aws_wafv2: UNABLE to go lower than value 100 for "RateBasedStatementProperty" #31742

urda opened this issue Oct 13, 2024 · 4 comments
Labels
@aws-cdk/aws-wafv2 bug This issue is a bug. effort/small Small work item – less than a day of effort needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

urda commented Oct 13, 2024

Describe the bug

I am unable to set my limit for a RateBasedStatementProperty below 100. Attempting to do so results in a stack error:

Resource handler returned message: "Model validation failed (#/Rules/0/Statement/RateBasedStatement/Limit: failed validation constraint for keyword [minimum])" (RequestToken: TOKEN, HandlerErrorCode: InvalidRequest)

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

I am able to set a rate below 100.

Current Behavior

Unable to set a rate below 100, must be done via web console in AWS.

Reproduction Steps

waf_acl = aws_wafv2.CfnWebACL(
    scope_=self,
    id='RootWAF',
    default_action=aws_wafv2.CfnWebACL.DefaultActionProperty(allow={}),
    scope='CLOUDFRONT',
    visibility_config=aws_wafv2.CfnWebACL.VisibilityConfigProperty(
        cloud_watch_metrics_enabled=True,
        metric_name="WAF",
        sampled_requests_enabled=True,
    ),
    rules=[
        aws_wafv2.CfnWebACL.RuleProperty(
            name='Rate-Limit-Requests',
            priority=0,
            action=aws_wafv2.CfnWebACL.RuleActionProperty(block={}),
            visibility_config=aws_wafv2.CfnWebACL
            .VisibilityConfigProperty(
                cloud_watch_metrics_enabled=True,
                metric_name="Rate-Limit-Requests",
                sampled_requests_enabled=True,
            ),
            statement=aws_wafv2.CfnWebACL.StatementProperty(
                rate_based_statement=aws_wafv2.CfnWebACL
                .RateBasedStatementProperty(
                    aggregate_key_type='IP',
                    limit=60,  # FAILS HERE !!!!
                    evaluation_window_sec=60,
                ),
            ),
        ),
    ],
)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.162.1 (build 10aa526)

Framework Version

No response

Node.js Version

v18.16.0

OS

macOS

Language

Python

Language Version

Python 3.12.0

Other information

No response

@urda urda added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 13, 2024
@ashishdhingra ashishdhingra self-assigned this Oct 14, 2024
@ashishdhingra ashishdhingra added p2 needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 14, 2024
@ashishdhingra
Contributor

The issue is reproducible using the CDK code below:

import * as cdk from 'aws-cdk-lib';
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

export class CdktestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const wafAcl = new wafv2.CfnWebACL(this, 'RootWAF', {
      defaultAction: {
        allow: {}
      },
      scope: 'CLOUDFRONT',
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'WAF',
        sampledRequestsEnabled: true
      },
      rules: [
        {
          name: 'Rate-Limit-Requests',
          priority: 0,
          action: {
            block: {}
          },
          visibilityConfig: {
            cloudWatchMetricsEnabled: true,
            metricName: 'Rate-Limit-Requests',
            sampledRequestsEnabled: true,
          },
          statement: {
            rateBasedStatement: {
              aggregateKeyType: 'IP',
              limit: 60,
              evaluationWindowSec: 60
            },
          }
        }
      ]
    });
  }
}

where it gives error during deployment:

Resource handler returned message: "Model validation failed (#/Rules/0/Statement/RateBasedStatement/Limit: failed validation constraint for keyword [minimum])" (RequestToken: a7a06ec4-7689-59cb-38bd-8ec048ec006e, HandlerErrorCode: InvalidRequest)

If we check the documentation for the Limit property at AWS::WAFv2::WebACL RateBasedStatement, it specifies the minimum value for Limit as 100. Hence the error.

@urda The above error is thrown by CloudFormation, not the CDK code. Per CloudFormation documentation, the minimum value for Limit is 100. Hence, the error.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 and removed p2 needs-reproduction This issue needs reproduction. labels Oct 14, 2024
urda commented Oct 14, 2024

It's out of date from what AWS says the service supports: https://aws.amazon.com/about-aws/whats-new/2024/08/aws-waf-rate-based-rules-lower-rate-limits/#:~:text=AWS%20WAF%20now%20supports%20setting,previous%20minimum%20of%20100%20requests.

@ashishdhingra
Contributor

@urda Thanks for your response. I could also see that in the WAFv2 API reference at RateBasedStatement. It looks like CloudFormation doesn't support the lower limit yet. Please open an issue at https://github.com/aws-cloudformation/cloudformation-coverage-roadmap, since the support needs to be added on the CloudFormation side (also link this issue), and you will get an update on it whenever it's fixed.

Thanks,
Ashish

@ashishdhingra ashishdhingra added p2 effort/small Small work item – less than a day of effort needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 labels Oct 14, 2024
urda commented Oct 14, 2024

@ashishdhingra opened aws-cloudformation/cloudformation-coverage-roadmap#2160
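
An added example, not part of the thread or of the CDK code base: a pre-deploy check that scans a synthesized template for RateBasedStatement Limit values below the CloudFormation minimum of 100 cited above, and reports each one with the same JSON pointer the deployment error uses. The function name, the `CFN_MIN_LIMIT` constant and the sample template are assumptions of this example.

```python
# Minimum that CloudFormation enforces for Limit according to this thread.
# Assumption: lower this constant once the CloudFormation schema is updated.
CFN_MIN_LIMIT = 100

# Constructed sample of a synthesized template (not taken from the issue).
SAMPLE_TEMPLATE = {"Resources": {
    "RootWAF": {"Type": "AWS::WAFv2::WebACL", "Properties": {"Rules": [
        {"Name": "Rate-Limit-Requests", "Statement": {"RateBasedStatement": {
            "AggregateKeyType": "IP", "Limit": 60, "EvaluationWindowSec": 60}}},
        {"Name": "Bulk", "Statement": {"RateBasedStatement": {
            "AggregateKeyType": "IP", "Limit": 2000}}},
        {"Name": "FromParam", "Statement": {"RateBasedStatement": {
            "AggregateKeyType": "IP", "Limit": {"Ref": "LimitParam"}}}},
    ]}},
    "Assets": {"Type": "AWS::S3::Bucket"},
}}


def find_low_rate_limits(template, minimum=CFN_MIN_LIMIT):
    """Return (logical_id, json_pointer, limit) for every RateBasedStatement
    in an AWS::WAFv2::WebACL whose literal Limit is below `minimum`."""
    findings = []

    def walk(node, path, logical_id):
        if isinstance(node, dict):
            rbs = node.get("RateBasedStatement")
            if isinstance(rbs, dict):
                limit = rbs.get("Limit")
                # Only literal numbers can be judged; intrinsics such as
                # {"Ref": ...} are resolved at deploy time and are skipped.
                is_number = isinstance(limit, (int, float)) and not isinstance(limit, bool)
                if is_number and limit < minimum:
                    findings.append(
                        (logical_id, f"{path}/RateBasedStatement/Limit", limit))
            for key, value in node.items():
                walk(value, f"{path}/{key}", logical_id)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}/{index}", logical_id)

    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::WAFv2::WebACL":
            rules = resource.get("Properties", {}).get("Rules", [])
            walk(rules, "#/Rules", logical_id)
    return findings


if __name__ == "__main__":
    for logical_id, pointer, limit in find_low_rate_limits(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {pointer} = {limit} (< {CFN_MIN_LIMIT})")
```

Run against the JSON template produced by synthesis, this reports the offending rule before deployment rather than as a stack error.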

@ashishdhingra ashishdhingra removed their assignment Nov 5, 2024