
wafv2.py - Issue with WebACL Rules attribute and ManagedRuleGroupStatement

Open johnsarg opened this issue 5 years ago • 6 comments

  1. When using the WebACL, the only way I could get it to work was by changing the 'Rules' attribute from '(Rules, False)' to '([Rule], False)'.

  2. When adding a rule to WebACL.Rules[], and adding a statement of type ManagedRuleGroupStatement, CloudFormation seems to require an OverrideAction; though, an Action is optional. I attempted to assign an OverrideAction of None=wafv2.NoneAction(), but without success. I modified the 'None' prop of OverrideAction to 'none', and CloudFormation was happy. Is there a better way to handle a prop which has the same name as a Python reserved word? Thanks for your help. JS

Modified wafv2.py

class OverrideAction(AWSProperty):
    props = {
        'Count': (CountAction, False),
        'none': (NoneAction, False),
    }

Example

                    OverrideAction=wafv2.OverrideAction(
                        none=wafv2.NoneAction(),
                    ),

johnsarg, Feb 24 '20 16:02

Hi @johnsarg

  1. The current implementation follows the spec https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#cfn-wafv2-webacl-rules, but the example contradicts it, and matches your finding https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#aws-resource-wafv2-webacl--examples . I'm pushing a PR changing troposphere's implementation. Can you open a bug with CloudFormation?

axelpavageau, Feb 24 '20 19:02

Regarding 2), I see that we have an issue, as AWS::WAFv2::WebACL Rule and AWS::WAFv2::RuleGroup Rule have different properties. However, currently they're the same troposphere object. I'll update the PR tomorrow to create different objects. Unfortunately we'll have to diverge from CloudFormation's naming.

Finally, regarding your actual issue with None / none, @markpeek, any suggestion?

axelpavageau, Feb 24 '20 19:02

@axelpavageau - Yes; I've opened a support ticket with AWS re: the documentation discrepancy. Thanks for your help.

johnsarg, Feb 24 '20 22:02

Merged #1599. Regarding None... my usual comment "Ugh". :-) Perhaps the "None" should be NoneAction? Also, likely CountAction and NoneAction should be removed with the props turned into "dict" since these are JSON payloads?

markpeek, Mar 15 '20 23:03

As a workaround for the None problem, you can do this:

...
OverrideAction=OverrideAction(**{"None":NoneAction()})
...

nkrumm, May 29 '20 06:05
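Why the keyword form fails and the dict-unpacking workaround above succeeds, as an added example that is not part of the thread and not troposphere's code. `Prop` is a hypothetical stand-in for the library's property base class, the sample rules are constructed, and the final check assumes the behaviour reported in this issue (a rule using ManagedRuleGroupStatement needs an OverrideAction).

```python
import json

class Prop:
    """Hypothetical stand-in for a troposphere property class (assumption)."""
    props = {}
    def __init__(self, **kwargs):
        unknown = sorted(set(kwargs) - set(self.props))
        if unknown:
            raise AttributeError(f"{type(self).__name__} has no props {unknown}")
        self.values = kwargs
    def to_dict(self):
        return {k: v.to_dict() for k, v in self.values.items()}

class CountAction(Prop): pass
class NoneAction(Prop): pass

class OverrideAction(Prop):
    # Keys spelled as CloudFormation expects them, including the reserved word.
    props = {"Count": (CountAction, False), "None": (NoneAction, False)}

def keyword_form_compiles():
    """`None=` as a keyword argument is rejected by the parser, before any call."""
    try:
        compile("OverrideAction(None=NoneAction())", "<example>", "eval")
        return True
    except SyntaxError:
        return False

def override_none():
    """Dict unpacking passes the key as a plain string, so it reaches **kwargs."""
    return OverrideAction(**{"None": NoneAction()})

# Constructed sample of rendered WebACL rules (not taken from the thread).
SAMPLE_RULES = [
    {"Name": "managed-ok", "OverrideAction": {"None": {}},
     "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                   "Name": "AWSManagedRulesCommonRuleSet"}}},
    {"Name": "managed-missing",
     "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                   "Name": "AWSManagedRulesCommonRuleSet"}}},
]

def managed_rules_missing_override(rules):
    """Names of managed-rule-group rules that carry no OverrideAction."""
    return [r["Name"] for r in rules
            if "ManagedRuleGroupStatement" in r.get("Statement", {})
            and "OverrideAction" not in r]

if __name__ == "__main__":
    print(keyword_form_compiles(), json.dumps(override_none().to_dict()))
    print(managed_rules_missing_override(SAMPLE_RULES))
```

Running `managed_rules_missing_override` over the `Rules` list of a rendered template before deployment catches the missing property locally instead of at stack creation.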

This appears fixed in the latest update of Troposphere as I no longer have to use this workaround.

tnielsen2, Jan 11 '22 21:01