I'm submitting a ...
What is the current behavior?
I am unable to find the option to set the webAcl of a stage of an api-gateway
What is the expected behavior (or behavior of feature suggested)?
I am able to set the webAcl of a stage of an api-gateway
What is the motivation / use case for changing the behavior or adding this feature?
It is important to be able to set the web acl of an api-gateway
Please tell us about your environment:
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)
I cannot seem to find the option to set the webAcl through aws-cdk of a stage of an api-gateway. This is how it looks like in the aws apigateway console

I've looked through these files.
https://github.com/aws/aws-cdk/blob/4a0272db5eb9aae5f440bb0813fdbad6514b60c3/packages/%40aws-cdk/aws-apigateway/lib/stage.ts
My current relevant code:
new apigateway.LambdaRestApi(this, `${name}-LambdaRpcGateway`, {
  handler: lambdaFunc,
});
Looks like this is indeed a gap! Thank you for reporting it
Hi @seanyu4296 -
It looks like we don't yet have support for this attribute in CloudFormation resource type AWS::ApiGateway::Stage.
You can find the CloudFormation's coverage roadmap here - https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap. If they haven't already, feel free to open an issue for CloudFormation to add this attribute to their resource type.
Once that's in place, you can immediately start using this in CDK via the escape hatches, until we cover up this gap in our APIGateway higher level construct support.
okay got it! Thanks @nija-at
I tried using the AWS::WAFRegional::WebACLAssociation cloudformation resource as suggested by the thread in cloudformation issue. I ended up finding this method https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-wafregional.CfnWebACLAssociation.html in @aws-cdk/waf-regional module, but I couldn't tie in the apigateway rest api as the resource arn with the webAcl, since getting the resourceArn for the api gateway rest api returns a cdk.Token which I tried to evaluate during cdk deploy through using Token.asString.
Here is a snippet of the code.
const gateway: apigateway.RestApi = new apigateway.LambdaRestApi(
  this,
  `${name}-Gateway`,
  {
    ...props,
  }
);
// Current Problem: gateway.restApiId is not evaluated as string during cdk deploy
new wafR.CfnWebACLAssociation(this, 'WAFFirewall', {
  webAclId: 'some-id-here',
  resourceArn: `arn:aws:apigateway:ap-southeast-1::/restapis/${Token.asString(gateway.restApiId)}/stages/prod`,
});
Do you guys have any suggestions to make this work properly? @NGL321 @nija-at
Apologies for the delayed response.
@seanyu4296 - Don't try to process any generated tokens in your cdk code. Use it as if it returned the resolved value (in this case, the restApiId).
cdk's synthesis will automatically detect tokens embedded within strings and resolve them.
You should be able to simply do
new wafR.CfnWebACLAssociation(this, 'WAFFirewall', {
  webAclId: 'some-id-here',
  resourceArn: `arn:aws:apigateway:ap-southeast-1::/restapis/${gateway.restApiId}/stages/prod`,
});
Can you do this and check the output template that you can find in the cdk.out/ folder? The resourceArn attribute should be set as expected.
Closing this issue since there hasn't been a response in a while and until Cloudformation implements this attribute there aren't actionable steps for the CDK.
Hi, just adding this just in case someone comes across this thread:
If you use WAFv2, don't try to use wafregional's CfnWebACLAssociation as proposed above: this won't work.
You have to use wafv2 equivalent:
import { CfnWebACLAssociation } from '@aws-cdk/aws-wafv2'
...
new CfnWebACLAssociation(this, 'WebACLAssoc', {
  webAclArn: props.webACLArn,
  resourceArn: `arn:aws:apigateway:eu-west-1::/restapis/${props.restApiId}/stages/${stageName}`
})
...
This did the job for me.
Hope this can save some time to other ppl ;)
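Following the advice in this thread to check the template in cdk.out/, here is an added example (not code from the thread or from the CDK project) that lists the AWS::ApiGateway::Stage resources in a synthesized template that no WAF WebACLAssociation points at. The function names, the Fn::Join/Ref shape assumed for the embedded restApiId token, and the inline sample template are assumptions constructed for illustration.

```typescript
// Added example: audit a synthesized template (cdk.out/*.template.json).
type Res = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Res> };
const ASSOC_TYPES = new Set([
  "AWS::WAFRegional::WebACLAssociation",
  "AWS::WAFv2::WebACLAssociation",
]);

// Render a CloudFormation value as text, writing {Ref: X} as "${X}".
function flatten(v: any): string {
  if (typeof v === "string") return v;
  if (v && typeof v.Ref === "string") return "${" + v.Ref + "}";
  if (v && Array.isArray(v["Fn::Join"])) {
    const [sep, parts] = v["Fn::Join"];
    return parts.map((p: any) => flatten(p)).join(sep);
  }
  return "<unresolved>";
}

// Logical IDs of API Gateway stages that no WebACLAssociation points at.
function stagesWithoutWebAcl(t: Template): string[] {
  const covered = new Set<string>();
  for (const r of Object.values(t.Resources)) {
    if (!ASSOC_TYPES.has(r.Type)) continue;
    const arn = flatten(r.Properties?.ResourceArn);
    const m = /::\/restapis\/(.+?)\/stages\/(.+)$/.exec(arn);
    if (m) covered.add(m[1] + "/" + m[2]);
  }
  return Object.entries(t.Resources)
    .filter(([, r]) => r.Type === "AWS::ApiGateway::Stage")
    .filter(([id, r]) => {
      const api = flatten(r.Properties?.RestApiId);
      // The ARN may name the stage literally or via a Ref to the Stage resource.
      const names = [flatten(r.Properties?.StageName), "${" + id + "}"];
      return !names.some((n) => covered.has(api + "/" + n));
    })
    .map(([id]) => id);
}

// Constructed sample: two stages on one API, only "prod" has an association.
const sample: Template = { Resources: {
  Api: { Type: "AWS::ApiGateway::RestApi" },
  Prod: { Type: "AWS::ApiGateway::Stage", Properties: { RestApiId: { Ref: "Api" }, StageName: "prod" } },
  Dev: { Type: "AWS::ApiGateway::Stage", Properties: { RestApiId: { Ref: "Api" }, StageName: "dev" } },
  Assoc: { Type: "AWS::WAFv2::WebACLAssociation", Properties: {
    ResourceArn: { "Fn::Join": ["", ["arn:aws:apigateway:eu-west-1::/restapis/", { Ref: "Api" }, "/stages/prod"]] },
  } },
} };
console.log(stagesWithoutWebAcl(sample));
```

To use it on a real stack, pass the parsed contents of the stack's template file from cdk.out/ instead of the constructed sample.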