This is a CDK stack to create / update IP Sets that have Global and Regional CloudFront IP addresses when the AWS IP addresses range is changed. And if you want, enable to notify you result of refresh IP Set via slack.
About AWS WAF IP Set, you can see AWS Documents.
These IP Sets help to limit the requests to the ALB to access via CloudFront. The IP Sets are updated by triggering notifications of IP Range changes by AWS, so it can keep up with the latest IP Range.
- Subscribe the
AmazonIpSpaceChangedtopic of Amazon SNS. It's provided by AWS. - When the notification is received, a Lambda function is triggered.
- The Lambda function get newest IP address ranges from
ip-ranges.json, and create or update 2 AWS WAF IP Sets in specified a region.- One IP Set is a collection of Global CloudFront IP addresses.
- The other one, Regional CloudFront IP addresses.
- The each default IP Sets names are
<Stack-Name>-CloudFront-Globaland<Stack-Name>-CloudFront-Regional.
- If you want, you can receive a notification to result of refresh IP Set via Slack. Using Amazon EventBridge destination API to invoke Slack API.
- Specify context variable
slackWebHookUrlat deploy. - ex:
cdk deploy -c slackWebHookUrl=https://hooks.slack.com/.....
- Specify context variable
git clone https://github.com/msysh/aws-sample-cdk-auto-update-waf-ip-set-of-cloudfront.gitcd aws-sample-cdk-auto-update-waf-ip-set-of-cloudfront/lambdanpm installoryarn installcd ../npm run buildoryarn buildcdk deploy -c slackWebHookUrl=https://hooks.slack.com/.....: deploy this stack to your default AWS account/region- If you need not slack notification,
cdk deply
- If you need not slack notification,
cdk destroy- Delete AWS WAF IP Sets using Management Console or AWS CLI.