[英]How to get the CloudFront distribution ARN in a CloudFormation stack for WebACLAssociation?
I've setup a CloudFront distribution in CloudFormation and I'm building an AWS WAF ACL to act as a firewall for it.我已经在 CloudFormation 中设置了一个 CloudFront 分布,并且我正在构建一个 AWS WAF ACL 来充当它的防火墙。 To associate the ACL to the CloudFront distribution, I've added a
AWS::WAFv2::WebACLAssociation
entry which requires the ARN of the CloudFront distribution for the ResourceArn
entry.为了将 ACL 关联到 CloudFront 分配,我添加了一个
AWS::WAFv2::WebACLAssociation
条目,该条目需要 CloudFront 分配的 ARN 作为ResourceArn
条目。 However, I can't seem to find out how to get the CloudFront distribution ARN from the official documentation .但是,我似乎无法从官方文档中找到如何获取 CloudFront 分发 ARN。 I thought I could use
!Ref
however it used the CloudFront ID as per the documentation instead of the ARN.我以为我可以使用
!Ref
但是它根据文档使用 CloudFront ID 而不是 ARN。
How do I reference the CloudFront distribution ARN from the WebACLAssociation entry?如何从 WebACLAssociation 条目引用 CloudFront 分配 ARN?
Example below (other resources omitted for brevity):下面的示例(为简洁起见省略了其他资源):
---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFront
Parameters:
# ...
CloudFront:
Type: AWS::CloudFront::Distribution
DependsOn:
- IssuedCertificate
- S3Bucket
Properties:
DistributionConfig:
Origins:
- DomainName: !Sub
- ${S3Bucket}.${S3WebEndpoint}
- {
S3Bucket: !Ref S3Bucket,
S3WebEndpoint:
!FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
}
Id: S3origin
CustomOriginConfig:
OriginProtocolPolicy: http-only
Enabled: "true"
Comment: !Sub Distribution for ${DomainName}
HttpVersion: http2
Aliases:
- !Ref DomainName
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: S3origin
Compress: True
DefaultTTL: 604800
ForwardedValues:
QueryString: "false"
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
PriceClass: PriceClass_100
ViewerCertificate:
AcmCertificateArn: !Ref Certificate
SslSupportMethod: sni-only
# ...
AWSWAF:
Type: AWS::WAFv2::WebACL
Properties:
Name: allowlist
Description: Allowlist
Scope: CLOUDFRONT
DefaultAction:
Block: {}
Rules:
- Name: ipset-rule
Priority: 0
Action:
Allow: {}
Statement:
IPSetReferenceStatement:
Arn: # <ARN>
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: ipset-metrics
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: allowlist-metrics
AWSWAFAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn: !Ref CloudFront
WebACLArn: !Ref AWSWAF
There is no direct Attribute for the same but you can construct it:没有相同的直接属性,但您可以构造它:
arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFront}
Turns out I had been approaching the problem wrong all along.事实证明,我一直以来都在错误地解决问题。 Diving into the docs, I found that AWS details how to deploy an ACL for a CloudFront distribution here under the ResouceArn entry .
深入研究文档,我发现 AWS 在此处的 ResouceArn 条目下详细说明了如何为 CloudFront 分发部署 ACL。
To fix this issue, all I had to do was add the following to the CloudFront distribution DistributionConfig
and remove the WebACLAssociation
entry:要解决此问题,我所要做的就是将以下内容添加到 CloudFront 分发
DistributionConfig
并删除WebACLAssociation
条目:
WebACLId: !GetAtt AWSWAF.Arn
So the final CloudFront entry looked like this:因此,最终的 CloudFront 条目如下所示:
CloudFront:
Type: AWS::CloudFront::Distribution
DependsOn:
- IssuedCertificate
- S3Bucket
Properties:
DistributionConfig:
Origins:
- DomainName: !Sub
- ${S3Bucket}.${S3WebEndpoint}
- {
S3Bucket: !Ref S3Bucket,
S3WebEndpoint:
!FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
}
Id: S3origin
CustomOriginConfig:
OriginProtocolPolicy: http-only
Enabled: "true"
Comment: !Sub Distribution for ${DomainName}
HttpVersion: http2
Aliases:
- !Ref DomainName
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: S3origin
Compress: True
DefaultTTL: 604800
ForwardedValues:
QueryString: "false"
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
PriceClass: PriceClass_100
ViewerCertificate:
AcmCertificateArn: !Ref Certificate
SslSupportMethod: sni-only
WebACLId: !GetAtt AWSWAF.Arn
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.