我已经在 CloudFormation 中设置了一个 CloudFront 发行版,并且正在构建一个 AWS WAF ACL 来充当它的防火墙。为了将 ACL 与 CloudFront 分配相关联,我添加了一个 AWS::WAFv2::WebACLAssociation
条目,该条目需要 CloudFront 分配的 ARN 作为 ResourceArn
条目。但是,我似乎无法找到如何从 official documentation 获取 CloudFront 分发 ARN 。我以为我可以使用 !Ref
但它根据文档使用了 CloudFront ID,而不是 ARN。
如何从 WebACLAssociation 条目引用 CloudFront 分配 ARN?
以下示例(为简洁起见,省略了其他资源):
---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFront
Parameters:
# ...
CloudFront:
Type: AWS::CloudFront::Distribution
DependsOn:
- IssuedCertificate
- S3Bucket
Properties:
DistributionConfig:
Origins:
- DomainName: !Sub
- ${S3Bucket}.${S3WebEndpoint}
- {
S3Bucket: !Ref S3Bucket,
S3WebEndpoint:
!FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
}
Id: S3origin
CustomOriginConfig:
OriginProtocolPolicy: http-only
Enabled: "true"
Comment: !Sub Distribution for ${DomainName}
HttpVersion: http2
Aliases:
- !Ref DomainName
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: S3origin
Compress: True
DefaultTTL: 604800
ForwardedValues:
QueryString: "false"
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
PriceClass: PriceClass_100
ViewerCertificate:
AcmCertificateArn: !Ref Certificate
SslSupportMethod: sni-only
# ...
AWSWAF:
Type: AWS::WAFv2::WebACL
Properties:
Name: allowlist
Description: Allowlist
Scope: CLOUDFRONT
DefaultAction:
Block: {}
Rules:
- Name: ipset-rule
Priority: 0
Action:
Allow: {}
Statement:
IPSetReferenceStatement:
Arn: # <ARN>
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: ipset-metrics
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: allowlist-metrics
AWSWAFAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn: !Ref CloudFront
WebACLArn: !Ref AWSWAF
最佳答案
没有相同的直接属性,但您可以构造它:
arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFront}
关于amazon-web-services - 如何在 WebACLAssociation 的 CloudFormation 堆栈中获取 CloudFront 分配 ARN?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/72001645/