
aws-wafv2: support for managed rule group "AWSManagedRulesAntiDDoSRuleSet"

Open g4s9ob25 opened this issue 7 months ago • 1 comments

Describe the feature

Please implement support for the managed rule group "AWSManagedRulesAntiDDoSRuleSet":

https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-anti-ddos.html

Use Case

It appears it is not possible to supply the required configuration to the managed rule group.

Even adding it like this (i.e. with casting):

      managedRuleGroupConfigs: [
        {
          awsManagedRulesAntiDDoSRuleSet: {
            clientSideActionConfig: {
              challenge: {
                usageOfAction: 'DISABLED',
                sensitivity: 'HIGH',
              },
            },
            sensitivityToBlock: 'LOW',
          },
        } as unknown as CfnWebACL.ManagedRuleGroupConfigProperty,
      ],

it is removed from the resulting output:

        [+]     "Name": "AWSManagedRulesAntiDDoSRuleSet",
        [+]     "OverrideAction": {
        [+]       "None": {}
        [+]     },
        [+]     "Priority": 0,
        [+]     "Statement": {
        [+]       "ManagedRuleGroupStatement": {
        [+]         "ExcludedRules": [],
        [+]         "ManagedRuleGroupConfigs": [
        [+]           {}
        [+]         ],
        [+]         "Name": "AWSManagedRulesAntiDDoSRuleSet",
        [+]         "VendorName": "AWS"
        [+]       }
        [+]     },
        [+]     "VisibilityConfig": {
        [+]       "CloudWatchMetricsEnabled": true,
        [+]       "MetricName": "AWSAntiDDoSRules",
        [+]       "SampledRequestsEnabled": true
        [+]     }
        [+]   },

Proposed Solution

    interface ManagedRuleGroupConfigProperty {
        // ...
        awsManagedRulesAntiDDoSRuleSet?: CfnWebACL.AWSManagedRulesAntiDDoSRuleSetProperty | cdk.IResolvable;
        // ...
    }

Other Information

Even though we are not yet using the latest aws-cdk-lib, I checked and the feature does not seem to be present in the latest version (v2.201.0) either.

The error this causes:

UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Error reason: REQUIRED_FIELD_MISSING, field: MANAGED_RULE_GROUP_CONFIG, parameter: ManagedRuleGroupStatement (Service: Wafv2, Status Code: 400, Request ID: 4b2f511d-0dc4-4a22-ae03-f67941c0f2ed) (SDK Attempt Count: 1)" (RequestToken: 91b8daf3-f5db-5ac6-9c96-e28ac09520d6, HandlerErrorCode: InvalidRequest)

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

[email protected]

AWS CDK CLI version

2.1005.0 (build be378de)

Environment details (OS name and version, etc.)

Ubuntu 24.04

g4s9ob25 avatar Jun 13 '25 14:06 g4s9ob25

Hey @g4s9ob25, thank you for reaching out. The ManagedRuleGroupConfigProperty is currently generated from the AWS::WAFv2::WebACL ManagedRuleGroupConfig CloudFormation specification, which does appear to currently only support AWSManagedRulesACFPRuleSet, AWSManagedRulesATPRuleSet and AWSManagedRulesBotControlRuleSet. The L1 construct should auto-update once CloudFormation provides support for this property. Marking as P3.

ykethan avatar Jun 13 '25 18:06 ykethan
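The failure mode in this thread is that an unknown property cast into the L1 config is silently dropped at synth time and only surfaces as REQUIRED_FIELD_MISSING during deployment. The following is an added example, not code from the aws-cdk project or from either participant: a check that can run over a synthesized template before `cdk deploy` and flag any AWSManagedRulesAntiDDoSRuleSet rule whose ManagedRuleGroupConfigs lacks the matching config. The `Json` alias, the function names and the sample templates are constructed here; the template shape follows the `cdk diff` output quoted in the issue, and ClientSideActionConfig is assumed to be the minimum the CloudFormation property requires.

```typescript
// Added example, not aws-cdk project code: a synth-time check over a synthesized
// template (cdk.out/*.template.json) that flags AWS::WAFv2::WebACL rules using
// AWSManagedRulesAntiDDoSRuleSet whose ManagedRuleGroupConfigs hold no
// AWSManagedRulesAntiDDoSRuleSet entry with a ClientSideActionConfig, which is
// exactly the silently dropped config in the issue.
type Json = any;

function antiDdosRulesMissingConfig(template: Json): string[] {
  const findings: string[] = [];
  for (const [id, res] of Object.entries<Json>(template.Resources ?? {})) {
    if (res?.Type !== "AWS::WAFv2::WebACL") continue;
    for (const rule of res.Properties?.Rules ?? []) {
      const stmt = rule?.Statement?.ManagedRuleGroupStatement;
      if (stmt?.Name !== "AWSManagedRulesAntiDDoSRuleSet") continue;
      const configs: Json[] = stmt.ManagedRuleGroupConfigs ?? [];
      const ok = configs.some(
        (c) => c?.AWSManagedRulesAntiDDoSRuleSet?.ClientSideActionConfig !== undefined
      );
      if (!ok) findings.push(`${id}/${rule.Name ?? "?"}`);
    }
  }
  return findings;
}

// Constructed sample: a minimal WebACL template shaped like the rule in the
// issue's `cdk diff` output, with the given ManagedRuleGroupConfigs list.
function webAclTemplate(configs: Json[]): Json {
  const statement = {
    ManagedRuleGroupStatement: {
      Name: "AWSManagedRulesAntiDDoSRuleSet",
      VendorName: "AWS",
      ManagedRuleGroupConfigs: configs,
    },
  };
  const rule = { Name: "AWSManagedRulesAntiDDoSRuleSet", Priority: 0, Statement: statement };
  return { Resources: { WebACL: { Type: "AWS::WAFv2::WebACL", Properties: { Rules: [rule] } } } };
}

// What the `as unknown as` cast produced: the config collapsed to `{}`.
const brokenTemplate = webAclTemplate([{}]);
// What the template carries once the typed property is used.
const fixedTemplate = webAclTemplate([{
  AWSManagedRulesAntiDDoSRuleSet: {
    ClientSideActionConfig: { Challenge: { UsageOfAction: "DISABLED", Sensitivity: "HIGH" } },
    SensitivityToBlock: "LOW",
  },
}]);
```

Wiring `antiDdosRulesMissingConfig` into the pipeline step that reads `cdk.out` turns the deploy-time rollback into a synth-time failure with the offending logical ID and rule name.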

Closing this issue, as CFN has released support for this and CDK supports this on https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_wafv2.CfnWebACL.ManagedRuleGroupConfigProperty.html#awsmanagedrulesantiddosruleset

ykethan avatar Jun 27 '25 17:06 ykethan

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

github-actions[bot] avatar Jun 27 '25 17:06 github-actions[bot]