Open urda opened 1 month ago
Although the issue is reproducible using the CDK code below:
```typescript
import * as cdk from 'aws-cdk-lib';
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

export class CdktestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const wafAcl = new wafv2.CfnWebACL(this, 'RootWAF', {
      defaultAction: {
        allow: {}
      },
      scope: 'CLOUDFRONT',
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'WAF',
        sampledRequestsEnabled: true
      },
      rules: [
        {
          name: 'Rate-Limit-Requests',
          priority: 0,
          action: {
            block: {}
          },
          visibilityConfig: {
            cloudWatchMetricsEnabled: true,
            metricName: 'Rate-Limit-Requests',
            sampledRequestsEnabled: true,
          },
          statement: {
            rateBasedStatement: {
              aggregateKeyType: 'IP',
              limit: 60,
              evaluationWindowSec: 60
            },
          }
        }
      ]
    });
  }
}
```
where it gives an error during deployment:

```
Resource handler returned message: "Model validation failed (#/Rules/0/Statement/RateBasedStatement/Limit: failed validation constraint for keyword [minimum])" (RequestToken: a7a06ec4-7689-59cb-38bd-8ec048ec006e, HandlerErrorCode: InvalidRequest)
```

If we check the documentation for the `Limit` property at AWS::WAFv2::WebACL RateBasedStatement, it specifies the minimum value for `Limit` as `100`. Hence the error.
@urda The above error is thrown by CloudFormation, not the CDK code. Per CloudFormation documentation, the minimum value for `Limit` is `100`. Hence, the error.
Thanks, Ashish
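
A pre-deployment check for the failure described in the comment above, added here as an example (not code from this issue or from the AWS CDK project): it scans a synthesized CloudFormation template and reports each `RateBasedStatement` limit the schema would reject, using the same pointer format as the deployment error. The minimum of 100 is the value quoted in this thread; the function names and the sample template are constructed for illustration.

```typescript
// Added example; not code from this issue or from the AWS CDK project.
// Assumption: 100 is the CloudFormation schema minimum quoted in this thread.
const CFN_MIN_LIMIT = 100;
const WAF_TYPES = ['AWS::WAFv2::WebACL', 'AWS::WAFv2::RuleGroup'];
interface Finding { resource: string; pointer: string; reason: string }
type Obj = { [key: string]: unknown };

// Return v as a plain object, or an empty object when it is anything else.
function asObj(v: unknown): Obj {
  return typeof v === 'object' && v !== null && !Array.isArray(v) ? (v as Obj) : {};
}

// Scan a synthesized template for rate limits that CloudFormation would reject.
function lintRateLimits(templateJson: string): Finding[] {
  const findings: Finding[] = [];
  const resources = asObj(asObj(JSON.parse(templateJson))['Resources']);
  for (const logicalId of Object.keys(resources)) {
    const res = asObj(resources[logicalId]);
    const type = res['Type'];
    if (typeof type !== 'string' || WAF_TYPES.indexOf(type) === -1) continue;
    const rules = asObj(res['Properties'])['Rules'];
    if (!Array.isArray(rules)) continue;
    rules.forEach((rule: unknown, i: number) => {
      const statement = asObj(asObj(rule)['Statement']);
      if (!('RateBasedStatement' in statement)) return;
      const limit = asObj(statement['RateBasedStatement'])['Limit'];
      // Same pointer format as the CloudFormation validation error in this thread.
      const pointer = '#/Rules/' + i + '/Statement/RateBasedStatement/Limit';
      if (typeof limit !== 'number') {
        // e.g. { Ref: 'RateParam' }: the value is only known at deploy time.
        findings.push({ resource: logicalId, pointer, reason: 'unresolved' });
      } else if (limit < CFN_MIN_LIMIT) {
        findings.push({ resource: logicalId, pointer, reason: 'below minimum: ' + limit });
      }
    });
  }
  return findings;
}

// Constructed sample shaped like `cdk synth` output for the stack in this issue,
// plus a rule at the minimum and a rule whose limit is a parameter reference.
const rate = (limit: unknown) => ({ RateBasedStatement: { AggregateKeyType: 'IP', Limit: limit } });
const SAMPLE_TEMPLATE = JSON.stringify({
  Resources: {
    RootWAF: { Type: 'AWS::WAFv2::WebACL', Properties: { Scope: 'CLOUDFRONT', Rules: [
      { Name: 'Rate-Limit-Requests', Priority: 0, Statement: rate(60) },
      { Name: 'At-Minimum', Priority: 1, Statement: rate(100) },
      { Name: 'From-Parameter', Priority: 2, Statement: rate({ Ref: 'RateParam' }) },
    ] } },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
});
console.log(lintRateLimits(SAMPLE_TEMPLATE));
```

Run against the JSON that `cdk synth` writes, a non-empty result can fail the build before the template reaches CloudFormation.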
It's out of date from what AWS says the service supports: https://aws.amazon.com/about-aws/whats-new/2024/08/aws-waf-rate-based-rules-lower-rate-limits/#:~:text=AWS%20WAF%20now%20supports%20setting,previous%20minimum%20of%20100%20requests.
@urda Thanks for your response. I could also see that in the WAFv2 API reference at RateBasedStatement. Looks like CloudFormation doesn't support the lower limit yet. Request you to open an issue at https://github.com/aws-cloudformation/cloudformation-coverage-roadmap, since the support needs to be added on the CloudFormation side (also link this issue), and you will get an update on it whenever it's fixed.
Thanks, Ashish
@ashishdhingra opened aws-cloudformation/cloudformation-coverage-roadmap#2160
Describe the bug
I am unable to set my `limit` for a `RateBasedStatementProperty` below 100. Attempting to do so results in a stack error:
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
I am able to set a rate below 100.
Current Behavior
Unable to set a rate below 100, must be done via web console in AWS.
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.162.1 (build 10aa526)
Framework Version
No response
Node.js Version
v18.16.0
OS
macOS
Language
Python
Language Version
Python 3.12.0
Other information
No response