📖

@aws-cdk/aws-wafv2 の L2 の設計を考えてみる

2021/11/28に公開約4,500字

考え中の公開ノート。

WebACL

CFn

webacl

CloudFormation はこんな感じ。

Statementはめんどいやつ。別パッケージ切るパターンか。

Design

WebACL

Rule

Statements

  • Logical
    • AndStatement
    • NotStatement
    • OrStatement
  • Depends on other resources
    • IPSetReferenceStatement
    • RegexPatternSetReferenceStatement
    • RuleGroupReferenceStatement
  • Others
    • ByteMatchStatement
    • GeoMatchStatement
    • LabelMatchStatement
    • ManagedRuleGroupStatement
    • RateBasedStatement
    • SizeConstraintStatement
    • SqliMatchStatement
    • XssMatchStatement

Usage

new wafv2.WebACL(this, "WebACL", {
  scope: wafv2.Scope.REGIONAL,
  defaultAction: wafv2.DefaultAction.block(),
  rules: [
    {
      name: "IPSetAllow",
      action: wafv2.RuleAction.allow(),
      statement: new wafv2Statement.IPSetReferenceStatement(ipSet),
    },
    {
      name: "OWASP",
      overrideAction: wafv2.OverrideAction.count(),
      statement: new wafv2Statement.ManagedRuleGroupStatement({
        vendorName: "AWS",
        name: "AWSManagedRulesCommonRuleSet",
      }),
    },
  ],
});

Note: priority of the rules is automatically numbered according to the order of the rules.
If priority is set specifically, all rules must be set priority.

Note: visibilityConfig have default value.
If WebACLProps.visibilityConfig is set, Rules inherit it.

Roadmap

  1. implement WebACL with only required properties
    • It will not be able to use Rules
  2. implement Rule with one Statement(LabelMatchStatement)
  3. implement other remaining properties
  4. implement Statements
GitHubで編集を提案

Discussion

ログインするとコメントできます