aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

wafv2: Ability to add rules to an existing WebACL #25156

Open reply2srij opened 1 year ago

reply2srij commented 1 year ago

Describe the feature

Add additional rules to the existing WebAcl in our accounts. I am able to do this via the console, but unable to find a way to do it via CDK. This feature is something I would like to request to be added.

Use Case

In our enterprise, we have a cloud admin team provided BASE WebAcl. They have mandated certain rules via this WebACL. Cloud teams are supposed to use this Web ACL and add additional rules to the existing WebAcl in their account. I am able to do this via the console, but unable to find a way to do it via CDK. This feature is something I would like to request to be added.

Proposed Solution

No response

Other Information

No response

Acknowledgements

CDK version used

2.74.0

Environment details (OS name and version, etc.)

AWS CDK V2, CloudFront, APIGW, ALB, Java

khushail commented 1 year ago

Thanks @reply2srij for reaching out with this feature request. As of now, there is officially no L2 Construct for WAFv2. However, you could use the L1 Construct for your use case.

Implementing this feature would require having the L2 construct as well, which is in progress and requires attention too. So I would be marking this as P2, which would mean our team won't be able to immediately work on it.

If you would like to make a contribution, here is the contributing guide to get started.

reply2srij commented 1 year ago

> Thanks @reply2srij for reaching out with this feature request. As of now, there is officially no L2 Construct for WAFv2. However, you could use the L1 Construct for your use case.
>
> Implementing this feature would require having the L2 construct as well, which is in progress and requires attention too. So I would be marking this as P2, which would mean our team won't be able to immediately work on it.
>
> If you would like to make a contribution, here is the contributing guide to get started.

Thanks for your response. Since the original feature request for L2 seems to have enough interest, is there a possibility that it may be picked up in the near future?

khushail commented 1 year ago

Unfortunately, I cannot comment on that. But we will be glad to review any PRs from the community to get it implemented.

pahud commented 1 year ago

Hi @reply2srij

Looking at the CFN resource AWS::WAFv2::WebACL, Rules is a property of this resource, a List of Rule, which means you should be able to create a new WebACL with CfnWebAcl and attach your rules to it. This will require you to create a new WebACL with CDK. If you already have an existing WebACL created outside of CDK, I believe it's not possible to attach additional rules to that with CDK.

If you are really interested, you can try the CfnWebAcl L1 resource for now.

reply2srij commented 1 year ago

> Hi @reply2srij
>
> Looking at the CFN resource AWS::WAFv2::WebACL, Rules is a property of this resource, a List of Rule, which means you should be able to create a new WebACL with CfnWebAcl and attach your rules to it. This will require you to create a new WebACL with CDK. If you already have an existing WebACL created outside of CDK, I believe it's not possible to attach additional rules to that with CDK.
>
> If you are really interested, you can try the CfnWebAcl L1 resource for now.

Our requirement is to use an existing Web ACL (configured outside of CDK) and add additional rules to it. As the L2 construct is not yet available, we will be doing this from the console. In an ideal world, we would like to do it from CDK.

metola commented 8 months ago

Do we have news about this? I want to fromLookup a WebAcl and attach a new RuleGroup. But it is impossible.

catdkny commented 3 weeks ago

I am looking forward to that feature. Currently, I need to read existing rules and append new ones as updated rules using the add_override() feature. This process is a bit confusing for me because it is easy to perform this operation in the Console, but it seems challenging with the CDK.
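The two workarounds discussed in this thread (pahud's suggestion of passing the full rule list to the `CfnWebAcl` L1 resource, and catdkny's approach of reading the existing rules and appending new ones via an override) both come down to assembling one complete `Rules` array for `AWS::WAFv2::WebACL`. The example below is added here and is not code from the aws-cdk project or from any participant in the issue. It builds that array from a mandated base set plus team-specific rules in CloudFormation (PascalCase) casing, using plain objects so it runs without `aws-cdk-lib`, and rejects the collisions that make a WebACL update fail: duplicate rule names, duplicate priorities, and a rule with both or neither of `Action` / `OverrideAction`. The rule names, managed rule group references, and rate limit are constructed sample values.

```typescript
// Added example (not from the aws-cdk project or the issue participants). Builds the
// Rules array of an AWS::WAFv2::WebACL from base + team rules, with collision checks.
// Plain objects only: no aws-cdk-lib import is needed to run it.

type EmptyObject = Record<string, never>;

// Structural mirror of CfnWebACL.RuleProperty (assumption: only the fields used here).
interface WafRule {
  Name: string;
  Priority: number;
  Statement: Record<string, unknown>;
  Action?: { Allow?: EmptyObject; Block?: EmptyObject; Count?: EmptyObject };
  OverrideAction?: { None?: EmptyObject; Count?: EmptyObject };
  VisibilityConfig: {
    SampledRequestsEnabled: boolean;
    CloudWatchMetricsEnabled: boolean;
    MetricName: string;
  };
}

function visibility(metricName: string): WafRule["VisibilityConfig"] {
  return { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: metricName };
}

// A rule referencing a managed rule group. Rule-group references take OverrideAction
// rather than Action; None keeps the group's own allow/block decisions in force.
function managedRuleGroupRule(name: string, priority: number, groupName: string, vendor = "AWS"): WafRule {
  return {
    Name: name,
    Priority: priority,
    Statement: { ManagedRuleGroupStatement: { VendorName: vendor, Name: groupName } },
    OverrideAction: { None: {} },
    VisibilityConfig: visibility(name),
  };
}

// A rate-based rule that blocks source IPs exceeding `limit` requests per 5-minute window.
function rateLimitRule(name: string, priority: number, limit: number): WafRule {
  return {
    Name: name,
    Priority: priority,
    Statement: { RateBasedStatement: { Limit: limit, AggregateKeyType: "IP" } },
    Action: { Block: {} },
    VisibilityConfig: visibility(name),
  };
}

// Merge mandated base rules with team rules. Throws on duplicate Name, duplicate
// Priority, or a rule that does not set exactly one of Action / OverrideAction.
// Returns a new array ordered by Priority (lowest evaluated first).
function mergeWebAclRules(base: WafRule[], extra: WafRule[]): WafRule[] {
  const merged = [...base, ...extra];
  const names = new Set<string>();
  const priorities = new Map<number, string>();
  for (const r of merged) {
    if (names.has(r.Name)) throw new Error(`duplicate rule name: ${r.Name}`);
    names.add(r.Name);
    const clash = priorities.get(r.Priority);
    if (clash !== undefined) throw new Error(`priority ${r.Priority} used by both ${clash} and ${r.Name}`);
    priorities.set(r.Priority, r.Name);
    if ((r.Action === undefined) === (r.OverrideAction === undefined)) {
      throw new Error(`rule ${r.Name} must set exactly one of Action or OverrideAction`);
    }
  }
  return merged.sort((a, b) => a.Priority - b.Priority);
}

// Constructed sample data: rules a cloud admin team might mandate in the BASE WebACL,
// plus one rule an application team wants to append behind them.
const baseRules: WafRule[] = [
  managedRuleGroupRule("AWSCommonRuleSet", 0, "AWSManagedRulesCommonRuleSet"),
  managedRuleGroupRule("AWSKnownBadInputs", 1, "AWSManagedRulesKnownBadInputsRuleSet"),
];
const teamRules: WafRule[] = [rateLimitRule("LoginRateLimit", 100, 500)];

const mergedRules = mergeWebAclRules(baseRules, teamRules);
// With aws-cdk-lib, this array is what you would hand to the L1 resource, e.g.
//   cfnWebAcl.addPropertyOverride("Rules", mergedRules);
// or, with camelCase field names, as the `rules` prop of `new wafv2.CfnWebACL(...)`.
```

The casing matters: `addPropertyOverride` writes raw CloudFormation and expects PascalCase keys as above, while the `CfnWebACL` constructor props use camelCase (`name`, `priority`, `statement`, `visibilityConfig`). Leaving a gap between the base priorities and the team rule's priority (0, 1 and then 100) is deliberate, so the admin team can add mandated rules later without renumbering yours.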