AWS WAF for App Runner

Question

Hi,

I came across this [announcement](https://aws.amazon.com/about-aws/whats-new/2023/02/aws-app-runner-web-application-firewall-enhanced-security/) for WAF support in App Runner, and it mentions that this feature is available through the App Runner console, AWS CLI, and CloudFormation.

I can see this feature when I go to my App Runner service configuration, however, I'm deploying this through CloudFormation at the moment, planning on switching to Terraform later on, and neither the [CloudFormation docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apprunner-service.html) nor the Terraform docs seem to explain how to associate a WAF.

Does someone know how to get this set up with CloudFormation?

Accepted Answer

Hello.

This is a sample, but you can link AWS WAF's WebACL and AppRunner by doing the following.  
"AWS::WAFv2::WebACLAssociation" is used to associate resources with WebACL.  
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html  
```
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: WebACL_AppRunner
      Scope: REGIONAL
      DefaultAction:
        Block: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: WebACL_AppRunner
      Rules:
        -
          Name: rules-allow-ip
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt WAFIPSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rules-allow-ip

WAFIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: IPAllowLists
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: !Ref AllowAddresses

ARforPl:
    Type: AWS::AppRunner::Service
    Properties:
      ServiceName: golang-container-app
      SourceConfiguration:
        AuthenticationConfiguration:
          AccessRoleArn: !GetAtt RoleForAR.Arn
        AutoDeploymentsEnabled: true
        ImageRepository:
          ImageIdentifier: !Ref EcrRepoUri
          ImageRepositoryType: ECR
          ImageConfiguration:
            Port: 80
      InstanceConfiguration:
        Cpu: 1 vCPU
        Memory: 2 GB

WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt WebACL.Arn
      ResourceArn: !GetAtt ARforPl.ServiceArn
```

AWS WAF for App Runner

관련 콘텐츠