├── .gitignore ├── .npmignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── bin └── cloudfront-waf-lambda.ts ├── cdk.json ├── jest.config.js ├── lib ├── cloudfront-waf-ipset-seeder.ts ├── cloudfront-waf-lambda-stack.ts ├── waf-seed-ip.py ├── waf-update-test.txt └── waf-update.py ├── package-lock.json ├── package.json ├── test └── cloudfront-waf-lambda.test.ts └── tsconfig.json /.gitignore: -------------------------------------------------------------------------------- 1 | *.js 2 | !jest.config.js 3 | *.d.ts 4 | node_modules 5 | 6 | # CDK asset staging directory 7 | .cdk.staging 8 | cdk.out 9 | 10 | # Parcel default cache directory 11 | .parcel-cache 12 | -------------------------------------------------------------------------------- /.npmignore: -------------------------------------------------------------------------------- 1 | *.ts 2 | !*.d.ts 3 | 4 | # CDK asset staging directory 5 | .cdk.staging 6 | cdk.out 7 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *master* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | 61 | We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. 62 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CloudFront WAF IP Set 2 | 3 | This project creates a WAF and IP Set that are scoped to the CloudFront IP Ranges. 4 | Customers can then use this WAF to only allow traffic to an Application load balancer or API gateway from a CloudFront Distribution. 5 | 6 | ## Components 7 | This stack deploys the following components 8 | 9 | - WAF: an AWS Web application firewall 10 | - IP Set: an IP Set scopped to the CloudFront ranges 11 | - Lambda: AWS lambda is used to parse the IP-Ranges.json file and update the IP set with the CloudFront ranges. This lambda is subscriped to an SNS topic that will trigger these changes automatically as AWS publishes new ranges. 12 | 13 | ## Deployment 14 | To deploy this solution run the below script from the root of the project. 15 | 16 | npm install 17 | cdk bootstrap 18 | cdk deploy 19 | 20 | Once the CDK project is finished deploying, you must manually associate the AWS Resources with your newly created WAF for them to be protected. 21 | 22 | ## Security 23 | 24 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 25 | 26 | ## License 27 | 28 | This library is licensed under the MIT-0 License. See the LICENSE file. 29 | 30 | -------------------------------------------------------------------------------- /bin/cloudfront-waf-lambda.ts: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | // SPDX-License-Identifier: MIT-0 5 | 6 | import 'source-map-support/register'; 7 | import * as cdk from '@aws-cdk/core'; 8 | import { CloudfrontWafLambdaStack } from '../lib/cloudfront-waf-lambda-stack'; 9 | 10 | const app = new cdk.App(); 11 | new CloudfrontWafLambdaStack(app, 'CloudfrontWafLambdaStack'); 12 | -------------------------------------------------------------------------------- /cdk.json: -------------------------------------------------------------------------------- 1 | { 2 | "app": "npx ts-node bin/cloudfront-waf-lambda.ts", 3 | "context": { 4 | "@aws-cdk/core:enableStackNameDuplicates": "true", 5 | "aws-cdk:enableDiffNoFail": "true" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /jest.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | roots: ['/test'], 3 | testMatch: ['**/*.test.ts'], 4 | transform: { 5 | '^.+\\.tsx?$': 'ts-jest' 6 | } 7 | }; 8 | -------------------------------------------------------------------------------- /lib/cloudfront-waf-ipset-seeder.ts: -------------------------------------------------------------------------------- 1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | // SPDX-License-Identifier: MIT-0 3 | 4 | import cfn = require('@aws-cdk/aws-cloudformation'); 5 | import lambda = require('@aws-cdk/aws-lambda'); 6 | import iam = require('@aws-cdk/aws-iam') 7 | import cdk = require('@aws-cdk/core'); 8 | import fs = require('fs'); 9 | 10 | export interface WafIPSetSeederProps { 11 | /** 12 | * ARN of Lambda to trigger 13 | */ 14 | LambdaARN: string; 15 | } 16 | 17 | export class WafIPSetSeeder extends cdk.Construct { 18 | public readonly response: string; 19 | 20 | constructor(scope: cdk.Construct, id: string, props: WafIPSetSeederProps) { 21 | super(scope, id); 22 | 23 | const ipSeederRole = new iam.Role(this,'ipseederRole',{ 24 | assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com') 25 | }) 26 | 27 | ipSeederRole.addManagedPolicy(iam.ManagedPolicy.fromManagedPolicyArn(this, 28 | 'AWSLambdaBasicExecutionRole', 29 | 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole')) 30 | 31 | const ipSeederLambdaInvokeStatement = new iam.PolicyStatement({ 32 | actions: [ 33 | "lambda:InvokeFunction" 34 | ], 35 | effect: iam.Effect.ALLOW, 36 | resources: [props.LambdaARN] 37 | }) 38 | ipSeederRole.addToPrincipalPolicy(ipSeederLambdaInvokeStatement) 39 | 40 | const resource = new cfn.CustomResource(this, 'WafIpSeederCustomLambdaResource', { 41 | provider: cfn.CustomResourceProvider.lambda(new lambda.SingletonFunction(this, 'Singleton', { 42 | uuid: '1fb3e13d-d78c-490f-b286-d74bd5d89289', 43 | code: new lambda.InlineCode(fs.readFileSync('lib/waf-seed-ip.py', { encoding: 'utf-8' })), 44 | handler: 'index.lambda_handler', 45 | description: "This lambda function is used to seed the intial IP set for CloudFront", 46 | timeout: cdk.Duration.seconds(30), 47 | runtime: lambda.Runtime.PYTHON_3_7, 48 | role: ipSeederRole 49 | })), 50 | properties: props 51 | }); 52 | 53 | this.response = resource.getAtt('Response').toString(); 54 | 55 | 56 | 57 | } 58 | } -------------------------------------------------------------------------------- /lib/cloudfront-waf-lambda-stack.ts: -------------------------------------------------------------------------------- 1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | // SPDX-License-Identifier: MIT-0 3 | 4 | import * as cdk from '@aws-cdk/core'; 5 | import lambda = require('@aws-cdk/aws-lambda'); 6 | import iam = require('@aws-cdk/aws-iam') 7 | import waf = require('@aws-cdk/aws-wafv2') 8 | import sns = require('@aws-cdk/aws-sns') 9 | import snsSub = require('@aws-cdk/aws-sns-subscriptions') 10 | import {WafIPSetSeeder} from './cloudfront-waf-ipset-seeder' 11 | import fs = require('fs'); 12 | 13 | 14 | export class CloudfrontWafLambdaStack extends cdk.Stack { 15 | constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { 16 | super(scope, id, props); 17 | const IPSetName = 'CloudFront-IPs' 18 | 19 | // Create the Lambda and assign permission 20 | const lambdaFN = new lambda.Function(this, 'WafIPSetUpdaterLambda', { 21 | code: new lambda.InlineCode(fs.readFileSync('lib/waf-update.py', { encoding: 'utf-8' })), 22 | handler: 'index.lambda_handler', 23 | description: 'This lambda is used to update the CloudFront IP Sets in WAF', 24 | runtime: lambda.Runtime.PYTHON_3_7, 25 | environment: { 26 | 'SERVICE': 'CLOUDFRONT', 27 | 'IPSET_NAME': IPSetName, 28 | 'DEBUG': 'true' 29 | } 30 | }); 31 | 32 | const wafPolicyStatement = new iam.PolicyStatement({ 33 | actions: [ 34 | "waf:*", 35 | "waf-regional:*", 36 | "wafv2:*", 37 | "elasticloadbalancing:SetWebACL", 38 | "apigateway:SetWebACL" 39 | ], 40 | effect: iam.Effect.ALLOW, 41 | resources: ["*"] 42 | }) 43 | lambdaFN.role?.addToPrincipalPolicy(wafPolicyStatement) 44 | 45 | // Subscripe the Lambda to the AmazonIpSpaceChanged SNS topic 46 | const ipSNS = sns.Topic.fromTopicArn(this,'ipSNSTopic','arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged') 47 | ipSNS.addSubscription(new snsSub.LambdaSubscription(lambdaFN)) 48 | 49 | // Create IPSet 50 | 51 | const ipSet = new waf.CfnIPSet(this, 'ipset', { 52 | addresses: [], 53 | ipAddressVersion: "IPV4", 54 | scope: "REGIONAL", 55 | name: IPSetName 56 | }) 57 | 58 | // Create the WAF and Associate the IP Set 59 | const ipSetWaf = new waf.CfnWebACL(this, 'waf', { 60 | name: 'CloudFront-IPSet-WAF', 61 | description: "This waf is configured with an IPSet to restrict access from only CloudFront.", 62 | defaultAction: { 63 | block: {} 64 | }, 65 | scope: "REGIONAL", 66 | visibilityConfig: { 67 | cloudWatchMetricsEnabled: true, 68 | metricName: 'cloudfront-ipset-waf', 69 | sampledRequestsEnabled: true 70 | }, 71 | rules: [ 72 | { 73 | visibilityConfig: { 74 | cloudWatchMetricsEnabled: true, 75 | metricName: "cloudfront-waf-ipset-metrics", 76 | sampledRequestsEnabled: true 77 | }, 78 | priority: 0, 79 | statement: { 80 | ipSetReferenceStatement: { 81 | arn: ipSet.attrArn 82 | } 83 | }, 84 | name: "Restrict-CloudFront-IPs", 85 | action:{ 86 | allow:{} 87 | } 88 | }, 89 | ] 90 | }) 91 | 92 | // Custom Resource to seed the IP Set 93 | const ipSeeder = new WafIPSetSeeder(this,'ipSeeder',{ 94 | LambdaARN: lambdaFN.functionArn 95 | }) 96 | } 97 | } 98 | -------------------------------------------------------------------------------- /lib/waf-seed-ip.py: -------------------------------------------------------------------------------- 1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | # SPDX-License-Identifier: MIT-0 3 | 4 | def lambda_handler(event, context): 5 | import logging 6 | import boto3 7 | import json 8 | import cfnresponse 9 | 10 | logging.getLogger().setLevel(logging.INFO) 11 | 12 | resource_id = 'Seed-WAF-IPSet' 13 | 14 | try: 15 | logging.info('Input event: %s', event) 16 | 17 | # Check if this is a Create and we're failing Creates 18 | if event['RequestType'] == 'Create' and event['ResourceProperties'].get('FailCreate', False): 19 | raise RuntimeError('Create failure requested') 20 | 21 | if event['RequestType'] == 'Create': 22 | client = boto3.client('lambda') 23 | lambdaEvent = """{ 24 | "Records": [ 25 | { 26 | "EventVersion": "1.0", 27 | "EventSubscriptionArn": "arn:aws:sns:EXAMPLE", 28 | "EventSource": "aws:sns", 29 | "Sns": { 30 | "SignatureVersion": "1", 31 | "Timestamp": "1970-01-01T00:00:00.000Z", 32 | "Signature": "EXAMPLE", 33 | "SigningCertUrl": "EXAMPLE", 34 | "MessageId": "95df01b4-ee98-5cb9-9903-4c221d41eb5e", 35 | "Type": "Notification", 36 | "UnsubscribeUrl": "EXAMPLE", 37 | "TopicArn": "arn:aws:sns:EXAMPLE", 38 | "Subject": "TestInvoke" 39 | } 40 | } 41 | ] 42 | }""" 43 | 44 | payload = json.loads(lambdaEvent) 45 | payload['Records'][0]['Sns']['Message'] = '{\"create-time\": \"Intial Seed\", \"synctoken\": \"0123456789\", \"md5\": \"seed\", \"url\": \"https://ip-ranges.amazonaws.com/ip-ranges.json\"}' 46 | 47 | response = client.invoke( 48 | FunctionName=event['ResourceProperties']['LambdaARN'], 49 | InvocationType='Event', 50 | Payload=json.dumps(payload).encode() 51 | ) 52 | logging.info(response) 53 | 54 | cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, resource_id) 55 | except Exception as e: 56 | logging.exception(e) 57 | # cfnresponse's error message is always "see CloudWatch" 58 | cfnresponse.send(event, context, cfnresponse.FAILED, {}, resource_id) -------------------------------------------------------------------------------- /lib/waf-update-test.txt: -------------------------------------------------------------------------------- 1 | # This is a handy test event you can use when testing your lambda function. 2 | ''' 3 | Sample Event From SNS: 4 | { 5 | "Records": [ 6 | { 7 | "EventVersion": "1.0", 8 | "EventSubscriptionArn": "arn:aws:sns:EXAMPLE", 9 | "EventSource": "aws:sns", 10 | "Sns": { 11 | "SignatureVersion": "1", 12 | "Timestamp": "1970-01-01T00:00:00.000Z", 13 | "Signature": "EXAMPLE", 14 | "SigningCertUrl": "EXAMPLE", 15 | "MessageId": "95df01b4-ee98-5cb9-9903-4c221d41eb5e", 16 | "Message": "{\"create-time\": \"yyyy-mm-ddThh:mm:ss+00:00\", \"synctoken\": \"0123456789\", \"md5\": \"45be1ba64fe83acb7ef247bccbc45704\", \"url\": \"https://ip-ranges.amazonaws.com/ip-ranges.json\"}", 17 | "Type": "Notification", 18 | "UnsubscribeUrl": "EXAMPLE", 19 | "TopicArn": "arn:aws:sns:EXAMPLE", 20 | "Subject": "TestInvoke" 21 | } 22 | } 23 | ] 24 | } 25 | ''' 26 | -------------------------------------------------------------------------------- /lib/waf-update.py: -------------------------------------------------------------------------------- 1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | # SPDX-License-Identifier: MIT-0 3 | 4 | import urllib.parse 5 | import urllib.error 6 | import urllib.request 7 | import os 8 | import logging 9 | import json 10 | import hashlib 11 | import boto3 12 | 13 | 14 | def lambda_handler(event, context): 15 | # Set up logging 16 | if len(logging.getLogger().handlers) > 0: 17 | logging.getLogger().setLevel(logging.ERROR) 18 | else: 19 | logging.basicConfig(level=logging.DEBUG) 20 | 21 | # Set the environment variable DEBUG to 'true' if you want verbose debug details in CloudWatch Logs. 22 | try: 23 | if os.environ['DEBUG'] == 'true': 24 | logging.getLogger().setLevel(logging.INFO) 25 | except KeyError: 26 | pass 27 | 28 | try: 29 | # If you want a different service, set the SERVICE environment variable. 30 | # It defaults to CLOUDFRONT. Using 'jq' and 'curl' get the list of possible 31 | # services like this: 32 | # curl -s 'https://ip-ranges.amazonaws.com/ip-ranges.json' | jq -r '.prefixes[] | .service' ip-ranges.json | sort -u 33 | SERVICE = os.getenv('SERVICE', "CLOUDFRONT") 34 | 35 | message = json.loads(event['Records'][0]['Sns']['Message']) 36 | 37 | # Load the ip ranges from the url 38 | ip_ranges = json.loads(get_ip_groups_json(message['url'], message['md5'])) 39 | 40 | # Extract the service ranges 41 | # global_cf_ranges = get_ranges_for_service(ip_ranges, SERVICE, "GLOBAL") 42 | # region_cf_ranges = get_ranges_for_service(ip_ranges, SERVICE, "REGION") 43 | all_cf_ranges = get_ranges_for_service(ip_ranges, SERVICE) 44 | 45 | # Update the IP set 46 | result = update_ip_set(SERVICE, message['create-time'], all_cf_ranges) 47 | 48 | return result 49 | 50 | except Exception as e: 51 | logging.exception(e) 52 | raise e 53 | 54 | 55 | 56 | def get_ip_groups_json(url, expected_hash): 57 | 58 | logging.debug("Updating from " + url) 59 | 60 | response = urllib.request.urlopen(url) 61 | ip_json = response.read() 62 | 63 | if expected_hash == 'seed': 64 | logging.info('hash set to seed, bypassing md5 check') 65 | return ip_json 66 | 67 | m = hashlib.md5() 68 | m.update(ip_json) 69 | hash = m.hexdigest() 70 | 71 | if hash != expected_hash: 72 | raise Exception('MD5 Mismatch: got ' + hash + 73 | ' expected ' + expected_hash) 74 | 75 | return ip_json 76 | 77 | 78 | def get_ranges_for_service(ranges, service): 79 | 80 | service_ranges = list() 81 | for prefix in ranges['prefixes']: 82 | if prefix['service'] == service: 83 | logging.info(('Found ' + service + ' region: ' + 84 | prefix['region'] + ' range: ' + prefix['ip_prefix'])) 85 | service_ranges.append(prefix['ip_prefix']) 86 | 87 | return service_ranges 88 | 89 | 90 | def update_ip_set(service, time, ranges): 91 | client = boto3.client('wafv2') 92 | 93 | ip_set_list = client.list_ip_sets( 94 | Scope='REGIONAL' 95 | ) 96 | 97 | ip_set_name = os.environ['IPSET_NAME'] 98 | ip_set_description = 'IP Address ranges for service ' + service + ' as of ' + time 99 | 100 | for ipset in ip_set_list['IPSets']: 101 | if ipset['Name'] != ip_set_name: 102 | continue 103 | ipset_id = ipset['Id'] 104 | ipset_lock = ipset['LockToken'] 105 | break 106 | 107 | response = client.update_ip_set( 108 | Name=ip_set_name, 109 | Scope='REGIONAL', 110 | Id=ipset_id, 111 | Description=ip_set_description, 112 | Addresses=ranges, 113 | LockToken=ipset_lock 114 | ) 115 | return response -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "cloudfront-waf-lambda", 3 | "version": "0.1.0", 4 | "bin": { 5 | "cloudfront-waf-lambda": "bin/cloudfront-waf-lambda.js" 6 | }, 7 | "scripts": { 8 | "build": "tsc", 9 | "watch": "tsc -w", 10 | "test": "jest", 11 | "cdk": "cdk" 12 | }, 13 | "devDependencies": { 14 | "@aws-cdk/assert": "2.43.1", 15 | "@types/jest": "^29.0.3", 16 | "@types/node": "18.7.18", 17 | "aws-cdk": "2.43.1", 18 | "jest": "^29.0.3", 19 | "ts-jest": "^29.0.1", 20 | "ts-node": "^10.9.1", 21 | "typescript": "^4.8.3" 22 | }, 23 | "dependencies": { 24 | "@aws-cdk/aws-cloudformation": "^1.174.0", 25 | "@aws-cdk/aws-iam": "^1.174.0", 26 | "@aws-cdk/aws-lambda": "^1.174.0", 27 | "@aws-cdk/aws-sns": "^1.174.0", 28 | "@aws-cdk/aws-sns-subscriptions": "^1.174.0", 29 | "@aws-cdk/aws-wafv2": "^1.174.0", 30 | "@aws-cdk/core": "1.174.0", 31 | "source-map-support": "^0.5.21" 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /test/cloudfront-waf-lambda.test.ts: -------------------------------------------------------------------------------- 1 | import { expect as expectCDK, matchTemplate, MatchStyle } from '@aws-cdk/assert'; 2 | import * as cdk from '@aws-cdk/core'; 3 | import * as CloudfrontWafLambda from '../lib/cloudfront-waf-lambda-stack'; 4 | 5 | test('Empty Stack', () => { 6 | const app = new cdk.App(); 7 | // WHEN 8 | const stack = new CloudfrontWafLambda.CloudfrontWafLambdaStack(app, 'MyTestStack'); 9 | // THEN 10 | expectCDK(stack).to(matchTemplate({ 11 | "Resources": {} 12 | }, MatchStyle.EXACT)) 13 | }); 14 | -------------------------------------------------------------------------------- /tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "ES2018", 4 | "module": "commonjs", 5 | "lib": ["es2018"], 6 | "declaration": true, 7 | "strict": true, 8 | "noImplicitAny": true, 9 | "strictNullChecks": true, 10 | "noImplicitThis": true, 11 | "alwaysStrict": true, 12 | "noUnusedLocals": false, 13 | "noUnusedParameters": false, 14 | "noImplicitReturns": true, 15 | "noFallthroughCasesInSwitch": false, 16 | "inlineSourceMap": true, 17 | "inlineSources": true, 18 | "experimentalDecorators": true, 19 | "strictPropertyInitialization": false, 20 | "typeRoots": ["./node_modules/@types"] 21 | }, 22 | "exclude": ["cdk.out"] 23 | } 24 | --------------------------------------------------------------------------------