From 1a58298a2fb0e2f595b3b9053ee1354405926ab0 Mon Sep 17 00:00:00 2001 From: Yasuto Nishii <45926314+yasuto-nishii@users.noreply.github.com> Date: Sun, 11 Feb 2024 18:42:48 +0900 Subject: [PATCH] fix : support overrideAction for WAF (#582) --- doc/WAF.md | 16 +++++++++++++++ src/__tests__/__snapshots__/waf.test.ts.snap | 21 ++++++++++++++++++++ src/__tests__/waf.test.ts | 21 ++++++++++++++++++++ src/resources/Waf.ts | 9 ++++++++- 4 files changed, 66 insertions(+), 1 deletion(-) diff --git a/doc/WAF.md b/doc/WAF.md index 40d636f0..13916f40 100644 --- a/doc/WAF.md +++ b/doc/WAF.md @@ -119,6 +119,22 @@ waf: - US ``` +```yml +waf: + enabled: true + defaultAction: Block + rules: + # using ManagedRuleGroup + - name: "AWSManagedRulesCommonRuleSet" + priority: 20 + overrideAction: + None: {} + statement: + ManagedRuleGroupStatement: + VendorName: "AWS" + Name: "AWSManagedRulesCommonRuleSet" +``` + ### Per API Key rules In some cases, you might want to enable a rule for a given API key only. You can specify `wafRules` under the `appSync.apiKeys` attribute. The rules will apply only to that API key. diff --git a/src/__tests__/__snapshots__/waf.test.ts.snap b/src/__tests__/__snapshots__/waf.test.ts.snap index 4101842f..5d48bbc9 100644 --- a/src/__tests__/__snapshots__/waf.test.ts.snap +++ b/src/__tests__/__snapshots__/waf.test.ts.snap @@ -411,6 +411,27 @@ Object { } `; +exports[`Waf Custom rules should generate a custom rule with ManagedRuleGroup 1`] = ` +Object { + "Name": "MyRule1", + "OverrideAction": Object { + "None": Object {}, + }, + "Priority": 200, + "Statement": Object { + "ManagedRuleGroupStatement": Object { + "Name": "AWSManagedRulesCommonRuleSet", + "VendorName": "AWS", + }, + }, + "VisibilityConfig": Object { + "CloudWatchMetricsEnabled": true, + "MetricName": "MyRule1", + "SampledRequestsEnabled": true, + }, +} +`; + exports[`Waf Disable introspection should generate a preset rule 1`] = ` Object { "Action": Object { diff --git a/src/__tests__/waf.test.ts b/src/__tests__/waf.test.ts index 9575f66b..9cdc83c9 100644 --- a/src/__tests__/waf.test.ts +++ b/src/__tests__/waf.test.ts @@ -168,6 +168,27 @@ describe('Waf', () => { ), ).toMatchSnapshot(); }); + + it('should generate a custom rule with ManagedRuleGroup', () => { + expect( + waf.buildWafRule( + { + name: 'MyRule1', + priority: 200, + overrideAction: { + None: {}, + }, + statement: { + ManagedRuleGroupStatement: { + Name: 'AWSManagedRulesCommonRuleSet', + VendorName: 'AWS', + }, + }, + }, + 'Base', + ), + ).toMatchSnapshot(); + }); }); describe('ApiKey rules', () => { diff --git a/src/resources/Waf.ts b/src/resources/Waf.ts index b9a6dfa5..2d2e0bc7 100644 --- a/src/resources/Waf.ts +++ b/src/resources/Waf.ts @@ -14,6 +14,7 @@ import { WafThrottleConfig, } from '../types/plugin'; import { Api } from './Api'; +import { toCfnKeys } from '../utils'; export class Waf { constructor(private api: Api, private config: WafConfig) {} @@ -106,10 +107,10 @@ export class Waf { } const action: WafRuleAction = rule.action || 'Allow'; + const overrideAction = rule.overrideAction; const result: CfnWafRule = { Name: rule.name, - Action: { [action]: {} }, Priority: rule.priority, Statement: rule.statement, VisibilityConfig: this.getWafVisibilityConfig( @@ -118,6 +119,12 @@ export class Waf { ), }; + if (overrideAction) { + result.OverrideAction = toCfnKeys(overrideAction); + } else { + result.Action = { [action]: {} }; + } + return result; }