Unmaintained and overly complex

[ghost]

It seems to me that this project is not a good choice at all for anybody to use aside from as an example and PoC. There are multiple reasons I say this:

• JSON Cloudformation, with over 2,000 lines meaning a maintenance nightmare if things go wrong or wish to be updated.
• Overly complex design - lambdas triggering rules etc.
• Lambdas are in more than one language (Python and NodeJS).
• Lambdas are huge for small tasks (600+ lines for something to get IP lists?!)
• A growing backlog of PRs and Issues.
• Very few commits and commitors since it's original push in 2016.

It is a good example of what could be done with AWS WAF, however I have found myself on more than one occasional dealing with clients who believe that this repo is the best choice for them to roll out AWS WAF simply based off AWS blog promoting it. I believe that this is creating a maintenance risk in these organisations, who also end up spending significant time patching in their own changes to this repo instead of starting from a clean slate.

The point of submitting this Issue is to see if AWS will alter their Blog and/or README to clearly state this this is an example only and to recommend that customers use something a bit more fit for purpose based on their actual needs.

[hvital]

Hi d-j-c,

Thanks for your comment. Based on the previous feedbacks, we're working on an update .. the main focus is to clean up all repo's contributions. This includes:

• https://github.com/awslabs/aws-waf-security-automations/pull/64
• https://github.com/awslabs/aws-waf-security-automations/issues/57
• https://github.com/awslabs/aws-waf-security-automations/issues/62
• https://github.com/awslabs/aws-waf-security-automations/issues/63
• https://github.com/awslabs/aws-waf-security-automations/issues/44
• https://github.com/awslabs/aws-waf-security-automations/issues/60

As for the template complexity, cfn-lint might help to remove implicit dependencies and I'm still considering translate it o YAML.

Please, feel free to open as many issues you consider that it's important to be included ... we will answer them all (and try to address as many as possible in this upcoming version).

Many thanks!

[simplycloud]

do you have a timeframe in mind for when we can expect the update? that would be very helpful in deciding if we should wait to see that work vs use what is currently here. also, is that work being done publicly? i don't see it avail in the repo; but if possible, please do this in the open so we can follow along and offer proactive feedback on the new direction. in particular, with these sort of security related features, transparency is super helpful. thank you for all the work here.

[hvital]

Hi @simplycloud

We just pushed a new version. I'm adding a comment to all impacted contributions.

Many thanks.

[jbabe]

Hi @simplycloud

We just pushed a new version. I'm adding a comment to all impacted contributions.

Many thanks.

Hi @hvital, was about to open a new issue with a few questions but found this thread...

We had implemented WAFs in our organization's accounts using the template provided in the docs to get started. There are a couple things we've done that I'm wondering if they'd be merged into this repo if I opened a PR:

1. Using pipenv to install the awscli and cfn-lint lint packages
2. Used cfn-lint on the Cloudformation templates
3. Added a Cloudformation Export so we could use Fn::ImportValue in our Cloudfront stacks
4. Added IPSets via the CLI for Whitelists and Blacklists, but it would be nice to pass this in as a parameter to the stack

Please let me know and I can open PRs in the next couple weeks.

[hvital]

Hi @jbabe

Thanks for your contact!!

We review all PR before pushing new updates. Actually, I'm currently working one and it might cover most of the already opened Issues/PR.

If you want to take a look at this new version before sending the PR, we can share a pre-beta version. Please open a Support Case referring this repo so I can get the ticket with your contact.

Regards,

Heitor

[jbabe]

Hi @jbabe

Thanks for your contact!!

We review all PR before pushing new updates. Actually, I'm currently working one and it might cover most of the already opened Issues/PR.

If you want to take a look at this new version before sending the PR, we can share a pre-beta version. Please open a Support Case referring this repo so I can get the ticket with your contact.

Regards,

Heitor

Hi Heitor, I just opened a support case requesting access. Thanks Again! Jordan

[jbabe]

hi @hvital, support has provided me with access. I haven't had a chance to test it out but will before opening any PRs here. Thanks!

[hvital]

Great. Thanks for all your help!