(wafv2): wafv2.CfnWebACL.ExcludedRuleProperty name argument casing #27993

Open
gebailey opened this issue Nov 14, 2023 · 5 comments
Labels
@aws-cdk/aws-wafv2 bug This issue is a bug. effort/small Small work item – less than a day of effort p3

Comments

@gebailey

Describe the bug

Not sure if this is a documentation bug, or a bug within CDK, but we're trying to modify rule sets on a Web ACL, and it's unclear if the name argument to wafv2.CfnWebACL.ExcludedRuleProperty is supposed to be upper-cased or lower-cased. The documentation at https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_wafv2/CfnWebACL.html#excludedruleproperty specifies name (with a lower-case n).

But we see the following error (warning?) when running CDK:

Properties validation failed for resource cirrusscanwafacl with message:
#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: required key [Name] not found
#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: extraneous key [name] is not permitted

The modifications to the rule list seem to take effect, despite the error (warning?) displayed above.

Expected Behavior

I would not expect to see validation errors when using name.

Current Behavior

I see unexpected validation errors when using name:

#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: required key [Name] not found
#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: extraneous key [name] is not permitted

Reproduction Steps

Our CDK stack constructs a WAFv2 Web ACL, and specifies rules using:

                rules=[
                    # AWS Common Ruleset (with modifications)
                    wafv2.CfnWebACL.RuleProperty(
                        name="CirrusScan-AWSManagedRulesCommonRuleSet",
                        priority=0,
                        override_action=wafv2.CfnWebACL.OverrideActionProperty(
                            none={},
                        ),
                        visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
                            sampled_requests_enabled=True,
                            cloud_watch_metrics_enabled=True,
                            metric_name="CirrusScan-MetricForAMRCommon",
                        ),
                        statement=wafv2.CfnWebACL.StatementProperty(
                            managed_rule_group_statement=wafv2.CfnWebACL.ManagedRuleGroupStatementProperty(
                                vendor_name="AWS",
                                name="AWSManagedRulesCommonRuleSet",
                                excluded_rules=[
                                    wafv2.CfnWebACL.ExcludedRuleProperty(
                                        name="SizeRestrictions_BODY"
                                    ),
                                    wafv2.CfnWebACL.ExcludedRuleProperty(
                                        name="GenericRFI_BODY"
                                    ),
                                    wafv2.CfnWebACL.ExcludedRuleProperty(
                                        name="EC2MetaDataSSRF_BODY"
                                    ),
                                ],
                            ),
                        ),
                    ),

Documentation for wafv2.CfnWebACL.ExcludedRuleProperty suggests that name (lowercase N) should be specified as the parameter, but errors/warnings emitted by CDK suggest it is expecting Name (uppercase N).

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.96.2

Framework Version

No response

Node.js Version

18

OS

Ubuntu Linux

Language

Python

Language Version

Python 3.11

Other information

No response

@gebailey gebailey added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 14, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 14, 2023
@khushail
Contributor

@gebailey, thanks for reporting this. Have you tried this with the latest CDK version, and are you still facing the issue?

@gebailey
Author

I upgraded to CDK 2.108.1 and still see this. It's strange because it looks like CloudFormation is emitting some kind of warning or notice, but the CDK output itself appears to complete. If I look at CloudFormation, the "Status reason" for the UPDATE_IN_PROGRESS step shows:

Resource template validation failed for resource cirrusscanwafacl as the template has invalid properties. Please refer to the resource documentation to fix the template. Properties validation failed for resource cirrusscanwafacl with message: #/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: required key [Name] not found #/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader: extraneous key [name] is not permitted

And I think the above warning shows up in our GitHub action output, which is what prompted the issue.
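
The `#/...` path in the validation messages above can be resolved against the WebACL's synthesized `Properties` to find the exact object being rejected; here it names a `SingleHeader` object under rule index 3. The sketch below is an added example, not code from the issue or from CDK: the template fragment and the header value `content-length` are constructed, and `parse_messages`, `resolve` and `diagnose` are hypothetical helper names.

```python
import re

# Path taken from the validation messages quoted in the issue.
PTR = ("#/Rules/3/Statement/RateBasedStatement/ScopeDownStatement/NotStatement"
       "/Statement/SizeConstraintStatement/FieldToMatch/SingleHeader")
MESSAGES = (f"{PTR}: required key [Name] not found\n"
            f"{PTR}: extraneous key [name] is not permitted\n")

# Constructed stand-in for the synthesized AWS::WAFv2::WebACL Properties;
# rules 0-2 are left empty and the header value is made up.
SAMPLE_PROPS = {"Rules": [{}, {}, {}, {"Statement": {"RateBasedStatement": {
    "ScopeDownStatement": {"NotStatement": {"Statement": {
        "SizeConstraintStatement": {"FieldToMatch": {
            "SingleHeader": {"name": "content-length"}}}}}}}}}]}

MSG_RE = re.compile(r"(#/\S+): (required|extraneous) key \[([^\]]+)\]")

def parse_messages(text):
    """Return (pointer, kind, key) tuples from multi-line or run-together text."""
    return [m.groups() for m in MSG_RE.finditer(text)]

def resolve(doc, pointer):
    """Follow a '#/a/0/b' style path through nested dicts and lists."""
    node = doc
    for token in pointer.lstrip("#").strip("/").split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node

def diagnose(props, text):
    """Pair each extraneous key with a required key that differs only in case."""
    grouped = {}
    for ptr, kind, key in parse_messages(text):
        grouped.setdefault(ptr, {"required": [], "extraneous": []})[kind].append(key)
    findings = []
    for ptr, keys in grouped.items():
        node = resolve(props, ptr)
        for found in keys["extraneous"]:
            expected = next((r for r in keys["required"]
                             if r.lower() == found.lower()), None)
            findings.append({"pointer": ptr, "found": found,
                             "expected": expected, "value": node.get(found)})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_PROPS, MESSAGES):
        print(f"{f['pointer']}: key {f['found']!r} should be {f['expected']!r}")
```

To run it against a real stack, load the `Properties` of the WebACL resource from the template that `cdk synth` writes and pass the deployment's status reason text as the second argument.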

@Recad

Recad commented Nov 20, 2023

Something similar here with Golang and SingleHeaderProperty #28074

@khushail
Contributor

Hi @gebailey, we have discussed a similar issue (#28074) with the team and are looking for a workaround. Thanks for reporting this.

@khushail khushail added p2 needs-review and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Nov 22, 2023
@khushail khushail added effort/small Small work item – less than a day of effort and removed needs-review labels Dec 5, 2023
@pahud
Contributor

pahud commented Jun 4, 2024

related to #23679 (comment)

@pahud pahud added p3 and removed p2 labels Jun 11, 2024