aws - rest-stage - add regex match support for wafv2-enabled filter and set-wafv2 action #7946

Merged
merged 43 commits into from
Dec 14, 2022

@kk1532 kk1532 commented Oct 27, 2022

Added regex feature to wafv2-enabled filter of rest-stage.

policies:
  - name: filter-wafv2-apigw
    resource: rest-stage
    filters:
      - type: wafv2-enabled
        state: true
        web-acl: .*FMManagedWebACLV2-?FMS-.*

This fix supports local WAF and FMS-based WAF.

Also added set-wafv2 filter to support regex format.
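An added example, not code from this PR or from Cloud Custodian, showing how a start-anchored regex such as the `web-acl` value above selects web ACLs by name, and why an action that attaches an ACL needs exactly one match. The ACL names, ARNs, stages and the helper functions `matching_arns`, `wafv2_enabled` and `resolve_single` are constructed for illustration; `webAclArn` is assumed to hold the stage's associated ACL.

```python
import re

# Constructed sample data, not taken from the PR: web ACL name -> ARN.
_PREFIX = "arn:aws:wafv2:us-east-1:111111111111:regional/webacl/"
ACLS = {
    "FMManagedWebACLV2-FMS-prod": _PREFIX + "FMManagedWebACLV2-FMS-prod/a1",
    "FMManagedWebACLV2FMS-legacy": _PREFIX + "FMManagedWebACLV2FMS-legacy/b2",
    "local-acl": _PREFIX + "local-acl/c3",
    "local-acl-test": _PREFIX + "local-acl-test/d4",
}
# Constructed stages; webAclArn is None when no WAFv2 ACL is attached.
STAGES = [
    {"stageName": "prod", "webAclArn": ACLS["FMManagedWebACLV2-FMS-prod"]},
    {"stageName": "legacy", "webAclArn": ACLS["FMManagedWebACLV2FMS-legacy"]},
    {"stageName": "dev", "webAclArn": ACLS["local-acl"]},
    {"stageName": "open", "webAclArn": None},
]


def matching_arns(pattern, acls=ACLS):
    """ARNs of ACLs whose name matches; re.match anchors at the start only."""
    return {arn for name, arn in acls.items() if re.match(pattern, name)}


def wafv2_enabled(stages, pattern, state=True, acls=ACLS):
    """state=True keeps stages behind a matching ACL, state=False the rest."""
    arns = matching_arns(pattern, acls)
    return [s["stageName"] for s in stages if (s["webAclArn"] in arns) == state]


def resolve_single(pattern, acls=ACLS):
    """An attach action needs one unambiguous target, so refuse 0 or many."""
    arns = matching_arns(pattern, acls)
    if len(arns) != 1:
        raise ValueError(f"{pattern!r} matched {len(arns)} web ACLs, need 1")
    return arns.pop()


if __name__ == "__main__":
    fms = ".*FMManagedWebACLV2-?FMS-.*"
    print("behind an FMS ACL:", wafv2_enabled(STAGES, fms, state=True))
    print("needs attention:  ", wafv2_enabled(STAGES, fms, state=False))
    print("exact name:       ", resolve_single("local-acl$"))
    try:
        resolve_single("local-acl")  # also matches local-acl-test
    except ValueError as exc:
        print("ambiguous:        ", exc)
```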

kk1532 and others added 30 commits April 5, 2022 06:17
mu - changes on LambdaRetry max_attempts
Also rename/shorten the ignore parameter for readability.
@kk1532 kk1532 requested a review from kapilt as a code owner October 31, 2022 08:22
re.match(target_acl, k)]
if len(target_acl_ids) != 1 or \
('arn' not in target_acl_ids[0]):
raise ValueError(f'{target_acl} matching to none or the '
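Review bot: `re.match(target_acl, k)` anchors the pattern only at the start of `k`, so a plain ACL name given as `web-acl` also matches every longer name that begins with it, and the `len(target_acl_ids) != 1` check then rejects a value the user meant as an exact name. Consider `re.fullmatch`, or document in the schema that the value is a start-anchored regex and that exactly one ACL must match. The `'arn' not in target_acl_ids[0]` test is a loose substring check; comparing against the known ARN values would be stricter, and the `ValueError` would be easier to act on if it listed the names that matched.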
Collaborator

nit: the can be omitted.

Contributor Author

Change has been taken care of.

wafs = self.manager.get_resource_manager('wafv2').resources(augment=False)
waf_name_arn_map = {w['Name']: w['ARN'] for w in wafs}
target_acl_id = waf_name_arn_map.get(target_acl, target_acl)
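Review bot: in `waf_name_arn_map.get(target_acl, target_acl)` the fallback returns the caller's string unchanged when no ACL has that name, so a mistyped name or a regex pattern is carried forward as if it were an ARN. Suggest raising when the value is neither a key of `waf_name_arn_map` nor one of its ARN values. The lookup is also an exact-key match, so if this path is meant to accept patterns it should share the regex resolution used for the filter.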

Contributor

@kk1532,
Since wafv2-enabled and set-wafv2 are common for cloudfront, appsync, can we make the same logic? You can refer to pr/7706 for cloudfront wafv2-enabled as well.

Contributor Author

@kk1532 kk1532 Nov 11, 2022

@cahn1 wafv2-enabled filter has been updated with cloudfront logic.

@StevenGunn
Contributor

@kapilt can you please check out the updated code when you get a chance?

CC: @kk1532 @darrendao @cahn1

@kapilt
Collaborator

kapilt commented Nov 21, 2022 via email

@darrendao changed the title from "Apigwwaf" to "aws - rest-stage - wafv2" on Nov 22, 2022

Member

@thisisshi thisisshi left a comment

thanks, lgtm

@thisisshi changed the title from "aws - rest-stage - wafv2" to "aws - rest-stage - add regex match support for wafv2-enabled filter and set-wafv2 action" on Dec 8, 2022
@ajkerrigan ajkerrigan merged commit 1540bdf into cloud-custodian:master Dec 14, 2022