hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Add support for adding WAF to AppSync API #15897

Closed jnelson788 closed 2 years ago

jnelson788 commented 3 years ago

Description

AWS AppSync now has support to add an AWS WAF. Please add this new functionality in Terraform.

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_waf_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptors {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_waf_rule" "wafrule" {
  depends_on  = [aws_waf_ipset.ipset]
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicates {
    data_id = aws_waf_ipset.ipset.id
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  depends_on = [
    aws_waf_ipset.ipset,
    aws_waf_rule.wafrule,
  ]
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rules {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = aws_waf_rule.wafrule.id
    type     = "REGULAR"
  }
}

resource "aws_appsync_graphql_api" "example_with_waf" {
  authentication_type = "API_KEY"
  name                = "example"
  web_acl_id          = aws_waf_web_acl.waf_acl.id

  # ... other configuration ...
}

References

anGie44 commented 3 years ago

Hi @jnelson788, thank you for creating this issue! Looking at the dev guides for WAF and WAF Classic, I believe this AppSync support is only available to Terraform AWS Provider wafv2 resources at this time as the list of resources available to associate with a WebACL differs between the two services: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html (WAF i.e. wafv2 resources in the Terraform AWS Provider) vs. https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-associating-cloudfront-distribution.html (WAF Classic, i.e. waf/wafregional resources in the Terraform AWS Provider, support for API Gateway API, CloudFront distribution or Application Load Balancer).

With that said, if you are also using wafv2 (referred to as the WAF service by AWS) resources, you (and anyone who may come across this issue) should already be able to associate a wafv2_web_acl with an appsync_graphql_api resource via the resource_arn argument in the wafv2_web_acl_association resource e.g.

resource "aws_wafv2_web_acl_association" "test" {
  resource_arn = aws_appsync_graphql_api.test.arn
  web_acl_arn  = aws_wafv2_web_acl.test.arn
}

Announcement Ref: https://aws.amazon.com/blogs/mobile/appsync-waf/

Hope this helps! And please let me know if you have any additional questions :)
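As an added example (not code from the issue, the commenter, or the provider's own documentation), here is the wafv2 equivalent of the WAF Classic configuration proposed in the issue, wired to an AppSync API through the association resource described above. The resource names are assumptions, the 192.0.7.0/24 address is the sample value from the issue's proposal, and `scope = "REGIONAL"` is required because AppSync is a regional resource (only CloudFront uses the CLOUDFRONT scope).

```hcl
# IP set equivalent to the issue's aws_waf_ipset, in wafv2 form.
resource "aws_wafv2_ip_set" "blocked" {
  name               = "tf-blocked-ips"
  scope              = "REGIONAL" # AppSync is a regional resource
  ip_address_version = "IPV4"
  addresses          = ["192.0.7.0/24"] # sample range from the issue's proposal
}

# Web ACL that allows by default and blocks requests from the IP set.
resource "aws_wafv2_web_acl" "appsync" {
  name  = "tf-appsync-web-acl"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule {
    name     = "block-listed-ips"
    priority = 1
    action {
      block {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.blocked.arn
      }
    }
    # Per-rule metrics and sampled requests help verify the rule actually fires.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-listed-ips"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "tf-appsync-web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_appsync_graphql_api" "example" {
  name                = "example"
  authentication_type = "API_KEY"
}

# The association is what actually places the Web ACL in front of the API;
# without it the ACL exists but inspects no AppSync traffic.
resource "aws_wafv2_web_acl_association" "appsync" {
  resource_arn = aws_appsync_graphql_api.example.arn
  web_acl_arn  = aws_wafv2_web_acl.appsync.arn
}
```

After `terraform apply`, the CloudWatch metric named in each `visibility_config` shows whether requests are being counted and blocked as expected.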

DrFaust92 commented 2 years ago

Closing as the question was answered.

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.