Reputation: 12423
I want to make the WAF act as an IP whitelist with wafv2.
Currently my code is here:
import { aws_wafv2 as wafv2 } from 'aws-cdk-lib';

const wafacl = new wafv2.CfnWebACL(this, "MyCfnWebAll", {
  name: `ee-${targetEnv}-waf`,
  scope: "REGIONAL",
  defaultAction: {
    allow: {
      customRequestHandling: {
        insertHeaders: [{
          name: 'my_allow_name',
          value: 'my_allow_value',
        }],
      },
    }
  },
  visibilityConfig: {
    cloudWatchMetricsEnabled: false,
    metricName: 'metricName',
    sampledRequestsEnabled: false
  }
});

new wafv2.CfnWebACLAssociation(this, 'WebACLAssociation', {
  webAclArn: wafacl.attrArn,
  resourceArn: lb.loadBalancerArn
});

const cfnIPSet = new wafv2.CfnIPSet(this, 'MyCfnIPSet', {
  addresses: ['23.186.72.133/32', '143.32.1.45/32'],
  ipAddressVersion: 'IPV4',
  scope: 'REGIONAL',
  description: 'description',
  name: `ss-${targetEnv}-ipset`,
});
It can make the WAF, the association with the LoadBalancer, and the IPSet.
However, it lacks rules.
I am searching for samples to code a rule, but I couldn't find a good clue.
What I want to do is equivalent to this in the console:
- Add my own rules and rule groups
- choose "doesn't match the statement (NOT)"
- set the IPSet
Any help is appreciated.
For now, my references are these:
https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-wafv2.CfnWebACL.RuleProperty.html
https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-wafv2.CfnWebACL.html
I made the code like this below: making the rule and trying to set it in the rules of wafv2.CfnWebACL.
const ruleProperty: wafv2.CfnWebACL.RuleProperty = {
  name: 'name',
  priority: 123,
  statement: {
    ipSetReferenceStatement: {
      arn: cfnIPSet.attrArn
    }
  },
  visibilityConfig: {
    cloudWatchMetricsEnabled: false,
    metricName: 'metricName',
    sampledRequestsEnabled: false,
  }
}

const wafacl = new wafv2.CfnWebACL(this, "MyCfnWebAll", {
  name: `ss-${targetEnv}-waf`,
  scope: "REGIONAL",
  rules: [ruleProperty], // add here
Then an error like this comes:
Resource handler returned message: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE, parameter: Rule (Service: Wafv2, Status Code: 400, Request ID: ce79fc3b-cb96-4856-9d9f-12ea39407091, Extended Request ID: null)" (RequestToken: f2ef3c98-382f-1b21-2351-e3861e418623, HandlerErrorCode: InvalidRequest)
Upvotes: 1
Views: 3272
Reputation: 129
Please use this as a reference to write the rules.
https://github.com/aws/aws-cdk/issues/6056#issuecomment-581583976
IPSet is written like this.
{
  name: "CustomAllowIpSetRule",
  priority: 1,
  statement: {
    ipSetReferenceStatement: {
      arn: "xxxxxxx"
    },
  },
  action: { allow: {} },
  visibilityConfig: {
    sampledRequestsEnabled: true,
    cloudWatchMetricsEnabled: true,
    metricName: "CustomAllowIpSetRule",
  },
},
Upvotes: 4
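As an added example (not code from the question or the answer), here are the two ways to turn the IPSet into an allow list, built as plain objects with the same property names as `wafv2.CfnWebACL.RuleProperty` and `DefaultActionProperty`, plus a local check for the mistake behind the 400 above: a rule with neither `action` nor `overrideAction`. It assumes the returned `defaultAction` and `rules` are passed straight into `new wafv2.CfnWebACL(...)`; `aws-cdk-lib` is deliberately not imported so the file runs on its own.

```typescript
// Shapes mirror aws-cdk-lib's CfnWebACL.RuleProperty (subset); no CDK import so it runs stand-alone.
interface Statement {
  ipSetReferenceStatement?: { arn: string };
  notStatement?: { statement: Statement };
}
interface Rule {
  name: string;
  priority: number;
  statement: Statement;
  action?: { allow: {} } | { block: {} };        // for ordinary rules
  overrideAction?: { none: {} } | { count: {} }; // only for rule-group reference rules
  visibilityConfig: { cloudWatchMetricsEnabled: boolean; metricName: string; sampledRequestsEnabled: boolean };
}
const visibility = (metricName: string) =>
  ({ cloudWatchMetricsEnabled: true, metricName, sampledRequestsEnabled: true });

// Option A: default action BLOCK, one rule that ALLOWs source IPs in the IPSet.
// Anything not in the set never reaches a rule that allows it, so it is blocked.
function allowlistAcl(ipSetArn: string) {
  const rule: Rule = {
    name: 'AllowListedIps',
    priority: 1,
    statement: { ipSetReferenceStatement: { arn: ipSetArn } },
    action: { allow: {} }, // this is what the question's rule was missing
    visibilityConfig: visibility('AllowListedIps'),
  };
  return { defaultAction: { block: {} }, rules: [rule] };
}

// Option B: the console's "doesn't match the statement (NOT)" wording.
// Default action ALLOW, one rule that BLOCKs requests whose IP is NOT in the IPSet.
function notInIpSetAcl(ipSetArn: string) {
  const rule: Rule = {
    name: 'BlockNotListedIps',
    priority: 1,
    statement: { notStatement: { statement: { ipSetReferenceStatement: { arn: ipSetArn } } } },
    action: { block: {} },
    visibilityConfig: visibility('BlockNotListedIps'),
  };
  return { defaultAction: { allow: {} }, rules: [rule] };
}

// WAF requires exactly one of action / overrideAction per rule; a rule with neither is
// rejected at deploy time with the "none or multiple values for a field that requires
// exactly one value ... field: RULE" error from the question. Check before synthesizing.
function hasExactlyOneAction(rule: Rule): boolean {
  return (rule.action !== undefined) !== (rule.overrideAction !== undefined);
}
```

Option A is the safer default for an allow list: a typo in the NOT statement of option B fails open, while a missing allow rule in option A fails closed.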