Tags: amazon-web-services, aws-cdk, aws-fargate, amazon-waf

Is it possible to add WAF to ApplicationLoadBalancedFargateService using AWS CDK


I've picked up a project that uses ApplicationLoadBalancedFargateService, deployed via CDK, and I need to protect this with a WAF. Is it possible to add WAF to the load balancer or is the only way to put this behind CloudFront?

I think if I created the WebACL directly through the AWS Console I could then select objects such as load balancers to apply it to, but I'm not sure whether that would include the ApplicationLoadBalancedFargateService instances.


Solution

  • Yes, the CDK can associate a WAF ACL with an ALB.

    The CDK AWS::WAFv2 Construct Library exposes the CfnWebACL to create the ACL and the CfnWebACLAssociation to associate the WebACL with your ALB. These are so-called L1 constructs. They correspond 1:1 to CloudFormation equivalents.

    You need to pass the ALB Arn to the association as the resourceArn. You can get the Arn from your ApplicationLoadBalancedFargateService construct, which has a property loadBalancer.loadBalancerArn.

    import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

    // Associate an existing WebACL (myCfnWebAcl, created with scope REGIONAL) with the service's ALB
    const cfnWebACLAssociation = new wafv2.CfnWebACLAssociation(this, 'MyCfnWebACLAssociation', {
      resourceArn: myAlbFargateService.loadBalancer.loadBalancerArn, // ALB ARN exposed by ApplicationLoadBalancedFargateService
      webAclArn: myCfnWebAcl.attrArn, // ARN of the wafv2.CfnWebACL created earlier in the stack
    });
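An added example, not part of the answer or of the CDK project, that builds the props object a `wafv2.CfnWebACL` expects for an ALB (scope REGIONAL, AWS managed rule groups) and checks it before the association is created; the helper names and inline types are mine and only mirror the CDK's `CfnWebACLProps` shape.

```typescript
// Added example: props for a REGIONAL WAFv2 WebACL that can be attached to an ALB,
// plus a pre-deploy sanity check. Types mirror aws-cdk-lib's wafv2.CfnWebACLProps;
// buildAlbWebAclProps / checkAlbWebAcl are hypothetical helper names.

type Visibility = { cloudWatchMetricsEnabled: boolean; metricName: string; sampledRequestsEnabled: boolean };
type ManagedRule = {
  name: string;
  priority: number;
  statement: { managedRuleGroupStatement: { vendorName: string; name: string } };
  overrideAction: { none: {} };
  visibilityConfig: Visibility;
};
type WebAclProps = {
  name: string;
  scope: 'REGIONAL' | 'CLOUDFRONT';
  defaultAction: { allow: {} } | { block: {} };
  rules: ManagedRule[];
  visibilityConfig: Visibility;
};

function visibility(metricName: string): Visibility {
  return { cloudWatchMetricsEnabled: true, metricName, sampledRequestsEnabled: true };
}

// Default action allow, with AWS managed rule groups evaluated in the order given.
function buildAlbWebAclProps(name: string, managedGroups: string[]): WebAclProps {
  return {
    name,
    scope: 'REGIONAL', // ALB needs REGIONAL; a CLOUDFRONT-scoped ACL cannot be associated with an ALB
    defaultAction: { allow: {} },
    visibilityConfig: visibility(name),
    rules: managedGroups.map((group, i) => ({
      name: group,
      priority: i, // lower value evaluates first; priorities must be unique within the ACL
      statement: { managedRuleGroupStatement: { vendorName: 'AWS', name: group } },
      overrideAction: { none: {} }, // keep the managed group's own block/count actions
      visibilityConfig: visibility(group),
    })),
  };
}

// Problems that would fail the CfnWebACLAssociation at deploy time or leave the ALB unprotected.
function checkAlbWebAcl(props: WebAclProps): string[] {
  const problems: string[] = [];
  if (props.scope !== 'REGIONAL') problems.push('scope must be REGIONAL for an ALB');
  const prios = props.rules.map((r) => r.priority);
  if (new Set(prios).size !== prios.length) problems.push('rule priorities must be unique');
  if (props.rules.length === 0) problems.push('no rules: the ACL allows every request');
  return problems;
}
// In the stack: new wafv2.CfnWebACL(this, 'WebAcl', buildAlbWebAclProps('app-waf', ['AWSManagedRulesCommonRuleSet']));
```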