Observations and questions around MWAA in Cloudformation

Hi, before I dive into my question, I first wanted to share some observations I made working with the cloudformation template, which might be useful for other people, too. The template can be found here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-mwaa-environment.html

AirflowConfigurationOptions: as mentioned in other threads, don't try to configure the secrets manager backend until a fix from the AWS team is in place, right now it does break the environment.

DagS3Path/PluginsS3Path/RequirementsS3Path: the later ones state that they need an s3 URI (s3:/bucket/path/), that is not the case. They are just paths relative to the bucket defined in SourceBucketArn.

EnvironmentClass: the cloudformation docs don't specify the possible values for this and some of the screenshots in the mwaa docs show wrong keys in the UI. The right possibilities as of now are mw1.small/mw1.medium/mw1.large.

LoggingConfiguration > ModuleLoggingConfiguration: The docs say you can configure CloudWatchLogGroupArn, that did not work for me it was silently ignored. In fact at first my role did not have create log group permissions and I did get errors in cloud trail. It will always try to create log groups following this pattern arn:aws:logs:<region>:<account>:log-group:airflow-<environment-name>-[DagProcessing|WebServer|Task|Worker|Scheduler] - so make sure it has permissions to create and interact with these.

WebserverAccessMode: Possible values are not in the cloudformation docs, but can be found in the cli docs: PRIVATE_ONLY and PUBLIC_ONLY.

SourceBucketArn: Bucket name needs to start with airflow. This one was difficult to find, ended up checking the raw cloudformation schema for the pattern. "^arn:aws(-<latin char>)?:s3:::airflow-<latin char|number|dash>$" (sorry for the syntax but square brackets are considered links)

Which brings me finally to my question, which relates to the next step, i.e., using WebserverAccessMode PRIVATE_ONLY and adding (in cloudformation or in my case cdk_cloudformation) an application load balancer, without needing to hardcode URLs after creation. The cloudformation docs state there is a parameter WebserverUrl, which confuses me. How can this be a parameter? It feels this should be a _return value+ and show what is visible in the UI either as public endpoint or private VPC endpoint. Has anybody worked with this? Following the docs to get the URL I would most likely end up using a custom clouformation resource and calling get-environment to get the URL, because I cannot see how I could use WebserverURL as a parameter in a meaningful way.

Also for context, I have not found a way to restrict the public endpoint created with PUBLIC_ONLY IP wise. It is protected with IAM authentication, but it feels wrong to have an internal tool not restricted by IP whitelist.

Edited by: andreaslang on Jan 14, 2021 1:57 AM - just added info about s3 bucket