Open psladek-seekr opened 3 years ago
@psladek-seekr I'm seeking something to do something similar; were you able to work around this issue?
You should be able to do this by creating a security group for the load balancer and using the CloudFront prefix list: https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/
So I do that already. But I wanted to remove the security group restrictions and use only custom headers.
Haven't found any workaround.
So I have found a way through .ebextensions. Credited to this blog post
```yaml
Resources:
  AWSEBV2LoadBalancerListener443:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn:
        Ref: AWSEBV2LoadBalancer
      Port: 443
      Protocol: HTTPS
      # Default action: anything that matches no rule below gets a 403.
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            ContentType: text/plain
            MessageBody: "oops"
            StatusCode: 403
      Certificates:
        # This property must be defined, but can be any value here
        # (real value in main CFN template)
        - CertificateArn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER
  AWSEBV2LoadBalancerListener443default:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn:
            Ref: AWSEBV2LoadBalancerTargetGroup
      Conditions:
        # Forward only when the custom header carries the expected token,
        # read from the environment property SecureTokenValue.
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: MySecureTokenHeaderName
            Values:
              - "Fn::GetOptionSetting":
                  Namespace: "aws:elasticbeanstalk:application:environment"
                  OptionName: "SecureTokenValue"
      ListenerArn:
        Ref: AWSEBV2LoadBalancerListener443
      Priority: 1
```
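As an added example (not code from this thread), a small Python model of how the ALB evaluates the listener layout above, plus an audit check that the layout fails closed. The rule data is constructed in the shape `aws elbv2 describe-rules` returns; the header name, token and ARNs are placeholders.

```python
"""Toy model of how an ALB evaluates the listener layout posted above.
Constructed input, not real account data: a priority-1 forward rule gated
on an http-header condition plus a default fixed-response 403, in the shape
`aws elbv2 describe-rules` returns. Header name and token are placeholders."""
RULES = [
    {"Priority": "1",
     "Conditions": [{"Field": "http-header",
                     "HttpHeaderConfig": {"HttpHeaderName": "MySecureTokenHeaderName",
                                          "Values": ["placeholder-secret-value"]}}],
     "Actions": [{"Type": "forward", "TargetGroupArn": "arn:placeholder:target-group"}]},
    {"Priority": "default", "IsDefault": True, "Conditions": [],
     "Actions": [{"Type": "fixed-response",
                  "FixedResponseConfig": {"StatusCode": "403", "ContentType": "text/plain",
                                          "MessageBody": "oops"}}]},
]

def _header_condition_matches(cond, headers):
    # Header names are case-insensitive; the value check is an exact match here
    # (the real ALB additionally supports wildcards in Values).
    cfg = cond["HttpHeaderConfig"]
    wanted = cfg["HttpHeaderName"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    return value is not None and value in cfg["Values"]

def evaluate(rules, headers):
    """Return the action type taken: non-default rules are tried in ascending
    priority; the default action applies when none of them matches."""
    ordered = sorted((r for r in rules if not r.get("IsDefault")),
                     key=lambda r: int(r["Priority"]))
    for rule in ordered:
        # Only http-header conditions are modelled; other field types never match.
        if rule["Conditions"] and all(c["Field"] == "http-header"
                                       and _header_condition_matches(c, headers)
                                       for c in rule["Conditions"]):
            return rule["Actions"][0]["Type"]
    return next(r for r in rules if r.get("IsDefault"))["Actions"][0]["Type"]

def fails_closed(rules):
    """Audit: default action must be a 403 fixed-response and every forward rule
    must carry an http-header condition, or direct-to-ALB requests reach targets."""
    action = next(r for r in rules if r.get("IsDefault"))["Actions"][0]
    if action["Type"] != "fixed-response" or action["FixedResponseConfig"]["StatusCode"] != "403":
        return False
    for rule in (r for r in rules if not r.get("IsDefault")):
        forwards = any(a["Type"] == "forward" for a in rule["Actions"])
        gated = any(c["Field"] == "http-header" for c in rule["Conditions"])
        if forwards and not gated:
            return False
    return True
```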
Tell us about your request. What do you want us to build?
Would like to extend support in the aws:elbv2:listenerrule:rulename to support the implementation of https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
Is this request specific to an Elastic Beanstalk platform? If so, which one(s)?
No
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.
Would like to be able to implement the restriction via aws_elastic_beanstalk_environment in Terraform. Or be able to configure it in the UI. HostHeaders and PathPatterns are the only ones supported. HTTP headers are required and don't exist. Being able to implement the 403 fixed response rule would also be ideal.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbv2-listenerrule
Are you currently working around this issue? How are you currently solving this problem?
Not sure yet. Might have to go without or manually modify the ALB rules and hope I can work around it.