Cloudfront exports Domain name only - Need ARN

[afgallo]

After having reviewed the Copilot source code and deploying a test application, it seems Copilot exports the CloudFrontDomainName only. I'd like to attach a WAF to my Cloudfront instance through an env add-on. This add-on will need the CloudFront ARN as per https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html. How can I achieve this or can Copilot export what I need in a future release please?

---

UPDATE:

I've just realised this isn't the right way to attach a WAF to Cloudfront:

For Amazon CloudFront, don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the AWS::WAFv2::WebACL to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see AWS::CloudFront::Distribution.

What would be the right way to attach a WAF to Cloudfront (Load Balanced Web Service) using AWS Copilot?

[bvtujo]

hmm, this looks like a case for Environment overrides and addons.

That is, you'll need to define your WebACL in an addons stack in the environment, then amend the AWS::CloudFront::Distribution resource with copilot env override to include the ARN of the web ACL, through a Fn::GetAtt intrinsic.

This is getting a little complicated, so I'll give some partially filled examples. you'll want to configure your web ACL however you like; I've left the properties unfilled.

so, as far as I can tell, you'll need to set up the following env addons stack:

Parameters:
  App:
    Type: string
  Env:
    Type: string
Resources:
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties: 
      CaptchaConfig: 
        CaptchaConfig
      ChallengeConfig: 
        ChallengeConfig
      CustomResponseBodies: 
        Key: Value
      DefaultAction: 
        DefaultAction
      Description: String
      Name: String
      Rules: 
        - Rule
      Scope: String
      Tags: 
        - Tag
      TokenDomains: 
        - String
      VisibilityConfig: 
        VisibilityConfig
Outputs:
  WebACLArn:
    Value: !GetAtt WebACL.Arn

Then, you'll want to run copilot env override --tool yamlpatch. This will create a new file, copilot/environments/envname/overrides.yaml. You'll want to add the following patch.

- op: add
  path: /Resources/CloudFrontDistribution/Properties/DistributionConfig/WebACLId
  value: 
    Fn::GetAtt:
      - AddonsStack
      - Outputs.WebACLArn

This should wire everything up correctly. the addons stack will get created before the CDN, and it will refer to the Outputs section of the addons stack.

I referred to the following resources for this answer:

• Dealing with outputs in nested stacks
• Web ACL CFN Return values
• CloudFront WebACLId property description

[afgallo]

Thanks @bvtujo! This is looking very promising. After giving your suggestion a go, I got the following error:

Resource handler returned message: "Error reason: The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT (Service: Wafv2, Status Code: 400, Request ID: 9966d582-9391-46ac-9e00-a2e16ab9f688)" (RequestToken: dd8ad57d-eb6e-442a-b8d6-5c3ebea7da07, HandlerErrorCode: InvalidRequest)

I Googled this error a bit and it seems to be related to resources being created outside of the region us-east-1. My stack is deployed to a different region indeed (FYI I am updating an existing env and trying to add WAF now).

Where to go from here (see below some info that might help you help me 😄 )?

environments/development/manifest.yml

name: development
type: Environment

network:
  vpc:
    id: vpc-x
    subnets:
      public:
        - id: subnet-a
        - id: subnet-b
        - id: subnet-c
      private:
        - id: subnet-d
        - id: subnet-e
        - id: subnet-f

cdn:
  terminate_tls: true

http:
  public:
    ingress:
      cdn: true

# Configure observability for your environment resources.
observability:
  container_insights: true

environments/overrides/cfn.patches.yml

- op: add
  path: /Resources/CloudFrontDistribution/Properties/DistributionConfig/WebACLId
  value:
    Fn::GetAtt:
      - AddonsStack
      - Outputs.WebACLArn

api/manifest.yml

name: api
type: Load Balanced Web Service

http:
  stickiness: false
  redirect_to_https: false
  path: '/'
  healthcheck:
    path: '/hc'
    success_codes: '200'
    healthy_threshold: 3
    unhealthy_threshold: 3
    interval: 10s
    timeout: 3s

image:
  build: Dockerfile
  port: 3001
  healthcheck:
    command: ['CMD-SHELL', 'curl -f http://localhost:3001/hc || exit 1']
    interval: 5s
    retries: 2
    timeout: 5s
    start_period: 0s

cpu: 256
memory: 512
platform: linux/x86_64
count: 1
exec: true

network:
  connect: true
  vpc:
    placement: 'private'

variables:
  ...

secrets:
 ...

[iamhopaul123]

Hello @afgallo. It's probably because the WebACL you specified was not in us-east-1 required by CloudFront. At this point, I think we can either 1) In env addons stack create a custom resource which calls WAF API to create it in us-east-1 and use its ARN as the physical ID 2) create the WAF in us-east-1 before env deployment.

For option 1, we have very similar scenario where we need to replicate an ACM certificate to us-east-1.

• How we refer to the ARN in CF distribution: https://github.com/aws/copilot-cli/blob/mainline/internal/pkg/template/templates/environment/partials/cdn-resources.yml#L124
• How we implement the custom resource: https://github.com/aws/copilot-cli/blob/mainline/cf-custom-resources/lib/cert-replicator.js

Please let me know if anything is still unclear to you. I would agree that Copilot native implementation will help quite a lot for this undifferentiated heavy-lifting.

[afgallo]

Thanks @iamhopaul123 for explaining this issue further. I think it is indeed undifferentiated heavy-lifting and hopefully Copilot will address this soon. I think this is becoming a little too complex and although I would love to have all my deployment needs centralised and managed within Copilot, I guess I will go with option 2 with a separate ClouFormation stack.

[afgallo]

Just reporting back, the approach to create a WAF manually and then patch my Copilot env has worked nicely for a single env. I do have a question, though. My environments are logically separated by different AWS accounts which means I'll deploy a different WAF with different settings to different environments.

How can I achieve the desired outcome @iamhopaul123 @bvtujo ? This is what I've tried without any luck:

- op: add
  path: /Mappings
  value:
    WAFMap:
      development:
        WAFArn: 'replace_me'
      staging:
        WAFArn: 'replace_me'
      production:
        WAFArn: 'replace_me'

- op: add
  path: /Resources/CloudFrontDistribution/Properties/DistributionConfig/WebACLId
  value: !FindInMap [WAFMap, !Ref Env, WAFArn]

ValidationError: Template format error: Unresolved resource dependencies [Env] in the Resources block of the template

[iamhopaul123]

Hello @afgallo. That should be an easy fix: seems like you just need to use !Ref EnvironmentName instead of !Ref Env because that's the real parameter name.