sticky-shoe-47337
06/12/2023, 9:59 AM
AWSManagedRulesCommonRuleSet but with one rule overridden to Allow: SizeRestrictions_BODY
When I dig into the AWS Classic module it gets quite confusing. In Terraform you have a rule_action_override option but I cannot see how to use that in the Pulumi package. I can override a whole rule group using WebAclRuleOverrideActionArgs but I can't work out how to override just one rule in the rule group. The JSON export of the webacl rules should look like this manually created one when deployed:
    "Rules": [
      {
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": 3,
        "Statement": {
          "ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesCommonRuleSet",
            "RuleActionOverrides": [
              {
                "Name": "SizeRestrictions_BODY",
                "ActionToUse": {
                  "Allow": {}
                }
              }
            ]
          }
        },
        "OverrideAction": {
          "None": {}
        },
        "VisibilityConfig": {
          "SampledRequestsEnabled": true,
          "CloudWatchMetricsEnabled": true,
          "MetricName": "AWS-AWSManagedRulesCommonRuleSet"
        }
      }
    ]
How are you all deploying WAFv2? Am I missing a trick? Thanks for any help!
calm-queen-58154
06/13/2023, 8:55 AM
sticky-shoe-47337
06/13/2023, 8:57 AM
calm-queen-58154
06/13/2023, 9:10 AM
sticky-shoe-47337
06/13/2023, 9:13 AM
sticky-shoe-47337
06/13/2023, 3:37 PM
    pulumi import aws-native:wafv2:WebACL imported-sandbox3-wafv2 "sandbox3-test-native|f57sds2b-9770-493d-9d23-dcd76werf08f1|REGIONAL"
sticky-shoe-47337
06/13/2023, 3:39 PM
    import pulumi_aws_native as aws_native

    # env_name is defined elsewhere in the program
    kv_web_acl = aws_native.wafv2.WebACL(env_name + "-waf-alb",
        default_action=aws_native.wafv2.WebACLDefaultActionArgs(
            block=aws_native.wafv2.WebACLBlockActionArgs(),
        ),
        description="waf for alb deployed via pulumi",
        name=f"{env_name}-waf-alb",
        rules=[aws_native.wafv2.WebACLRuleArgs(
            name="AWS-AWSManagedRulesCommonRuleSet",
            # "none" leaves the rule group's own actions in effect
            override_action=aws_native.wafv2.WebACLOverrideActionArgs(
                none={},
            ),
            priority=0,
            rule_labels=[],
            statement=aws_native.wafv2.WebACLStatementArgs(
                managed_rule_group_statement=aws_native.wafv2.WebACLManagedRuleGroupStatementArgs(
                    excluded_rules=[],
                    managed_rule_group_configs=[],
                    name="AWSManagedRulesCommonRuleSet",
                    # Per-rule override inside the managed rule group
                    rule_action_overrides=[aws_native.wafv2.WebACLRuleActionOverrideArgs(
                        action_to_use=aws_native.wafv2.WebACLRuleActionArgs(
                            count=aws_native.wafv2.WebACLCountActionArgs(),
                        ),
                        name="SizeRestrictions_BODY",
                    )],
                    vendor_name="AWS",
                ),
            ),
            visibility_config=aws_native.wafv2.WebACLVisibilityConfigArgs(
                cloud_watch_metrics_enabled=True,
                metric_name="AWS-AWSManagedRulesCommonRuleSet",
                sampled_requests_enabled=True,
            ),
        )],
        scope=aws_native.wafv2.WebACLScope.REGIONAL,
        visibility_config=aws_native.wafv2.WebACLVisibilityConfigArgs(
            cloud_watch_metrics_enabled=True,
            metric_name=f"{env_name}-waf-alb",
            sampled_requests_enabled=True,
        )
    )
sticky-shoe-47337
06/13/2023, 3:42 PM
    import pulumi
    from pulumi_aws import wafv2

    # <alb-arn> is a placeholder for the load balancer ARN
    web_acl_assoc = wafv2.WebAclAssociation(
        env_name + "-web-acl-alb-assoc",
        resource_arn=<alb-arn>,
        web_acl_arn=kv_web_acl.arn,
        opts=pulumi.ResourceOptions(custom_timeouts=pulumi.CustomTimeouts(create='15m'))
    )