Thread
#aws

    millions-umbrella-34765

    5 months ago
    I'm looking at provisioning a WAF/Web ACL, I'm not clear how you can refer to managed rule groups like "Core rule set" to add to the web acl. Any examples?

    victorious-church-57397

    5 months ago
    Hi Phil, I’ve done this semi recently in my place, let me get you some examples.
    So I have a file called wafVariables.ts which contains the config for the rulesets, which looks like this:
    import * as pulumi from '@pulumi/pulumi';
    import * as aws from '@pulumi/aws';
    
    /*
    Define the rule statements and then attach them to the rule objects below.
    
    Currently we just have a base set of managed rules from AWS.
     */
    // The statement type comes from the aws provider's input types (a bare `wafv2.` name is not in scope here).
    const commonRulesetStatement: pulumi.Input<aws.types.input.wafv2.WebAclRuleStatement> = {
      managedRuleGroupStatement: {
        vendorName: 'AWS',
        name: 'AWSManagedRulesCommonRuleSet',
      },
    };
    
    const SQLiRulesetStatement: pulumi.Input<aws.types.input.wafv2.WebAclRuleStatement> = {
      managedRuleGroupStatement: {
        vendorName: 'AWS',
        name: 'AWSManagedRulesSQLiRuleSet',
      },
    };
    
    const ipReputationRulesetStatement: pulumi.Input<aws.types.input.wafv2.WebAclRuleStatement> = {
      managedRuleGroupStatement: {
        vendorName: 'AWS',
        name: 'AWSManagedRulesAmazonIpReputationList',
      },
    };
    Then those rule group statements need to be used to create rules to pass in to the WebAcl resource:
    /*
    Define rules here, this is to make the resource definitions as tidy as possible in waf.ts
     */
    export const commonRuleSetRule = {
      name: 'common-ruleset-rule',
      priority: 1,
      statement: commonRulesetStatement,
      overrideAction: {
        none: {},
      },
      visibilityConfig: {
        sampledRequestsEnabled: true,
        cloudwatchMetricsEnabled: true,
        metricName: 'AWS-AWSManagedRulesCommonRuleSet',
      },
    };
    Then in a file called waf.ts we do something like this:
    import * as aws from '@pulumi/aws';
    import {
      commonRuleSetRule,
    } from './wafVariables';
    
    // `tags` is the stack's shared tag map, defined elsewhere in the project and spread in below.
    export const regionalWebAcl = new aws.wafv2.WebAcl('regional-web-acl', {
      defaultAction: {
        allow: {},
      },
      description: 'A web acl containing a base set of rules',
      scope: 'REGIONAL',
      rules: [
        commonRuleSetRule,
      ],
      visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: 'regional-web-acl',
        sampledRequestsEnabled: true,
      },
      tags: {
        ...tags,
        Name: 'regional-web-acl',
      },
    });
    If you want to see if the rules would be triggered without actioning the request, set the overrideAction to count in the rule group like this:
    export const commonRuleSetRule = {
      name: 'common-ruleset-rule',
      priority: 5,
      statement: commonRulesetStatement,
      overrideAction: {
        count: {},
      },
      visibilityConfig: {
        sampledRequestsEnabled: true,
        cloudwatchMetricsEnabled: true,
        metricName: 'AWS-AWSManagedRulesCommonRuleSet',
      },
    };
    And if you need to exclude any rules from the rule groups, you can do so like this:
    const botRulesetStatement: pulumi.Input<aws.types.input.wafv2.WebAclRuleStatement> = {
      managedRuleGroupStatement: {
        vendorName: 'AWS',
        name: 'AWSManagedRulesBotControlRuleSet',
        excludedRules: [
          {
            name: 'SignalNonBrowserUserAgent',
          },
          {
            name: 'CategoryHttpLibrary',
          },
          {
            name: 'SignalAutomatedBrowser',
          },
        ],
      },
    };
    Hope this helps! Drop me a message if you need anything else.

    millions-umbrella-34765

    5 months ago
    @victorious-church-57397 Thanks! This is very helpful. My first question is where are the different rule sets defined/documented?
      managedRuleGroupStatement: {
        vendorName: 'AWS',
        name: 'AWSManagedRulesCommonRuleSet',
      },
    I'm not sure how to find the different names like AWSManagedRulesCommonRuleSet and/or the different vendor rule sets.

    victorious-church-57397

    5 months ago
    Hey @millions-umbrella-34765, I just found them on the AWS docs: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html

    millions-umbrella-34765

    5 months ago
    Ah, I see.

    victorious-church-57397

    5 months ago
    Yeah, that's the one 🙂
    Be mindful of the WCU count of the rule sets, as there is a maximum of 1500 WCU per WebAcl.
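A small helper that ties the pieces of this thread together, added here as an example and not code from either poster: it builds the `rules` array for `aws.wafv2.WebAcl` from a list of managed rule groups, assigns priorities in list order, switches a group between enforce (`none`) and observe-only (`count`), attaches `excludedRules`, and fails up front if the summed WCU would exceed the 1500 WCU per-WebAcl limit mentioned above. It uses plain objects instead of importing Pulumi so it runs stand-alone; the `RuleGroupSpec` shape and `buildManagedRules` name are my own, and the per-group WCU figures are supplied by the caller from the AWS managed rule groups page linked earlier.

```typescript
// Plain-object shape of one managed-rule-group entry in aws.wafv2.WebAcl `rules`
// (no Pulumi import, so this runs stand-alone; the resource accepts these objects as-is).
interface ManagedRuleGroupRule {
  name: string;
  priority: number;
  statement: {
    managedRuleGroupStatement: { vendorName: string; name: string; excludedRules?: { name: string }[] };
  };
  overrideAction: { count: {} } | { none: {} };
  visibilityConfig: { sampledRequestsEnabled: boolean; cloudwatchMetricsEnabled: boolean; metricName: string };
}

// Hypothetical input shape for this helper (not part of the Pulumi API).
interface RuleGroupSpec {
  group: string;            // managed rule group name, e.g. 'AWSManagedRulesCommonRuleSet'
  wcu: number;              // capacity listed for the group on the AWS managed rule groups page
  countOnly?: boolean;      // true = observe only (overrideAction: count); otherwise enforce (none)
  excludedRules?: string[]; // rules inside the group to exclude (WAF counts them instead of acting)
}

// Per-WebAcl capacity limit quoted in the thread; exceeding it makes the deployment fail.
const MAX_WEB_ACL_WCU = 1500;

// Build the `rules` array: priorities follow the order of `specs`, WCU budget is checked first.
function buildManagedRules(specs: RuleGroupSpec[]): ManagedRuleGroupRule[] {
  const totalWcu = specs.reduce((sum, s) => sum + s.wcu, 0);
  if (totalWcu > MAX_WEB_ACL_WCU) {
    throw new Error(`rule groups need ${totalWcu} WCU, WebAcl limit is ${MAX_WEB_ACL_WCU}`);
  }
  if (new Set(specs.map((s) => s.group)).size !== specs.length) {
    throw new Error('a managed rule group can only be attached once per WebAcl');
  }
  return specs.map((s, i) => {
    const managed: ManagedRuleGroupRule['statement']['managedRuleGroupStatement'] = {
      vendorName: 'AWS',
      name: s.group,
    };
    if (s.excludedRules && s.excludedRules.length > 0) {
      managed.excludedRules = s.excludedRules.map((name) => ({ name }));
    }
    return {
      name: `${s.group}-rule`,
      priority: i + 1, // lower numbers are evaluated first
      statement: { managedRuleGroupStatement: managed },
      overrideAction: s.countOnly ? { count: {} } : { none: {} },
      visibilityConfig: { sampledRequestsEnabled: true, cloudwatchMetricsEnabled: true, metricName: `AWS-${s.group}` },
    };
  });
}
```

Running a new group in `countOnly` mode first and watching its CloudWatch metric before flipping it to enforce is the same count-then-block rollout the thread describes.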