feat(WAF): support associating WAF without creating (#504)

Co-authored-by: bboure <[email protected]>
sid88in · Mar 7, 2023 · 69a110a · 69a110a
1 parent a57e18c
commit 69a110a
Show file tree

Hide file tree

Showing 8 changed files with 103 additions and 18 deletions.
diff --git a/doc/WAF.md b/doc/WAF.md
@@ -8,6 +8,8 @@ You can configure WAF rules under the `appSync.waf` attribute.
 
 ## Quick start
 
+You can define a collection of rules for your web ACL and associate it:
+
 ```yaml
 appSync:
   name: my-api
@@ -19,17 +21,28 @@ appSync:
       - disableIntrospection
 ```
 
+Or directly associate an existing web ACL:
+
+```yaml
+appSync:
+  name: my-api
+  waf:
+    enabled: true
+    arn: 'arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-Waf/d7b694d2-4f7d-4dd6-a9a9-843dd1931330'
+```
+
 ## Configuration
 
 - `enabled`: Boolean. Enable or disable WAF. Defaults to `true` when `appSync.waf` is defined.
+- `arn`: Optional. The WAF's ARN to associate with your AppSync resource.
 - `name`: Optional. The name of this WAF instance. Defaults to the name of your API.
 - `defaultAction`: Optional. The default action if a request does not match a rule. `Allow` or `Block`. Defaults to `Allow`.
-- `description`: A description for this WAF instance.
+- `description`: Optional. A description for this WAF instance.
 - `visibilityConfig`: Optional. A [visibility config](https://docs.aws.amazon.com/waf/latest/APIReference/API_VisibilityConfig.html) for this WAF
   - `name`: Metric name
   - `cloudWatchMetricsEnabled`: A boolean indicating whether the associated resource sends metrics to Amazon CloudWatch
   - `sampledRequestsEnabled`: A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rule
-- `rules`: An array of [rules](#rules).
+- `rules`: Required. An array of [rules](#rules). Optional when `arn` is present
 
 ## Rules
 

diff --git a/src/__tests__/__snapshots__/waf.test.ts.snap b/src/__tests__/__snapshots__/waf.test.ts.snap
@@ -287,6 +287,23 @@ Array [
 ]
 `;
 
+exports[`Waf Base Resources should generate only the waf association 1`] = `
+Object {
+  "GraphQlWafAssoc": Object {
+    "Properties": Object {
+      "ResourceArn": Object {
+        "Fn::GetAtt": Array [
+          "GraphQlApi",
+          "Arn",
+        ],
+      },
+      "WebACLArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-Waf/d7b694d2-4f7d-4dd6-a9a9-843dd1931330",
+    },
+    "Type": "AWS::WAFv2::WebACLAssociation",
+  },
+}
+`;
+
 exports[`Waf Base Resources should generate waf Resources 1`] = `
 Object {
   "GraphQlWaf": Object {

diff --git a/src/__tests__/validation/__snapshots__/base.test.ts.snap b/src/__tests__/validation/__snapshots__/base.test.ts.snap
@@ -36,14 +36,16 @@ exports[`Valdiation Log Invalid should validate a Invalid 1`] = `
 `;
 
 exports[`Valdiation Waf Invalid should validate a Invalid 1`] = `
-"/waf/enabled: must be boolean
-/waf/name: must be string
+"/waf/name: must be string
 /waf/defaultAction: must be 'Allow' or 'Block'
 /waf/rules/0: must be a valid WAF rule
 /waf/rules/1: must be a valid WAF rule
-/waf/rules/2: must be a valid WAF rule"
+/waf/rules/2: must be a valid WAF rule
+/waf/enabled: must be boolean"
 `;
 
+exports[`Valdiation Waf Invalid should validate a Invalid arn 1`] = `"/waf/arn: must be a string or a CloudFormation intrinsic function"`;
+
 exports[`Valdiation Waf Invalid should validate a Throttle limit 1`] = `
 "/waf/rules/0: must be a valid WAF rule
 /waf/rules/1: must be a valid WAF rule"

diff --git a/src/__tests__/validation/base.test.ts b/src/__tests__/validation/base.test.ts
@@ -152,6 +152,16 @@ describe('Valdiation', () => {
             },
           } as AppSyncConfigInput,
         },
+        {
+          name: 'Using arn',
+          config: {
+            ...basicConfig,
+            waf: {
+              enabled: true,
+              arn: 'arn:aws:',
+            },
+          },
+        },
       ];
 
       assertions.forEach((config) => {
@@ -187,6 +197,15 @@ describe('Valdiation', () => {
             },
           },
         },
+        {
+          name: 'Invalid arn',
+          config: {
+            ...basicConfig,
+            waf: {
+              arn: 123,
+            },
+          },
+        },
         {
           name: 'Throttle limit',
           config: {

diff --git a/src/__tests__/waf.test.ts b/src/__tests__/waf.test.ts
@@ -60,6 +60,15 @@ describe('Waf', () => {
       );
       expect(api.compileWafRules()).toEqual({});
     });
+
+    it('should generate only the waf association', () => {
+      const api = new Api(given.appSyncConfig(), plugin);
+      const waf = new Waf(api, {
+        enabled: true,
+        arn: 'arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-Waf/d7b694d2-4f7d-4dd6-a9a9-843dd1931330',
+      });
+      expect(waf.compile()).toMatchSnapshot();
+    });
   });
 
   describe('Throttle rules', () => {

diff --git a/src/resources/Waf.ts b/src/resources/Waf.ts
@@ -23,11 +23,23 @@ export class Waf {
     if (wafConfig.enabled === false) {
       return {};
     }
+    const apiLogicalId = this.api.naming.getApiLogicalId();
+    const wafAssocLogicalId = this.api.naming.getWafAssociationLogicalId();
+
+    if (wafConfig.arn) {
+      return {
+        [wafAssocLogicalId]: {
+          Type: 'AWS::WAFv2::WebACLAssociation',
+          Properties: {
+            ResourceArn: { 'Fn::GetAtt': [apiLogicalId, 'Arn'] },
+            WebACLArn: wafConfig.arn,
+          },
+        },
+      };
+    }
 
     const name = wafConfig.name || `${this.api.config.name}Waf`;
-    const apiLogicalId = this.api.naming.getApiLogicalId();
     const wafLogicalId = this.api.naming.getWafLogicalId();
-    const wafAssocLogicalId = this.api.naming.getWafAssociationLogicalId();
     const defaultActionSource = wafConfig.defaultAction || 'Allow';
     const defaultAction: CfnWafAction =
       typeof defaultActionSource === 'string'

diff --git a/src/types/plugin.ts b/src/types/plugin.ts
@@ -26,11 +26,12 @@ export type IamStatement = {
 
 export type WafConfig = {
   enabled?: boolean;
+  arn?: string;
   name?: string;
   defaultAction?: WafAction;
   description?: string;
   visibilityConfig?: VisibilityConfig;
-  rules: WafRule[];
+  rules?: WafRule[];
 };
 
 export type WafThrottleConfig =

diff --git a/src/validation.ts b/src/validation.ts
@@ -664,19 +664,31 @@ export const appSyncSchema = {
       type: 'object',
       properties: {
         enabled: { type: 'boolean' },
-        name: { type: 'string' },
-        defaultAction: {
-          type: 'string',
-          enum: ['Allow', 'Block'],
-          errorMessage: "must be 'Allow' or 'Block'",
+      },
+      if: {
+        required: ['arn'],
+      },
+      then: {
+        properties: {
+          arn: { $ref: '#/definitions/stringOrIntrinsicFunction' },
         },
-        description: { type: 'string' },
-        rules: {
-          type: 'array',
-          items: { $ref: '#/definitions/wafRule' },
+      },
+      else: {
+        properties: {
+          name: { type: 'string' },
+          defaultAction: {
+            type: 'string',
+            enum: ['Allow', 'Block'],
+            errorMessage: "must be 'Allow' or 'Block'",
+          },
+          description: { type: 'string' },
+          rules: {
+            type: 'array',
+            items: { $ref: '#/definitions/wafRule' },
+          },
         },
+        required: ['rules'],
       },
-      required: ['rules'],
     },
     tags: {
       type: 'object',