hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Support WAF in Cognito user pools #29422

Closed danballance closed 1 year ago

danballance commented 1 year ago

Description

Cognito now supports enabling WAF in Cognito: https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cognito-enables-native-support-aws-waf/

I've had a look at the latest docs below and I don't think it's supported yet: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool

Are there any plans to support Cognito WAF in the future? Or perhaps I have missed how to enable this with Terraform somewhere?

Many thanks in advance.

Affected Resource(s) and/or Data Source(s)

aws_cognito_user_pool

Potential Terraform Configuration

No response

References

https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cognito-enables-native-support-aws-waf
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html

Would you like to implement a fix?

No

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

dtykalowski-tsh commented 1 year ago

This is already working; you need to attach the WAF to Cognito from the other side: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association

The following arguments are supported:

resource_arn - (Required) The Amazon Resource Name (ARN) of the resource to associate with the web ACL. This must be an ARN of an Application Load Balancer, an Amazon API Gateway stage, or an Amazon Cognito User Pool.

justinretzolk commented 1 year ago

Hey @danballance 👋 Thank you for taking the time to raise this! Can you confirm whether the information provided above resolves your issue?

kamaz commented 1 year ago

@justinretzolk I can confirm this works as expected.

I used an example which I've pasted below and it works as expected. I believe it can be closed unless @danballance still has problems configuring it.

# The user pool to protect.
resource "aws_cognito_user_pool" "main" {
  name = "my-pool"
}

# A regional web ACL; Cognito user pools are regional resources, so the ACL
# must use scope = "REGIONAL" and live in the same region as the pool.
resource "aws_wafv2_web_acl" "main" {
  name  = "my-waf"
  scope = "REGIONAL"

  # No rules yet: every request falls through to the default action.
  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "my-waf"
    sampled_requests_enabled   = false
  }
}

# The association is what actually enables WAF on the user pool: the pool's
# ARN is passed as resource_arn, no change to aws_cognito_user_pool is needed.
resource "aws_wafv2_web_acl_association" "main" {
  resource_arn = aws_cognito_user_pool.main.arn
  web_acl_arn  = aws_wafv2_web_acl.main.arn
}

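As an added example (not from this thread or the provider's own docs), the same association with a web ACL that does something useful for a sign-in endpoint: a rate-based rule that blocks an IP exceeding a request threshold, with CloudWatch metrics and sampled requests turned on so blocked traffic is visible. The resource names and the limit of 1000 requests are placeholder assumptions.

```hcl
resource "aws_cognito_user_pool" "protected" {
  name = "protected-pool" # placeholder name
}

resource "aws_wafv2_web_acl" "cognito" {
  name  = "cognito-user-pool-acl" # placeholder name
  scope = "REGIONAL"              # required for Cognito user pools

  default_action {
    allow {}
  }

  # Block any single source IP that exceeds the limit within WAF's
  # rate-based evaluation window (five minutes). Tune the limit to the
  # pool's legitimate sign-in volume before relying on it.
  rule {
    name     = "rate-limit-per-ip"
    priority = 1

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 1000 # assumed threshold, requests per 5 minutes
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "cognito-rate-limit"
      sampled_requests_enabled   = true
    }
  }

  # Enable metrics at the ACL level too, so allowed vs. blocked counts for
  # the whole user pool show up in CloudWatch.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cognito-user-pool-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "cognito" {
  resource_arn = aws_cognito_user_pool.protected.arn
  web_acl_arn  = aws_wafv2_web_acl.cognito.arn
}
```

With sampled requests enabled, the WAF console and the `BlockedRequests` metric let you confirm the rule is firing on the user pool before tightening the limit.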
justinretzolk commented 1 year ago

Given the info above, we'll close this issue out. If you feel we've done this in error, please do let us know.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.