feat(cloudfront): add attachWebAclId method for Distribution

[go-to-k]

Reason for this change

I often create a custom construct for a WAF only. I also create resources (such as API Gateway, ALB, etc...) that attach the WAF in separate constructs. Instead of attaching the WAF in the target resource's construct, I create a method for attaching it in the WAF's construct.

In this way, the constructs can be loosely coupled, and the target resource's constructs can be more simply. The WAF can also be attached to multiple resources at once later.

export class Waf extends Construct {
  public readonly webAcl: CfnWebACL;

  constructor(scope: Construct, id: string, props: WafProps) {
    super(scope, id);
    this.webAcl = new CfnWebACL(this, 'WebAcl', {
      // ...
    },
  });

  public attachToRegionalResource(id: string, resourceArn: string) {
    new CfnWebACLAssociation(this, `${id}Association`, {
      resourceArn: resourceArn,
      webAclArn: this.webAcl.attrArn,
    });
  }
}

const waf = new Waf(this, 'Waf', { /* props */ });
waf.attachToRegionalResource('A', resourceA);
waf.attachToRegionalResource('B', resourceB);
waf.attachToRegionalResource('C', resourceC);

However, when attaching a WAF to a CloudFront, the WAF attaching configuration needs to be defined through CloudFront props, rather than using CfnWebACLAssociation.
To do this with the above WAF construct, a method is needed to pass a pre-defined CloudFront and override the properties of that definition with an escape hatch. This is a bit complicated.

  public attachToCloudFront(distribution: Distribution) {
    // override the webAcl using escape hatch
  }

In other words, it would be good if CloudFront also had a mechanism (like CfnWebACLAssociation) to attach WAF after defining resources.
This would allow WAF custom constructs to be more generic.

Description of changes

Add attachWebAclId method for Distribution.

declare const bucketOrigin: origins.S3Origin;
declare const webAcl: wafv2.CfnWebACL;

const distribution = new cloudfront.Distribution(stack, 'Distribution', {
  defaultBehavior: { origin: bucketOrigin },
});

distribution.attachWebAclId(webAcl.attrArn);

Description of how you validated changes

Both of unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: b519fcc
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository