(wafv2): add WebACL L2 Construct
Description
Now, @aws-cdk/aws-wafv2 has no L2 construct. I will implement L2 constructs.
Use Case
When users create a WebACL, this construct will support it.
Proposed Solution
We can create L2 constructs for aws-wafv2.
Other information
No response
Acknowledge
- I may be able to implement this feature request
- This feature might incur a breaking change
Design
ref: CloudFormation
Usage
Define WebACL
```ts
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
import * as wafv2Statement from 'aws-cdk-lib/aws-wafv2-statement';

// ipSet: an IPSet defined elsewhere in the stack (not shown in this proposal)
const webAcl = new wafv2.WebACL(this, "WebACL", {
  scope: wafv2.Scope.REGIONAL,
  defaultAction: wafv2.DefaultAction.block(),
  rules: [
    {
      name: "IPSetAllow",
      action: wafv2.RuleAction.allow(),
      statement: new wafv2Statement.IPSetReferenceStatement(ipSet),
    },
    {
      name: "OWASP",
      overrideAction: wafv2.OverrideAction.count(),
      statement: wafv2Statement.ManagedRuleGroupStatement.awsCommon(),
    },
  ],
});
```
Note: `visibilityConfig` has a default value. If `WebACLProps.visibilityConfig` is set, rules inherit it.

Note: `wafv2Statement.ManagedRuleGroupStatement.awsCommon()` will follow an enum-like pattern.
Associate to other resources

```ts
// target: a resource that supports WebACL association (ALB, API Gateway stage, ...)
webAcl.attachTo(target);
```

and to associate it with CloudFront:

```ts
new cloudfront.Distribution(this, 'distribution', {
  webAcl: webAcl,
});
```
class diagram
WebACL
```mermaid
classDiagram
    WebACL ..> WebACLProps
    WebACLProps o.. CustomResponseBody
    WebACLProps o.. Scope
    WebACLProps o.. DefaultAction
    WebACLProps o.. Rule
    DefaultAction ..> DefaultActionConfig
    WebACLProps o.. VisibilityConfig
    Rule o.. VisibilityConfig
    class WebACL {
        +constructor(props: WebACLProps)
        +attachTo(target: ITarget)
    }
    class WebACLProps {
        name?: string;
        description?: string;
        scope: Scope;
        customResponseBodies?: Record<string, CustomResponseBody>;
        defaultAction: DefaultAction;
        rules?: Rule[];
        visibilityConfig?: VisibilityConfig;
    }
    <<Interface>> WebACLProps
    class CustomResponseBody {
        content: string;
        contentType: string;
    }
    <<Interface>> CustomResponseBody
    class Scope {
        REGIONAL
        CLOUDFRONT
    }
    <<enumerate>> Scope
    class DefaultAction {
        allow()$ DefaultAction
        block()$ DefaultAction
        bind()* DefaultActionConfig
    }
    <<abstract>> DefaultAction
    class DefaultActionConfig {
        configuration: CfnWebACL.DefaultActionProperty;
    }
    <<Interface>> DefaultActionConfig
    class Rule {
        name: string;
        action: RuleAction;
        overrideAction: OverrideAction;
        priority: number;
        statement: Statement;
        visibilityConfig?: VisibilityConfig;
        ruleLabels?: Label[];
    }
    <<Interface>> Rule
    class VisibilityConfig {
        cloudWatchMetricsEnabled: boolean;
        metricName: string;
        sampledRequestsEnabled: boolean;
    }
    <<Interface>> VisibilityConfig
```
Rule
```mermaid
classDiagram
    Rule o.. RuleAction
    RuleAction ..> RuleActionConfig
    Rule o.. OverrideAction
    OverrideAction ..> OverrideActionConfig
    Rule o.. IStatement
    IStatement ..> StatementConfig
    class Rule {
        name: string;
        action: RuleAction;
        overrideAction: OverrideAction;
        priority?: number;
        statement: Statement;
        visibilityConfig: VisibilityConfig;
        ruleLabels?: string[];
    }
    <<Interface>> Rule
    class RuleAction {
        allow()$ RuleAction
        block()$ RuleAction
        count()$ RuleAction
        bind()* RuleActionConfig
    }
    <<abstract>> RuleAction
    class RuleActionConfig {
        configuration: CfnRuleGroup.RuleActionProperty
    }
    <<Interface>> RuleActionConfig
    class OverrideAction {
        count()$ OverrideAction
        none()$ OverrideAction
        bind()* OverrideActionConfig
    }
    <<abstract>> OverrideAction
    class OverrideActionConfig {
        count?: Json;
        none?: Json;
    }
    class IStatement {
        bind() StatementConfig
    }
    <<Interface>> IStatement
    class StatementConfig {
        configuration: CfnRuleGroup.StatementProperty;
    }
    <<Interface>> StatementConfig
```
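The following TypeScript is an added example written for this page, not code from the issue or from aws-cdk-lib. It implements the WebACL, DefaultAction, RuleAction, OverrideAction and IStatement shapes from the Usage section and the two class diagrams above as plain classes and renders the CloudFormation-style AWS::WAFv2::WebACL properties, so the `bind()` pattern, the `visibilityConfig` inheritance note and the action/overrideAction split can be exercised offline. The `CfnFragment` base class, the `referencesRuleGroup` flag, the priority-from-array-position default, the `render()` method, the IPSet ARN and the `exampleWebAcl()` function are assumptions of this example and are not part of the proposal.

```typescript
// Added example, not aws-cdk-lib code: hand-written stand-ins for the proposed WebACL,
// DefaultAction, RuleAction, OverrideAction and IStatement classes from the design above.
// WebACL.render() returns a plain object shaped like the AWS::WAFv2::WebACL CloudFormation
// properties, so the design can be checked offline without a CDK app.
type Json = Record<string, unknown>;
type Scope = 'REGIONAL' | 'CLOUDFRONT';
interface VisibilityConfig { cloudWatchMetricsEnabled: boolean; metricName: string; sampledRequestsEnabled: boolean; }

// bind() pattern from the class diagram: an action carries its own CloudFormation fragment,
// so WebACL never has to switch on action types. CfnFragment is a helper of this example.
class CfnFragment {
  private readonly config: Json;
  constructor(config: Json) { this.config = config; }
  bind(): Json { return this.config; }
}
class DefaultAction extends CfnFragment {
  static allow(): DefaultAction { return new DefaultAction({ Allow: {} }); }
  static block(): DefaultAction { return new DefaultAction({ Block: {} }); }
}
class RuleAction extends CfnFragment {
  static allow(): RuleAction { return new RuleAction({ Allow: {} }); }
  static block(): RuleAction { return new RuleAction({ Block: {} }); }
  static count(): RuleAction { return new RuleAction({ Count: {} }); }
}
class OverrideAction extends CfnFragment {
  static count(): OverrideAction { return new OverrideAction({ Count: {} }); }
  static none(): OverrideAction { return new OverrideAction({ None: {} }); }
}

// referencesRuleGroup is an addition of this example: WAF requires OverrideAction, not Action,
// on a rule whose statement references a rule group, and Action on every other rule.
interface StatementConfig { configuration: Json; referencesRuleGroup: boolean; }
interface IStatement { bind(): StatementConfig; }
class IPSetReferenceStatement implements IStatement {
  private readonly arn: string;
  constructor(ipSetArn: string) { this.arn = ipSetArn; } // the proposal passes an IPSet; an ARN stands in here
  bind(): StatementConfig { return { configuration: { IPSetReferenceStatement: { Arn: this.arn } }, referencesRuleGroup: false }; }
}
class ManagedRuleGroupStatement implements IStatement {
  private readonly cfn: Json;
  private constructor(vendor: string, name: string) { this.cfn = { ManagedRuleGroupStatement: { VendorName: vendor, Name: name } }; }
  static awsCommon(): ManagedRuleGroupStatement { return new ManagedRuleGroupStatement('AWS', 'AWSManagedRulesCommonRuleSet'); }
  bind(): StatementConfig { return { configuration: this.cfn, referencesRuleGroup: true }; }
}

interface Rule {
  name: string; statement: IStatement; priority?: number;
  action?: RuleAction; overrideAction?: OverrideAction; visibilityConfig?: VisibilityConfig;
}
interface WebACLProps { name: string; scope: Scope; defaultAction: DefaultAction; rules?: Rule[]; visibilityConfig?: VisibilityConfig; }
// Defaults lean toward observability: CloudWatch metrics and sampled requests on.
function defaultVisibility(metricName: string): VisibilityConfig {
  return { cloudWatchMetricsEnabled: true, sampledRequestsEnabled: true, metricName };
}
function toCfn(v: VisibilityConfig): Json {
  return { CloudWatchMetricsEnabled: v.cloudWatchMetricsEnabled, SampledRequestsEnabled: v.sampledRequestsEnabled, MetricName: v.metricName };
}

class WebACL {
  private readonly props: WebACLProps;
  constructor(props: WebACLProps) { this.props = props; }
  render(): Json {
    const Rules = (this.props.rules ?? []).map((rule, index) => {
      const { configuration, referencesRuleGroup } = rule.statement.bind();
      // Exactly one of action / overrideAction, chosen by the statement kind; fail at synth, not deploy.
      if (referencesRuleGroup ? (!rule.overrideAction || rule.action) : (!rule.action || rule.overrideAction)) {
        throw new Error(`rule ${rule.name}: set ${referencesRuleGroup ? 'overrideAction' : 'action'} and nothing else`);
      }
      const Priority = rule.priority ?? index; // assumption: priority defaults to the rule's array position
      const action = referencesRuleGroup ? { OverrideAction: rule.overrideAction!.bind() } : { Action: rule.action!.bind() };
      return { Name: rule.name, Priority, Statement: configuration, ...action, VisibilityConfig: toCfn(this.visibilityFor(rule)) };
    });
    const { name, scope, defaultAction, visibilityConfig } = this.props;
    return { Name: name, Scope: scope, DefaultAction: defaultAction.bind(), Rules,
             VisibilityConfig: toCfn(visibilityConfig ?? defaultVisibility(name)) };
  }

  // A rule's own visibilityConfig wins; otherwise it inherits the ACL's flags, as the note above says,
  // but keeps its own metric name (assumption: per-rule metric names should stay distinct).
  private visibilityFor(rule: Rule): VisibilityConfig {
    if (rule.visibilityConfig) return rule.visibilityConfig;
    return { ...(this.props.visibilityConfig ?? defaultVisibility(rule.name)), metricName: rule.name };
  }
}

// The proposal's Usage example, rendered. The IPSet ARN is a constructed placeholder.
function exampleWebAcl(): Json {
  return new WebACL({
    name: 'WebACL',
    scope: 'REGIONAL',
    defaultAction: DefaultAction.block(),
    visibilityConfig: { cloudWatchMetricsEnabled: true, sampledRequestsEnabled: false, metricName: 'WebACL' },
    rules: [
      { name: 'IPSetAllow', action: RuleAction.allow(),
        statement: new IPSetReferenceStatement('arn:aws:wafv2:us-east-1:111122223333:regional/ipset/example/EXAMPLE-ID') },
      { name: 'OWASP', overrideAction: OverrideAction.count(), statement: ManagedRuleGroupStatement.awsCommon() },
    ],
  }).render();
}
```

`render()` stands in for what the real construct would hand to `CfnWebACL`. The rule-level check is the part worth keeping in any implementation: a rule whose statement references a managed rule group must carry `overrideAction` (`count()` to observe the group's matches in metrics and sampled requests before enforcing, `none()` to enforce), every other rule carries `action`, and a rule that has both or neither is rejected when the stack is synthesized rather than by CloudFormation at deploy time.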
Roadmap
- implement `WebACL` with only required properties (it will not be able to use Rules)
- implement `Rule` with one Statement (LabelMatchStatement)
- implement other remaining properties
- implement Statements
Issue Analytics
- State:
- Created 2 years ago
- Reactions: 15
- Comments: 5 (5 by maintainers)
Top GitHub Comments
@skinny85
Yeah! 😍
I’ll think and brush up the description of this issue. It is better to describe more usage examples and this API can be smarter I think. In addition, the way to associate the ACL to other AWS resources should be described.
I’ll mention to you after that!
@skinny85 OK! I’ve fixed this issue’s description. Can I have some feedback about this issue description? And I would like to get a review of #17878. It just includes the minimum implementation of WAFv2, so maybe the review is not affected by the feedback on this issue, I think.