chore(cloudfront): prevent WebACL from being created in regions other than us-east-1 #32252
Conversation
github-actions
bot
added
the
repeat-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
| if (webAclId.startsWith('arn:')) { | ||
| const arnParts = Stack.of(this).splitArn(webAclId, ArnFormat.SLASH_RESOURCE_NAME); | ||
| if (!Token.isUnresolved(arnParts.region) && arnParts.region !== 'us-east-1') { | ||
| throw new Error(`WebACL for CloudFront distributions must be created in the us-east-1 region; received ${arnParts.region}`); | ||
| } | ||
| } |
There was a problem hiding this comment.
If a Web ACL created using AWS WAF Classic is specified, this validation will not be performed because the ACL ID received is not arn.
ren-yamanashi
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #32252 +/- ##
=======================================
Coverage 77.46% 77.46%
=======================================
Files 105 105
Lines 7168 7168
Branches 1314 1314
=======================================
Hits 5553 5553
Misses 1433 1433
Partials 182 182
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
Exemption Request Because this MR does not have any modifications that would change the existing snapshot test, |
aws-cdk-automation
added
the
pr-linter/exemption-requested
aws-cdk-automation
added
the
pr/needs-community-review
…ate-cloud-front-waf-region
ren-yamanashi
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| * @param webAclId The WAF WebACL to associate with this distribution | ||
| */ | ||
| public attachWebAclId(webAclId: string) { | ||
| if (this.webAclId) { | ||
| throw new Error('A WebACL has already been attached to this distribution'); | ||
| } | ||
| if (webAclId.startsWith('arn:')) { |
There was a problem hiding this comment.
Isn't this validation also necessary in the place where the webacl props is being passed?
…ate-cloud-front-waf-region
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
pr/needs-maintainer-review
Reason for this change
When attaching a WebACL to CloudFront Distribution, the region must be
us-east-1, but no validation was done.see: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html
Description of changes
Add validation to the
attachWebAclIdmethod of CloudFront DistributionDescription of how you validated changes
Unit and integ testing
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license