years ago

I have a requirement that my app cannot be accessible to the public. Is there support for attaching generated load balancers to a WAF or locking down the services somehow? I'm worried that if I edit the generated network resources to lock down to certain IP ranges, etc. that it will be overwritten when I redeploy.

kohidave commented 3 years ago

Hiya! I'll check more about WAF specifically tomorrow - but we do allow you to gate Load Balancer access via IP ranges:

https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#http-allowed-source-ips

efekarakus commented 3 years ago

Hi @mikelhamer! We'll close the issue for now, but feel free to re-open it if the allowed_source_ips property doesn't help address your need.

mikelhamer commented 3 years ago

Opening this because I cannot have the list of allowed IPs in source control like this. They need to be able to live inside AWS infrastructure if possible. Any ideas?

@efekarakus looks like I don't actually have the ability to re-open myself

efekarakus commented 3 years ago

Hi @mikelhamer ! I re-opened the issue.

One alternative might be to use an nginx sidecar: https://aws.github.io/copilot-cli/docs/developing/sidecars/ to set up a list of allowed IP addresses (https://help.dreamhost.com/hc/en-us/articles/216456127-Blocking-IPs-with-Nginx)

The list can be securely stored in SSM and injected as an environment variable using the secrets field that's available under sidecars.

http:
  path: '/'
  target_container: 'nginx'

sidecars:
  nginx:
    port: 80
    image: 1234567890.dkr.ecr.us-west-2.amazonaws.com/reverse-proxy:revision_1
    secrets:
      ALLOW_LIST: '<ssm parameter name>'

mikelhamer commented 3 years ago

@efekarakus somehow just now seeing this. Thanks for the suggestion!

sugarjig commented 3 years ago

I also have a need to support AWS WAF. In my case, the need is to be able to use Web ACLs. I thought I could use Copilot's support for Additional AWS Resources, but I don't think I can. The ACL association requires the ARN of a load balancer. This is from the CloudFormation docs:

Resources:
  SampleWebACLAssociation:
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebACLArn: ExampleARNForWebACL
      ResourceArn: ExampleARNForRegionalResource

I don't see a way to reference the load balancer's ARN from the CloudFormation template. Is there a way to do this that I'm not seeing?

Lou1415926 commented 3 years ago

For folks that need to support AWS WAF and have trouble attaching the load balancers, here is a snippet that may help!

Resources:
  SampleWebACLAssociation:
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebACLArn: ExampleARNForWebACL
      ResourceArn: !Sub
        - 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/${ExportedLBFullName}'
        - { ExportedLBFullName: { 'Fn::ImportValue': !Sub '${App}-${Env}-PublicLoadBalancerFullName' }}

The idea is to use the PublicLoadBalancerFullName from our environment stack's output to reconstruct the load balancer's ARN.
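Putting the two threads together, here is an added example (not from this thread or the Copilot project) of a complete Copilot addon template: a WAFv2 Web ACL with default action Block, a single rule that allows only sources in an IP set, and the association built from the exported load balancer name shown above. It assumes the IP set is created and maintained outside the template (so the allow list lives in AWS rather than in source control) and that its ARN is supplied through the AllowListIPSetArn parameter; that parameter name and the placeholder default are assumptions.

```yaml
# Added example addon template; App, Env and Name are the parameters Copilot
# passes to every addon, AllowListIPSetArn is an assumed extra parameter.
Parameters:
  App:
    Type: String
  Env:
    Type: String
  Name:
    Type: String
  AllowListIPSetArn:
    # Assumed parameter: ARN of a REGIONAL AWS::WAFv2::IPSet managed outside
    # this template. The default is a placeholder to be overridden at deploy.
    Type: String
    Default: 'arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/NAME/ID'

Resources:
  AllowListWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Sub '${App}-${Env}-${Name}-allowlist'
      Scope: REGIONAL
      DefaultAction:
        Block: {}          # any request not matched by a rule is rejected
      VisibilityConfig:    # sampled requests and metrics for auditing blocks
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub '${App}-${Env}-${Name}-allowlist'
      Rules:
        - Name: AllowListedSources
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !Ref AllowListIPSetArn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AllowListedSources

  AllowListWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt AllowListWebACL.Arn
      # Rebuild the ALB ARN from the environment stack's exported full name,
      # exactly as the snippet above does.
      ResourceArn: !Sub
        - 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/${LBFullName}'
        - { LBFullName: { 'Fn::ImportValue': !Sub '${App}-${Env}-PublicLoadBalancerFullName' } }
```

Because the IP set is referenced by ARN rather than declared here, editing its addresses in the WAF console or API does not drift the addon stack, and a Copilot redeploy leaves the list untouched.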