WAF Integration

The Gothic Framework supports attaching an existing AWS WAF WebACL to the CloudFront distribution created during deployment. This gives you full control over your firewall rules without adding complexity to the Gothic CLI.

Add the wafArn property to your stage configuration in gothic-config.json. You can use a direct ARN, an SSM parameter reference, or null if no WAF is needed:

{
  "projectName": "my-project-name",
  "goModuleName": "my-go-module-name",
  "deploy": {
    "stages": {
      "dev": {
        "wafArn": "{{resolve:ssm:/gothic-app/dev/waf-arn}}",
        "env": {}
      },
      "staging": {
        "wafArn": "arn:aws:wafv2:us-east-1:123456789:global/webacl/my-acl/abc-123",
        "env": {}
      },
      "prod": {
        "wafArn": null,
        "env": {}
      }
    }
  }
}

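The wafArn property accepts three value types: a direct WebACL ARN string, an SSM parameter reference such as {{resolve:ssm:/gothic-app/dev/waf-arn}}, or null when no WAF is needed.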

When a wafArn is provided, the Gothic deployment automatically sets the WebACLId on your CloudFront distribution. This is a plug-and-play approach — create and manage your WAF rules separately, then simply reference the ARN in your config.
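
A pre-deployment check for the wafArn values described above, as an added example (not part of the Gothic Framework or its CLI). CheckWafArns and the "qa" stage are hypothetical; the ARN pattern assumes the AWS requirement that a WebACL attached to CloudFront has CLOUDFRONT scope (shown as global in the ARN) and lives in us-east-1.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed sample: the page's three stage values plus a made-up "qa" stage.
const sampleConfig = `{"deploy":{"stages":{"dev":{"wafArn":"{{resolve:ssm:/gothic-app/dev/waf-arn}}"},
 "staging":{"wafArn":"arn:aws:wafv2:us-east-1:123456789:global/webacl/my-acl/abc-123"},
 "qa":{"wafArn":"arn:aws:wafv2:eu-west-1:123456789:regional/webacl/my-acl/abc-123"},
 "prod":{"wafArn":null}}}}`

var (
	ssmRef = regexp.MustCompile(`^\{\{resolve:ssm:[A-Za-z0-9_./-]+(:\d+)?\}\}$`)
	// CloudFront only accepts CLOUDFRONT-scope ("global") WebACLs in us-east-1.
	cfACL = regexp.MustCompile(`^arn:aws:wafv2:us-east-1:\d+:global/webacl/[^/]+/[^/]+$`)
)

// CheckWafArns (hypothetical helper) labels each stage "ssm", "arn", "none" or "invalid".
func CheckWafArns(raw []byte) (map[string]string, error) {
	var cfg struct {
		Deploy struct {
			Stages map[string]struct{ WafArn *string } `json:"stages"`
		} `json:"deploy"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for name, st := range cfg.Deploy.Stages {
		switch {
		case st.WafArn == nil: // null or absent: the stage deploys without a WAF
			out[name] = "none"
		case ssmRef.MatchString(*st.WafArn):
			out[name] = "ssm"
		case cfACL.MatchString(*st.WafArn):
			out[name] = "arn"
		default: // e.g. a regional WebACL, which CloudFront cannot use
			out[name] = "invalid"
		}
	}
	return out, nil
}

func main() {
	fmt.Println(CheckWafArns([]byte(sampleConfig))) // fmt prints map keys sorted
}
```

Running a check like this in CI makes a production stage left at "none" or a mistyped ARN visible before the distribution is deployed.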

If you prefer to create the WAF WebACL within the same SAM stack, you can define the resource in your sam-template.yaml and replace the wafArn template snippet with a !Ref or !GetAtt referencing your WebACL resource.

Now let's set up a custom domain for your deployment!