feat(cloudfront): support WAF security protections

[phuhung273]

Issue # (if applicable)

Closes #31737

Reason for this change

• Support WAF one-click security protections

Description of changes

• Add enableWafCoreProtections boolean to use default WAF security option

Description of how you validated changes

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[gshpychka]

Doesn't the WebACL have to be deployed in us-east-1?

[phuhung273]

Doesn't the WebACL have to be deployed in us-east-1?

Yes of course for CloudFront. According to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html

[gshpychka]

So what happens if the distribution isn't in us-east-1?

[phuhung273]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

[gshpychka]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

[phuhung273]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

[gshpychka]

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

[phuhung273]

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

No, the CfnWebACL wont fail. With scope=CloudFront, it goes to Global. We can check it at WAF > WebACLs

[phuhung273]

@gshpychka youre rite, lemme have a test deploying entire stack to another region

[phuhung273]

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

Thanks so much for pointing that out. You're absolutely right. Confirm that enableWafCoreProtections fail to deploy if used outside of us-east-1 .

Looking through Issues, found this similar one #6242.

Added validation to ensure new flag cannot be used outside us-east-1

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: dce811a
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[phuhung273]

Hi all, I've found a similar implementation for creating a cloufront WebAcl #10500 which satisfy 2 requirements:

• WebAcl always in us-east-1 regardless of stack's region
• Doesn't have integration salt issue mentioned in https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/adr/cross-region-stack-references.md

Although we can replicate the same, I think better to finish off #17749 and reuse WebAcl L2 Contruct here.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.