wafVariables.ts contains the config for the rulesets and looks like this:
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
/*
Define the rule statements and then attach them to the rule objects below.
Currently we just have a base set of managed rules from AWS.
*/
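/**
 * AWS Managed Rules Common Rule Set: the AWS-maintained baseline group that
 * covers broadly applicable web exploit patterns.
 *
 * Typed through the `aws` import: this file imports `aws` and `pulumi` but has
 * no bare `wafv2` binding, so `aws.types.input.wafv2.WebAclRuleStatement`
 * (the path used elsewhere in this file) is what makes the checker validate
 * this object against the provider's input shape.
 */
const commonRulesetStatement: aws.types.input.wafv2.WebAclRuleStatement = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesCommonRuleSet',
  },
};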
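/**
 * AWS Managed Rules SQL Database Rule Set: detects SQL-injection patterns in
 * request components. Complements, not replaces, parameterized queries in the
 * application.
 *
 * Typed through the `aws` import because this file has no bare `wafv2`
 * binding; the fully qualified `aws.types.input.wafv2.WebAclRuleStatement`
 * is the same path used for the bot-control statement in this file.
 */
const SQLiRulesetStatement: aws.types.input.wafv2.WebAclRuleStatement = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesSQLiRuleSet',
  },
};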
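/**
 * AWS Managed Rules Amazon IP Reputation List: blocks or counts requests from
 * source IPs on Amazon's threat-intelligence lists. Cheap to evaluate, so it
 * is usually worth a low priority number so it runs before the heavier groups.
 *
 * Typed through the `aws` import because this file has no bare `wafv2`
 * binding; `aws.types.input.wafv2.WebAclRuleStatement` is the path this file
 * already uses for the bot-control statement.
 */
const ipReputationRulesetStatement: aws.types.input.wafv2.WebAclRuleStatement = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesAmazonIpReputationList',
  },
};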
Then those rule group statements are used to build rules that are passed in to the WebACL resource:
/*
Define rules here, this is to make the resource definitions as tidy as possible in waf.ts
*/
/** Per-rule CloudWatch metric and sampled-request settings for the common rule set. */
const commonRuleSetVisibility = {
  sampledRequestsEnabled: true,
  cloudwatchMetricsEnabled: true,
  metricName: 'AWS-AWSManagedRulesCommonRuleSet',
};

/**
 * Common Rule Set wired up as a WebACL rule.
 *
 * `overrideAction: { none: {} }` leaves the managed group's own rule actions
 * in force, i.e. the group blocks where it is configured to block. Priority 1
 * runs it ahead of any other rules added to the ACL. Sampled requests and
 * metrics are on so matches are visible in CloudWatch while tuning.
 */
export const commonRuleSetRule = {
  name: 'common-ruleset-rule',
  priority: 1,
  statement: commonRulesetStatement,
  overrideAction: { none: {} },
  visibilityConfig: commonRuleSetVisibility,
};
Then, in a file called waf.ts, we do something like this:
import * as aws from '@pulumi/aws';
import {
commonRuleSetRule,
} from './wafVariables';
/** ACL-level metric settings (each rule carries its own visibilityConfig as well). */
const regionalAclVisibility = {
  cloudwatchMetricsEnabled: true,
  metricName: 'regional-web-acl',
  sampledRequestsEnabled: true,
};

/**
 * Regional WebACL carrying the base managed rule set.
 *
 * The default action is allow, so only the attached rule groups ever block a
 * request; a rule whose override is `count` contributes metrics but no
 * enforcement. `scope: 'REGIONAL'` targets regional resources (ALB, API
 * Gateway, AppSync); a CloudFront distribution needs a separate
 * CLOUDFRONT-scoped ACL. `tags` is expected to come from elsewhere in this
 * file (not shown in this snippet).
 */
export const regionalWebAcl = new aws.wafv2.WebAcl('regional-web-acl', {
  defaultAction: { allow: {} },
  description: 'A web acl containing a base set of rules',
  scope: 'REGIONAL',
  rules: [commonRuleSetRule],
  visibilityConfig: regionalAclVisibility,
  tags: { ...tags, Name: 'regional-web-acl' },
});
Set `overrideAction` to `count` in the rule group like this:
/**
 * Count-only override: every action inside the managed group is replaced with
 * count, so matching requests are reported in metrics and sampled requests but
 * are not blocked. Useful for observing false positives before enforcing; the
 * ACL's default action (allow) then decides the outcome for these requests.
 */
const countOnlyOverride = { count: {} };

/**
 * Common Rule Set wired up as a WebACL rule in count-only mode.
 * Priority 5 leaves room for rules that should run ahead of it.
 */
export const commonRuleSetRule = {
  name: 'common-ruleset-rule',
  priority: 5,
  statement: commonRulesetStatement,
  overrideAction: countOnlyOverride,
  visibilityConfig: {
    metricName: 'AWS-AWSManagedRulesCommonRuleSet',
    cloudwatchMetricsEnabled: true,
    sampledRequestsEnabled: true,
  },
};
/**
 * Bot Control rules whose action is demoted from the group default to count.
 * Per AWS, `excludedRules` does not skip a rule: the rule is still evaluated
 * and still emits its metrics and labels, only its action becomes count.
 * Kept as a single name list so additions live in one place.
 * (Newer provider versions expose `ruleActionOverrides` for the same purpose;
 * confirm against the pinned @pulumi/aws version before switching.)
 */
const botControlCountOnlyRules = [
  'SignalNonBrowserUserAgent',
  'CategoryHttpLibrary',
  'SignalAutomatedBrowser',
];

/**
 * AWS Managed Rules Bot Control rule group with the three signals above set to
 * count rather than block, so legitimate non-browser clients (API consumers,
 * HTTP libraries) are observed instead of rejected while the baseline is tuned.
 */
const botRulesetStatement: pulumi.Input<aws.types.input.wafv2.WebAclRuleStatement> = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesBotControlRuleSet',
    excludedRules: botControlCountOnlyRules.map((name) => ({ name })),
  },
};
managedRuleGroupStatement: {
vendorName: 'AWS',
name: 'AWSManagedRulesCommonRuleSet',
},
I'm not sure how to find the different names like AWSManagedRulesCommonRuleSet and/or the different vendor rule sets.