AWS::WAFv2::WebACLAssociation CloudFormation 中应用程序负载均衡器的 ResourceArn
AWS::WAFv2::WebACLAssociation ResourceArn for Application Load Balancer in CloudFormation
我有一个创建 ElasticBeanstalk 环境的 CloudFormation 模板,如下所示:
"ApplicationEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": {
"Ref": "Application"
},
"SolutionStackName": "64bit Amazon Linux 2018.03 v2.11.2 running Java 8",
"VersionLabel": {
"Ref": "AppVersion"
},
"Tier": {
"Name": "WebServer",
"Type": "Standard"
},
"OptionSettings": [
...
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "LoadBalanced"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "LoadBalancerType",
"Value": "application"
},
...
---
"WAF": {
"Type": "AWS::WAFv2::WebACL",
"Properties": {
"DefaultAction": {
"Type": "BLOCK"
},
"Scope": "REGIONAL",
"VisibilityConfig": {
"CloudWatchMetricsEnabled": "false",
"MetricName": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName" }, "metric-waf" ] ] },
"SampledRequestsEnabled": "false"
},
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 0,
"Statement" : {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesCommonRuleSet"
}
}
}
]
}
},
"WAFAssociation": {
"Type" : "AWS::WAFv2::WebACLAssociation",
"Properties" : {
"ResourceArn" : ???,
"WebACLArn" : { "Ref": "WAF" }
}
}
我打算将 Beanstalk ALB 与 WebACL 相关联,但不知道如何引用模板创建的应用程序负载均衡器 ARN。我不能只放入硬编码的 ARN,因为它总是根据模板创建的内容而变化。
有什么方法可以在 ResourceArn 字段中引用 ALB ARN?或者我是否需要在 Beanstalk 选项设置中的某处应用 WebACL?
我认为唯一的方法是通过 自定义资源,它采用 EB 环境名称,使用 describe_environment_resources
API 调用来获取 EB 环境信息(包括 LA arn),然后 returns 回到你的卡住。
下面是此类资源的工作示例,您可以将其添加到模板中:
LambdaBasicExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2FullAccess
- arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
MyCustomResource:
Type: Custom::GetEBLoadBalancerArn
Properties:
ServiceToken: !GetAtt 'MyCustomFunction.Arn'
EBEnvName: !Ref MyEnv
MyCustomFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.lambda_handler
Description: "Get ARN of EB Load balancer"
Timeout: 30
Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
Runtime: python3.7
Code:
ZipFile: |
import json
import logging
import cfnresponse
import boto3
logger = logging.getLogger()
logger.setLevel(logging.INFO)
eb = boto3.client('elasticbeanstalk')
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
logger.info('got event {}'.format(event))
try:
responseData = {}
if event['RequestType'] in ["Create"]:
eb_env_name = event['ResourceProperties']['EBEnvName']
response = eb.describe_environment_resources(
EnvironmentName=eb_env_name
)
lb_arn = response['EnvironmentResources']['LoadBalancers'][0]['Name']
logger.info(str(response['EnvironmentResources']['LoadBalancers'][0]['Name']))
responseData = {
"LBArn": lb_arn
}
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
else:
logger.info('Unexpected RequestType!')
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
except Exception as err:
logger.error(err)
responseData = {"Data": str(err)}
cfnresponse.send(event,context,
cfnresponse.FAILED,responseData)
return
拥有您将要使用的资源:
"WAFAssociation": {
"Type" : "AWS::WAFv2::WebACLAssociation",
"Properties" : {
"ResourceArn" : { "GetAtt": ["MyCustomResource", "LBArn"] },
"WebACLArn" : { "Ref": "WAF" }
}
}
更新:这个答案是错误的。资源似乎在其他 EB 配置文件中可用,但模板本身没有
错误答案:
看起来 Cloudformation 允许您访问它创建的资源,即使它们没有直接在您的模板中定义。
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-format-resources-eb.html
因此,要与负载均衡器建立关联,只需使用 "Ref": "AWSEBV2LoadBalancer"
或 "Ref: "AWSEBLoadBalancer"
或其他任何方式
"WAFAssociation": {
"Type" : "AWS::WAFv2::WebACLAssociation",
"Properties" : {
"Ref" : "AWSEBV2LoadBalancer",
"WebACLArn" : { "Ref": "WAF" }
}
}
我有一个创建 ElasticBeanstalk 环境的 CloudFormation 模板,如下所示:
"ApplicationEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": {
"Ref": "Application"
},
"SolutionStackName": "64bit Amazon Linux 2018.03 v2.11.2 running Java 8",
"VersionLabel": {
"Ref": "AppVersion"
},
"Tier": {
"Name": "WebServer",
"Type": "Standard"
},
"OptionSettings": [
...
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "LoadBalanced"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "LoadBalancerType",
"Value": "application"
},
...
---
"WAF": {
"Type": "AWS::WAFv2::WebACL",
"Properties": {
"DefaultAction": {
"Type": "BLOCK"
},
"Scope": "REGIONAL",
"VisibilityConfig": {
"CloudWatchMetricsEnabled": "false",
"MetricName": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName" }, "metric-waf" ] ] },
"SampledRequestsEnabled": "false"
},
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 0,
"Statement" : {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesCommonRuleSet"
}
}
}
]
}
},
"WAFAssociation": {
"Type" : "AWS::WAFv2::WebACLAssociation",
"Properties" : {
"ResourceArn" : ???,
"WebACLArn" : { "Ref": "WAF" }
}
}
我打算将 Beanstalk ALB 与 WebACL 相关联,但不知道如何引用模板创建的应用程序负载均衡器 ARN。我不能只放入硬编码的 ARN,因为它总是根据模板创建的内容而变化。
有什么方法可以在 ResourceArn 字段中引用 ALB ARN?或者我是否需要在 Beanstalk 选项设置中的某处应用 WebACL?
我认为唯一的方法是通过 自定义资源,它采用 EB 环境名称,使用 describe_environment_resources
API 调用来获取 EB 环境信息(包括 LA arn),然后 returns 回到你的卡住。
下面是此类资源的工作示例,您可以将其添加到模板中:
LambdaBasicExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2FullAccess
- arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
MyCustomResource:
Type: Custom::GetEBLoadBalancerArn
Properties:
ServiceToken: !GetAtt 'MyCustomFunction.Arn'
EBEnvName: !Ref MyEnv
MyCustomFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.lambda_handler
Description: "Get ARN of EB Load balancer"
Timeout: 30
Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
Runtime: python3.7
Code:
ZipFile: |
import json
import logging
import cfnresponse
import boto3
logger = logging.getLogger()
logger.setLevel(logging.INFO)
eb = boto3.client('elasticbeanstalk')
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
logger.info('got event {}'.format(event))
try:
responseData = {}
if event['RequestType'] in ["Create"]:
eb_env_name = event['ResourceProperties']['EBEnvName']
response = eb.describe_environment_resources(
EnvironmentName=eb_env_name
)
lb_arn = response['EnvironmentResources']['LoadBalancers'][0]['Name']
logger.info(str(response['EnvironmentResources']['LoadBalancers'][0]['Name']))
responseData = {
"LBArn": lb_arn
}
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
else:
logger.info('Unexpected RequestType!')
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
except Exception as err:
logger.error(err)
responseData = {"Data": str(err)}
cfnresponse.send(event,context,
cfnresponse.FAILED,responseData)
return
拥有您将要使用的资源:
"WAFAssociation": {
"Type" : "AWS::WAFv2::WebACLAssociation",
"Properties" : {
"ResourceArn" : { "GetAtt": ["MyCustomResource", "LBArn"] },
"WebACLArn" : { "Ref": "WAF" }
}
}
更新:这个答案是错误的。资源似乎在其他 EB 配置文件中可用,但模板本身没有
错误答案:
看起来 Cloudformation 允许您访问它创建的资源,即使它们没有直接在您的模板中定义。
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-format-resources-eb.html
因此,要与负载均衡器建立关联,只需使用 "Ref": "AWSEBV2LoadBalancer"
或 "Ref: "AWSEBLoadBalancer"
或其他任何方式
"WAFAssociation": {
"Type" : "AWS::WAFv2::WebACLAssociation",
"Properties" : {
"Ref" : "AWSEBV2LoadBalancer",
"WebACLArn" : { "Ref": "WAF" }
}
}