aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(wafv2): wafv2.CfnWebACL.ExcludedRuleProperty name argument casing #27993

Open gebailey opened 11 months ago

gebailey commented 11 months ago

Describe the bug

Not sure if this is a documentation bug, or a bug within CDK, but we're trying to modify rule sets on a Web ACL, and it's unclear if the name argument to wafv2.CfnWebACL.ExcludedRuleProperty is supposed to be upper-cased or lower-cased. The documentation at https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_wafv2/CfnWebACL.html#excludedruleproperty specifies name (with a lower-case n).

But we see the following error (warning?) when running CDK:

Properties validation failed for resource cirrusscanwafacl with message:
#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: required key [Name] not found
#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: extraneous key [name] is not permitted

The modifications to the rule list seem to take effect, despite the error (warning?) displayed above.

Expected Behavior

I would not expect to see validation errors when using name.

Current Behavior

I see unexpected validation errors when using name:

#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: required key [Name] not found
#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: extraneous key [name] is not permitted

Reproduction Steps

Our CDK stack constructs a WAFv2 Web ACL, and specifies rules using:

                rules=[
                    # AWS Common Ruleset (with modifications)
                    wafv2.CfnWebACL.RuleProperty(
                        name="CirrusScan-AWSManagedRulesCommonRuleSet",
                        priority=0,
                        override_action=wafv2.CfnWebACL.OverrideActionProperty(
                            none={},
                        ),
                        visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
                            sampled_requests_enabled=True,
                            cloud_watch_metrics_enabled=True,
                            metric_name="CirrusScan-MetricForAMRCommon",
                        ),
                        statement=wafv2.CfnWebACL.StatementProperty(
                            managed_rule_group_statement=wafv2.CfnWebACL.ManagedRuleGroupStatementProperty(
                                vendor_name="AWS",
                                name="AWSManagedRulesCommonRuleSet",
                                excluded_rules=[
                                    wafv2.CfnWebACL.ExcludedRuleProperty(
                                        name="SizeRestrictions_BODY"
                                    ),
                                    wafv2.CfnWebACL.ExcludedRuleProperty(
                                        name="GenericRFI_BODY"
                                    ),
                                    wafv2.CfnWebACL.ExcludedRuleProperty(
                                        name="EC2MetaDataSSRF_BODY"
                                    ),
                                ],
                            ),
                        ),
                    ),

Documentation for wafv2.CfnWebACL.ExcludedRuleProperty suggests that name (lowercase N) should be specified as the parameter, but errors/warnings emitted by CDK suggest it is expecting Name (uppercase N).

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.96.2

Framework Version

No response

Node.js Version

18

OS

Ubuntu Linux

Language

Python

Language Version

Python 3.11

Other information

No response

khushail commented 11 months ago

@gebailey, thanks for reporting this. Have you tried this with the latest CDK version, and are you still facing the issue?

gebailey commented 11 months ago

I upgraded to CDK 2.108.1 and still see this. It's strange because it looks like CloudFormation is emitting some kind of warning or notice but the CDK output itself appears to complete. If I look at CloudFormation, the "Status reason" for the UPDATE_IN_PROGRESS step shows:

Resource template validation failed for resource cirrusscanwafacl as the template has invalid properties. Please refer to the resource documentation to fix the template. Properties validation failed for resource cirrusscanwafacl with message: #/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: required key [Name] not found #/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: extraneous key [name] is not permitted

And I think the above warning shows up in our GitHub action output, which is what prompted the issue.

Recad commented 10 months ago

Something similar here with Golang and SingleHeaderProperty: https://github.com/aws/aws-cdk/issues/28074

khushail commented 10 months ago

Hi @gebailey, we have discussed a similar issue (https://github.com/aws/aws-cdk/issues/28074) with the team and are looking for a workaround. Thanks for reporting this.

pahud commented 4 months ago

related to https://github.com/aws/aws-cdk/issues/23679#issuecomment-1382594104
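
Added example, not part of the thread or of the aws-cdk code base: the validation line quoted above carries a JSON path, and resolving that path against the synthesized Web ACL properties shows which rule and object hold the rejected key. The template fragment, rule names, limit and header value below are constructed for illustration; only the message text and the path shape come from the report.

```python
import re

# MESSAGE is the validation line quoted in the report. PROPERTIES is a
# constructed stand-in for the Web ACL's synthesized Properties: rule names,
# limit and header value are assumptions; only rule 3's path shape is real.
MESSAGE = ("#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement"
           "/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: "
           "extraneous key [name] is not permitted")
PROPERTIES = {"Rules": [
    {"Name": "constructed-managed-common", "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
        "ExcludedRules": [{"Name": "SizeRestrictions_BODY"}]}}},
    {"Name": "constructed-rule-1"}, {"Name": "constructed-rule-2"},
    {"Name": "constructed-rate-limit", "Statement": {"RateBasedStatement": {
        "Limit": 1000, "AggregateKeyType": "IP",
        "ScopeDownStatement": {"NotStatement": {"Statement": {
            "SizeConstraintStatement": {"FieldToMatch": {
                "SingleHeader": {"name": "content-length"}}}}}}}}},
]}

def parse_finding(message):
    """Split one validation line into (path segments, key named in brackets)."""
    m = re.match(r"#/(?P<path>[^:]+): .*?key \[(?P<key>[^\]]+)\]", message)
    if m is None:
        raise ValueError("not a property validation line: %r" % message)
    return m["path"].split("/"), m["key"]

def resolve(doc, segments):
    """Follow path segments; a segment under a list is a numeric index."""
    for seg in segments:
        doc = doc[int(seg)] if isinstance(doc, list) else doc[seg]
    return doc

def locate(message, properties):
    """Return (name of the rule the path enters, object at the path, key)."""
    segments, key = parse_finding(message)
    return resolve(properties, segments[:2])["Name"], resolve(properties, segments), key

def lowercase_keys(node, path="#"):
    """Yield paths of keys not starting upper-case. Heuristic only: maps with
    user-chosen keys (for example CustomResponseBodies) need an allow-list."""
    if isinstance(node, dict):
        for k, v in node.items():
            if not k[:1].isupper():
                yield f"{path}/{k}"
            yield from lowercase_keys(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from lowercase_keys(v, f"{path}/{i}")
```

In the constructed sample the path resolves to the fourth rule's SingleHeader object rather than to an ExcludedRules entry, and the message itself names the accepted key, Name. Running `lowercase_keys` over the `Properties` of a synthesized template flags the same location before deployment.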