feat(aws-wafwebacl-cloudfront): created README for aws-wafwebacl-clou…

…dfront (#389) * created README for aws-wafwebacl-cloudfront * fixed cloudfront name * created aws-wafwebacl-cloudfront construct and tests * revert README changes in cloudfront constructs * updated variable name in wafwebacl-cloudfront-mediastore test * updated construct prop type to cloudfront.Distribution * updated s3 removal policy to destroy * delete trailing whitespace * Updated comment for existing cloudfront web distribution prop * delete trailing whitespace Co-authored-by: EC2 Default User <[email protected]> Co-authored-by: root <[email protected]>
awslabs · Sep 22, 2021 · bba361e · Samuelkwibe · Nov 17, 2021 · bba361e
1 parent 585a742
commit bba361e
Show file tree

Hide file tree

Showing 17 changed files with 3,753 additions and 0 deletions.
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/.eslintignore b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/.eslintignore
@@ -0,0 +1,5 @@
+lib/*.js
+test/*.js
+*.d.ts
+coverage
+test/lambda/index.js
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/.gitignore b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/.gitignore
@@ -0,0 +1,15 @@
+lib/*.js
+test/*.js
+*.js.map
+*.d.ts
+node_modules
+*.generated.ts
+dist
+.jsii
+
+.LAST_BUILD
+.nyc_output
+coverage
+.nycrc
+.LAST_PACKAGE
+*.snk
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/.npmignore b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/.npmignore
@@ -0,0 +1,21 @@
+# Exclude typescript source and config
+*.ts
+tsconfig.json
+coverage
+.nyc_output
+*.tgz
+*.snk
+*.tsbuildinfo
+
+# Include javascript files and typescript declarations
+!*.js
+!*.d.ts
+
+# Exclude jsii outdir
+dist
+
+# Include .jsii
+!.jsii
+
+# Include .jsii
+!.jsii
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/README.md b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/README.md
@@ -0,0 +1,94 @@
+# aws-wafwebacl-cloudfront module
+<!--BEGIN STABILITY BANNER-->
+
+---
+
+![Stability: Experimental](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)
+
+> All classes are under active development and subject to non-backward compatible changes or removal in any
+> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
+> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
+
+---
+<!--END STABILITY BANNER-->
+
+| **Reference Documentation**:| <span style="font-weight: normal">https://docs.aws.amazon.com/solutions/latest/constructs/</span>|
+|:-------------|:-------------|
+<div style="height:8px"></div>
+
+
+| **Language**     | **Package**        |
+|:-------------|-----------------|
+|![Python Logo](https://docs.aws.amazon.com/cdk/api/latest/img/python32.png) Python|`aws_solutions_constructs.aws_wafwebacl_cloudfront`|
+|![Typescript Logo](https://docs.aws.amazon.com/cdk/api/latest/img/typescript32.png) Typescript|`@aws-solutions-constructs/aws-wafwebacl-cloudfront`|
+|![Java Logo](https://docs.aws.amazon.com/cdk/api/latest/img/java32.png) Java|`software.amazon.awsconstructs.services.wafwebaclcloudfront`|
+
+## Overview
+This AWS Solutions Construct implements an AWS WAF web ACL connected to Amazon CloudFront.
+
+Here is a minimal deployable pattern definition in Typescript:
+
+``` typescript
+import { CloudFrontToS3 } from '@aws-solutions-constructs/aws-cloudfront-s3';
+import { WafwebaclToCloudFront } from "@aws-solutions-constructs/aws-wafwebacl-cloudfront";
+
+const cloudfrontToS3 = new CloudFrontToS3(this, 'test-cloudfront-s3', {});
+
+// This construct can only be attached to a configured CloudFront.
+new WafwebaclToCloudFront(this, 'test-wafwebacl-cloudfront', {
+    existingCloudFrontWebDistribution: cloudfrontToS3.cloudFrontWebDistribution
+});
+```
+
+## Initializer
+
+``` text
+new WafwebaclToCloudFront(scope: Construct, id: string, props: WafwebaclToCloudFrontProps);
+```
+
+_Parameters_
+
+* scope [`Construct`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.Construct.html)
+* id `string`
+* props [`WafwebaclToCloudFrontProps`](#pattern-construct-props)
+
+## Pattern Construct Props
+
+| **Name**     | **Type**        | **Description** |
+|:-------------|:----------------|-----------------|
+|existingCloudFrontWebDistribution|[`cloudfront.Distribution`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Distribution.html)|The existing CloudFront instance that will be protected with the WAF web ACL. *Note that a WAF web ACL can only be added to a configured CloudFront, so this construct only accepts an existing CloudFrontWebDistribution and does not accept cloudfrontProps.*|
+|existingWebaclObj?|[`waf.CfnWebACL`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-wafv2.CfnWebACL.html)|Existing instance of a WAF web ACL, an error will occur if this and props is set.|
+|webaclProps?|[`waf.CfnWebACLProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-wafv2.CfnWebACLProps.html)|Optional user-provided props to override the default props for the AWS WAF web ACL. To use a different collection of managed rule sets, specify a new rules property. Use our [`wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number)`](../core/lib/waf-defaults.ts) function from core to create an array entry from each desired managed rule set.|
+
+## Pattern Properties
+
+| **Name**     | **Type**        | **Description** |
+|:-------------|:----------------|-----------------|
+|webacl|[`waf.CfnWebACL`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-wafv2.CfnWebACL.html)|Returns an instance of the waf.CfnWebACL created by the construct.|
+|cloudFrontWebDistribution|[`cloudfront.Distribution`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Distribution.html)|Returns an instance of cloudfront.Distribution created by the construct.|
+
+## Default settings
+
+Out of the box implementation of the Construct without any override will set the following defaults:
+
+### AWS WAF
+* Deploy a WAF web ACL with 7 [AWS managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).
+    * AWSManagedRulesBotControlRuleSet
+    * AWSManagedRulesKnownBadInputsRuleSet
+    * AWSManagedRulesCommonRuleSet
+    * AWSManagedRulesAnonymousIpList
+    * AWSManagedRulesAmazonIpReputationList
+    * AWSManagedRulesAdminProtectionRuleSet
+    * AWSManagedRulesSQLiRuleSet
+
+    *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* 
+* Send metrics to Amazon CloudWatch
+
+### Amazon CloudFront
+* User provided CloudFront object is used as-is
+
+## Architecture
+![Architecture Diagram](architecture.png)
+
+***
+&copy; Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
diff --git a/...ce/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/architecture.png b/...ce/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/architecture.png
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/lib/index.ts
@@ -0,0 +1,75 @@
+/**
+ *  Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ *  with the License. A copy of the License is located at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
+// Imports
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import * as waf from '@aws-cdk/aws-wafv2';
+import * as defaults from '@aws-solutions-constructs/core';
+// Note: To ensure CDKv2 compatibility, keep the import statement for Construct separate
+import { Construct } from '@aws-cdk/core';
+
+/**
+ * @summary The properties for the WafwebaclToCloudFront class.
+ */
+export interface WafwebaclToCloudFrontProps {
+  /**
+   * The existing CloudFront instance that will be protected with the WAF web ACL.
+   *
+   * This construct changes the CloudFront distribution by directly manipulating
+   * the CloudFormation output, so this must be the Construct and cannot be
+   * changed to the Interface (IDistribution)
+   */
+  readonly existingCloudFrontWebDistribution: cloudfront.Distribution ,
+  /**
+   * Existing instance of a WAF web ACL, an error will occur if this and props is set
+   */
+  readonly existingWebaclObj?: waf.CfnWebACL,
+  /**
+   * Optional user-provided props to override the default props for the AWS WAF web ACL.
+   *
+   * @default - Default properties are used.
+   */
+  readonly webaclProps?: waf.CfnWebACLProps,
+}
+
+/**
+ * @summary The WafwebaclToCloudFront class.
+ */
+export class WafwebaclToCloudFront extends Construct {
+  public readonly webacl: waf.CfnWebACL;
+  public readonly cloudFrontWebDistribution: cloudfront.Distribution;
+  /**
+   * @summary Constructs a new instance of the WafwebaclToCloudFront class.
+   * @param {cdk.App} scope - represents the scope for all the resources.
+   * @param {string} id - this is a a scope-unique id.
+   * @param {WafwebaclToCloudFrontProps} props - user provided props for the construct.
+   * @access public
+   */
+  constructor(scope: Construct, id: string, props: WafwebaclToCloudFrontProps) {
+    super(scope, id);
+    defaults.CheckProps(props);
+
+    // Build the Web ACL
+    this.webacl = defaults.buildWebacl(this, 'CLOUDFRONT', {
+      existingWebaclObj: props.existingWebaclObj,
+      webaclProps: props.webaclProps,
+    });
+
+    // Property override of CloudFront Cfn Template
+    const cfnExistingCloudFrontWebDistribution = props.existingCloudFrontWebDistribution.node.defaultChild as cloudfront.CfnDistribution;
+
+    cfnExistingCloudFrontWebDistribution.addPropertyOverride('DistributionConfig.WebACLId', this.webacl.attrArn);
+
+    this.cloudFrontWebDistribution = props.existingCloudFrontWebDistribution;
+  }
+}
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/package.json b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/package.json
@@ -0,0 +1,108 @@
+{
+  "name": "@aws-solutions-constructs/aws-wafwebacl-cloudfront",
+  "version": "0.0.0",
+  "description": "CDK constructs for defining an AWS web WAF connected to Amazon CloudFront.",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/awslabs/aws-solutions-constructs.git",
+    "directory": "source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront"
+  },
+  "author": {
+    "name": "Amazon Web Services",
+    "url": "https://aws.amazon.com",
+    "organization": true
+  },
+  "license": "Apache-2.0",
+  "scripts": {
+    "build": "tsc -b .",
+    "lint": "eslint -c ../eslintrc.yml --ext=.js,.ts . && tslint --project .",
+    "lint-fix": "eslint -c ../eslintrc.yml --ext=.js,.ts --fix .",
+    "test": "jest --coverage",
+    "clean": "tsc -b --clean",
+    "watch": "tsc -b -w",
+    "integ": "cdk-integ",
+    "integ-assert": "cdk-integ-assert",
+    "integ-no-clean": "cdk-integ --no-clean",
+    "jsii": "jsii",
+    "jsii-pacmak": "jsii-pacmak",
+    "build+lint+test": "npm run jsii && npm run lint && npm test && npm run integ-assert",
+    "snapshot-update": "npm run jsii && npm test -- -u && npm run integ-assert"
+  },
+  "jsii": {
+    "outdir": "dist",
+    "targets": {
+      "java": {
+        "package": "software.amazon.awsconstructs.services.wafwebaclcloudfront",
+        "maven": {
+          "groupId": "software.amazon.awsconstructs",
+          "artifactId": "wafwebaclcloudfront"
+        }
+      },
+      "dotnet": {
+        "namespace": "Amazon.Constructs.AWS.WafwebaclCloudFront",
+        "packageId": "Amazon.Constructs.AWS.WafwebaclCloudFront",
+        "signAssembly": true,
+        "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png"
+      },
+      "python": {
+        "distName": "aws-solutions-constructs.aws-wafwebacl-cloudfront",
+        "module": "aws_solutions_constructs.aws_wafwebacl_cloudfront"
+      }
+    }
+  },
+  "dependencies": {
+    "@aws-cdk/aws-cloudfront": "0.0.0",
+    "@aws-cdk/aws-cloudfront-origins": "0.0.0",
+    "@aws-cdk/aws-s3": "0.0.0",
+    "@aws-cdk/aws-wafv2": "0.0.0",
+    "@aws-cdk/core": "0.0.0",
+    "@aws-cdk/aws-lambda": "0.0.0",
+    "@aws-solutions-constructs/core": "0.0.0",
+    "@aws-solutions-constructs/aws-cloudfront-apigateway-lambda": "0.0.0",
+    "@aws-solutions-constructs/aws-cloudfront-s3": "0.0.0",
+    "@aws-solutions-constructs/aws-cloudfront-mediastore": "0.0.0",
+    "constructs": "^3.2.0"
+  },
+  "devDependencies": {
+    "@aws-cdk/assert": "0.0.0",
+    "@types/jest": "^26.0.22",
+    "@types/node": "^10.3.0"
+  },
+  "jest": {
+    "moduleFileExtensions": [
+      "js"
+    ],
+    "coverageReporters": [
+      "text",
+      [
+        "lcov",
+        {
+          "projectRoot": "../../../../"
+        }
+      ]
+    ]
+  },
+  "peerDependencies": {
+    "@aws-cdk/aws-cloudfront": "0.0.0",
+    "@aws-cdk/aws-cloudfront-origins": "0.0.0",
+    "@aws-cdk/aws-s3": "0.0.0",
+    "@aws-cdk/aws-wafv2": "0.0.0",
+    "@aws-cdk/core": "0.0.0",
+    "@aws-cdk/aws-lambda": "0.0.0",
+    "@aws-solutions-constructs/core": "0.0.0",
+    "@aws-solutions-constructs/aws-cloudfront-apigateway-lambda": "0.0.0",
+    "@aws-solutions-constructs/aws-cloudfront-s3": "0.0.0",
+    "@aws-solutions-constructs/aws-cloudfront-mediastore": "0.0.0",
+    "constructs": "^3.2.0"
+  },
+  "keywords": [
+    "aws",
+    "cdk",
+    "awscdk",
+    "AWS Solutions Constructs",
+    "AWS WAF Web ACL",
+    "Amazon CloudFront"
+  ]
+}