I have a requirement that my app cannot be accessible to the public. Is there support for attaching generated load balancers to a WAF or locking down the services somehow? I'm worried that if I edit the generated network resources to lock down to certain IP ranges, etc. that it will be overwritten when I redeploy.
Hiya! I'll check more about WAF specifically tomorrow - but we do allow you to gate Load Balancer access via IP ranges:
https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#http-allowed-source-ips
Hi @mikelhamer ! We'll close the issue for now but feel free to re-open it if the allowed_source_ips property doesn't help address your need
Opening this because I cannot have the list of allowed IPs in source control like this. They need to be able to live inside AWS infrastructure if possible. Any ideas?
@efekarakus looks like I don't actually have the ability to re-open myself
Hi @mikelhamer ! I re-opened the issue.
One alternative might be to use an nginx sidecar: https://aws.github.io/copilot-cli/docs/developing/sidecars/ to set up a list of allowed IP addresses (https://help.dreamhost.com/hc/en-us/articles/216456127-Blocking-IPs-with-Nginx)
The list can be securely stored in SSM and injected as an environment variable using the secrets field that's available under sidecars.
```yaml
http:
  path: '/'
  target_container: 'nginx'
sidecars:
  nginx:
    port: 80
    image: 1234567890.dkr.ecr.us-west-2.amazonaws.com/reverse-proxy:revision_1
    secrets:
      ALLOW_LIST: '<ssm parameter name>'
```
@efekarakus somehow just now seeing this. Thanks for the suggestion!
I also have a need to support AWS WAF. In my case, the need is to be able to use Web ACLs. I thought I could use Copilot's support for Additional AWS Resources, but I don't think I can. The ACL association requires the ARN of a load balancer. This is from the CloudFormation docs:
```yaml
Resources:
  SampleWebACLAssociation:
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebACLArn: ExampleARNForWebACL
      ResourceArn: ExampleARNForRegionalResource
```
I don't see a way to reference the load balancer's ARN from the CloudFormation template. Is there a way to do this that I'm not seeing?
For folks that need to support AWS WAF and have trouble attaching the load balancers, here is a snippet that may help!
```yaml
Resources:
  SampleWebACLAssociation:
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebACLArn: ExampleARNForWebACL
      ResourceArn: !Sub
        - 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/${ExportedLBFullName}'
        - { ExportedLBFullName: { 'Fn::ImportValue': !Sub '${App}-${Env}-PublicLoadBalancerFullName' } }
```
The idea is to use the PublicLoadBalancerFullName from our environment stack's output to reconstruct the load balancer's ARN.