fix : support overrideAction for WAF (#582)

sid88in · Feb 11, 2024 · e99c51a · e99c51a
1 parent 0832428
commit e99c51a
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 1 deletion.
diff --git a/doc/WAF.md b/doc/WAF.md
@@ -119,6 +119,22 @@ waf:
             - US
 ```
 
+```yml
+waf:
+  enabled: true
+  defaultAction: Block
+  rules:
+    # using ManagedRuleGroup
+    - name: "AWSManagedRulesCommonRuleSet"
+      priority: 20
+      overrideAction:
+        None: {}
+      statement:
+        ManagedRuleGroupStatement:
+          VendorName: "AWS"
+          Name: "AWSManagedRulesCommonRuleSet"
+```
+
 ### Per API Key rules
 
 In some cases, you might want to enable a rule for a given API key only. You can specify `wafRules` under the `appSync.apiKeys` attribute. The rules will apply only to that API key.

diff --git a/src/__tests__/__snapshots__/waf.test.ts.snap b/src/__tests__/__snapshots__/waf.test.ts.snap
@@ -411,6 +411,27 @@ Object {
 }
 `;
 
+exports[`Waf Custom rules should generate a custom rule with ManagedRuleGroup 1`] = `
+Object {
+  "Name": "MyRule1",
+  "OverrideAction": Object {
+    "None": Object {},
+  },
+  "Priority": 200,
+  "Statement": Object {
+    "ManagedRuleGroupStatement": Object {
+      "Name": "AWSManagedRulesCommonRuleSet",
+      "VendorName": "AWS",
+    },
+  },
+  "VisibilityConfig": Object {
+    "CloudWatchMetricsEnabled": true,
+    "MetricName": "MyRule1",
+    "SampledRequestsEnabled": true,
+  },
+}
+`;
+
 exports[`Waf Disable introspection should generate a preset rule 1`] = `
 Object {
   "Action": Object {

diff --git a/src/__tests__/waf.test.ts b/src/__tests__/waf.test.ts
@@ -168,6 +168,27 @@ describe('Waf', () => {
         ),
       ).toMatchSnapshot();
     });
+
+    it('should generate a custom rule with ManagedRuleGroup', () => {
+      expect(
+        waf.buildWafRule(
+          {
+            name: 'MyRule1',
+            priority: 200,
+            overrideAction: {
+              None: {},
+            },
+            statement: {
+              ManagedRuleGroupStatement: {
+                Name: 'AWSManagedRulesCommonRuleSet',
+                VendorName: 'AWS',
+              },
+            },
+          },
+          'Base',
+        ),
+      ).toMatchSnapshot();
+    });
   });
 
   describe('ApiKey rules', () => {

diff --git a/src/resources/Waf.ts b/src/resources/Waf.ts
@@ -14,6 +14,7 @@ import {
   WafThrottleConfig,
 } from '../types/plugin';
 import { Api } from './Api';
+import { toCfnKeys } from '../utils';
 
 export class Waf {
   constructor(private api: Api, private config: WafConfig) {}
@@ -106,10 +107,10 @@ export class Waf {
     }
 
     const action: WafRuleAction = rule.action || 'Allow';
+    const overrideAction = rule.overrideAction;
 
     const result: CfnWafRule = {
       Name: rule.name,
-      Action: { [action]: {} },
       Priority: rule.priority,
       Statement: rule.statement,
       VisibilityConfig: this.getWafVisibilityConfig(
@@ -118,6 +119,12 @@ export class Waf {
       ),
     };
 
+    if (overrideAction) {
+      result.OverrideAction = toCfnKeys(overrideAction);
+    } else {
+      result.Action = { [action]: {} };
+    }
+
     return result;
   }