[英]How to get the CloudFront distribution ARN in a CloudFormation stack for WebACLAssociation?
我已经在 CloudFormation 中设置了一个 CloudFront 分布,并且我正在构建一个 AWS WAF ACL 来充当它的防火墙。 为了将 ACL 关联到 CloudFront 分配,我添加了一个AWS::WAFv2::WebACLAssociation条目,该条目需要 CloudFront 分配的 ARN 作为ResourceArn条目。 但是,我似乎无法从官方文档中找到如何获取 CloudFront 分发 ARN。 我以为我可以使用!Ref但是它根据文档使用 CloudFront ID 而不是 ARN。
如何从 WebACLAssociation 条目引用 CloudFront 分配 ARN?
下面的示例(为简洁起见省略了其他资源):
---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFront
Parameters:
# ...
CloudFront:
Type: AWS::CloudFront::Distribution
DependsOn:
- IssuedCertificate
- S3Bucket
Properties:
DistributionConfig:
Origins:
- DomainName: !Sub
- ${S3Bucket}.${S3WebEndpoint}
- {
S3Bucket: !Ref S3Bucket,
S3WebEndpoint:
!FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
}
Id: S3origin
CustomOriginConfig:
OriginProtocolPolicy: http-only
Enabled: "true"
Comment: !Sub Distribution for ${DomainName}
HttpVersion: http2
Aliases:
- !Ref DomainName
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: S3origin
Compress: True
DefaultTTL: 604800
ForwardedValues:
QueryString: "false"
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
PriceClass: PriceClass_100
ViewerCertificate:
AcmCertificateArn: !Ref Certificate
SslSupportMethod: sni-only
# ...
AWSWAF:
Type: AWS::WAFv2::WebACL
Properties:
Name: allowlist
Description: Allowlist
Scope: CLOUDFRONT
DefaultAction:
Block: {}
Rules:
- Name: ipset-rule
Priority: 0
Action:
Allow: {}
Statement:
IPSetReferenceStatement:
Arn: # <ARN>
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: ipset-metrics
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: allowlist-metrics
AWSWAFAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn: !Ref CloudFront
WebACLArn: !Ref AWSWAF
没有相同的直接属性,但您可以构造它:
arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFront}
事实证明,我一直以来都在错误地解决问题。 深入研究文档,我发现 AWS 在此处的 ResouceArn 条目下详细说明了如何为 CloudFront 分发部署 ACL。
要解决此问题,我所要做的就是将以下内容添加到 CloudFront 分发DistributionConfig并删除WebACLAssociation条目:
WebACLId: !GetAtt AWSWAF.Arn
因此,最终的 CloudFront 条目如下所示:
CloudFront:
Type: AWS::CloudFront::Distribution
DependsOn:
- IssuedCertificate
- S3Bucket
Properties:
DistributionConfig:
Origins:
- DomainName: !Sub
- ${S3Bucket}.${S3WebEndpoint}
- {
S3Bucket: !Ref S3Bucket,
S3WebEndpoint:
!FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
}
Id: S3origin
CustomOriginConfig:
OriginProtocolPolicy: http-only
Enabled: "true"
Comment: !Sub Distribution for ${DomainName}
HttpVersion: http2
Aliases:
- !Ref DomainName
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: S3origin
Compress: True
DefaultTTL: 604800
ForwardedValues:
QueryString: "false"
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
PriceClass: PriceClass_100
ViewerCertificate:
AcmCertificateArn: !Ref Certificate
SslSupportMethod: sni-only
WebACLId: !GetAtt AWSWAF.Arn
如何获取新创建的 aws_cloudformation_stack 的 arn terraform
[英]How to get the arn of a newly created aws_cloudformation_stack terraform
CloudFormation 中应用程序负载均衡器的 AWS::WAFv2::WebACLAssociation ResourceArn
[英]AWS::WAFv2::WebACLAssociation ResourceArn for Application Load Balancer in CloudFormation
如何在 cloudformation 策略文档中引用资源 ARN? (山药)
[英]How to reference a resource ARN in a cloudformation policy document ? (yaml)
AWS::WAFv2::LoggingConfiguration 在使用 Cloudformation 创建堆栈时遇到无效的 ARN
[英]AWS::WAFv2::LoggingConfiguration encounter invalid ARN when creating stack with Cloudformation
如何从 CloudFormation 模板启用/禁用 Cloudfront 日志记录?
[英]How to enable/disable Cloudfront logging from CloudFormation template?
如何在另一个堆栈参数中导入 cloudformation 堆栈 output?
[英]How to import cloudformation stack output inside another stack parameter?
如何使用 route 53、cloudfront distribution 和 elastic beanstalk 修复 504 ERROR
[英]How to fix 504 ERROR with route 53, cloudfront distribution and elastic beanstalk
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.