@gradientedge/cdk-utils 5.9.0 → 5.12.0

package/dist/src/lib/construct/api-to-eventbridge-target/main.js

@@ -477,6 +477,10 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
             this.apiDestinedRestApi.api = apig.RestApi.fromRestApiId(this, `${this.id}-sns-rest-api`, cdk.Fn.importValue(this.props.api.importedRestApiRef));
             return;
         }
+        const accessLogGroup = this.logManager.createLogGroup(`${this.id}-sns-rest-api-access-log`, this, {
+            logGroupName: `/custom/api/${this.id}-destined-rest-api-access-${this.props.stage}`,
+            removalPolicy: cdk.RemovalPolicy.DESTROY,
+        });
         this.apiDestinedRestApi.api = new apig.RestApi(this, `${this.id}-sns-rest-api`, {
             ...{
                 defaultIntegration: this.apiDestinedRestApi.integration,
@@ -489,6 +493,8 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
                     loggingLevel: apig.MethodLoggingLevel.INFO,
                     metricsEnabled: true,
                     stageName: this.props.stage,
+                    accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
+                    accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
                 },
                 endpointConfiguration: {
                     types: [apig.EndpointType.REGIONAL],

package/dist/src/lib/construct/site-with-ecs-backend/main.d.ts

@@ -9,6 +9,7 @@ import * as logs from 'aws-cdk-lib/aws-logs';
 import * as route53 from 'aws-cdk-lib/aws-route53';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
 import { Construct } from 'constructs';
 import { CommonConstruct } from '../../common';
 import { SiteWithEcsBackendProps } from '../../types';
@@ -61,6 +62,7 @@ export declare class SiteWithEcsBackend extends CommonConstruct {
     siteDomainNames: string[];
     siteCloudfrontFunction: cloudfront.Function;
     siteFunctionAssociations: cloudfront.FunctionAssociation[];
+    siteWebAcl: wafv2.CfnWebACL;
     constructor(parent: Construct, id: string, props: SiteWithEcsBackendProps);
     /**
      * @summary Initialise and provision resources
@@ -149,6 +151,11 @@ export declare class SiteWithEcsBackend extends CommonConstruct {
      * @protected
      */
     protected resolveSiteFunctionAssociations(): void;
+    /**
+     * @summary Method to create WAF
+     * @protected
+     */
+    protected createSiteWebAcl(): void;
     /**
      * Method to create Site distribution
      * @protected

package/dist/src/lib/construct/site-with-ecs-backend/main.js

@@ -80,6 +80,7 @@ class SiteWithEcsBackend extends common_1.CommonConstruct {
     siteDomainNames;
     siteCloudfrontFunction;
     siteFunctionAssociations;
+    siteWebAcl;
     constructor(parent, id, props) {
         super(parent, id, props);
         this.props = props;
@@ -107,6 +108,7 @@ class SiteWithEcsBackend extends common_1.CommonConstruct {
         this.createSiteOrigin();
         this.createSiteCloudfrontFunction();
         this.resolveSiteFunctionAssociations();
+        this.createSiteWebAcl();
         this.createDistribution();
         this.createNetworkMappings();
         this.invalidateDistributionCache();
@@ -305,12 +307,21 @@ class SiteWithEcsBackend extends common_1.CommonConstruct {
             ];
         }
     }
+    /**
+     * @summary Method to create WAF
+     * @protected
+     */
+    createSiteWebAcl() {
+        if (!this.props.siteWebAcl)
+            throw 'SiteWebAcl props undefined';
+        this.siteWebAcl = this.wafManager.createWebAcl(`${this.id}-waf`, this, this.props.siteWebAcl);
+    }
     /**
      * Method to create Site distribution
      * @protected
      */
     createDistribution() {
-        this.siteDistribution = this.cloudFrontManager.createDistributionWithHttpOrigin(`${this.id}-distribution`, this, this.props.siteDistribution, this.siteOrigin, this.siteDomainNames, this.siteLogBucket, this.siteCertificate, this.siteFunctionAssociations);
+        this.siteDistribution = this.cloudFrontManager.createDistributionWithHttpOrigin(`${this.id}-distribution`, this, this.props.siteDistribution, this.siteOrigin, this.siteDomainNames, this.siteLogBucket, this.siteCertificate, this.siteFunctionAssociations, this.siteWebAcl.attrId);
     }
     /**
      * Method to create Route53 records for distribution

package/dist/src/lib/construct/static-site/main.d.ts

@@ -3,6 +3,7 @@ import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 import * as route53 from 'aws-cdk-lib/aws-route53';
 import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
 import { Construct } from 'constructs';
 import { CommonConstruct } from '../../common';
 import { StaticSiteProps } from '../../types';
@@ -39,6 +40,7 @@ export declare class StaticSite extends CommonConstruct {
     siteOriginAccessIdentity: cloudfront.OriginAccessIdentity;
     siteCloudfrontFunction: cloudfront.Function;
     siteFunctionAssociations: cloudfront.FunctionAssociation[];
+    siteWebAcl: wafv2.CfnWebACL;
     constructor(parent: Construct, id: string, props: StaticSiteProps);
     /**
      * @summary Initialise and provision resources
@@ -76,6 +78,11 @@ export declare class StaticSite extends CommonConstruct {
      * @protected
      */
     protected resolveSiteFunctionAssociations(): void;
+    /**
+     * @summary Method to create WAF
+     * @protected
+     */
+    protected createSiteWebAcl(): void;
     /**
      * @summary Method to create a site cloudfront distribution
      * @protected

package/dist/src/lib/construct/static-site/main.js

@@ -62,6 +62,7 @@ class StaticSite extends common_1.CommonConstruct {
     siteOriginAccessIdentity;
     siteCloudfrontFunction;
     siteFunctionAssociations;
+    siteWebAcl;
     constructor(parent, id, props) {
         super(parent, id, props);
         this.props = props;
@@ -79,6 +80,7 @@ class StaticSite extends common_1.CommonConstruct {
         this.createSiteOrigin();
         this.createSiteCloudfrontFunction();
         this.resolveSiteFunctionAssociations();
+        this.createSiteWebAcl();
         this.createSiteDistribution();
         this.createSiteRouteAssets();
         this.deploySite();
@@ -142,6 +144,15 @@ class StaticSite extends common_1.CommonConstruct {
             ];
         }
     }
+    /**
+     * @summary Method to create WAF
+     * @protected
+     */
+    createSiteWebAcl() {
+        if (!this.props.siteWebAcl)
+            throw 'SiteWebAcl props undefined';
+        this.siteWebAcl = this.wafManager.createWebAcl(`${this.id}-waf`, this, this.props.siteWebAcl);
+    }
     /**
      * @summary Method to create a site cloudfront distribution
      * @protected
@@ -149,7 +160,7 @@ class StaticSite extends common_1.CommonConstruct {
     createSiteDistribution() {
         if (!this.props.siteDistribution)
             throw 'SiteDistribution props undefined';
-        this.siteDistribution = this.cloudFrontManager.createDistributionWithS3Origin(`${this.id}-distribution`, this, this.props.siteDistribution, this.siteOrigin, this.siteBucket, this.siteLogBucket, this.siteOriginAccessIdentity, this.siteCertificate, this.props.siteAliases, this.siteFunctionAssociations);
+        this.siteDistribution = this.cloudFrontManager.createDistributionWithS3Origin(`${this.id}-distribution`, this, this.props.siteDistribution, this.siteOrigin, this.siteBucket, this.siteLogBucket, this.siteOriginAccessIdentity, this.siteCertificate, this.props.siteAliases, this.siteFunctionAssociations, this.siteWebAcl.attrId);
     }
     /**
      * @summary Method to create route53 records for static site

package/dist/src/lib/manager/aws/cloudfront-manager.d.ts

@@ -49,8 +49,9 @@ export declare class CloudFrontManager {
      * @param {cloudfront.OriginAccessIdentity?} oai
      * @param {acm.ICertificate?} certificate
      * @param {string[]?} aliases
+     * @param {string?} webAclId
      */
-    createCloudFrontDistribution(id: string, scope: common.CommonConstruct, props: types.CloudFrontProps, siteBucket?: s3.IBucket, logBucket?: s3.IBucket, oai?: cloudfront.OriginAccessIdentity, certificate?: acm.ICertificate, aliases?: string[]): cdk.aws_cloudfront.CloudFrontWebDistribution;
+    createCloudFrontDistribution(id: string, scope: common.CommonConstruct, props: types.CloudFrontProps, siteBucket?: s3.IBucket, logBucket?: s3.IBucket, oai?: cloudfront.OriginAccessIdentity, certificate?: acm.ICertificate, aliases?: string[], webAclId?: string): cdk.aws_cloudfront.CloudFrontWebDistribution;
     /**
      * Method to create a CloudFront distribution with S3 Origin
      * @param {string} id scoped id of the resource
@@ -63,8 +64,9 @@ export declare class CloudFrontManager {
      * @param {acm.ICertificate?} certificate
      * @param {string[]?} aliases
      * @param {cloudfront.FunctionAssociation?} defaultFunctionAssociations
+     * @param {string?} webAclId
      */
-    createDistributionWithS3Origin(id: string, scope: common.CommonConstruct, props: types.DistributionProps, origin: origins.S3Origin, siteBucket: s3.IBucket, logBucket?: s3.IBucket, oai?: cloudfront.OriginAccessIdentity, certificate?: acm.ICertificate, aliases?: string[], defaultFunctionAssociations?: cloudfront.FunctionAssociation[]): cdk.aws_cloudfront.Distribution;
+    createDistributionWithS3Origin(id: string, scope: common.CommonConstruct, props: types.DistributionProps, origin: origins.S3Origin, siteBucket: s3.IBucket, logBucket?: s3.IBucket, oai?: cloudfront.OriginAccessIdentity, certificate?: acm.ICertificate, aliases?: string[], defaultFunctionAssociations?: cloudfront.FunctionAssociation[], webAclId?: string): cdk.aws_cloudfront.Distribution;
     /**
      * Method to create a CloudFront distribution with HTTP Origin
      * @param {string} id scoped id of the resource
@@ -75,8 +77,9 @@ export declare class CloudFrontManager {
      * @param {s3.IBucket?} logBucket
      * @param {acm.ICertificate?} certificate
      * @param {cloudfront.FunctionAssociation?} defaultFunctionAssociations
+     * @param {string?} webAclId
      */
-    createDistributionWithHttpOrigin(id: string, scope: common.CommonConstruct, props: types.DistributionProps, origin: origins.HttpOrigin, domainNames: string[], logBucket?: s3.IBucket, certificate?: acm.ICertificate, defaultFunctionAssociations?: cloudfront.FunctionAssociation[]): cdk.aws_cloudfront.Distribution;
+    createDistributionWithHttpOrigin(id: string, scope: common.CommonConstruct, props: types.DistributionProps, origin: origins.HttpOrigin, domainNames: string[], logBucket?: s3.IBucket, certificate?: acm.ICertificate, defaultFunctionAssociations?: cloudfront.FunctionAssociation[], webAclId?: string): cdk.aws_cloudfront.Distribution;
     /**
      * @summary Method to provision a Lambda@Edge function
      *

package/dist/src/lib/manager/aws/cloudfront-manager.js

@@ -78,8 +78,9 @@ class CloudFrontManager {
      * @param {cloudfront.OriginAccessIdentity?} oai
      * @param {acm.ICertificate?} certificate
      * @param {string[]?} aliases
+     * @param {string?} webAclId
      */
-    createCloudFrontDistribution(id, scope, props, siteBucket, logBucket, oai, certificate, aliases) {
+    createCloudFrontDistribution(id, scope, props, siteBucket, logBucket, oai, certificate, aliases, webAclId) {
         if (!siteBucket)
             throw `SiteBucket not defined`;
         if (!certificate)
@@ -113,7 +114,7 @@ class CloudFrontManager {
                 securityPolicy: cloudfront.SecurityPolicyProtocol.TLS_V1_1_2016,
                 sslMethod: cloudfront.SSLMethod.SNI,
             }),
-            webACLId: props.webACLId,
+            webACLId: webAclId,
         });
         utils.createCfnOutput(`${id}-distributionId`, scope, distribution.distributionId);
         utils.createCfnOutput(`${id}-distributionDomainName`, scope, distribution.distributionDomainName);
@@ -131,8 +132,9 @@ class CloudFrontManager {
      * @param {acm.ICertificate?} certificate
      * @param {string[]?} aliases
      * @param {cloudfront.FunctionAssociation?} defaultFunctionAssociations
+     * @param {string?} webAclId
      */
-    createDistributionWithS3Origin(id, scope, props, origin, siteBucket, logBucket, oai, certificate, aliases, defaultFunctionAssociations) {
+    createDistributionWithS3Origin(id, scope, props, origin, siteBucket, logBucket, oai, certificate, aliases, defaultFunctionAssociations, webAclId) {
         const distribution = new cloudfront.Distribution(scope, `${id}`, {
             certificate: certificate,
             comment: `${id} - ${scope.props.stage} stage`,
@@ -157,7 +159,7 @@ class CloudFrontManager {
             logFilePrefix: props.logFilePrefix ?? `edge/`,
             minimumProtocolVersion: props.minimumProtocolVersion ?? cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021,
             priceClass: props.priceClass ?? cloudfront.PriceClass.PRICE_CLASS_ALL,
-            webAclId: props.webAclId,
+            webAclId: webAclId,
         });
         utils.createCfnOutput(`${id}-distributionId`, scope, distribution.distributionId);
         utils.createCfnOutput(`${id}-distributionDomainName`, scope, distribution.distributionDomainName);
@@ -173,8 +175,9 @@ class CloudFrontManager {
      * @param {s3.IBucket?} logBucket
      * @param {acm.ICertificate?} certificate
      * @param {cloudfront.FunctionAssociation?} defaultFunctionAssociations
+     * @param {string?} webAclId
      */
-    createDistributionWithHttpOrigin(id, scope, props, origin, domainNames, logBucket, certificate, defaultFunctionAssociations) {
+    createDistributionWithHttpOrigin(id, scope, props, origin, domainNames, logBucket, certificate, defaultFunctionAssociations, webAclId) {
         const distribution = new cloudfront.Distribution(scope, `${id}`, {
             certificate: certificate,
             comment: `${id} - ${scope.props.stage} stage`,
@@ -199,7 +202,7 @@ class CloudFrontManager {
             logFilePrefix: props.logFilePrefix ?? `edge/`,
             minimumProtocolVersion: props.minimumProtocolVersion ?? cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021,
             priceClass: props.priceClass ?? cloudfront.PriceClass.PRICE_CLASS_ALL,
-            webAclId: props.webAclId,
+            webAclId: webAclId,
         });
         utils.createCfnOutput(`${id}-distributionId`, scope, distribution.distributionId);
         utils.createCfnOutput(`${id}-distributionDomainName`, scope, distribution.distributionDomainName);

package/dist/src/lib/manager/aws/iam-manager.d.ts

@@ -146,6 +146,11 @@ export declare class IamManager {
      * @param {string[]} resourceArns list of ARNs to allow access to
      */
     statementForReadTableItems(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
+    /**
+     * @summary Method to create iam statement to write items from dynamodb table
+     * @param {string[]} resourceArns list of ARNs to allow access to
+     */
+    statementForWriteTableItems(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement for cloud trail
      * @param {string} id scoped id of the resource

package/dist/src/lib/manager/aws/iam-manager.js

@@ -337,6 +337,17 @@ class IamManager {
             resources: resourceArns ?? ['*'],
         });
     }
+    /**
+     * @summary Method to create iam statement to write items from dynamodb table
+     * @param {string[]} resourceArns list of ARNs to allow access to
+     */
+    statementForWriteTableItems(resourceArns) {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions: ['dynamodb:BatchWriteItem', 'dynamodb:DeleteItem', 'dynamodb:PutItem', 'dynamodb:UpdateItem'],
+            resources: resourceArns ?? ['*'],
+        });
+    }
     /**
      * @summary Method to create iam statement for cloud trail
      * @param {string} id scoped id of the resource

package/dist/src/lib/types/aws/index.d.ts

@@ -72,6 +72,7 @@ export interface SiteWithEcsBackendProps extends CommonStackProps {
     siteSubDomain: string;
     siteTask: ecsPatterns.ApplicationLoadBalancedFargateServiceProps;
     siteVpc: ec2.VpcProps;
+    siteWebAcl?: WafWebACLProps;
     useExistingHostedZone: boolean;
     nodeEnv: string;
     logLevel: string;
@@ -94,6 +95,7 @@ export interface StaticSiteProps extends CommonStackProps {
     siteRecordName?: string;
     siteSubDomain?: string;
     siteAliases?: string[];
+    siteWebAcl?: WafWebACLProps;
     useExistingHostedZone: boolean;
     nodeEnv: string;
     logLevel: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gradientedge/cdk-utils",
-  "version": "5.9.0",
+  "version": "5.12.0",
   "description": "Utilities for AWS CDK provisioning",
   "main": "dist/index.js",
   "engines": {

package/src/lib/construct/api-to-eventbridge-target/main.ts

@@ -532,6 +532,12 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
       )
       return
     }
+
+    const accessLogGroup = this.logManager.createLogGroup(`${this.id}-sns-rest-api-access-log`, this, {
+      logGroupName: `/custom/api/${this.id}-destined-rest-api-access-${this.props.stage}`,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+    })
+
     this.apiDestinedRestApi.api = new apig.RestApi(this, `${this.id}-sns-rest-api`, {
       ...{
         defaultIntegration: this.apiDestinedRestApi.integration,
@@ -544,6 +550,8 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
           loggingLevel: apig.MethodLoggingLevel.INFO,
           metricsEnabled: true,
           stageName: this.props.stage,
+          accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
+          accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
         },
         endpointConfiguration: {
           types: [apig.EndpointType.REGIONAL],

package/src/lib/construct/site-with-ecs-backend/main.ts

@@ -11,6 +11,7 @@ import * as logs from 'aws-cdk-lib/aws-logs'
 import * as route53 from 'aws-cdk-lib/aws-route53'
 import * as s3 from 'aws-cdk-lib/aws-s3'
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager'
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2'
 import { Construct } from 'constructs'
 import { CommonConstruct } from '../../common'
 import { SiteWithEcsBackendProps } from '../../types'
@@ -65,6 +66,7 @@ export class SiteWithEcsBackend extends CommonConstruct {
   siteDomainNames: string[]
   siteCloudfrontFunction: cloudfront.Function
   siteFunctionAssociations: cloudfront.FunctionAssociation[]
+  siteWebAcl: wafv2.CfnWebACL
 
   constructor(parent: Construct, id: string, props: SiteWithEcsBackendProps) {
     super(parent, id, props)
@@ -95,6 +97,7 @@ export class SiteWithEcsBackend extends CommonConstruct {
     this.createSiteOrigin()
     this.createSiteCloudfrontFunction()
     this.resolveSiteFunctionAssociations()
+    this.createSiteWebAcl()
     this.createDistribution()
     this.createNetworkMappings()
     this.invalidateDistributionCache()
@@ -339,6 +342,16 @@ export class SiteWithEcsBackend extends CommonConstruct {
     }
   }
 
+  /**
+   * @summary Method to create WAF
+   * @protected
+   */
+  protected createSiteWebAcl() {
+    if (!this.props.siteWebAcl) throw 'SiteWebAcl props undefined'
+
+    this.siteWebAcl = this.wafManager.createWebAcl(`${this.id}-waf`, this, this.props.siteWebAcl)
+  }
+
   /**
    * Method to create Site distribution
    * @protected
@@ -352,7 +365,8 @@ export class SiteWithEcsBackend extends CommonConstruct {
       this.siteDomainNames,
       this.siteLogBucket,
       this.siteCertificate,
-      this.siteFunctionAssociations
+      this.siteFunctionAssociations,
+      this.siteWebAcl.attrId
     )
   }
 

package/src/lib/construct/static-site/main.ts

@@ -3,6 +3,7 @@ import * as cloudfront from 'aws-cdk-lib/aws-cloudfront'
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins'
 import * as route53 from 'aws-cdk-lib/aws-route53'
 import * as s3 from 'aws-cdk-lib/aws-s3'
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2'
 import { Construct } from 'constructs'
 import { CommonConstruct } from '../../common'
 import { StaticSiteProps } from '../../types'
@@ -43,6 +44,7 @@ export class StaticSite extends CommonConstruct {
   siteOriginAccessIdentity: cloudfront.OriginAccessIdentity
   siteCloudfrontFunction: cloudfront.Function
   siteFunctionAssociations: cloudfront.FunctionAssociation[]
+  siteWebAcl: wafv2.CfnWebACL
 
   constructor(parent: Construct, id: string, props: StaticSiteProps) {
     super(parent, id, props)
@@ -63,6 +65,7 @@ export class StaticSite extends CommonConstruct {
     this.createSiteOrigin()
     this.createSiteCloudfrontFunction()
     this.resolveSiteFunctionAssociations()
+    this.createSiteWebAcl()
     this.createSiteDistribution()
     this.createSiteRouteAssets()
     this.deploySite()
@@ -153,6 +156,16 @@ export class StaticSite extends CommonConstruct {
     }
   }
 
+  /**
+   * @summary Method to create WAF
+   * @protected
+   */
+  protected createSiteWebAcl() {
+    if (!this.props.siteWebAcl) throw 'SiteWebAcl props undefined'
+
+    this.siteWebAcl = this.wafManager.createWebAcl(`${this.id}-waf`, this, this.props.siteWebAcl)
+  }
+
   /**
    * @summary Method to create a site cloudfront distribution
    * @protected
@@ -170,7 +183,8 @@ export class StaticSite extends CommonConstruct {
       this.siteOriginAccessIdentity,
       this.siteCertificate,
       this.props.siteAliases,
-      this.siteFunctionAssociations
+      this.siteFunctionAssociations,
+      this.siteWebAcl.attrId
     )
   }
 

package/src/lib/manager/aws/cloudfront-manager.ts

@@ -61,6 +61,7 @@ export class CloudFrontManager {
    * @param {cloudfront.OriginAccessIdentity?} oai
    * @param {acm.ICertificate?} certificate
    * @param {string[]?} aliases
+   * @param {string?} webAclId
    */
   public createCloudFrontDistribution(
     id: string,
@@ -70,7 +71,8 @@ export class CloudFrontManager {
     logBucket?: s3.IBucket,
     oai?: cloudfront.OriginAccessIdentity,
     certificate?: acm.ICertificate,
-    aliases?: string[]
+    aliases?: string[],
+    webAclId?: string
   ) {
     if (!siteBucket) throw `SiteBucket not defined`
     if (!certificate) throw `Certificate not defined`
@@ -103,7 +105,7 @@ export class CloudFrontManager {
         securityPolicy: cloudfront.SecurityPolicyProtocol.TLS_V1_1_2016,
         sslMethod: cloudfront.SSLMethod.SNI,
       }),
-      webACLId: props.webACLId,
+      webACLId: webAclId,
     })
 
     utils.createCfnOutput(`${id}-distributionId`, scope, distribution.distributionId)
@@ -124,6 +126,7 @@ export class CloudFrontManager {
    * @param {acm.ICertificate?} certificate
    * @param {string[]?} aliases
    * @param {cloudfront.FunctionAssociation?} defaultFunctionAssociations
+   * @param {string?} webAclId
    */
   public createDistributionWithS3Origin(
     id: string,
@@ -135,7 +138,8 @@ export class CloudFrontManager {
     oai?: cloudfront.OriginAccessIdentity,
     certificate?: acm.ICertificate,
     aliases?: string[],
-    defaultFunctionAssociations?: cloudfront.FunctionAssociation[]
+    defaultFunctionAssociations?: cloudfront.FunctionAssociation[],
+    webAclId?: string
   ) {
     const distribution = new cloudfront.Distribution(scope, `${id}`, {
       certificate: certificate,
@@ -161,7 +165,7 @@ export class CloudFrontManager {
       logFilePrefix: props.logFilePrefix ?? `edge/`,
       minimumProtocolVersion: props.minimumProtocolVersion ?? cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021,
       priceClass: props.priceClass ?? cloudfront.PriceClass.PRICE_CLASS_ALL,
-      webAclId: props.webAclId,
+      webAclId: webAclId,
     })
 
     utils.createCfnOutput(`${id}-distributionId`, scope, distribution.distributionId)
@@ -180,6 +184,7 @@ export class CloudFrontManager {
    * @param {s3.IBucket?} logBucket
    * @param {acm.ICertificate?} certificate
    * @param {cloudfront.FunctionAssociation?} defaultFunctionAssociations
+   * @param {string?} webAclId
    */
   public createDistributionWithHttpOrigin(
     id: string,
@@ -189,7 +194,8 @@ export class CloudFrontManager {
     domainNames: string[],
     logBucket?: s3.IBucket,
     certificate?: acm.ICertificate,
-    defaultFunctionAssociations?: cloudfront.FunctionAssociation[]
+    defaultFunctionAssociations?: cloudfront.FunctionAssociation[],
+    webAclId?: string
   ) {
     const distribution = new cloudfront.Distribution(scope, `${id}`, {
       certificate: certificate,
@@ -215,7 +221,7 @@ export class CloudFrontManager {
       logFilePrefix: props.logFilePrefix ?? `edge/`,
       minimumProtocolVersion: props.minimumProtocolVersion ?? cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021,
       priceClass: props.priceClass ?? cloudfront.PriceClass.PRICE_CLASS_ALL,
-      webAclId: props.webAclId,
+      webAclId: webAclId,
     })
 
     utils.createCfnOutput(`${id}-distributionId`, scope, distribution.distributionId)

package/src/lib/manager/aws/iam-manager.ts

@@ -343,6 +343,18 @@ export class IamManager {
     })
   }
 
+  /**
+   * @summary Method to create iam statement to write items from dynamodb table
+   * @param {string[]} resourceArns list of ARNs to allow access to
+   */
+  public statementForWriteTableItems(resourceArns?: string[]) {
+    return new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: ['dynamodb:BatchWriteItem', 'dynamodb:DeleteItem', 'dynamodb:PutItem', 'dynamodb:UpdateItem'],
+      resources: resourceArns ?? ['*'],
+    })
+  }
+
   /**
    * @summary Method to create iam statement for cloud trail
    * @param {string} id scoped id of the resource

package/src/lib/types/aws/index.ts

@@ -75,6 +75,7 @@ export interface SiteWithEcsBackendProps extends CommonStackProps {
   siteSubDomain: string
   siteTask: ecsPatterns.ApplicationLoadBalancedFargateServiceProps
   siteVpc: ec2.VpcProps
+  siteWebAcl?: WafWebACLProps
   useExistingHostedZone: boolean
   nodeEnv: string
   logLevel: string
@@ -98,6 +99,7 @@ export interface StaticSiteProps extends CommonStackProps {
   siteRecordName?: string
   siteSubDomain?: string
   siteAliases?: string[]
+  siteWebAcl?: WafWebACLProps
   useExistingHostedZone: boolean
   nodeEnv: string
   logLevel: string