sid88in / serverless-appsync-plugin

serverless plugin for appsync
MIT License

wafConfig throttle does not update BaseThrottle value in AWS console #526

Closed joebernard closed 1 year ago

joebernard commented 2 years ago

No matter what value I use for throttle the WAF rule always displays as 100 in the AWS WAF console. Changing the throttle value in my serverless config does not change the value displayed in the AWS console. If I change the BaseThrottle value in the console to something else then redeploy my serverless config, the value I set in the console remains (the serverless config does not update it). The wafConfig throttle setting seems to only enable/disable throttling but not control the throttle value effectively.

bboure commented 2 years ago

Hi,

Did you check the generated CloudFormation template (in the .serverless folder)? Check the value and look for anything that seems incorrect.

joebernard commented 2 years ago

Yes, no matter what I set throttle in my yml, the generated .serverless/cloudformation-template-update-stack.json config will always set the BaseThrottle Limit parameter to 100. It doesn't seem to match the setting I'm passing in.

{
  "Action": {
    "Block": {}
  },
  "Name": "BaseThrottle",
  "Priority": 100,
  "Statement": {
    "RateBasedStatement": {
      "AggregateKeyType": "IP",
      "Limit": 100
    }
  },
  "VisibilityConfig": {
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BaseThrottle",
    "SampledRequestsEnabled": true
  }
}

I am using version 1.14.0.

joebernard commented 2 years ago

I see in the source that a throttle limit of 100 is being imposed by default. Could this be overwriting the limit being set in my config? Is there a way to overcome this limit?

https://github.com/sid88in/serverless-appsync-plugin/blob/master/src/index.js#L1673

bboure commented 2 years ago

Thanks for checking @joebernard. That is meant to be a default. On lines 1673 and 1683, it is supposed to pass a custom value.

What does your yml look like?

joebernard commented 2 years ago

Here is my yml:

wafConfig:
  enabled: true
  name: AppSyncUnauthWaf
  description: "AppSync WAF for the unauthenticated API"
  rules:
    - throttle: 1000, # request per 5 minutes
    - disableIntrospection # disallow untrusted consumers to discover the structure of the API
    - name: IPRules
      overrideAction:
        none: {}
      statement:
        managedRuleGroupStatement:
          vendorName: AWS
          name: AWSManagedRulesAmazonIpReputationList

Here is the generated CloudFormation json for BaseThrottle:

{
  "Action": {
    "Block": {}
  },
  "Name": "BaseThrottle",
  "Priority": 100,
  "Statement": {
    "RateBasedStatement": {
      "AggregateKeyType": "IP",
      "Limit": 100
    }
  },
  "VisibilityConfig": {
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BaseThrottle",
    "SampledRequestsEnabled": true
  }
}

Limit is set to 100 instead of the value of 1000 that I set in the yml config, and this value of 100 is reflected in the AWS web console for WAF. This happens for any value I use for throttle, even values less than 100. It always sets Limit to 100.

bboure commented 2 years ago

Would you be able to add some debug log around here?

I'm wondering if for some reason the type of config might be string when coming from yml, instead of number.

joebernard commented 1 year ago

@bboure This was my mistake. I had a comma after the throttle value. It is working as expected. Thanks for your help. Closing.
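Added example, not code from serverless-appsync-plugin or from anyone in this thread: it reproduces the root cause found above and shows the check that would have surfaced it at packaging time instead of in the WAF console. It assumes what a standard YAML parser does with `throttle: 1000, # request per 5 minutes`: in block context the comma is part of the plain scalar, so the value arrives as the string `"1000,"`, not the number 1000. The `lenientLimit`, `strictLimit` and `buildThrottleRule` functions, the `limit` object form and the `DEFAULT_THROTTLE_LIMIT` constant are this example's own names; only the default of 100 and the rule shape come from the thread.

```javascript
// Constructed objects mirroring what a YAML parser returns for the two
// variants of the rule (assumption: plain scalar "1000," for the broken one).
const brokenRule = { throttle: '1000,' }; // from `- throttle: 1000, # ...`
const fixedRule = { throttle: 1000 };     // from `- throttle: 1000 # ...`

const DEFAULT_THROTTLE_LIMIT = 100; // the plugin default reported in the issue

// Lenient resolution, consistent with the behaviour reported above: a value
// that is not a number (or an object with a numeric `limit`, a hypothetical
// form used here for illustration) is silently replaced by the default.
function lenientLimit(throttle) {
  if (typeof throttle === 'number') return throttle;
  if (throttle && typeof throttle === 'object' && typeof throttle.limit === 'number') {
    return throttle.limit;
  }
  return DEFAULT_THROTTLE_LIMIT;
}

// Strict resolution: a missing value means "use the default"; anything else
// must be a positive integer, otherwise the deploy is refused with a message
// that names the offending value. AWS additionally enforces its own minimum
// and maximum on RateBasedStatement Limit; this check only catches type slips.
function strictLimit(throttle) {
  if (throttle === undefined || throttle === null) return DEFAULT_THROTTLE_LIMIT;
  const value = throttle && typeof throttle === 'object' ? throttle.limit : throttle;
  if (!Number.isInteger(value) || value <= 0) {
    throw new TypeError(
      `wafConfig throttle must be a positive integer, got ${JSON.stringify(throttle)} ` +
      `(${typeof value}); check for a stray comma or quotes in the YAML`,
    );
  }
  return value;
}

// Builds the rule fragment in the same shape as the generated template shown
// above, using whichever resolver is passed in (strict by default).
function buildThrottleRule(throttle, resolve = strictLimit) {
  return {
    Action: { Block: {} },
    Name: 'BaseThrottle',
    Priority: 100,
    Statement: {
      RateBasedStatement: { AggregateKeyType: 'IP', Limit: resolve(throttle) },
    },
    VisibilityConfig: {
      CloudWatchMetricsEnabled: true,
      MetricName: 'BaseThrottle',
      SampledRequestsEnabled: true,
    },
  };
}

// Demonstration: the lenient path reproduces the symptom, the strict path
// rejects the malformed config instead of deploying a limit nobody asked for.
console.log(lenientLimit(brokenRule.throttle)); // 100: the trailing comma silently wins
console.log(buildThrottleRule(fixedRule.throttle).Statement.RateBasedStatement.Limit); // 1000
try {
  buildThrottleRule(brokenRule.throttle);
} catch (err) {
  console.log(err.message);
}
```

The point of the strict variant is that a rate limit which quietly reverts to a default is a misconfiguration you only discover by reading the console; failing the packaging step on a non-numeric value makes the YAML mistake visible where it was made.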