Skip to content

Commit

Permalink
fix : support overrideAction for WAF (#582)
Browse files Browse the repository at this point in the history
  • Loading branch information
yasuto-nishii authored Feb 11, 2024
1 parent 0832428 commit e99c51a
Show file tree
Hide file tree
Showing 4 changed files with 66 additions and 1 deletion.
16 changes: 16 additions & 0 deletions doc/WAF.md
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,22 @@ waf:
- US
```

```yml
waf:
enabled: true
defaultAction: Block
rules:
# using ManagedRuleGroup
- name: "AWSManagedRulesCommonRuleSet"
priority: 20
overrideAction:
None: {}
statement:
ManagedRuleGroupStatement:
VendorName: "AWS"
Name: "AWSManagedRulesCommonRuleSet"
```

### Per API Key rules

In some cases, you might want to enable a rule for a given API key only. You can specify `wafRules` under the `appSync.apiKeys` attribute. The rules will apply only to that API key.
Expand Down
21 changes: 21 additions & 0 deletions src/__tests__/__snapshots__/waf.test.ts.snap
Original file line number Diff line number Diff line change
Expand Up @@ -411,6 +411,27 @@ Object {
}
`;

exports[`Waf Custom rules should generate a custom rule with ManagedRuleGroup 1`] = `
Object {
"Name": "MyRule1",
"OverrideAction": Object {
"None": Object {},
},
"Priority": 200,
"Statement": Object {
"ManagedRuleGroupStatement": Object {
"Name": "AWSManagedRulesCommonRuleSet",
"VendorName": "AWS",
},
},
"VisibilityConfig": Object {
"CloudWatchMetricsEnabled": true,
"MetricName": "MyRule1",
"SampledRequestsEnabled": true,
},
}
`;

exports[`Waf Disable introspection should generate a preset rule 1`] = `
Object {
"Action": Object {
Expand Down
21 changes: 21 additions & 0 deletions src/__tests__/waf.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,27 @@ describe('Waf', () => {
),
).toMatchSnapshot();
});

it('should generate a custom rule with ManagedRuleGroup', () => {
expect(
waf.buildWafRule(
{
name: 'MyRule1',
priority: 200,
overrideAction: {
None: {},
},
statement: {
ManagedRuleGroupStatement: {
Name: 'AWSManagedRulesCommonRuleSet',
VendorName: 'AWS',
},
},
},
'Base',
),
).toMatchSnapshot();
});
});

describe('ApiKey rules', () => {
Expand Down
9 changes: 8 additions & 1 deletion src/resources/Waf.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import {
WafThrottleConfig,
} from '../types/plugin';
import { Api } from './Api';
import { toCfnKeys } from '../utils';

export class Waf {
constructor(private api: Api, private config: WafConfig) {}
Expand Down Expand Up @@ -106,10 +107,10 @@ export class Waf {
}

const action: WafRuleAction = rule.action || 'Allow';
const overrideAction = rule.overrideAction;

Check failure on line 110 in src/resources/Waf.ts

View workflow job for this annotation

GitHub Actions / Release

Property 'overrideAction' does not exist on type 'WafRuleCustom'.

Check failure on line 110 in src/resources/Waf.ts

View workflow job for this annotation

GitHub Actions / tests (16)

Property 'overrideAction' does not exist on type 'WafRuleCustom'.

Check failure on line 110 in src/resources/Waf.ts

View workflow job for this annotation

GitHub Actions / tests (18)

Property 'overrideAction' does not exist on type 'WafRuleCustom'.

const result: CfnWafRule = {
Name: rule.name,
Action: { [action]: {} },
Priority: rule.priority,
Statement: rule.statement,
VisibilityConfig: this.getWafVisibilityConfig(
Expand All @@ -118,6 +119,12 @@ export class Waf {
),
};

if (overrideAction) {
result.OverrideAction = toCfnKeys(overrideAction);
} else {
result.Action = { [action]: {} };
}

return result;
}

Expand Down

0 comments on commit e99c51a

Please sign in to comment.