
Support logical rule statements in wafv2-controller

Open takeshi-hatamoto opened this issue 6 months ago • 2 comments

Is your feature request related to a problem?

The following code deploys a rule in labelMatchStatement.

  rules:
    - name: Allowbot
      priority: 12
      action:
        allow: {}
      visibilityConfig:
        metricName: Allowbot
        sampledRequestsEnabled: true
        cloudWatchMetricsEnabled: true
      statement:
        labelMatchStatement: 
          scope: LABEL
          key: "awswaf:managed:aws:bot-control:bot:name:googlebot"

However, when I use “orStatement” to apply the or condition of labelMatchStatement, I get the following error, which I would like to improve.

strict decoding error: unknown field “spec.rules[12].statement.orStatement.statements”

    - name: Allowbot
      priority: 13
      action:
        allow: {}
      visibilityConfig:
        metricName: Allowbot
        sampledRequestsEnabled: true
        cloudWatchMetricsEnabled: true
      statement:
        orStatement: 
          statements:
            - labelMatchStatement:
                scope: LABEL
                key: "awswaf:managed:aws:bot-control:bot:user_triggered:verified"
            - labelMatchStatement:
                scope: LABEL
                key: "awswaf:managed:aws:bot-control:bot:name:googlebot"

Describe the solution you'd like

Please let me know if you have already implemented this and if there is a way to solve this problem with orStatement. I would like to eventually be able to use not only orStatement but also andStatement and NotStatement. Using logical rule statements in AWS WAF

takeshi-hatamoto avatar Jun 20 '25 04:06 takeshi-hatamoto

Hello @takeshi-hatamoto 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

github-actions[bot] avatar Jun 20 '25 04:06 github-actions[bot]

Hi @takeshi-hatamoto, thanks for reporting this issue! The Statement fields are implemented.

The logical statements (orStatement, andStatement, notStatement) are string fields that contain YAML content, rather than structured objects like your snippet. You need to use the YAML pipe | operator to provide the logical statement as a multi-line string.

Here's the corrected version of your configuration:

- name: Allowbot
  priority: 13
  action:
    allow: {}
  visibilityConfig:
    metricName: Allowbot
    sampledRequestsEnabled: true
    cloudWatchMetricsEnabled: true
  statement:
    orStatement: |
      statements:
        - labelMatchStatement:
            scope: LABEL
            key: "awswaf:managed:aws:bot-control:bot:user_triggered:verified"
        - labelMatchStatement:
            scope: LABEL
            key: "awswaf:managed:aws:bot-control:bot:name:googlebot"

Another example: https://github.com/aws-controllers-k8s/wafv2-controller/blob/main/test/e2e/resources/rule_group_nested_statements.yaml

This should resolve your issue. Let me know if you need any clarification or continue to face the issue!

rushmash91 avatar Jun 23 '25 22:06 rushmash91
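A pre-apply check for the mistake discussed in this thread, as an added example (not code from the wafv2-controller project or from any commenter): it walks an already-parsed manifest spec and reports every `orStatement`, `andStatement` or `notStatement` whose value is a structured object instead of a string. The function name, the `spec` path prefix and both sample specs are constructed for illustration; loading the YAML file into Python objects is assumed to happen beforehand.

```python
# Added example: lint a parsed ACK WAFv2 spec for logical statements that
# were written as structured YAML instead of as a string (the `|` form).
LOGICAL_FIELDS = ("orStatement", "andStatement", "notStatement")


def find_structured_logical_statements(node, path="spec"):
    """Return [(field path, type name)] for each logical statement field
    whose value is not a string."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in LOGICAL_FIELDS and value is not None and not isinstance(value, str):
                # Everything below this field belongs inside the string,
                # so report it once and do not descend further.
                findings.append((child, type(value).__name__))
            else:
                findings.extend(find_structured_logical_statements(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_structured_logical_statements(item, f"{path}[{index}]"))
    return findings


# Constructed sample: the structured form that the API server rejects.
SPEC_REJECTED = {"rules": [{
    "name": "Allowbot",
    "statement": {"orStatement": {"statements": [
        {"labelMatchStatement": {"scope": "LABEL",
            "key": "awswaf:managed:aws:bot-control:bot:user_triggered:verified"}},
        {"labelMatchStatement": {"scope": "LABEL",
            "key": "awswaf:managed:aws:bot-control:bot:name:googlebot"}},
    ]}},
}]}

# Constructed sample: the same rule with orStatement given as a string.
SPEC_ACCEPTED = {"rules": [{
    "name": "Allowbot",
    "statement": {"orStatement": (
        "statements:\n"
        "  - labelMatchStatement:\n"
        "      scope: LABEL\n"
        '      key: "awswaf:managed:aws:bot-control:bot:name:googlebot"\n'
    )},
}]}

if __name__ == "__main__":
    for field_path, kind in find_structured_logical_statements(SPEC_REJECTED):
        print(f"{field_path}: expected a string, found {kind}")
```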

Thank you very much. Resolved.

takeshi-hatamoto avatar Jun 25 '25 02:06 takeshi-hatamoto

/close

rushmash91 avatar Jun 25 '25 18:06 rushmash91

@rushmash91: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ack-prow[bot] avatar Jun 25 '25 18:06 ack-prow[bot]