feat(cloudfront): support WAF security protections

[phuhung273]

Issue # (if applicable)

Closes #31737

Reason for this change

• Support WAF one-click security protections

Description of changes

• Add enableWafCoreProtections boolean to use default WAF security option

Description of how you validated changes

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[gshpychka]

Doesn't the WebACL have to be deployed in us-east-1?

[phuhung273]

Doesn't the WebACL have to be deployed in us-east-1?

Yes of course for CloudFront. According to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html

[gshpychka]

So what happens if the distribution isn't in us-east-1?

[phuhung273]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

[gshpychka]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

[phuhung273]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

[gshpychka]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

[phuhung273]

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

No, the CfnWebACL wont fail. With scope=CloudFront, it goes to Global. We can check it at WAF > WebACLs

[phuhung273]

@gshpychka youre rite, lemme have a test deploying entire stack to another region

[phuhung273]

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

Thanks so much for pointing that out. You're absolutely right. Confirm that enableWafCoreProtections fail to deploy if used outside of us-east-1 .

Looking through Issues, found this similar one #6242.

Added validation to ensure new flag cannot be used outside us-east-1

[gracelu0]

Can you add an assertion to this integration test to get the WebACL ID from the distributionConfig and then GetWebACL to verify the ACL was created and has the expected configuration?

Here's an example of assertions being used in an integration test: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts#L25

[phuhung273]

I tried it for an entire day :( but seems like something is wrong with wafv2.getWebAcl. Using this snippet:

integ.assertions.awsApiCall('WAFV2', 'getWebACL', {
  Id: webAclId,
  Name: webAclName,
  Scope: 'CLOUDFRONT',
})

Return this error:
AccessDeniedException: Critical information is missing in your request: GetWebACLRequest(name=null, scope=CLOUDFRONT, id=arn:aws:wafv2:us-east-1:<ACCOUNT>:global/webacl/CreatedByCloudFront-cloudfrontwafprotectionDistroB056DD41/95b1327c-179c-4a43-97e5-a89a13a8418f, aRN=null)

But it return different when all request params are lowercase:

integ.assertions.awsApiCall('WAFV2', 'getWebACL', {
  id: webAclId,
  name: webAclName,
  scope: 'CLOUDFRONT',
})

Critical information is missing in your request: GetWebACLRequest(name=null, scope=null, id=null, aRN=null)

So we know Id, Name and Scope are the correct inputs. But somehow Id value is ARN and Name is null.

If you can review integration test file, would be super helpful. Thank you.

[phuhung273]

Even this simple snippet failed to verify created WebACL ARN

integ.assertions.awsApiCall('CloudFront', 'getDistributionConfig', {
  Id: distribution.distributionId,
})
  .assertAtPath(
    'DistributionConfig.WebACLId',
    ExpectedResult.stringLikeRegexp('arn:aws:wafv2:us-east-1:.*:global\/webacl\/')
  );

cloudfront-waf-protection: start: Building 87ec8ff4a4afe51819ee6e62a1c4f5c5646a0090bda79e2c66bfd071c8a07213:current_account-us-east-1
cloudfront-waf-protection: success: Built 87ec8ff4a4afe51819ee6e62a1c4f5c5646a0090bda79e2c66bfd071c8a07213:current_account-us-east-1
cloudfront-waf-protection: start: Publishing 87ec8ff4a4afe51819ee6e62a1c4f5c5646a0090bda79e2c66bfd071c8a07213:current_account-us-east-1
cloudfront-waf-protection: success: Published 87ec8ff4a4afe51819ee6e62a1c4f5c5646a0090bda79e2c66bfd071c8a07213:current_account-us-east-1
cloudfront-waf-protection: deploying... [1/1]
cloudfront-waf-protection: creating CloudFormation changeset...
❌  cloudfront-waf-protection failed: ToolkitError: Change includes a replacement which cannot be deployed with "--no-rollback", but terminal (TTY) is not attached so we are unable to get a confirmation from the user
  FAILED     aws-cloudfront/test/integ.cloudfront-waf-protection-integ-cloudfront-waf-protection-test/DefaultTest (undefined/us-east-1) 646.313s
      Integration test failed: Error: Command exited with status 1

Seems like integration test unstable recently. The configuration rules are verified in unit test

aws-cdk/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts

Lines 1399 to 1466 in cfbf565

	Template.fromStack(stack).hasResourceProperties('AWS::WAFv2::WebACL', Match.objectLike({
	Name: nameMatcher,
	DefaultAction: {
	Allow: {},
	},
	Scope: 'CLOUDFRONT',
	VisibilityConfig: {
	CloudWatchMetricsEnabled: true,
	MetricName: nameMatcher,
	SampledRequestsEnabled: true,
	},
	Rules: [
	{
	Name: 'AWS-AWSManagedRulesAmazonIpReputationList',
	Priority: 0,
	Statement: {
	ManagedRuleGroupStatement: {
	VendorName: 'AWS',
	Name: 'AWSManagedRulesAmazonIpReputationList',
	},
	},
	OverrideAction: {
	None: {},
	},
	VisibilityConfig: {
	SampledRequestsEnabled: true,
	CloudWatchMetricsEnabled: true,
	MetricName: 'AWS-AWSManagedRulesAmazonIpReputationList',
	},
	},
	{
	Name: 'AWS-AWSManagedRulesCommonRuleSet',
	Priority: 1,
	Statement: {
	ManagedRuleGroupStatement: {
	VendorName: 'AWS',
	Name: 'AWSManagedRulesCommonRuleSet',
	},
	},
	OverrideAction: {
	None: {},
	},
	VisibilityConfig: {
	SampledRequestsEnabled: true,
	CloudWatchMetricsEnabled: true,
	MetricName: 'AWS-AWSManagedRulesCommonRuleSet',
	},
	},
	{
	Name: 'AWS-AWSManagedRulesKnownBadInputsRuleSet',
	Priority: 2,
	Statement: {
	ManagedRuleGroupStatement: {
	VendorName: 'AWS',
	Name: 'AWSManagedRulesKnownBadInputsRuleSet',
	},
	},
	OverrideAction: {
	None: {},
	},
	VisibilityConfig: {
	SampledRequestsEnabled: true,
	CloudWatchMetricsEnabled: true,
	MetricName: 'AWS-AWSManagedRulesKnownBadInputsRuleSet',
	},
	},
	],
	}));

If we also need it in integration test, may take some time to find whats wrong here.

[phuhung273]

Found the workaround, integration assertion added.

[phuhung273]

The thing is, the salt keep changing every time. So integration test always fails... diffAssets: false doesn't work

Pull request has been modified.

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.21%. Comparing base (6df9bfe) to head (cad27bf).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #32021   +/-   ##
=======================================
  Coverage   82.21%   82.21%           
=======================================
  Files         119      119           
  Lines        6876     6876           
  Branches     1162     1162           
=======================================
  Hits         5653     5653           
  Misses       1120     1120           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.21% <ø> (ø)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: cad27bf
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository