aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(wafv2): add WebACL L2 Construct #17749

Open yamatatsu opened 2 years ago

yamatatsu commented 2 years ago

Description

Now, @aws-cdk/aws-wafv2 has no L2 construct. I will implement L2 constructs.

Use Case

When users create a WebACL, this construct will support it.

Proposed Solution

We can create L2 constructs for aws-wafv2.

Other information

No response

Acknowledge

Design

ref: cloudformation

Usage

Define WebACL
import * as wafv2 from 'aws-cdk-lib/aws-wafv2'
import * as wafv2Statement from 'aws-cdk-lib/aws-wafv2-statement'

// `ipSet` is a wafv2 IPSet defined elsewhere in the stack.
const webAcl = new wafv2.WebACL(this, "WebACL", {
  scope: wafv2.Scope.REGIONAL,
  // Requests that match no rule are blocked; only the rules below let traffic through.
  defaultAction: wafv2.DefaultAction.block(),
  rules: [
    {
      name: "IPSetAllow",
      action: wafv2.RuleAction.allow(),
      statement: new wafv2Statement.IPSetReferenceStatement(ipSet),
    },
    {
      name: "OWASP",
      // Managed rule groups take an override action; count() records matches without blocking.
      overrideAction: wafv2.OverrideAction.count(),
      statement: wafv2Statement.ManagedRuleGroupStatement.awsCommon(),
    },
  ],
});

Note: visibilityConfig has a default value. If WebACLProps.visibilityConfig is set, rules inherit it.

Note: wafv2Statement.ManagedRuleGroupStatement.awsCommon() will follow an enum-like pattern.

Associate to other resources
// `target` is a regional resource (for example an Application Load Balancer) defined elsewhere in the stack.
webAcl.attachTo(target);

and to associate it with CloudFront, as follows:

new cloudfront.Distribution(this, 'distribution', {
  webAcl: webAcl,
})

class diagram

WebACL
classDiagram
  WebACL ..> WebACLProps
  WebACLProps o.. CustomResponseBody
  WebACLProps o.. Scope
  WebACLProps o.. DefaultAction
  WebACLProps o.. Rule
  DefaultAction ..> DefaultActionConfig
  WebACLProps o.. VisibilityConfig
  Rule o.. VisibilityConfig

  class WebACL {
    +constructor(props: WebACLProps)
    +attachTo(target: ITarget)
  }
  class WebACLProps {
    name?: string;
    description?: string;
    scope: Scope;
    customResponseBodies?: Record<string, CustomResponseBody>;
    defaultAction: DefaultAction;
    rules?: Rule[];
    visibilityConfig?: VisibilityConfig;
  }
  <<Interface>> WebACLProps

  class CustomResponseBody {
    content: string;
    contentType: string;
  }
  <<Interface>> CustomResponseBody

  class Scope {
    REGIONAL
    CLOUDFRONT
  }
  <<enumerate>> Scope

  class DefaultAction {
    allow()$ DefaultAction
    block()$ DefaultAction
    bind()* DefaultActionConfig
  }
  <<abstract>> DefaultAction
  class DefaultActionConfig {
    configuration: CfnWebACL.DefaultActionProperty;
  }
  <<Interface>> DefaultActionConfig

  class Rule {
    name: string;
    action: RuleAction;
    overrideAction: OverrideAction;
    priority: number;
    statement: Statement;
    visibilityConfig?: VisibilityConfig;
    ruleLabels?: Label[];
  }
  <<Interface>> Rule
  class VisibilityConfig {
    cloudWatchMetricsEnabled: boolean;
    metricName: string;
    sampledRequestsEnabled: boolean;
  }
  <<Interface>> VisibilityConfig

Rule
classDiagram
  Rule o.. RuleAction
  RuleAction ..> RuleActionConfig
  Rule o.. OverrideAction
  OverrideAction ..> OverrideActionConfig
  Rule o.. IStatement
  IStatement ..> StatementConfig

  class Rule {
    name: string;
    action: RuleAction;
    overrideAction: OverrideAction;
    priority?: number;
    statement: Statement;
    visibilityConfig: VisibilityConfig;
    ruleLabels?: string[];
  }
  <<Interface>> Rule

  class RuleAction {
    allow()$ RuleAction
    block()$ RuleAction
    count()$ RuleAction
    bind()* RuleActionConfig
  }
  <<abstract>> RuleAction
  class RuleActionConfig {
    configuration: CfnRuleGroup.RuleActionProperty
  }
  <<Interface>> RuleActionConfig

  class OverrideAction {
    count()$ OverrideAction
    none()$ OverrideAction
    bind()* OverrideActionConfig
  }
  <<abstract>> OverrideAction
  class OverrideActionConfig {
    count?: Json;
    none?: Json;
  }

  class IStatement {
    bind() StatementConfig
  }
  <<Interface>> IStatement
  class StatementConfig {
    configuration: CfnRuleGroup.StatementProperty;
  }
  <<Interface>> StatementConfig

Roadmap

  1. implement WebACL with only required properties
    • It will not be able to use Rules
  2. implement Rule with one Statement(LabelMatchStatement)
  3. implement other remaining properties
  4. implement Statements
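
The usage sketch and class diagrams above describe how DefaultAction, RuleAction, OverrideAction and Statement objects would bind to the L1 properties. The following is an added example, not code from aws-cdk or from this issue's author: a stand-alone TypeScript model of that design that synthesizes the AWS::WAFv2::WebACL properties and enforces the checks a practitioner would expect from the L2 (exactly one of action/overrideAction, matched to whether the statement is a rule group; unique priorities; valid, non-reserved metric names; inherited or defaulted visibilityConfig). All class, method and property names are assumptions modelled on the sketch, not the eventual API.

```typescript
// Added example, not code from aws-cdk or from this issue's author: a stand-alone
// model of the proposed WebACL L2 that synthesizes the L1 (AWS::WAFv2::WebACL)
// properties. Names follow the issue's sketch and are assumptions about the API.
type Scope = "REGIONAL" | "CLOUDFRONT";
type RuleAction = "allow" | "block" | "count";
type OverrideAction = "count" | "none";
interface VisibilityConfig { cloudWatchMetricsEnabled: boolean; metricName: string; sampledRequestsEnabled: boolean; }

// A statement binds to the raw CloudFormation StatementProperty. Rule-group
// statements (managed or custom) take OverrideAction; every other statement
// takes Action. CloudFormation rejects the opposite pairing.
interface IStatement { readonly isRuleGroup: boolean; bind(): Record<string, unknown>; }

class IPSetReferenceStatement implements IStatement {
  readonly isRuleGroup = false;
  constructor(private readonly ipSetArn: string) {}
  bind() { return { IPSetReferenceStatement: { Arn: this.ipSetArn } }; }
}

class ManagedRuleGroupStatement implements IStatement {
  readonly isRuleGroup = true;
  private constructor(private readonly vendor: string, private readonly name: string) {}
  static awsCommon() { return new ManagedRuleGroupStatement("AWS", "AWSManagedRulesCommonRuleSet"); }
  bind() { return { ManagedRuleGroupStatement: { VendorName: this.vendor, Name: this.name } }; }
}

interface Rule {
  name: string; priority?: number; statement: IStatement; visibilityConfig?: VisibilityConfig;
  action?: RuleAction;             // for plain statements
  overrideAction?: OverrideAction; // for rule-group statements
}
interface WebACLProps {
  name?: string; scope: Scope; defaultAction: "allow" | "block";
  rules?: Rule[]; visibilityConfig?: VisibilityConfig;
}

// WAF metric names: 1-128 chars of [A-Za-z0-9_#:.-/]; "All" and "Default_Action"
// are reserved by the service.
const METRIC_NAME = /^[\w#:.\-\/]{1,128}$/;
const RESERVED_METRICS = new Set(["All", "Default_Action"]);
function toCfnVisibility(v: VisibilityConfig, where: string): Record<string, unknown> {
  if (!METRIC_NAME.test(v.metricName) || RESERVED_METRICS.has(v.metricName)) {
    throw new Error(`${where}: invalid metricName '${v.metricName}'`);
  }
  return { CloudWatchMetricsEnabled: v.cloudWatchMetricsEnabled, MetricName: v.metricName,
           SampledRequestsEnabled: v.sampledRequestsEnabled };
}

// Default visibility: metrics and sampled requests on, metric named after the resource.
function defaultVisibility(name: string): VisibilityConfig {
  const metricName = name.replace(/[^\w#:.\-\/]/g, "-").slice(0, 128) || "WebACL";
  return { cloudWatchMetricsEnabled: true, metricName, sampledRequestsEnabled: true };
}
function cap(s: string): string { return s.charAt(0).toUpperCase() + s.slice(1); }

function synthWebAcl(props: WebACLProps): Record<string, unknown> {
  const name = props.name ?? "WebACL";
  const used = new Set<number>();
  let next = 0;
  const rules = (props.rules ?? []).map((r) => {
    const hasOverride = r.overrideAction !== undefined;
    if ((r.action !== undefined) === hasOverride) {
      throw new Error(`rule ${r.name}: set exactly one of action or overrideAction`);
    }
    if (r.statement.isRuleGroup !== hasOverride) {
      throw new Error(`rule ${r.name}: rule-group statements need overrideAction, others need action`);
    }
    // Explicit priorities must be unique; unset ones follow array order, so rules
    // are evaluated in the order they were written.
    let priority = r.priority;
    if (priority === undefined) { while (used.has(next)) next++; priority = next; }
    if (used.has(priority)) throw new Error(`rule ${r.name}: duplicate priority ${priority}`);
    used.add(priority);
    // Rules inherit the ACL's visibilityConfig when set, else get a per-rule default.
    const vis = r.visibilityConfig ?? props.visibilityConfig ?? defaultVisibility(r.name);
    return {
      Name: r.name, Priority: priority, Statement: r.statement.bind(),
      ...(hasOverride ? { OverrideAction: { [cap(String(r.overrideAction))]: {} } }
                      : { Action: { [cap(String(r.action))]: {} } }),
      VisibilityConfig: toCfnVisibility(vis, `rule ${r.name}`),
    };
  });
  return {
    Name: name, Scope: props.scope, DefaultAction: { [cap(props.defaultAction)]: {} }, Rules: rules,
    VisibilityConfig: toCfnVisibility(props.visibilityConfig ?? defaultVisibility(name), "webacl"),
  };
}

// The issue's usage example run through the model; the IP set ARN is a constructed placeholder.
const exampleAcl = synthWebAcl({
  scope: "REGIONAL",
  defaultAction: "block",
  rules: [
    { name: "IPSetAllow", action: "allow", statement: new IPSetReferenceStatement(
        "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/example/0000-placeholder") },
    { name: "OWASP", overrideAction: "count", statement: ManagedRuleGroupStatement.awsCommon() },
  ],
});
```

Two caveats worth keeping in mind when the real L2 is designed: OverrideAction.count() on the managed group means its rules never block; it is the usual first step to measure false positives, after which switching to none() lets the group's own actions apply. And a WebACL with Scope.CLOUDFRONT has to be created in us-east-1, which is something the construct could validate from the stack's region rather than leaving to a deploy-time failure.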

njlynch commented 2 years ago

Thanks for the feature request, the example and diagrams!

To help us prioritize new L2s, we look for interest and engagement from the community (as well as internal metrics on how much usage the underlying L1s receive). I'm going to initially assign this as a p2, meaning we aren't able to work on this immediately.

We use 👍 s to help prioritize our work; you can reach out to the cdk.dev community on Slack to solicit support for prioritization.

Once we have a good number of people voting to prioritize this, we can dive in. The first step(s) would be to review the API via either an issue in our RFCs repo or as a PR against this issue with just the module's README, showing the API off and how a user would interact with it. I see you've already posted this PR; I would suggest expanding the README content quite a bit to highlight the different areas of the API.

yamatatsu commented 2 years ago

@NukaCody So sorry that I have robbed you of the chance of the contribution🙇🏻. I almost wasted your RFC mistakenly. The API described in your RFC seems smarter than mine. And it is expected that we write a sufficient README instead of design diagrams. May I discuss with you in the RFC issue?

@njlynch (or @skinny85 now?) I think there are enough votes in this PR and the tracking issue, so I think we can work on this feature. WDYT?

skinny85 commented 2 years ago

@yamatatsu yes, looks like we should pick this up.

What do you want me to do? Do you want me to comment on the PR (https://github.com/aws/aws-cdk/pull/17878), or do you want to discuss the design a little bit more?

yamatatsu commented 2 years ago

@skinny85

yes, looks like we should pick this up.

Yeah! 😍

I'll think about and brush up the description of this issue. It is better to describe more usage examples, and this API can be smarter, I think. In addition, the way to associate the ACL with other AWS resources should be described.

I'll mention to you after that!

yamatatsu commented 2 years ago

@skinny85 OK! I've fixed this issue's description. Can I have some feedback on this issue's description? And I would like a review of #17878. It just includes a minimum implementation of WAFv2, so maybe the review is not affected by the feedback on this issue, I think.

github-actions[bot] commented 3 months ago

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.