Cloudfront + Web ACL with static assets public accessible #350

Open
lucas-leme opened this issue Jul 22, 2022 · 3 comments
Labels
question Question about usage of the library

Comments

@lucas-leme (Author)

Hi! I am building an internal Next.js application and I want it to be accessible only from certain IPs.

The solution I am applying is to attach a Web ACL to CloudFront. But even with the Web ACL, all files inside _next/static are publicly available. How can I make them private?

My module code:

```hcl
module "tf_next" {
  source  = "milliHQ/next-js/aws"
  version = "0.13.2"

  # Lambda functions are attached to the VPC
  vpc_security_group_ids = var.vpc_security_group_ids
  vpc_subnet_ids         = var.vpc_subnet_ids
  lambda_attach_to_vpc   = true

  create_image_optimization = false

  # Web ACL to associate with the CloudFront distribution
  cloudfront_webacl_id   = var.web_acl_arn
  cloudfront_price_class = "PriceClass_All"

  providers = {
    aws.global_region = aws.global
  }
}
```
@ofhouse (Member) commented Jul 25, 2022

Hey,

Difficult to say what went wrong here.
It should be possible to build an IP allow-list with a Web ACL, but I have not tried it myself.

Do you have the Web ACL configuration in Terraform available (for reproduction) as well?

@ofhouse ofhouse added the question Question about usage of the library label Jul 25, 2022
@lucas-leme (Author)

Here is my code. The VPC is only for data access (AWS RDS).

```hcl
############## NEXT ###################

module "tf_next" {
  source  = "milliHQ/next-js/aws"
  version = "0.13.2"

  # Make sure the Web ACL exists before the CloudFront distribution is created
  depends_on = [
    aws_waf_web_acl.waf_acl
  ]

  deployment_name = "interface"

  # Lambda functions are attached to the VPC (only needed for RDS access)
  vpc_security_group_ids = var.vpc_security_group_ids
  vpc_subnet_ids         = var.vpc_subnet_ids
  lambda_attach_to_vpc   = true

  create_image_optimization = false

  # WAF Classic Web ACL ID attached to the CloudFront distribution
  cloudfront_webacl_id   = aws_waf_web_acl.waf_acl.id
  cloudfront_price_class = "PriceClass_All"

  providers = {
    aws.global_region = aws.global
  }
}

output "cloudfront_domain_name" {
  value = module.tf_next.cloudfront_domain_name
}

############# WAF #####################

# WAF Classic (global) IP set holding the allowed source address(es)
resource "aws_waf_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptors {
    type  = "IPV4"
    value = var.ip
  }
}

# Rule that matches when the request's source IP is in the IP set
resource "aws_waf_rule" "rule" {
  depends_on  = [aws_waf_ipset.ipset]
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicates {
    data_id = aws_waf_ipset.ipset.id
    negated = false
    type    = "IPMatch"
  }
}

# Web ACL: block everything by default, allow only requests matching the rule
resource "aws_waf_web_acl" "waf_acl" {
  depends_on = [
    aws_waf_ipset.ipset,
    aws_waf_rule.rule,
  ]
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "BLOCK"
  }

  rules {
    action {
      type = "ALLOW"
    }

    priority = 1
    rule_id  = aws_waf_rule.rule.id
    type     = "REGULAR"
  }
}
```
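The Terraform above is an allow-list: a BLOCK default action plus a single ALLOW rule whose IPMatch predicate references the IP set. The script below is an added example (not code from the terraform-aws-next-js module or from the issue author) that models that evaluation offline so the intended behaviour can be checked before applying it, and validates the IP set value the way WAF Classic does: an IPSetDescriptor must be CIDR notation (a single host is `x.x.x.x/32`) with a /8, /16, /24 or /32 prefix for IPv4, so a bare address in `var.ip` is rejected at apply time. Rule and IP set names mirror the Terraform; the client IPs and CIDRs are constructed sample data. Note that WAF matches the address that connected to CloudFront, so for users behind a corporate NAT or VPN the egress address is the one to list.

```python
"""Offline model of a WAF Classic IP allow-list Web ACL (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Prefix lengths WAF Classic accepts in an IPSetDescriptor value.
WAF_CLASSIC_PREFIXES = {
    "IPV4": {8, 16, 24, 32},
    "IPV6": {24, 32, 48, 56, 64, 128},
}


def validate_ip_set_descriptor(ip_type: str, value: str):
    """Return the network for a descriptor WAF Classic would accept.

    Raises ValueError for a bare address (no prefix), a type mismatch,
    an unsupported prefix length, or a range with host bits set (the
    last one is this example's choice, so a typo cannot silently widen
    the allowed range).
    """
    if "/" not in value:
        raise ValueError(f"{value!r}: WAF Classic needs CIDR notation, e.g. {value}/32")
    net = ipaddress.ip_network(value, strict=True)
    if (ip_type == "IPV4") != (net.version == 4):
        raise ValueError(f"{value!r} does not match descriptor type {ip_type}")
    if net.prefixlen not in WAF_CLASSIC_PREFIXES[ip_type]:
        raise ValueError(f"{value!r}: /{net.prefixlen} is not a supported prefix length")
    return net


@dataclass
class IPMatchPredicate:
    """predicates { type = "IPMatch" } pointing at an aws_waf_ipset."""
    networks: list
    negated: bool = False

    def matches(self, ip) -> bool:
        hit = any(ip in net for net in self.networks)
        return hit != self.negated  # negated = true inverts the match


@dataclass
class Rule:
    name: str
    priority: int
    action: str  # "ALLOW", "BLOCK" or "COUNT"
    predicates: list = field(default_factory=list)


def evaluate_web_acl(rules, default_action: str, client_ip: str):
    """Return (action, rule_name) for a request from client_ip.

    Rules are tried in priority order; a rule matches only if every
    predicate matches, and the first matching ALLOW/BLOCK rule decides.
    COUNT rules never decide. If nothing matches, the default action applies.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.action == "COUNT":
            continue
        if all(p.matches(ip) for p in rule.predicates):
            return rule.action, rule.name
    return default_action, "default_action"


def build_issue_acl(allowed_cidrs):
    """The ACL from the Terraform above: default BLOCK, one ALLOW rule on tfIPSet."""
    ipset = [validate_ip_set_descriptor("IPV4", cidr) for cidr in allowed_cidrs]
    rule = Rule(
        name="tfWAFRule",
        priority=1,
        action="ALLOW",
        predicates=[IPMatchPredicate(networks=ipset, negated=False)],
    )
    return [rule], "BLOCK"


if __name__ == "__main__":
    # Constructed sample: one office egress address allowed, everything else blocked.
    rules, default = build_issue_acl(["203.0.113.5/32"])
    for probe in ("203.0.113.5", "198.51.100.7"):
        print(probe, "->", evaluate_web_acl(rules, default, probe))
```

Running it with the value you intend to put in `var.ip` answers two things at once: whether WAF Classic will accept the descriptor at all, and which of your test addresses end up on the ALLOW side of the ACL. If an address that reaches `_next/static` is not allowed by this model, the requests are not being decided by this Web ACL.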

@dgokcin commented Oct 12, 2022

@lucas-leme how did this go? I am also looking for a solution to secure the resources deployed with this module. (We were using the Cloudflare WAF in all of our other applications, and I can't find a way to use it here.)
