Home > Net >  How to get the CloudFront distribution ARN in a CloudFormation stack for WebACLAssociation?
How to get the CloudFront distribution ARN in a CloudFormation stack for WebACLAssociation?

Time:04-27

I've setup a CloudFront distribution in CloudFormation and I'm building an AWS WAF ACL to act as a firewall for it. To associate the ACL to the CloudFront distribution, I've added a AWS::WAFv2::WebACLAssociation entry which requires the ARN of the CloudFront distribution for the ResourceArn entry. However, I can't seem to find out how to get the CloudFront distribution ARN from the official documentation. I thought I could use !Ref however it used the CloudFront ID as per the documentation instead of the ARN.

How do I reference the CloudFront distribution ARN from the WebACLAssociation entry?

Example below (other resources omitted for brevity):

---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFront

Parameters:
  # ...
  CloudFront:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - IssuedCertificate
      - S3Bucket
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !Sub
              - ${S3Bucket}.${S3WebEndpoint}
              - {
                  S3Bucket: !Ref S3Bucket,
                  S3WebEndpoint:
                    !FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
                }
            Id: S3origin
            CustomOriginConfig:
              OriginProtocolPolicy: http-only
        Enabled: "true"
        Comment: !Sub Distribution for ${DomainName}
        HttpVersion: http2
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3origin
          Compress: True
          DefaultTTL: 604800
          ForwardedValues:
            QueryString: "false"
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref Certificate
          SslSupportMethod: sni-only
  # ...
  AWSWAF:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: allowlist
      Description: Allowlist
      Scope: CLOUDFRONT
      DefaultAction:
        Block: {}
      Rules:
        - Name: ipset-rule
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: # <ARN>
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: ipset-metrics
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: allowlist-metrics

  AWSWAFAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref CloudFront
      WebACLArn: !Ref AWSWAF

CodePudding user response:

There is no direct Attribute for the same but you can construct it:

arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFront}

CodePudding user response:

Turns out I had been approaching the problem wrong all along. Diving into the docs, I found that AWS details how to deploy an ACL for a CloudFront distribution here under the ResouceArn entry.

To fix this issue, all I had to do was add the following to the CloudFront distribution DistributionConfig and remove the WebACLAssociation entry:

WebACLId: !GetAtt AWSWAF.Arn

So the final CloudFront entry looked like this:

  CloudFront:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - IssuedCertificate
      - S3Bucket
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !Sub
              - ${S3Bucket}.${S3WebEndpoint}
              - {
                  S3Bucket: !Ref S3Bucket,
                  S3WebEndpoint:
                    !FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
                }
            Id: S3origin
            CustomOriginConfig:
              OriginProtocolPolicy: http-only
        Enabled: "true"
        Comment: !Sub Distribution for ${DomainName}
        HttpVersion: http2
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3origin
          Compress: True
          DefaultTTL: 604800
          ForwardedValues:
            QueryString: "false"
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref Certificate
          SslSupportMethod: sni-only
        WebACLId: !GetAtt AWSWAF.Arn
  • Related