@aligent/aws-waf-stack
v0.1.1
Published
## Overview
Downloads
3
Keywords
Readme
Aligent AWS WAF stack
Overview
This repository defines a Node module for a AWS CDK stack module which can be included into an environment.
How to use: Creating a new WAFStack with automated build pipeline
Please note the following instructions rely on @aligent/aws-cdk-pipeline-stack which provides automated stack deployments based on AWS CodePipelines. The pipelines portions can be disregarded if you would prefer to only deploy the WAF stack.
This stack configures an AWS CodePipeline application which will deploy an instance of the WAFStack based on changes to the configured repository/branch. There are two AWS accounts involved: ToolsAccount and TargetAccount, where we don't want the TargetAccount to access to the whole version control system, e.g. BitBucket or GitHub, as they currently can't limit the access to repository level.
- Configure a CDK project on your local, run
cdk deploy
to create a CodePipeline in ToolsAccount via CloudFormation - Push the project code to the repository/branch
- CodePipeline Source stage picks up the change in the repository/branch and initiate the pipeline
- CodePipeline Deploy stage initiates Target Account Cloudformation stack creation/update
- TargetAccount's CloudFormation creates/configures/updates WAF resources
NOTE: npm ver.7 will cause an issue a later stage hence ver.6 is required until this issue is resolved: https://github.com/npm/cli/issues/2610
Install cdk first (npm install -g aws-cdk
, or this instruction) and follow the steps described below.
In order to have AWS ToolsAccount be able to talk to the version control system, create CodeStar Connection. This is a one-off task between the two, though, hence reusable across multiple projects. Connecting to BitBucket, for example
Initialise a CDK project
$ npx cdk init app --language=typescript
Bootstrap the TargetAccount to grant the ToolsAccount the permission to create resources. This is per-region basis.
$ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \ --profile <TargetAccountProfile> \ --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \ --trust <ToolsAccountId> \ aws://<TargetAccountId>/<region>
Install this node module
$ npm install @aligent/aws-cdk-waf-stack $ npm install @aligent/aws-cdk-pipeline-stack
Replace project files
- Replace
bin/<projectName.ts>
in the project withsample/waf.ts
of this repo - Replace
lib/<projectName-stack.ts>
in the project withsample/environments.ts
of this repo
- Replace
Update
lib/environments.ts
with the details. You need the below information- CodeStar Connection ARN that was created in Step 1
- BitBucket (or other version control system) repository/branch details
- Office and AWS NAT GW IP addresses to be allowed anytime
- User-Agent string to bypass the AWS default BadBot rule
- ARNs of FE Application Load Balancers this WAF rule is to be associated with
Update
bin/waf.ts
if needed, e.g. additional environments or stack name changes.Run
npm install
and updatecdk.json
:app
: replace<project_name.ts>
withwaf.ts
.context
: add"@aws-cdk/core:newStyleStackSynthesis": true
Rebuild
cdk.context.json
(not needed in this project/stack)Test by running
npx cdk synth
andnpx cdk ls
. For further testing and customisation, refer to the Local development section below. By now you are going to see two stacks per each environment; one for Pipeline deployment, the other for direct deployment. See Step 12 down below.Push the code to the relevant branch
Deploy the stack, e.g.
npx cdk deploy <target-WAF-environment> --profile <ToolsAccountProfile>
to create the CodePipeline, followed by TargetAccount WAF resource creation.If you don't need a pipeline/cross-account deployment, deploy
<target-WAF-environment>/<target-WAF-environment>/stack
directly to the target account bynpx cdk deploy <StackName> --profile <TargetAccountProfile>
Monitor and activate
By default, WebACL this stack creates will work in COUNT mode to begin with.After a certain period of monitoring under real traffic and load, apply necessary changes, e.g. IP allow_list or rate limit, to avoid service interruptions before switching to BLOCK mode.
Local development
NPM link can be used to develop the module locally.
- Pull this repository locally
cd
into this repository- run
npm link
cd
into the downstream repo (target project, etc) and runnpm link 'aws-waf-stack'
The downstream repository should now include a symlink to this module. Allowing local changes to be tested before pushing.