fix: waf us-east-1

Author: jfbaeta

backend/cdk/bin/cdk.ts

@@ -4,15 +4,13 @@ import * as cdk from "aws-cdk-lib";
 import { MainStack } from "../lib/main-stack";
 
 const app = new cdk.App();
+
 new MainStack(app, "ChatModeration", {
-  /* If you don't specify 'env', this stack will be environment-agnostic.
-   * Account/Region-dependent features and context lookups will not work,
-   * but a single synthesized template can be deployed anywhere. */
-  /* Uncomment the next line to specialize this stack for the AWS Account
-   * and Region that are implied by the current CLI configuration. */
-  // env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-  /* Uncomment the next line if you know exactly what Account and Region you
-   * want to deploy the stack to. */
-  // env: { account: '123456789012', region: 'us-east-1' },
-  /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
+  },
+  crossRegionReferences: true,
 });
+
+app.synth();

backend/cdk/lib/front-end-stack.ts

@@ -2,11 +2,16 @@ import * as cdk from "aws-cdk-lib";
 import * as s3 from "aws-cdk-lib/aws-s3";
 import * as cloudfront from "aws-cdk-lib/aws-cloudfront";
 import * as iam from "aws-cdk-lib/aws-iam";
-import * as waf from "aws-cdk-lib/aws-wafv2";
 import { Construct } from "constructs";
 
 interface FrontEndProps extends cdk.NestedStackProps {
   stackName: string;
+  webAclArn: string;
+  crossRegionReferences: boolean;
+  env?: {
+    region?: string;
+    account?: string;
+  };
 }
 
 export class FrontEnd extends cdk.NestedStack {
@@ -56,36 +61,6 @@ export class FrontEnd extends cdk.NestedStack {
       removalPolicy: cdk.RemovalPolicy.DESTROY,
     });
 
-    // CloudFront WAF WebACL
-    const webAcl = new waf.CfnWebACL(this, "ChatModeration-CloudFrontWAF", {
-      name: "ChatModeration-CloudFrontWAF",
-      scope: "CLOUDFRONT",
-      defaultAction: { allow: {} },
-      visibilityConfig: {
-        cloudWatchMetricsEnabled: true,
-        metricName: "ChatModeration-CloudFrontWAF",
-        sampledRequestsEnabled: true,
-      },
-      rules: [
-        {
-          name: "LimitRequests100",
-          priority: 1,
-          action: { block: {} },
-          visibilityConfig: {
-            cloudWatchMetricsEnabled: true,
-            metricName: "LimitRequests100",
-            sampledRequestsEnabled: true,
-          },
-          statement: {
-            rateBasedStatement: {
-              limit: 100,
-              aggregateKeyType: "IP",
-            },
-          },
-        },
-      ],
-    });
-
     // CloudFront Distribution for Front-End Static Assets
     const cloudFrontDistribution = new cloudfront.CfnDistribution(
       this,
@@ -136,7 +111,7 @@ export class FrontEnd extends cdk.NestedStack {
             prefix: "cloudfront-logs/",
             includeCookies: false,
           },
-          webAclId: webAcl.attrArn,
+          webAclId: props.webAclArn,
         },
       }
     );

backend/cdk/lib/main-stack.ts

@@ -1,12 +1,19 @@
 import * as cdk from "aws-cdk-lib";
+import { Construct } from "constructs";
 import { Database } from "./database-stack";
 import { Guardrail } from "./guardrail-stack";
 import { PromptSwitch } from "./prompt-switch-stack";
 import { Api } from "./api-stack";
+import { Waf } from './waf-stack';
 import { FrontEnd } from "./front-end-stack";
 import { Observability } from "./observability-stack";
 
-export interface MainStackProps extends cdk.StackProps {}
+export interface MainStackProps extends cdk.StackProps {
+  env?: {
+    region?: string;
+    account?: string;
+  };
+}
 
 export class MainStack extends cdk.Stack {
   public readonly approvedMessagesTableName: string;
@@ -25,9 +32,11 @@ export class MainStack extends cdk.Stack {
   public readonly cloudFrontDistributionId: string;
   public readonly cloudFrontDistributionDomain: string;
 
-  public constructor(scope: cdk.App, id: string, props: MainStackProps = {}) {
-    super(scope, id, props);
-    this.templateOptions.description = 'Live Chat Content Moderation with generative AI on AWS (SO9005)'
+  constructor(scope: Construct, id: string, props?: MainStackProps) {
+    super(scope, id, {
+      ...props,
+      crossRegionReferences: true,
+    });
 
     // Database Nested Stack
     const database = new Database(this, "Database", {
@@ -56,9 +65,20 @@ export class MainStack extends cdk.Stack {
       promptSwitchParameterName: promptSwitch.promptSwitchParameterName,
     });
 
+    // WAF Nested Stack in us-east-1
+    const wafStack = new Waf(this, 'Waf', {
+      stackName: "Waf",
+      crossRegionReferences: true,
+      env: {
+        account: this.account,
+      },
+    });
+
     // Front-End Nested Stack
     const frontEnd = new FrontEnd(this, "FrontEnd", {
       stackName: "FrontEnd",
+      webAclArn: wafStack.webAclArn,
+      crossRegionReferences: true,
     });
 
     // Observability Stack

backend/cdk/lib/waf-stack.ts

@@ -0,0 +1,52 @@
+import * as cdk from "aws-cdk-lib";
+import * as waf from "aws-cdk-lib/aws-wafv2";
+import { Construct } from "constructs";
+
+interface WafProps extends cdk.StackProps {
+    crossRegionReferences: boolean;
+  }
+
+export class Waf extends cdk.Stack {
+  public readonly webAclArn: string;
+
+  constructor(scope: Construct, id: string, props: WafProps) {
+    super(scope, id, {
+      ...props,
+      env: {
+        region: 'us-east-1',  // Force WAF to be created in us-east-1
+        account: props.env?.account,
+      },
+    });
+
+    const webAcl = new waf.CfnWebACL(this, "ChatModeration-CloudFrontWAF", {
+      name: "ChatModeration-CloudFrontWAF",
+      scope: "CLOUDFRONT",
+      defaultAction: { allow: {} },
+      visibilityConfig: {
+        cloudWatchMetricsEnabled: true,
+        metricName: "ChatModeration-CloudFrontWAF",
+        sampledRequestsEnabled: true,
+      },
+      rules: [
+        {
+          name: "LimitRequests100",
+          priority: 1,
+          action: { block: {} },
+          visibilityConfig: {
+            cloudWatchMetricsEnabled: true,
+            metricName: "LimitRequests100",
+            sampledRequestsEnabled: true,
+          },
+          statement: {
+            rateBasedStatement: {
+              limit: 100,
+              aggregateKeyType: "IP",
+            },
+          },
+        },
+      ],
+    });
+
+    this.webAclArn = webAcl.attrArn;
+  }
+}

scripts/install.bash

@@ -119,7 +119,7 @@ deploy_cdk_stack() {
 
     echo -e "\n${BLUE}[INFO] CDK Output:${NC}"
     # Run 'cdk deploy' command
-    cdk deploy --require-approval never --outputs-file "$CDK_OUTPUTS_FILE"
+    cdk deploy --all --require-approval never --outputs-file "$CDK_OUTPUTS_FILE"
     if [ $? -ne 0 ]; then
         echo -e "\n${RED}[ERROR] CDK deployment failed. Aborting.${NC}"
         exit 1