# aws
m
I'm looking at provisioning a WAF/Web ACL, I'm not clear how you can refer to managed rule groups like "Core rule set" to add to the web acl. Any examples?
v
Hi Phil, I’ve done this semi recently in my place, let me get you some examples
so I have a file called wafVariables.ts which contains the config for the rulesets, which looks like this:
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';

/*
Define the rule statements and then attach them to the rule objects below.

Currently we just have a base set of managed rules from AWS.
 */
// Each statement references an AWS-managed rule group by vendor and group name.
const commonRulesetStatement: aws.types.input.wafv2.WebAclRuleStatement = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesCommonRuleSet',
  },
};

const SQLiRulesetStatement: aws.types.input.wafv2.WebAclRuleStatement = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesSQLiRuleSet',
  },
};

const ipReputationRulesetStatement: aws.types.input.wafv2.WebAclRuleStatement = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesAmazonIpReputationList',
  },
};
then those rule group statements need to be used to create rules to pass in to the webacl resource:
/*
Define rules here, this is to make the resource definitions as tidy as possible in waf.ts
 */
export const commonRuleSetRule = {
  name: 'common-ruleset-rule',
  priority: 1,
  statement: commonRulesetStatement,
  overrideAction: {
    none: {},
  },
  visibilityConfig: {
    sampledRequestsEnabled: true,
    cloudwatchMetricsEnabled: true,
    metricName: 'AWS-AWSManagedRulesCommonRuleSet',
  },
};
then in a file called waf.ts we do something like this:
import * as aws from '@pulumi/aws';
import {
  commonRuleSetRule,
} from './wafVariables';

// Placeholder for the project's common tag map (defined elsewhere in the real code).
const tags: Record<string, string> = {};

export const regionalWebAcl = new aws.wafv2.WebAcl('regional-web-acl', {
  defaultAction: {
    allow: {},
  },
  description: 'A web acl containing a base set of rules',
  scope: 'REGIONAL',
  rules: [
    commonRuleSetRule,
  ],
  visibilityConfig: {
    cloudwatchMetricsEnabled: true,
    metricName: 'regional-web-acl',
    sampledRequestsEnabled: true,
  },
  tags: {
    ...tags,
    Name: 'regional-web-acl',
  },
});
if you want to see if the rules would be triggered without actioning the request, set the overrideAction to count in the rule group like this:
export const commonRuleSetRule = {
  name: 'common-ruleset-rule',
  priority: 5,
  statement: commonRulesetStatement,
  overrideAction: {
    count: {},
  },
  visibilityConfig: {
    sampledRequestsEnabled: true,
    cloudwatchMetricsEnabled: true,
    metricName: 'AWS-AWSManagedRulesCommonRuleSet',
  },
};
and if you need to exclude any rules from the rulegroups, you can do so like this:
const botRulesetStatement: pulumi.Input<aws.types.input.wafv2.WebAclRuleStatement> = {
  managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesBotControlRuleSet',
    excludedRules: [
      {
        name: 'SignalNonBrowserUserAgent',
      },
      {
        name: 'CategoryHttpLibrary',
      },
      {
        name: 'SignalAutomatedBrowser',
      },
    ],
  },
};
hope this helps! drop me a message if you need anything else
m
@victorious-church-57397 Thanks! This is very helpful. My first question is where are the different rule sets defined/documented?
managedRuleGroupStatement: {
    vendorName: 'AWS',
    name: 'AWSManagedRulesCommonRuleSet',
  },
I'm not sure how to find the different names like AWSManagedRulesCommonRuleSet and/or the different vendor rule sets.
v
hey @millions-umbrella-34765, I just found them on the AWS docs https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
m
Ah, I see.
v
yeah, that's the one 🙂
be mindful of the WCU count of the rule sets, as there is a maximum of 1500 WCU per webacl