AWS WAF CDK Python How to change rule action

Time:09-23

Here is my Python CDK code which creates 2 rules, "AWS-AWSManagedRulesCommonRuleSet" and "AWS-AWS-ManagedRulesAmazonIpReputationList". In each rule there are child rules whose Rule Actions I can change to Count; the question is how can I add this to my code? I didn't find any good explanation for those child rules.

Added some changes but it still doesn't work; I get this error:

Resource handler returned message: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE, parameter: Rule (Service: Wafv2, Status Code: 400, Request ID: 248d9235-bd01-49f4-963b-109bac2776c5, Extended Request ID: null)" (RequestToken: 8bb5****-****-3e95-****-8e336ae3eed4, HandlerErrorCode: InvalidRequest)

The code:

from aws_cdk import core, aws_wafv2 as wafv2


class PyCdkStack(core.Stack):

    def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        web_acl = wafv2.CfnWebACL(
            scope_=self, id='WebAcl',
            default_action=wafv2.CfnWebACL.DefaultActionProperty(allow={}),
            scope='REGIONAL',
            visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
                cloud_watch_metrics_enabled=True,
                sampled_requests_enabled=True,
                metric_name='testwafmetric',
            ),
            name='Test-Test-WebACL',
            rules=[
                {
                    'name': 'AWS-AWSManagedRulesCommonRuleSet',
                    'priority': 1,
                    'statement': {
                        'RuleGroupReferenceStatement': {
                            'vendorName': 'AWS',
                            'name': 'AWSManagedRulesCommonRuleSet',
                            'ARN': 'string',
                            "ExcludedRules": [
                                {
                                    "Name": "CrossSiteScripting_QUERYARGUMENTS"
                                },
                                {
                                    "Name": "GenericLFI_QUERYARGUMENTS"
                                },
                                {
                                    "Name": "GenericRFI_QUERYARGUMENTS"
                                },
                                {
                                    "Name": "NoUserAgent_HEADER"
                                },
                                {
                                    "Name": "SizeRestrictions_QUERYSTRING"
                                }
                            ]
                        }
                    },
                    'overrideAction': {
                        'none': {}
                    },
                    'visibilityConfig': {
                        'sampledRequestsEnabled': True,
                        'cloudWatchMetricsEnabled': True,
                        'metricName': "AWS-AWSManagedRulesCommonRuleSet"
                    }
                },
            ]
        )

CodePudding user response:

The Cfn constructs are a one-to-one mapping to the CloudFormation resources. You can simply check the docs for aws::wafv2::webacl.

For an example on how to exclude in cloudformation, see below. Note that object keys need to start with lowercase in order for CDK to process them.

{
    "name": "AWS-AWSBotControl-Example",
    "priority": 5,
    "statement": {
        "managedRuleGroupStatement": {
            "vendorName": "AWS",
            "name": "AWSManagedRulesBotControlRuleSet",
            "excludedRules": [
                {
                    "name": "CategoryVerifiedSearchEngine"
                },
                {
                    "name": "CategoryVerifiedSocialMedia"
                }
            ]
        }
    },
    "overrideAction": {
        "none": {}
    },
    "visibilityConfig": {
        "sampledRequestsEnabled": true,
        "cloudWatchMetricsEnabled": true,
        "metricName": "AWS-AWSBotControl-Example"
    }
}

This actually sets the two mentioned rules to Count mode. See https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rule-group-settings.html#web-acl-rule-group-rule-to-count. Note it says:

Rules that you alter like this are described as being excluded rules in the rule group. If you have metrics enabled, you receive COUNT metrics for each excluded rule. This change alters how the rules in the rule group are evaluated.
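The following is an added example, not code from the question or the answer above: a small builder that produces the lowercase-keyed managed rule group rule dict that CfnWebACL expects (with the chosen child rules switched to Count via excludedRules), plus a hypothetical pre-synth lint, lint_rule, that catches the mistakes behind the "exactly one value, field: RULE" error in the question (capitalised keys, an unknown statement type, and a missing or duplicated action/overrideAction). It works on plain dicts and needs no aws_cdk import, so it runs offline; the rule names used are taken from the question.

```python
from typing import Any, Dict, List

# Statement types that reference a rule group; these rules take overrideAction, not action.
GROUP_STATEMENTS = {"managedRuleGroupStatement", "ruleGroupReferenceStatement"}


def managed_rule_group_rule(name: str, priority: int, group: str,
                            count_rules: List[str], vendor: str = "AWS") -> Dict[str, Any]:
    """Build one CfnWebACL rule dict; each name in count_rules becomes an excluded
    (Count-mode) child rule of the managed rule group."""
    return {
        "name": name,
        "priority": priority,
        "statement": {
            "managedRuleGroupStatement": {
                "vendorName": vendor,
                "name": group,
                "excludedRules": [{"name": r} for r in count_rules],
            }
        },
        # A rule that wraps a rule group must carry overrideAction (none keeps the
        # child rule actions, i.e. Block stays Block, excluded ones become Count).
        "overrideAction": {"none": {}},
        "visibilityConfig": {
            "sampledRequestsEnabled": True,
            "cloudWatchMetricsEnabled": True,
            "metricName": name,
        },
    }


def lint_rule(rule: Dict[str, Any]) -> List[str]:
    """Hypothetical helper: return the problems WAFv2 would reject at deploy time."""
    problems: List[str] = []

    def walk(obj: Any, path: str) -> None:
        # CDK ignores keys that do not start lowercase, which silently empties the statement.
        if isinstance(obj, dict):
            for k, v in obj.items():
                if k[:1].isupper():
                    problems.append(f"{path}.{k}: key must start with a lowercase letter")
                walk(v, f"{path}.{k}")
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, f"{path}[{i}]")

    walk(rule, "rule")
    stmt = rule.get("statement", {})
    if len(stmt) != 1:
        problems.append("rule.statement: exactly one statement type is required")
    is_group = bool(GROUP_STATEMENTS & set(stmt))
    has_action, has_override = "action" in rule, "overrideAction" in rule
    if is_group and not (has_override and not has_action):
        problems.append("rule: a rule group rule needs overrideAction and no action")
    if not is_group and not (has_action and not has_override):
        problems.append("rule: a non-group rule needs action and no overrideAction")
    return problems
```

Running lint_rule over the dict from the question reports the capitalised RuleGroupReferenceStatement and ARN keys and the resulting action mismatch, while the dict from managed_rule_group_rule passes clean.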
