Add config option to attach a WAF ACL to API Gateway stage(s) #1816
Comments
Took a shot at trying to implement a new This may need to wait for the Chalice v2 deployer (i.e. #1833) or later, once CloudFormation and SAM have better support for WAF ACLs with API Gateway stages. In the meantime I opened a separate issue (#1838) to expose the ARN of the API Gateway stage when using Terraform, which would allow us to implement a workaround for now until Chalice is able to handle WAF ACL associations with API Gateway stages.
Came up with a workaround for now: wrapping the chalice.tf.json with some additional Terraform that can reference the APIGW resources from Chalice, i.e.

```hcl
resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = "${aws_api_gateway_rest_api.rest_api.arn}/stages/${aws_api_gateway_deployment.rest_api.stage_name}"
  web_acl_arn  = aws_wafv2_web_acl.common.arn
}
```
WAF support on the API Gateway stage would be needed to pass a Well-Architected review.
#2992 made the stage an explicit resource, so that we can now refer to its `.arn` attribute.
In order to meet the AWS Foundational Security Best Practices we need to have a WAF ACL on our API Gateway stages, but Chalice does not currently support this AFAICT.
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-apigateway-4
Perhaps a new config value could be added (i.e. `waf_acl_id`) which could be used to associate a WAF ACL with the API Gateway stage(s) in Chalice.