Thinking about an L2 design for @aws-cdk/aws-wafv2

Public notes on a design that is still being thought through.

WebACL

CFn

The CloudFormation side looks like this.

Statement is the awkward part. Splitting it out into a separate package is one possible pattern.

Design

WebACL

classDiagram
  WebACL ..> WebACLProps
  WebACLProps o.. CustomResponseBody
  WebACLProps o.. Scope
  WebACLProps o.. DefaultAction
  WebACLProps o.. Rule
  DefaultAction ..> DefaultActionConfig
  WebACLProps o.. VisibilityConfig
  Rule o.. VisibilityConfig

  class WebACL {
    +constructor(props: WebACLProps)
  }
  class WebACLProps {
    name?: string;
    description?: string;
    scope: Scope;
    customResponseBodies?: Record<string, CustomResponseBody>;
    defaultAction: DefaultAction;
    rules?: Rule[];
    visibilityConfig?: VisibilityConfig;
  }
  <<Interface>> WebACLProps

  class CustomResponseBody {
    content: string;
    contentType: string;
  }
  <<Interface>> CustomResponseBody

  class Scope {
    REGIONAL
    CLOUDFRONT
  }
  <<enumeration>> Scope

  class DefaultAction {
    allow()$ DefaultAction
    block()$ DefaultAction
    bind()* DefaultActionConfig
  }
  <<abstract>> DefaultAction
  class DefaultActionConfig {
    configuration: CfnWebACL.DefaultActionProperty;
  }
  <<Interface>> DefaultActionConfig

  class Rule {
    name: string;
    action?: RuleAction;
    overrideAction?: OverrideAction;
    priority?: number;
    statement: IStatement;
    visibilityConfig?: VisibilityConfig;
    ruleLabels?: string[];
  }
  <<Interface>> Rule
  class VisibilityConfig {
    cloudWatchMetricsEnabled: boolean;
    metricName: string;
    sampledRequestsEnabled: boolean;
  }
  <<Interface>> VisibilityConfig

Rule

classDiagram
  Rule o.. RuleAction
  RuleAction ..> RuleActionConfig
  Rule o.. OverrideAction
  OverrideAction ..> OverrideActionConfig
  Rule o.. IStatement
  IStatement ..> StatementConfig

  class Rule {
    name: string;
    action?: RuleAction;
    overrideAction?: OverrideAction;
    priority?: number;
    statement: IStatement;
    visibilityConfig?: VisibilityConfig;
    ruleLabels?: string[];
  }
  <<Interface>> Rule

  class RuleAction {
    allow()$ RuleAction
    block()$ RuleAction
    count()$ RuleAction
    bind()* RuleActionConfig
  }
  <<abstract>> RuleAction
  class RuleActionConfig {
    configuration: CfnRuleGroup.RuleActionProperty;
  }
  <<Interface>> RuleActionConfig

  class OverrideAction {
    count()$ OverrideAction
    none()$ OverrideAction
    bind()* OverrideActionConfig
  }
  <<abstract>> OverrideAction
  class OverrideActionConfig {
    count?: Json;
    none?: Json;
  }
  <<Interface>> OverrideActionConfig

  class IStatement {
    bind() StatementConfig
  }
  <<Interface>> IStatement
  class StatementConfig {
    configuration: CfnRuleGroup.StatementProperty;
  }
  <<Interface>> StatementConfig

Statements

  • Logical
    • AndStatement
    • NotStatement
    • OrStatement
  • Depends on other resources
    • IPSetReferenceStatement
    • RegexPatternSetReferenceStatement
    • RuleGroupReferenceStatement
  • Others
    • ByteMatchStatement
    • GeoMatchStatement
    • LabelMatchStatement
    • ManagedRuleGroupStatement
    • RateBasedStatement
    • SizeConstraintStatement
    • SqliMatchStatement
    • XssMatchStatement

Usage

// Assumed imports: wafv2 is this package; the Statement package name is a placeholder
// for the separate package considered above.
import * as wafv2 from "@aws-cdk/aws-wafv2";
import * as wafv2Statement from "@aws-cdk/aws-wafv2-statement"; // hypothetical package name

// ipSet is an IPSet construct assumed to be created earlier in the same stack.
new wafv2.WebACL(this, "WebACL", {
  scope: wafv2.Scope.REGIONAL,
  // Default-deny: anything not matched by an allow rule is blocked.
  defaultAction: wafv2.DefaultAction.block(),
  rules: [
    {
      // Allow-list of known IPs; priority 0 is derived from array order.
      name: "IPSetAllow",
      action: wafv2.RuleAction.allow(),
      statement: new wafv2Statement.IPSetReferenceStatement(ipSet),
    },
    {
      // Managed rule group in count mode: observe matches without blocking.
      name: "OWASP",
      overrideAction: wafv2.OverrideAction.count(),
      statement: new wafv2Statement.ManagedRuleGroupStatement({
        vendorName: "AWS",
        name: "AWSManagedRulesCommonRuleSet",
      }),
    },
  ],
});

Note: the priority of each rule is numbered automatically from the order of the rules.
If priority is set explicitly on any rule, it must be set on all rules.

Note: visibilityConfig has a default value.
If WebACLProps.visibilityConfig is set, the Rules inherit it.
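The two notes above describe how the L2 would normalise rules before rendering them to CloudFormation. The following is an added example, not code from the page or from the CDK project, sketching that normalisation; it assumes auto-numbering starts at 0, that an unset visibilityConfig falls back to the WebACL's config and then to a metrics-enabled default named after the rule, and it adds a uniqueness check on explicit priorities (a WAF requirement the page does not spell out).

```typescript
// Added example: rule normalisation for the WebACL L2 design (hypothetical code).
interface VisibilityConfig {
  cloudWatchMetricsEnabled: boolean;
  metricName: string;
  sampledRequestsEnabled: boolean;
}

// Only the fields that matter for numbering and metrics; statement/actions are omitted.
interface Rule {
  name: string;
  priority?: number;
  visibilityConfig?: VisibilityConfig;
}

// Shape of the rendered CfnWebACL rule (subset).
interface RenderedRule {
  Name: string;
  Priority: number;
  VisibilityConfig: VisibilityConfig;
}

function renderRules(rules: Rule[], aclVisibility?: VisibilityConfig): RenderedRule[] {
  const explicit = rules.filter((r) => r.priority !== undefined);
  // Either every rule carries a priority, or none does (then array order decides).
  if (explicit.length !== 0 && explicit.length !== rules.length) {
    throw new Error("if priority is set on any rule, it must be set on all rules");
  }
  // Assumed check: WAF rejects duplicate priorities within one WebACL.
  if (explicit.length === rules.length && new Set(rules.map((r) => r.priority)).size !== rules.length) {
    throw new Error("rule priorities must be unique");
  }
  return rules.map((rule, index) => ({
    Name: rule.name,
    Priority: rule.priority ?? index, // assumption: auto-numbering starts at 0
    // Rule-level config wins, then the WebACL's config, then a per-rule default.
    VisibilityConfig: rule.visibilityConfig ?? aclVisibility ?? {
      cloudWatchMetricsEnabled: true,
      metricName: rule.name,
      sampledRequestsEnabled: true,
    },
  }));
}
```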

Roadmap

  1. Implement WebACL with only the required properties
    • Rules will not be usable yet
  2. Implement Rule with one Statement (LabelMatchStatement)
  3. Implement the remaining properties
  4. Implement Statements