in infra/resources/cloudfront-web-acl.ts [26:101]
/**
 * Provisions a CloudFront-scoped WAFv2 Web ACL through two `AwsCustomResource`s.
 *
 * The ACL defaults to ALLOW and attaches each entry of `props.managedRules` as a
 * managed rule group (count-vs-block behaviour is left to the vendor rule group,
 * since `OverrideAction` is `None`). The generated ACL id is exposed as
 * `this.webAclId` for association with a distribution.
 *
 * Why two custom resources: `deleteWebACL` needs both the Id and a LockToken, so a
 * second resource fetches the LockToken via `getWebACL` at creation time and stores
 * it as its physical id, then hands it to `deleteWebACL` on stack deletion.
 *
 * Security / operational caveats visible from this code:
 *  - Both resources are granted the SDK-call actions on `ANY_RESOURCE` (`*`).
 *    The ACL name is known up front, so a name-scoped WAFv2 ARN would be
 *    tighter — TODO(review): confirm the exact ARN shape before narrowing.
 *  - Neither resource defines `onUpdate`, so later edits to `props.managedRules`
 *    (or `props.name`) are not pushed to an already-created ACL; the deployed
 *    rule set can silently drift from the code — confirm this is intended.
 *  - The LockToken is captured once, at creation. WAFv2 rotates it on every
 *    update of the ACL, so any out-of-band change (console, CLI) is expected to
 *    make the stored token stale and the final `deleteWebACL` fail — verify.
 *  - CLOUDFRONT-scoped WAFv2 calls are only served from us-east-1; this code
 *    assumes `this.region` resolves to that — verify against the stack.
 *
 * @param scope Parent construct.
 * @param id    Construct id; also used as the ACL's CloudWatch metric name.
 * @param props ACL name plus the managed rule groups to attach, in priority order.
 */
constructor(scope: Construct, id: string, props: CloudFrontWebAclProps) {
  super(scope, id);
  this.name = props.name;

  // All WAFV2 calls in this construct target the global (CloudFront) scope.
  const aclScope = 'CLOUDFRONT';

  // NOTE(review): wildcard resource grant for the custom-resource Lambda; see class caveats.
  const unrestrictedSdkPolicy = () =>
    AwsCustomResourcePolicy.fromSdkCalls({
      resources: AwsCustomResourcePolicy.ANY_RESOURCE,
    });

  // Position in props.managedRules doubles as the WAF rule priority (lower runs first).
  const managedRuleEntries = props.managedRules.map((rule, position) => {
    const label = `${rule.VendorName}-${rule.Name}`;
    return {
      Name: label,
      Priority: position,
      Statement: { ManagedRuleGroupStatement: rule },
      // None: do not override the rule group's own block/count actions.
      OverrideAction: { None: {} },
      VisibilityConfig: {
        MetricName: label,
        CloudWatchMetricsEnabled: true,
        SampledRequestsEnabled: true,
      },
    };
  });

  const createRequest: WAFV2.Types.CreateWebACLRequest = {
    Name: this.name,
    // Requests not matched by any managed rule are allowed through.
    DefaultAction: { Allow: {} },
    Scope: aclScope,
    VisibilityConfig: {
      CloudWatchMetricsEnabled: true,
      MetricName: id,
      SampledRequestsEnabled: true,
    },
    Rules: managedRuleEntries,
  };

  // Resource #1: create the ACL. No onUpdate, so this only ever runs once.
  const creator = new AwsCustomResource(this, `${id}-Create`, {
    policy: unrestrictedSdkPolicy(),
    onCreate: {
      service: 'WAFV2',
      action: 'createWebACL',
      parameters: createRequest,
      region: this.region,
      physicalResourceId: PhysicalResourceId.fromResponse('Summary.Id'),
    },
  });
  this.webAclId = creator.getResponseField('Summary.Id');

  const lookupRequest: WAFV2.Types.GetWebACLRequest = {
    Name: this.name,
    Scope: aclScope,
    Id: this.webAclId,
  };

  // Resource #2: owns deletion. Its physical id is the LockToken read at creation time;
  // that token is required (together with Id) by deleteWebACL.
  new AwsCustomResource(this, `${id}-Delete`, {
    policy: unrestrictedSdkPolicy(),
    onCreate: {
      service: 'WAFV2',
      action: 'getWebACL',
      parameters: lookupRequest,
      region: this.region,
      physicalResourceId: PhysicalResourceId.fromResponse('LockToken'),
    },
    onDelete: {
      service: 'WAFV2',
      action: 'deleteWebACL',
      parameters: {
        ...lookupRequest,
        // Resolves to the LockToken stored as this resource's physical id.
        LockToken: new PhysicalResourceIdReference(),
      },
      region: this.region,
    },
  });
}