How do I get the CloudFront distribution ARN for a WebACLAssociation in a CloudFormation stack?

Posted 2025-01-23 20:41:37

I've set up a CloudFront distribution in CloudFormation and I'm building an AWS WAF ACL to act as a firewall for it. To associate the ACL with the CloudFront distribution, I've added an AWS::WAFv2::WebACLAssociation entry, which requires the ARN of the CloudFront distribution for the ResourceArn entry. However, I can't seem to find out how to get the CloudFront distribution ARN from the official documentation. I thought I could use !Ref; however, as per the documentation, it returns the CloudFront ID instead of the ARN.

How do I reference the CloudFront distribution ARN from the WebACLAssociation entry?

Example below (other resources omitted for brevity):

---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFront

Parameters:
  # ...

Resources:
  # ...
  CloudFront:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - IssuedCertificate
      - S3Bucket
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !Sub
              - ${S3Bucket}.${S3WebEndpoint}
              - {
                  S3Bucket: !Ref S3Bucket,
                  S3WebEndpoint:
                    !FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
                }
            Id: S3origin
            CustomOriginConfig:
              OriginProtocolPolicy: http-only
        Enabled: "true"
        Comment: !Sub Distribution for ${DomainName}
        HttpVersion: http2
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3origin
          Compress: True
          DefaultTTL: 604800
          ForwardedValues:
            QueryString: "false"
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref Certificate
          SslSupportMethod: sni-only
  # ...
  AWSWAF:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: allowlist
      Description: Allowlist
      Scope: CLOUDFRONT
      DefaultAction:
        Block: {}
      Rules:
        - Name: ipset-rule
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: # <ARN>
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: ipset-metrics
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: allowlist-metrics

  AWSWAFAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref CloudFront
      WebACLArn: !Ref AWSWAF


Comments (2)

枫林﹌晚霞¤ 2025-01-30 20:41:37

There is no direct Attribute for the same but you can construct it:

arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFront}

药祭#氼 2025-01-30 20:41:37

Turns out I had been approaching the problem wrong all along. Diving into the docs, I found that AWS details how to deploy an ACL for a CloudFront distribution here under the ResourceArn entry.

To fix this issue, all I had to do was add the following to the CloudFront distribution DistributionConfig and remove the WebACLAssociation entry:

WebACLId: !GetAtt AWSWAF.Arn

So the final CloudFront entry looked like this:

  CloudFront:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - IssuedCertificate
      - S3Bucket
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !Sub
              - ${S3Bucket}.${S3WebEndpoint}
              - {
                  S3Bucket: !Ref S3Bucket,
                  S3WebEndpoint:
                    !FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
                }
            Id: S3origin
            CustomOriginConfig:
              OriginProtocolPolicy: http-only
        Enabled: "true"
        Comment: !Sub Distribution for ${DomainName}
        HttpVersion: http2
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3origin
          Compress: True
          DefaultTTL: 604800
          ForwardedValues:
            QueryString: "false"
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref Certificate
          SslSupportMethod: sni-only
        WebACLId: !GetAtt AWSWAF.Arn
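As an added example that is not part of either answer, here is a small Python lint that applies the two points made in this thread to a parsed template: !Ref on a distribution yields its ID rather than an ARN, and a CLOUDFRONT-scoped WebACL is attached through DistributionConfig.WebACLId with !GetAtt AWSWAF.Arn, not through a WebACLAssociation (which is for regional resources). Templates are represented as dicts in CloudFormation's JSON form, and the two sample templates below are constructed for the example.

```python
"""Lint a parsed CloudFormation template for how a CLOUDFRONT-scoped WAFv2 WebACL is
attached to a CloudFront distribution. Added example, not code from the post; templates
are dicts in CloudFormation's JSON form (what the YAML tags !Ref and !GetAtt expand to)."""


def _get_att(value):
    """Return (logical_id, attribute) if value is an Fn::GetAtt, else None."""
    att = value.get("Fn::GetAtt") if isinstance(value, dict) else None
    if isinstance(att, str):        # dotted short form "LogicalId.Attr"
        att = att.split(".", 1)
    return tuple(att) if att else None


def check_waf_attachment(template):
    """Return a list of findings; an empty list means the ACL is attached correctly."""
    findings, res = [], template.get("Resources", {})
    acls = [n for n, r in res.items() if r.get("Type") == "AWS::WAFv2::WebACL"
            and r.get("Properties", {}).get("Scope") == "CLOUDFRONT"]
    dists = [n for n, r in res.items() if r.get("Type") == "AWS::CloudFront::Distribution"]
    for name, r in res.items():
        if r.get("Type") != "AWS::WAFv2::WebACLAssociation":
            continue
        props = r.get("Properties", {})
        acl_ref = props.get("WebACLArn")
        # WebACLAssociation only attaches to REGIONAL resources (ALB, API Gateway, ...)
        if any(acl_ref == {"Ref": a} or (_get_att(acl_ref) or ("",))[0] == a for a in acls):
            findings.append(f"{name}: a CLOUDFRONT-scoped ACL cannot be attached with "
                            "WebACLAssociation; set DistributionConfig.WebACLId instead")
        # !Ref on a distribution yields the distribution ID, never an ARN
        if any(props.get("ResourceArn") == {"Ref": d} for d in dists):
            findings.append(f"{name}: ResourceArn is !Ref of a distribution (an ID, not an ARN)")
    for name in dists:
        web_acl = res[name].get("Properties", {}).get("DistributionConfig", {}).get("WebACLId")
        ok = any(_get_att(web_acl) == (a, "Arn") for a in acls) or (
            isinstance(web_acl, str) and web_acl.startswith("arn:aws:wafv2:"))
        if web_acl is None:
            findings.append(f"{name}: no WebACLId set; the distribution is unprotected")
        elif not ok:
            findings.append(f"{name}: WebACLId must be the ACL ARN (!GetAtt <acl>.Arn)")
    return findings


# Constructed sample templates: the question's attempt and the accepted fix.
_ACL = {"Type": "AWS::WAFv2::WebACL", "Properties": {"Scope": "CLOUDFRONT"}}
_DIST = {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {}}}
BROKEN = {"Resources": {"AWSWAF": _ACL, "CloudFront": _DIST, "AWSWAFAssociation": {
    "Type": "AWS::WAFv2::WebACLAssociation",
    "Properties": {"ResourceArn": {"Ref": "CloudFront"}, "WebACLArn": {"Ref": "AWSWAF"}}}}}
FIXED = {"Resources": {"AWSWAF": _ACL, "CloudFront": {"Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {"WebACLId": {"Fn::GetAtt": ["AWSWAF", "Arn"]}}}}}}
```

Running check_waf_attachment(BROKEN) reports three findings (the association, the !Ref ResourceArn, and the unprotected distribution), while FIXED reports none.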