https://pulumi.com logo
#aws
Title
# aws
s

sticky-shoe-47337

06/12/2023, 9:59 AM
Hi all, I'm loving Pulumi so far but I have run into a stumbling block when trying to deploy an AWS CLassic wafv2 acl using Python. Specifically, I'm trying to deploy the AWS Managed Rule group called
AWSManagedRulesCommonRuleSet
but with one rule overridden to Allow:
SizeRestrictions_BODY
When I dig into the AWS Classic module it gets quite confusing. In Terraform you have a
rule_action_override
option but I cannot see how to use that in the Pulumi package. I can override a whole rule group using WebAclRuleOverrideActionArgs butI can't work out how to override just one rule in the rule group. The JSON export of the webacl rules should look like this manually created one when deployed:
Copy code
"Rules": [
    {
      "Name": "AWS-AWSManagedRulesCommonRuleSet",
      "Priority": 3,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet",
          "RuleActionOverrides": [
            {
              "Name": "SizeRestrictions_BODY",
              "ActionToUse": {
                "Allow": {}
              }
            }
          ]
        }
      },
      "OverrideAction": {
        "None": {}
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AWS-AWSManagedRulesCommonRuleSet"
      }
    }
  ]
How are you all deploying WAFv2? Am I missing a trick? Thanks for any help!
c

calm-queen-58154

06/13/2023, 8:55 AM
you could try to import it to see what the generated code looks like.
s

sticky-shoe-47337

06/13/2023, 8:57 AM
okay, thanks, I'll see if I can do that. I wasn't aware that an import would generate the pulumi code
c

calm-queen-58154

06/13/2023, 9:10 AM
I've only been using Pulumi for a few weeks but usually I will search their blog as sometimes there are buried articles that are great, run an import to see the generated code, and look at the source code which has helpful comments.
s

sticky-shoe-47337

06/13/2023, 9:13 AM
Yeah, I was under the impression that an import just imported the resource into the stack. I wasn't aware that it would spit out the code too, very handy! Thanks very much, it worked and there was no way I would have worked out the code on my own 😄
I deleted my previous findings on this because the import seemed to work and would deploy over the existing resource but the import was not translating everything to code. It seemed to be missing the default rule actions so if you copied the code to deploy a similar resource, it would fail. I eventually got it to work using aws-native package instead using
Copy code
pulumi import aws-native:wafv2:WebACL imported-sandbox3-wafv2 "sandbox3-test-native|f57sds2b-9770-493d-9d23-dcd76werf08f1|REGIONAL"
This correctly imported and translated it (I added a default block action and a count to one rule just to test):
Copy code
kv_web_acl = aws_native.wafv2.WebACL(env_name + "-waf-alb",
    default_action=aws_native.wafv2.WebACLDefaultActionArgs(
        block=aws_native.wafv2.WebACLBlockActionArgs(),
    ),
    description="waf for alb deployed via pulumi",
    name=f"{env_name}-waf-alb",
    rules=[aws_native.wafv2.WebACLRuleArgs(
        name="AWS-AWSManagedRulesCommonRuleSet",
        override_action=aws_native.wafv2.WebACLOverrideActionArgs(
            none={},
        ),
        priority=0,
        rule_labels=[],
        statement=aws_native.wafv2.WebACLStatementArgs(
            managed_rule_group_statement=aws_native.wafv2.WebACLManagedRuleGroupStatementArgs(
                excluded_rules=[],
                managed_rule_group_configs=[],
                name="AWSManagedRulesCommonRuleSet",
                rule_action_overrides=[aws_native.wafv2.WebACLRuleActionOverrideArgs(
                    action_to_use=aws_native.wafv2.WebACLRuleActionArgs(
                        count=aws_native.wafv2.WebACLCountActionArgs(),
                    ),
                    name="SizeRestrictions_BODY",
                )],
                vendor_name="AWS",
            ),
        ),
        visibility_config=aws_native.wafv2.WebACLVisibilityConfigArgs(
            cloud_watch_metrics_enabled=True,
            metric_name="AWS-AWSManagedRulesCommonRuleSet",
            sampled_requests_enabled=True,
        ),
    )],
    scope=aws_native.wafv2.WebACLScope.REGIONAL,
    visibility_config=aws_native.wafv2.WebACLVisibilityConfigArgs(
        cloud_watch_metrics_enabled=True,
        metric_name=f"{env_name}-waf-alb",
        sampled_requests_enabled=True,
    )
)
Becasue the web acl association to an alb takes longer than 5 minutes, I had to tweak the timeout to 15 mins. I used AWS Classic for this but I'm sure it would work with aws-native too:
Copy code
web_acl_assoc = wafv2.WebAclAssociation(
    env_name + "-web-acl-alb-assoc",
    resource_arn=<alb-arn>,
    web_acl_arn=kv_web_acl.arn,
    opts=pulumi.ResourceOptions(custom_timeouts=pulumi.CustomTimeouts(create='15m'))
)
48 Views