feat: add WAF to restrict AppSync origins in production#39
Merged
takaokouji merged 3 commits into main on Jan 10, 2026
Conversation
- Create a WAFv2 WebACL for the production stage.
- Restrict the 'Origin' header to 'https://smalruby.app' and 'https://smalruby.jp'.
- Associate the WebACL with the AppSync GraphQL API.
- Add unit tests to verify WAF creation and origin restriction logic.

Part of smalruby/smalruby3-develop#10

- Set isolatedModules: true in tsconfig.json to resolve ts-jest warning.
- Replace deprecated DnsValidatedCertificate with Certificate in mesh-v2-stack.ts.
- Note: Removed region: 'us-east-1' from certificate as AppSync custom domains are regional and Certificate construct uses the stack's region.
Author (Contributor)
Investigation results: regarding the fix to certificate creation
Problem: in commit 6b4652b,
Root cause
The real cause of the npm test warning: the original warning was a ts-jest warning, and
Recommended fix approach
Reason:
Alternatives considered:
On the deprecation warning:
Fix details: revert the following change from commit 6b4652b:

    const certificate = new acm.DnsValidatedCertificate(this, 'ApiCertificate', {
      domainName: customDomain,
      hostedZone: zone,
      region: 'us-east-1',
    });

With this fix, the existing certificate can continue to be used without being deleted.
References
AppSync custom domains require certificates to be located in us-east-1. The standard Certificate construct does not support cross-region creation, so reverting to DnsValidatedCertificate with region: 'us-east-1' to ensure successful deployment in regional stacks (e.g., ap-northeast-1). This resolves the "Certificate must be in us-east-1" error during deployment.

Co-Authored-By: Gemini <noreply@google.com>
Summary

This PR adds AWS WAFv2 configuration to the AppSync GraphQL API to restrict access based on the Origin header. This restriction is only applied to the prod (production) stage.

Implementation Details

- CfnWebACL with a rule AllowSpecificOrigins.
- ByteMatchStatement on the Origin header with a LOWERCASE transformation.
- Allowed origins: https://smalruby.app and https://smalruby.jp.
- Requests from other origins (e.g., localhost) or without an Origin header are blocked by the default action.
- The WebACL is attached to the API with CfnWebACLAssociation.

Test Coverage

- Updated test/mesh-v2.test.ts to verify that the WAF is created when STAGE=prod and not for other stages (e.g., stg).

Part of smalruby/smalruby3-develop#10
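The Origin allowlist described above, modelled locally as an added example that is not code from this PR or the smalruby project: the rule object follows the camelCase property shape of CDK's CfnWebACL, while the `evaluate` stand-in for WAFv2 and the EXACTLY positional constraint are assumptions, since the PR text does not state them.

```typescript
// Added example, not code from this PR or the smalruby project: a local model of the
// Origin-allowlist WebACL. The rule follows the camelCase property shape of CDK's CfnWebACL;
// `evaluate` and the EXACTLY positional constraint are assumptions (the PR does not state them).
type Positional = 'EXACTLY' | 'STARTS_WITH';
interface ByteMatchStatement {
  fieldToMatch: { singleHeader: { name: string } };
  positionalConstraint: Positional;
  searchString: string;
  textTransformations: { priority: number; type: string }[];
}
interface AllowRule {
  name: string;
  priority: number;
  action: { allow: {} };
  statement: { orStatement: { statements: { byteMatchStatement: ByteMatchStatement }[] } };
}
const ALLOWED_ORIGINS = ['https://smalruby.app', 'https://smalruby.jp'];
// One ByteMatchStatement per allowed origin, OR-ed together; everything else hits the
// WebACL default action (BLOCK), including requests that carry no Origin header at all.
function allowSpecificOrigins(constraint: Positional = 'EXACTLY'): AllowRule {
  return {
    name: 'AllowSpecificOrigins',
    priority: 0,
    action: { allow: {} },
    statement: { orStatement: { statements: ALLOWED_ORIGINS.map((origin) => ({
      byteMatchStatement: {
        fieldToMatch: { singleHeader: { name: 'origin' } },
        positionalConstraint: constraint,
        searchString: origin,
        textTransformations: [{ priority: 0, type: 'LOWERCASE' }],
      },
    })) } },
  };
}
function byteMatch(stmt: ByteMatchStatement, headers: Record<string, string>): boolean {
  // Header names are case-insensitive in HTTP; a missing header never matches.
  const key = Object.keys(headers).find((h) => h.toLowerCase() === stmt.fieldToMatch.singleHeader.name);
  if (key === undefined) return false;
  let value = headers[key];
  for (const t of stmt.textTransformations) if (t.type === 'LOWERCASE') value = value.toLowerCase();
  if (stmt.positionalConstraint === 'EXACTLY') return value === stmt.searchString;
  return value.startsWith(stmt.searchString);
}

// Simplified WAFv2 evaluation: ALLOW when the allow rule matches, otherwise the default BLOCK.
function evaluate(headers: Record<string, string>, rule = allowSpecificOrigins()): 'ALLOW' | 'BLOCK' {
  const hit = rule.statement.orStatement.statements.some((s) => byteMatch(s.byteMatchStatement, headers));
  return hit ? 'ALLOW' : 'BLOCK';
}
```

The STARTS_WITH variant is there only to show why the positional constraint has to be exact: under it a lookalike origin such as https://smalruby.app.example would be allowed. Origin is set by the client, so this rule limits cross-site use from browsers rather than authenticating callers.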