Minor modification to make sure wafs stay linked to CF (#896)

* Minor modification to make sure wafs stay linked to CF * testfixing
run-x · May 24, 2022 · 249887d · 249887d
1 parent 213ba4d
commit 249887d
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 0 deletions.
diff --git a/modules/cloudfront_distribution/cloudfront-distribution.json b/modules/cloudfront_distribution/cloudfront-distribution.json
@@ -22,6 +22,10 @@
       "type": "string",
       "description": "The name of the existing s3 object in your bucket which will serve as the 404 page."
     },
+    "web_acl_id": {
+      "type": "string",
+      "description": "The ID of the WAF ACL to add to cloudfront"
+    },
     "forward_https": {
       "type": "bool",
       "description": "Should cloudformation forward to https port 443 instead of http port 80?",

diff --git a/modules/cloudfront_distribution/cloudfront-distribution.md b/modules/cloudfront_distribution/cloudfront-distribution.md
@@ -53,6 +53,8 @@ modules:
   - type: k8s-base
     name: testbase
   - type: cloudfront-distribution
+    # Uncomment to add an AWS WAF to your cloudfront distribution
+    # web_acl_id: "your_web_acl_id_or_arn"
     links:
       - testbase
 ```
@@ -114,3 +116,7 @@ The initial configuration of the WAF allows all traffic:
 </a>
 
 Finally, please [configure AWS WAF rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) for your specific application protection needs.
+
+
+Lastly, make sure to pass your new WAF to Opta by setting the `web_acl_id` input (if you're using WAFv2
+set it to the arn of the ACL created, if you used AWS WAF Classic, then use the ACL ID).
diff --git a/modules/cloudfront_distribution/cloudfront-distribution.yaml b/modules/cloudfront_distribution/cloudfront-distribution.yaml
@@ -94,6 +94,11 @@ inputs:
     validator: str(required=False)
     description: ID of Route53 hosted zone to add a record for. By default uses the one created by the DNS module if the module is found.
     default: ""
+  - name: web_acl_id
+    user_facing: true
+    validator: str(required=False)
+    description: The ID of the WAF ACL to add to cloudfront
+    default: null
 extra_validators: { }
 outputs:
   - name: cloudfront_domain

diff --git a/modules/cloudfront_distribution/tf_module/main.tf b/modules/cloudfront_distribution/tf_module/main.tf
@@ -23,6 +23,7 @@ resource "aws_cloudfront_distribution" "distribution" {
   is_ipv6_enabled = true
   price_class     = var.price_class
   aliases         = var.acm_cert_arn == "" ? [] : concat(var.domains, formatlist("*.%s", var.domains))
+  web_acl_id      = var.web_acl_id
 
   dynamic "logging_config" {
     for_each = var.s3_log_bucket_name == null ? [] : [1]

diff --git a/modules/cloudfront_distribution/tf_module/variables.tf b/modules/cloudfront_distribution/tf_module/variables.tf
@@ -83,4 +83,8 @@ variable "enable_auto_dns" {
 
 variable "zone_id" {
   type = string
+}
+
+variable "web_acl_id" {
+  type = string
 }