65.9K
CodeProject is changing. Read more.
Home

Get AWS Web ACL with PowerShell Core

Illya Reznykov
emptyStarIconemptyStarIconemptyStarIconemptyStarIconemptyStarIcon

0/5 (0 vote)

Sep 18, 2022

CPOL

2 min read

viewsIcon

3635

Functions that get information about web ACL by PowerShell Core with AWS CLI

Introduction

To manipulate AWS resources, we use PowerShell Core with AWS CLI v2. The post describes several functions which get information about web ACL. By documentation, AWS web ACL gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, and Amazon Cognito resources.

Background

Solution uses AWS CLI v2, Web ACL v2 and PowerShell Core v.7.2.

Function Get-WAF2WebAclARN

Function Get-WAF2WebAclARN seeks regional web ACL by its name and return ARN or $null if a web ACL is not found.

Code

Function Get-WAF2WebAclARN {
    <#
    .SYNOPSIS
    Get-WAF2WebAclARN Function seek web ACL by its name and return ARN 
    or $null if a web ACL is not found.
    .DESCRIPTION
    Get-WAF2WebAclARN Function seek regional web ACL by its name 
    and return ARN or $null if a web ACL is not found.
    .PARAMETER WebAclName
    Name of web ACL which is searched
    .PARAMETER RegionName
    Name of AWS Region where web ACL is searched
    .PARAMETER AwsProfile
    Name of user AWS profile name from .aws config file
    .INPUTS
    None. You cannot pipe objects to Get-WAF2WebAclARN.
    .OUTPUTS
    Get-WAF2WebAclARN returns $null or ARN of found web ACL
    .EXAMPLE
    PS> Get-WAF2WebAclARN "blog-web-acl"
    Returns ARN of web ACL "blog-web-acl" in the us-west-1 region 
    using default credentials
    .EXAMPLE
    PS> Get-WAF2WebAclARN "blog-web-acl" -RegionName "eu-west-1"
    Returns ARN of web ACL "blog-web-acl" in the eu-west-1 region 
    using default credentials
    .EXAMPLE
    PS> Get-WAF2WebAclARN "blog-web-acl" -AWSProfile "BlogAuthor"
    Returns ARN of web ACL "blog-web-acl" in the us-west-1 region 
    using credentials defined by BlogAuthor profile
    #>
    [CmdletBinding(DefaultParameterSetName = 'Default')]
    Param (
        # web ACL name
        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = 'Default')]
        [ValidateNotNullOrEmpty()]
        [string]$WebAclName,

        # region name
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$RegionName = "us-west-1",

        # AWS profile name from User .aws config file
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$AwsProfile = "default"
    )

    #region Initialization
    $functionName = $($myInvocation.MyCommand.Name);
    Write-Host "$($functionName)(webACL=$WebAclName, 
    region=$RegionName, profile=$AwsProfile) starts." -ForegroundColor Blue;

    $jsonObjects = $null;
    $strJsonObjects = $null;
    $awsObjects = $null;
    $existObject = $false;
    #endregion

    #region List web ACLs with the provided name
    $queryRequest = "WebACLs[?Name==``$WebAclName``]";
    $jsonObjects = aws --output json --profile $AwsProfile 
                       --region $RegionName --color on `
        wafv2 list-web-acls `
        --scope REGIONAL `
        --query $queryRequest;
        
    if (-not $?) {
        Write-Host "Listing web ACLs failed" -ForegroundColor Red;
        return $null;
    }
    if ($jsonObjects) {
        $strJsonObjects = [string]$jsonObjects;
        $awsObjects = ConvertFrom-Json -InputObject $strJsonObjects;
        $existObject = ($awsObjects.Count -gt 0);
    }
    if ($existObject) {
        $webAclARN = $awsObjects.ARN;
        Write-Verbose "Web ACL '$WebAclName' is found, ARN=$webAclARN";
        return $webAclARN;
    }
    else {
        Write-Verbose "Web ACL '$WebAclName' doesn't exist";
        return $null;
    }
    #endregion
}

Parameters

Functions has the following parameters:

  • string $WebAclName – the name of web ACL which is searched. Mandatory parameter with not empty value;
  • string $RegionName – the name of AWS Region where web ACL is searched. Optional parameter with default value us-west-1;
  • string $AwsProfile – the name of user AWS profile name from .aws config file. Optional parameter with default value default.

Return value

Function returns $null or ARN of found web ACL.

Workflow

Function is a wrapper to AWS CLI method aws wafv2 list-web-acls with query parameter...

$queryRequest = "WebACLs[?Name==``$WebAclName``]";

...which limits output to the required web ACL.

At lines 66-70, output is convert to the array of objects. At lines 71-79 result is checked and $null or ARN of found web ACL is returned.

Function Get-WAF2WebAclForResource

Function Get-WAF2WebAclForResource returns web ACL ARN if the web ACL is associated with the resource, that is defined by ARN. If a resource ARN is wrong or a web ACL is not associated with the resource, $null is returned.

Code

Function Get-WAF2WebAclForResource {
    <#
    .SYNOPSIS
    Get-WAF2WebAclForResource Function return web ACL ARN if it is associated
    with the resource.
    .DESCRIPTION
    Get-WAF2WebAclForResource Function return web ACL ARN if it is associated 
    with the resource. If a resource ARN is wrong or a web ACL is not associated 
    with the resource, $null is returned.
    .PARAMETER ResourceARN
    ARN of the resource which is checked for associated web ACL
    .PARAMETER RegionName
    Name of AWS Region where resource is searched
    .PARAMETER AwsProfile
    Name of user AWS profile name from .aws config file
    .INPUTS
    None. You cannot pipe objects to Get-WAF2WebAclForResource.
    .OUTPUTS
    Get-WAF2WebAclForResource returns $null or ARN of found web ACL
    .EXAMPLE
    PS> Get-WAF2WebAclForResource "arn:aws:elasticloadbalancing:us-west-1:123456789012:
    loadbalancer/app/load-balancer-EXAMPLE/0123456789abcdef"
    Returns ARN of web ACL if it associated with "load-balancer-EXAMPLE" 
    Load Balancer in the us-west-1 region, otherwise return $null. 
    To call AWS CLI the function uses default credentials.
    .EXAMPLE
    PS> Get-WAF2WebAclForResource "arn:aws:elasticloadbalancing:us-west-1:123456789012:
    loadbalancer/app/load-balancer-NONEXISTENT"
    Returns $null as resource ARN doesn't define 
    existent resource in the us-west-1 region.
    .EXAMPLE
    PS> Get-WAF2WebAclForResource "arn:aws:elasticloadbalancing:us-west-1:123456789012:
    loadbalancer/app/load-balancer-EXAMPLE/0123456789abcdef" -AWSProfile "BlogAuthor"
    Returns ARN of web ACL if it associated with "load-balancer-EXAMPLE" 
    Load Balancer in the us-west-1 region, otherwise return $null. 
    To call AWS CLI the function uses credentials defined by BlogAuthor profile.
    #>
    [CmdletBinding(DefaultParameterSetName = 'Default')]
    Param (
        # resource ARN
        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = 'Default')]
        [ValidateNotNullOrEmpty()]
        [string]$ResourceARN,

        # region name
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$RegionName = "us-west-1",

        # AWS profile name from User .aws config file
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$AwsProfile = "default"
    )
    
    #region Initialization
    $functionName = $($myInvocation.MyCommand.Name);
    Write-Host "$($functionName)(Resource=$ResourceARN, 
          region=$RegionName, profile=$AwsProfile) starts." -ForegroundColor Blue;

    $jsonObjects = $null;
    $strJsonObjects = $null;
    $awsObjects = $null;
    $existObject = $false;
    #endregion

    #region List associated Web ACL with resource
    $jsonObjects = aws --output json --profile $AwsProfile 
                       --region $RegionName --color on `
        wafv2 get-web-acl-for-resource `
        --resource-arn $ResourceARN;
    
    if (-not $?) {
        Write-Host "Getting web ACL associated with the resource failed, 
                    check the Resource ARN" -ForegroundColor Red;
        return $null;
    }

    if ($jsonObjects) {
        $strJsonObjects = [string]$jsonObjects;
        $awsObjects = ConvertFrom-Json -InputObject $strJsonObjects;
        $existObject = ($awsObjects.Count -gt 0);
    }
    if ($existObject) {
        $webAclARN = $awsObjects.WebACL.ARN;
        Write-Verbose "Web ACL ARN=$webAclARN is associated with the resource";
        return $webAclARN;
    }
    else {
        Write-Verbose "The resource doesn't have associated web ACL";
        return $null;
    }
    #endregion
}

Parameters

Functions has the following parameters:

  • string $ResourceARN – ARN of the resource that is checked for associated web ACL. Mandatory parameter with not empty value;
  • string $RegionName – the name of AWS Region where resource and associated web ACL is searched. Optional parameter with default value us-west-1;
  • string $AwsProfile – the name of user AWS profile name from .aws config file. Optional parameter with default value default.

Return value

Function returns $null or ARN of associated web ACL.

Workflow

Function is a wrapper to AWS CLI method aws wafv2 get-web-acl-for-resource.

Let’s note that this method returns an error if the call is not successful or resource ARN doesn’t define the existent AWS resource. Function doesn’t distinct these cases and error check at lines 61-64 always returns $null.

At lines 66-70 output is convert to the array of objects. At lines 71-79, result is checked and $null or ARN of found web ACL is returned.

  1. All used IP-addresses, names of servers, workstations, domains, are fictional and are used exclusively as a demonstration only.
  2. Information is provided «AS IS».