AWS WAF for App Runner

1

Hi,

I came across this announcement for WAF support in App Runner, and it mentions that this feature is available through the App Runner console, AWS CLI, and CloudFormation.

I can see this feature when I go to my App Runner service configuration; however, I'm deploying this through CloudFormation at the moment, planning on switching to Terraform later on, and neither the CloudFormation docs nor the Terraform docs seem to explain how to associate a WAF.

Does someone know how to get this set up with CloudFormation?

1 Answer
2
Accepted Answer

Hello.

This is a sample, but you can link AWS WAF's WebACL and App Runner by doing the following.
"AWS::WAFv2::WebACLAssociation" is used to associate resources with a WebACL.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html

  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: WebACL_AppRunner
      Scope: REGIONAL
      DefaultAction:
        Block: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: WebACL_AppRunner
      Rules:
        -
          Name: rules-allow-ip
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt WAFIPSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rules-allow-ip

  WAFIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: IPAllowLists
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: !Ref AllowAddresses

  ARforPl:
    Type: AWS::AppRunner::Service
    Properties:
      ServiceName: golang-container-app
      SourceConfiguration:
        AuthenticationConfiguration:
          AccessRoleArn: !GetAtt RoleForAR.Arn
        AutoDeploymentsEnabled: true
        ImageRepository:
          ImageIdentifier: !Ref EcrRepoUri
          ImageRepositoryType: ECR
          ImageConfiguration:
            Port: 80
      InstanceConfiguration:
        Cpu: 1 vCPU
        Memory: 2 GB

  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt WebACL.Arn
      ResourceArn: !GetAtt ARforPl.ServiceArn
EXPERT, answered 6 months ago
AWS EXPERT, reviewed 6 months ago
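
A check that can run against a template like the one in the answer, as an added example that is not part of the original answer or of any AWS tooling: it reports every `AWS::AppRunner::Service` that no `AWS::WAFv2::WebACLAssociation` ties to a `REGIONAL` WebACL. It assumes the template has been loaded into a dict with `Fn::GetAtt` in long form; the function names and the `SecondService` resource are hypothetical.

```python
# Added example: static check of a CloudFormation template held as a dict.
# Logical IDs WebACL / ARforPl / WebACLAssociation mirror the answer's sample;
# "SecondService" is a constructed resource that has no association.

def getatt_target(value):
    """Return the logical ID referenced by an Fn::GetAtt, or None."""
    att = value.get("Fn::GetAtt") if isinstance(value, dict) else None
    if isinstance(att, str):            # "Logical.Attr" (short form kept as a string)
        return att.split(".", 1)[0]
    if isinstance(att, list) and att:   # ["Logical", "Attr"]
        return att[0]
    return None

def unprotected_apprunner_services(template):
    """App Runner services not targeted by an association to a REGIONAL WebACL."""
    resources = template.get("Resources", {})
    protected = set()
    for res in resources.values():
        if res.get("Type") != "AWS::WAFv2::WebACLAssociation":
            continue
        props = res.get("Properties", {})
        acl = resources.get(getatt_target(props.get("WebACLArn")), {})
        # The answer's WebACL uses Scope: REGIONAL; any other scope is treated
        # here as not protecting the service.
        if (acl.get("Type") == "AWS::WAFv2::WebACL"
                and acl.get("Properties", {}).get("Scope") == "REGIONAL"):
            protected.add(getatt_target(props.get("ResourceArn")))
    return sorted(name for name, res in resources.items()
                  if res.get("Type") == "AWS::AppRunner::Service"
                  and name not in protected)

SAMPLE = {  # constructed template, trimmed to the properties the check reads
    "Resources": {
        "WebACL": {"Type": "AWS::WAFv2::WebACL", "Properties": {"Scope": "REGIONAL"}},
        "ARforPl": {"Type": "AWS::AppRunner::Service", "Properties": {}},
        "SecondService": {"Type": "AWS::AppRunner::Service", "Properties": {}},
        "WebACLAssociation": {
            "Type": "AWS::WAFv2::WebACLAssociation",
            "Properties": {
                "WebACLArn": {"Fn::GetAtt": ["WebACL", "Arn"]},
                "ResourceArn": {"Fn::GetAtt": ["ARforPl", "ServiceArn"]},
            },
        },
    }
}

if __name__ == "__main__":
    print(unprotected_apprunner_services(SAMPLE))
```
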
