feat(wafv2): scaffold full 55-op JSON 1.1 control plane #798
Merged
vieiralucas merged 2 commits into main from Apr 27, 2026
Adds fakecloud-wafv2 with the complete control plane for AWS WAF v2:
- WebACLs / RuleGroups / IPSets / RegexPatternSets — Create/Get/List/Update/Delete with LockToken optimistic concurrency. Stale tokens get WAFOptimisticLockException; every successful mutation rotates the token.
- REGIONAL + CLOUDFRONT scope segmentation. ARN reflects scope: `regional/webacl/...` vs `global/webacl/...`.
- Web ACL <-> resource associations: AssociateWebACL, DisassociateWebACL, GetWebACLForResource, ListResourcesForWebACL.
- WAFAssociatedItemException blocks delete-while-associated for WebACLs and delete-while-referenced for RuleGroups (scans every WebACL's RuleGroupReferenceStatement entries).
- CheckCapacity computes WCU as the recursive count of statement leaves through AndStatement / OrStatement / NotStatement composition; CreateRuleGroup + UpdateRuleGroup enforce capacity with WAFLimitsExceeded.
- API keys (CreateAPIKey / DeleteAPIKey / GetDecryptedAPIKey / ListAPIKeys) with deterministic base64 payload that round-trips TokenDomains.
- Logging configurations (Put/Get/Delete/List) keyed by Web ACL ARN with scope filter on List.
- Permission policies (Put/Get/Delete) for cross-account RuleGroup share.
- Tags (TagResource/UntagResource/ListTagsForResource) keyed by ARN with WAFNonexistentItemException on unknown ARNs.
- Managed rule catalog: AWSManagedRulesCommonRuleSet, AWSManagedRulesKnownBadInputsRuleSet, AWSManagedRulesSQLiRuleSet discoverable via ListAvailableManagedRuleGroups + Versions, DescribeManagedRuleGroup, DescribeAllManagedProducts, DescribeManagedProductsByVendor, GetManagedRuleSet. Vendor-publishing ops (PutManagedRuleSetVersions, UpdateManagedRuleSetVersionExpiryDate) accept the request and rotate the lock token but don't run a real publishing pipeline.
- Mobile SDK release lookups + presigned URL synthesis.
- DeleteFirewallManagerRuleGroups clears pre/post FM rule arrays + rotates the Web ACL lock token.
- GetSampledRequests, GetTopPathStatisticsByTraffic, GetRateBasedStatementManagedKeys return shape-correct empty observability windows.
Wires AWSWAF_* JSON 1.1 target prefix dispatch, registers the service in the server, adds reset endpoint (full + per-account), testkit SDK client, e2e + conformance harness, audit mapping. Adds the missing ACM audit mapping that wasn't picked up earlier.
Tests: 15 e2e + 55 conformance, all green. Conformance baseline includes wafv2 at 2141/2141 (100%).
Docs: README service table, website services index, dedicated wafv2 service page, scripts/update-aws-models.sh entry, aws-models/service-map.json entry, aws-models/wafv2.json copied from api-models-aws@2019-07-29.
Service count: 31 -> 32. Total ops: 2,297 -> 2,352.
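
The LockToken behaviour listed above (stale token rejected, token rotated on every successful mutation), as an added example that is not fakecloud's implementation. `IpSetStore`, the counter-derived token format and the sample CIDRs are assumptions made for the illustration.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum WafError {
    OptimisticLock,  // stands in for WAFOptimisticLockException
    NonexistentItem, // stands in for WAFNonexistentItemException
}

#[derive(Default)]
struct IpSetStore {
    sets: HashMap<String, (Vec<String>, String)>, // name -> (addresses, lock token)
    issued: u64,
}

impl IpSetStore {
    // Assumption: counter-derived tokens keep the example deterministic;
    // a real service would hand out opaque values.
    fn next_token(&mut self) -> String {
        self.issued += 1;
        format!("lock-{:04}", self.issued)
    }

    // Stores the addresses under a freshly issued token and returns that token.
    fn put(&mut self, name: &str, addrs: &[&str]) -> String {
        let token = self.next_token();
        let addrs = addrs.iter().map(|a| a.to_string()).collect();
        self.sets.insert(name.to_string(), (addrs, token.clone()));
        token
    }

    // Current contents plus the token a writer must echo back.
    fn get(&self, name: &str) -> Option<&(Vec<String>, String)> {
        self.sets.get(name)
    }

    // Validate the caller's token before touching state; rotate it on success.
    fn update(&mut self, name: &str, token: &str, addrs: &[&str]) -> Result<String, WafError> {
        let stale = match self.sets.get(name) {
            None => return Err(WafError::NonexistentItem),
            Some((_, current)) => current.as_str() != token,
        };
        if stale {
            return Err(WafError::OptimisticLock);
        }
        Ok(self.put(name, addrs))
    }
}

fn main() {
    let mut store = IpSetStore::default();
    let t0 = store.put("blocklist", &["192.0.2.0/24"]); // two editors both read t0
    let t1 = store.update("blocklist", &t0, &["192.0.2.0/24", "198.51.100.7/32"]).unwrap();
    let stale = store.update("blocklist", &t0, &["203.0.113.9/32"]); // second editor loses
    println!("{t1} {stale:?} {:?}", store.get("blocklist"));
}
```

The second writer's change is rejected instead of silently overwriting the first writer's rule set; it has to re-read the resource and retry with the current token.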
3 issues found across 24 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="crates/fakecloud-core/src/protocol.rs">
<violation number="1" location="crates/fakecloud-core/src/protocol.rs:377">
P2: Match the WAFV2 target version exactly; this prefix also captures WAF Classic requests and routes them to the wrong service.</violation>
</file>
<file name="crates/fakecloud-wafv2/src/service.rs">
<violation number="1" location="crates/fakecloud-wafv2/src/service.rs:1763">
P2: CLOUDFRONT-scope ARNs are generated with an empty region field instead of `us-east-1`. Real AWS WAF v2 CLOUDFRONT ARNs always use `us-east-1` as the region segment (e.g., `arn:aws:wafv2:us-east-1:ACCOUNT:global/webacl/…`). Any client that parses the region out of these ARNs will get an empty string.</violation>
</file>
<file name="website/content/docs/services/wafv2.md">
<violation number="1" location="website/content/docs/services/wafv2.md:44">
P3: The `list-web-acls` command does not return the `Capacity` (WCU) field, making this comment inaccurate.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Three findings, all valid:
- P2 protocol.rs: WAFv2 target prefix used `starts_with("AWSWAF_")`, which
also captures legacy WAF Classic targets and would route them to the WAF
v2 service. Match `AWSWAF_20190729` exactly so Classic stays unrouted.
- P2 service.rs: CLOUDFRONT-scope ARNs were emitted with an empty region
segment (`arn:aws:wafv2::ACCOUNT:global/...`). Real AWS WAF v2 always
uses `us-east-1` for CLOUDFRONT-scope ARNs regardless of caller region.
Now hardcode `us-east-1` for CLOUDFRONT scope and add an e2e regression
asserting the prefix.
- P3 docs: smoke-test comment said `list-web-acls` returns the WCU
Capacity, but the list response only includes Id/Name/ARN/Description/
LockToken. Fixed the comment + added a `get-web-acl` step that actually
shows Capacity.
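
The two P2 findings above, as an added example that is not fakecloud's code: prefix matching versus exact matching on the target's service part, and the region segment of a CLOUDFRONT-scope ARN. The function and type names, the `AWSWAF_20150824` target used as the non-v2 input, and the account, name and id values are constructed for the illustration.

```rust
// Illustrative names; not fakecloud's own code.
const WAFV2_TARGET: &str = "AWSWAF_20190729";

#[derive(Debug, PartialEq)]
enum Route<'a> {
    WafV2(&'a str), // operation name taken from the target string
    Unrouted,
}

// Pre-fix behaviour from the review: any `AWSWAF_` service prefix is accepted.
fn route_by_prefix(target: &str) -> Route<'_> {
    match target.split_once('.') {
        Some((svc, op)) if svc.starts_with("AWSWAF_") => Route::WafV2(op),
        _ => Route::Unrouted,
    }
}

// Post-fix behaviour: the service part must equal the WAF v2 version string.
fn route_exact(target: &str) -> Route<'_> {
    match target.split_once('.') {
        Some((svc, op)) if svc == WAFV2_TARGET && !op.is_empty() => Route::WafV2(op),
        _ => Route::Unrouted,
    }
}

enum Scope {
    Regional,
    CloudFront,
}

// CLOUDFRONT scope ignores the caller's region and always uses us-east-1.
fn web_acl_arn(scope: Scope, caller_region: &str, account: &str, name: &str, id: &str) -> String {
    let (region, kind) = match scope {
        Scope::Regional => (caller_region, "regional"),
        Scope::CloudFront => ("us-east-1", "global"),
    };
    format!("arn:aws:wafv2:{region}:{account}:{kind}/webacl/{name}/{id}")
}

fn main() {
    // Constructed targets: one WAF v2, one carrying an older AWSWAF_ version string.
    for t in ["AWSWAF_20190729.ListWebACLs", "AWSWAF_20150824.ListWebACLs"] {
        println!("{t}: prefix={:?} exact={:?}", route_by_prefix(t), route_exact(t));
    }
    println!("{}", web_acl_arn(Scope::CloudFront, "eu-west-1", "123456789012", "edge", "0000"));
    println!("{}", web_acl_arn(Scope::Regional, "eu-west-1", "123456789012", "edge", "0000"));
}
```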
Summary
Adds AWS WAF v2 as fakecloud's 32nd service with the full 55-op JSON 1.1 control plane. 100% conformance.
`LockToken` optimistic concurrency that rotates on every mutation; stale tokens get `WAFOptimisticLockException`.
Test plan
Summary by cubic
Add AWS WAF v2 as the 32nd service with the full 55-operation JSON 1.1 control plane. 100% conformance, with accurate target dispatch and CloudFront ARN formatting.
New Features
`AWSWAF_20190729` target dispatch; legacy WAF Classic targets are not routed here.
Bug Fixes
`AWSWAF_20190729` exactly in target parsing to avoid capturing WAF Classic.
`us-east-1` as the region segment to match AWS.
Written for commit 31c195a. Summary will update on new commits.