
(wafv2): add WebACL L2 Construct


Description

Now, @aws-cdk/aws-wafv2 has no L2 Construct. I will implement L2 Constructs.

Use Case

When users create a WebACL, this Construct will support it.

Proposed Solution

We can create L2 constructs for aws-wafv2.

Other information

No response

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change

Design

ref: cloudformation

Usage

Define WebACL
import * as wafv2 from 'aws-cdk-lib/aws-wafv2'
import * as wafv2Statement from 'aws-cdk-lib/aws-wafv2-statement'

// `this` is the enclosing Stack/Construct; `ipSet` is an IPSet defined elsewhere in the stack.
const webAcl = new wafv2.WebACL(this, "WebACL", {
  scope: wafv2.Scope.REGIONAL,
  defaultAction: wafv2.DefaultAction.block(),
  rules: [
    {
      name: "IPSetAllow",
      action: wafv2.RuleAction.allow(),
      statement: new wafv2Statement.IPSetReferenceStatement(ipSet),
    },
    {
      name: "OWASP",
      overrideAction: wafv2.OverrideAction.count(),
      statement: wafv2Statement.ManagedRuleGroupStatement.awsCommon(),
    },
  ],
});

Note: visibilityConfig has a default value. If WebACLProps.visibilityConfig is set, Rules inherit it.

Note: wafv2Statement.ManagedRuleGroupStatement.awsCommon() will follow an enum-like pattern.

Associate to other resources
webAcl.attachTo(target);

and to associate it with CloudFront, as follows:

new cloudfront.Distribution(this, 'distribution', {
  webAcl: webAcl,
})

class diagram

WebACL
classDiagram
  WebACL ..> WebACLProps
  WebACLProps o.. CustomResponseBody
  WebACLProps o.. Scope
  WebACLProps o.. DefaultAction
  WebACLProps o.. Rule
  DefaultAction ..> DefaultActionConfig
  WebACLProps o.. VisibilityConfig
  Rule o.. VisibilityConfig

  class WebACL {
    +constructor(props: WebACLProps)
    +attachTo(target: ITarget)
  }
  class WebACLProps {
    name?: string;
    description?: string;
    scope: Scope;
    customResponseBodies?: Record<string, CustomResponseBody>;
    defaultAction: DefaultAction;
    rules?: Rule[];
    visibilityConfig?: VisibilityConfig;
  }
  <<Interface>> WebACLProps

  class CustomResponseBody {
    content: string;
    contentType: string;
  }
  <<Interface>> CustomResponseBody

  class Scope {
    REGIONAL
    CLOUDFRONT
  }
  <<enumerate>> Scope

  class DefaultAction {
    allow()$ DefaultAction
    block()$ DefaultAction
    bind()* DefaultActionConfig
  }
  <<abstract>> DefaultAction
  class DefaultActionConfig {
    configuration: CfnWebACL.DefaultActionProperty;
  }
  <<Interface>> DefaultActionConfig

  class Rule {
    name: string;
    action: RuleAction;
    overrideAction: OverrideAction;
    priority: number;
    statement: Statement;
    visibilityConfig?: VisibilityConfig;
    ruleLabels?: Label[];
  }
  <<Interface>> Rule
  class VisibilityConfig {
    cloudWatchMetricsEnabled: boolean;
    metricName: string;
    sampledRequestsEnabled: boolean;
  }
  <<Interface>> VisibilityConfig
Rule
classDiagram
  Rule o.. RuleAction
  RuleAction ..> RuleActionConfig
  Rule o.. OverrideAction
  OverrideAction ..> OverrideActionConfig
  Rule o.. IStatement
  IStatement ..> StatementConfig

  class Rule {
    name: string;
    action: RuleAction;
    overrideAction: OverrideAction;
    priority?: number;
    statement: Statement;
    visibilityConfig: VisibilityConfig;
    ruleLabels?: string[];
  }
  <<Interface>> Rule

  class RuleAction {
    allow()$ RuleAction
    block()$ RuleAction
    count()$ RuleAction
    bind()* RuleActionConfig
  }
  <<abstract>> RuleAction
  class RuleActionConfig {
    configuration: CfnRuleGroup.RuleActionProperty
  }
  <<Interface>> RuleActionConfig

  class OverrideAction {
    count()$ OverrideAction
    none()$ OverrideAction
    bind()* OverrideActionConfig
  }
  <<abstract>> OverrideAction
  class OverrideActionConfig {
    count?: Json;
    none?: Json;
  }

  class IStatement {
    bind() StatementConfig
  }
  <<Interface>> IStatement
  class StatementConfig {
    configuration: CfnRuleGroup.StatementProperty;
  }
  <<Interface>> StatementConfig

Roadmap

  1. implement WebACL with only required properties
    • It will not be able to use Rules
  2. implement Rule with one Statement(LabelMatchStatement)
  3. implement other remaining properties
  4. implement Statements
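The sketch below is an added example and is not code from the issue author or from aws-cdk-lib. It models the proposed design in plain TypeScript with no CDK dependency: static factories (`DefaultAction.block()`, `RuleAction.allow()`, `OverrideAction.count()`) whose `bind()` returns the CloudFormation-shaped property, statements behind an `IStatement.bind()` interface, `visibilityConfig` inherited from the WebACL props when a rule sets none, and a `toCloudFormation()` renderer that enforces the CloudFormation rule that a Rule carries exactly one of `Action` or `OverrideAction` and that priorities are unique. The names `toCloudFormation`, `buildSampleWebAcl`, `defaultVisibility` and the "priority defaults to list index" behaviour are assumptions of this example, not part of the proposal.

```typescript
// Added example (not from the aws-cdk issue or aws-cdk-lib): a dependency-free
// model of the proposed WebACL L2 design, rendered to CloudFormation property names.
type Json = Record<string, unknown>;

interface VisibilityConfig {
  cloudWatchMetricsEnabled: boolean;
  metricName: string;
  sampledRequestsEnabled: boolean;
}

// Factory-plus-bind() pattern from the proposal (concrete class with a private
// constructor instead of an abstract base, to keep the example small).
class DefaultAction {
  private readonly cfg: Json;
  private constructor(cfg: Json) { this.cfg = cfg; }
  static allow(): DefaultAction { return new DefaultAction({ Allow: {} }); }
  static block(): DefaultAction { return new DefaultAction({ Block: {} }); }
  bind(): Json { return this.cfg; }               // CfnWebACL.DefaultActionProperty shape
}

class RuleAction {
  private readonly cfg: Json;
  private constructor(cfg: Json) { this.cfg = cfg; }
  static allow(): RuleAction { return new RuleAction({ Allow: {} }); }
  static block(): RuleAction { return new RuleAction({ Block: {} }); }
  static count(): RuleAction { return new RuleAction({ Count: {} }); }
  bind(): Json { return this.cfg; }
}

class OverrideAction {
  private readonly cfg: Json;
  private constructor(cfg: Json) { this.cfg = cfg; }
  static count(): OverrideAction { return new OverrideAction({ Count: {} }); }
  static none(): OverrideAction { return new OverrideAction({ None: {} }); }
  bind(): Json { return this.cfg; }
}

interface IStatement { bind(): Json; }

class IPSetReferenceStatement implements IStatement {
  private readonly arn: string;
  constructor(ipSetArn: string) { this.arn = ipSetArn; }
  bind(): Json { return { IPSetReferenceStatement: { Arn: this.arn } }; }
}

// Enum-like statement: one static member per managed rule group.
class ManagedRuleGroupStatement implements IStatement {
  private readonly vendor: string;
  private readonly name: string;
  private constructor(vendor: string, name: string) { this.vendor = vendor; this.name = name; }
  static awsCommon(): ManagedRuleGroupStatement {
    return new ManagedRuleGroupStatement('AWS', 'AWSManagedRulesCommonRuleSet');
  }
  bind(): Json { return { ManagedRuleGroupStatement: { VendorName: this.vendor, Name: this.name } }; }
}

interface Rule {
  name: string;
  action?: RuleAction;            // for regular rules
  overrideAction?: OverrideAction; // for rule-group references (managed rule groups)
  priority?: number;              // assumption: defaults to the rule's index in `rules`
  statement: IStatement;
  visibilityConfig?: VisibilityConfig;
}

interface WebAclProps {
  name: string;
  scope: 'REGIONAL' | 'CLOUDFRONT';
  defaultAction: DefaultAction;
  rules?: Rule[];
  visibilityConfig?: VisibilityConfig;
}

// Assumed default: metrics and sampling on, metric name derived from the resource name.
function defaultVisibility(name: string): VisibilityConfig {
  return { cloudWatchMetricsEnabled: true, metricName: name, sampledRequestsEnabled: true };
}

function renderVisibility(v: VisibilityConfig): Json {
  return { CloudWatchMetricsEnabled: v.cloudWatchMetricsEnabled, MetricName: v.metricName,
           SampledRequestsEnabled: v.sampledRequestsEnabled };
}

function toCloudFormation(props: WebAclProps): Json {
  const seen = new Set<number>();
  const rules = (props.rules ?? []).map((rule, index) => {
    // CloudFormation requires exactly one of Action / OverrideAction per rule.
    if ((rule.action === undefined) === (rule.overrideAction === undefined)) {
      throw new Error(`rule ${rule.name}: set exactly one of action or overrideAction`);
    }
    const priority = rule.priority ?? index;
    if (seen.has(priority)) throw new Error(`rule ${rule.name}: duplicate priority ${priority}`);
    seen.add(priority);
    // Rule-level config wins, then the WebACL-level config is inherited, then the default.
    const visibility = rule.visibilityConfig ?? props.visibilityConfig ?? defaultVisibility(rule.name);
    const action: Json = rule.action
      ? { Action: rule.action.bind() }
      : { OverrideAction: rule.overrideAction!.bind() };
    return { Name: rule.name, Priority: priority, Statement: rule.statement.bind(),
             VisibilityConfig: renderVisibility(visibility), ...action };
  });
  return { Name: props.name, Scope: props.scope, DefaultAction: props.defaultAction.bind(),
           VisibilityConfig: renderVisibility(props.visibilityConfig ?? defaultVisibility(props.name)),
           Rules: rules };
}

// The usage sample from the proposal: default-deny, IP-set allow list, managed rules in COUNT mode.
function buildSampleWebAcl(): Json {
  const shared = { cloudWatchMetricsEnabled: true, metricName: 'shared', sampledRequestsEnabled: true };
  return toCloudFormation({
    name: 'WebACL', scope: 'REGIONAL', defaultAction: DefaultAction.block(), visibilityConfig: shared,
    rules: [
      { name: 'IPSetAllow', action: RuleAction.allow(),
        statement: new IPSetReferenceStatement('arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/EXAMPLE') },
      { name: 'OWASP', overrideAction: OverrideAction.count(),
        statement: ManagedRuleGroupStatement.awsCommon() },
    ],
  });
}
```

Running `buildSampleWebAcl()` yields an object whose `DefaultAction` is `{ Block: {} }`, whose first rule carries `Action: { Allow: {} }` at priority 0 and whose second carries `OverrideAction: { Count: {} }` at priority 1, both with the inherited `shared` metric name. A rule that sets both `action` and `overrideAction`, or two rules with the same explicit priority, is rejected before anything is synthesized, which is the kind of check an L2 construct can give users that the raw CfnWebACL cannot.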

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 15
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

1 reaction
yamatatsu commented, Apr 1, 2022

@skinny85

yes, looks like we should pick this up.

Yeah! 😍

I’ll think and brush up the description of this issue. It is better to describe more usage examples, and this API can be smarter, I think. In addition, the way to associate the ACL with other AWS resources should be described.

I’ll mention to you after that!

0 reactions
yamatatsu commented, Apr 6, 2022

@skinny85 OK! I’ve fixed this issue’s description. Can I have some feedback about this issue description? And I would like to get a review of #17878. It just includes the minimum implementation of WAFv2, so maybe the review is not affected by the feedback on this issue, I think.
