wafv2 rule-group - rule "statement" is not getting reflected in the cdk.tf.json #2469

Open
Abhishek-singhcoupa opened this issue Jan 10, 2023 · 3 comments
Labels
bug/has-workaround A bug with a workaround (may not be elegant) bug Something isn't working cdktf confirmed independently reproduced by an engineer on the team help wanted Community contributions welcome as the core team is unlikely to work on this soon priority/backlog Low priority (though possibly still important). Unlikely to be worked on within the next 6 months. provider/aws Issue shows up using AWS provider provider get / generation size/medium estimated < 1 week

Comments

@Abhishek-singhcoupa

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

cdktf & Language Versions

language: python
cdktf-cli: 0.13.3
node: v18.12.1
cdktf: 0.13.3
constructs: 10.1.188
jsii: 1.72.0
terraform: 1.1.9
arch: x64
os: darwin 22.2.0
python: Python 3.10.8
pip: pip 22.3.1 from /usr/local/lib/python3.10/site-packages/pip (python 3.10)
pipenv: pipenv, version 2022.9.24

Affected Resource(s)

wafv2 RuleGroup, Rules

Debug Output

deploy fails with error -


[ERROR] default - ╷
│ Error: creating WAFv2 RuleGroup (test-cdk): WAFInvalidParameterException: Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: STATEMENT, parameter: Statement
│ {
│ RespMetadata: {
│ StatusCode: 400,
│ RequestID: "7beaebeb-dc61-460d-9c47-10a9188b56eb"
│ },
│ Field: "STATEMENT",
│ Message_: "Error reason: EXACTLY_ONE_CONDITION_REQUIRED, field: STATEMENT, parameter: Statement",
│ Parameter: "Statement",
│ Reason: "You have used none or multiple values for a field that requires exactly one value."
│ }

│ with aws_wafv2_rule_group.test-rg-cdk,
│ on cdk.tf.json line 69, in resource.aws_wafv2_rule_group.test-rg-cdk:
│ 69: }


Expected Behavior

The rule statement should be present.

Actual Behavior

statement is blank, making the deploy fail.

Steps to Reproduce

Use cdktf python, main.py definition -


#!/usr/bin/env python
from pickle import NONE
import profile
from typing import Sequence
from constructs import Construct
from cdktf import App, TerraformStack, TerraformOutput, Token, Fn
from imports.aws.provider import AwsProvider
from imports.aws import fms_policy, wafv2_rule_group
import json


class MyStack(TerraformStack):
    def __init__(self, scope: Construct, id: str):
        super().__init__(scope, id)
        
        # Creating wafv2_rule_group
        AwsProvider(self, "AWS", region="xxx", profile='xxx')

        wrg=wafv2_rule_group.Wafv2RuleGroup(self, 
        id_='test-rg-cdk',
        visibility_config={
            "sampled_requests_enabled": True,
            "cloudwatch_metrics_enabled": True,
            "metric_name": "test-metric"
        },
        description="Test rg from cdk",
        capacity=80,
        name='test-cdk',
        scope='REGIONAL',
        rule=[
            {
                "name": "body_size_constraint",
                "priority": 0,
                "statement": {
                    "size_constraint_statement": {
                        "field_to_match": {
                            "body": {}
                        },
                        "comparison_operator": "GT",
                        "size": 8192,
                        "text_transformation": [
                            {
                            "priority": 0,
                            "type": "NONE"
                            }
                        ]
                    }
                },
                "action": {
                    "count": {}
                },
                "visibilityConfig": {
                    "sampledRequestsEnabled": True,
                    "cloudwatchMetricsEnabled": True,
                    "metricName": "body_size_constraint"
                }
            }
        ],
        tags={
            "name":"waf-fms-policy-cdk",
            "Managedby":"CDK Terraform"
        })




app = App()
MyStack(app, "coupa-waf-cdk")

app.synth()

Run cdktf deploy

Refer to the cdk.tf.json output file below, which shows the blank statement at line 39:

{
  "//": {
    "metadata": {
      "backend": "local",
      "stackName": "waf-cdk",
      "version": "0.13.3"
    },
    "outputs": {
    }
  },
  "provider": {
    "aws": [
      {
        "profile": "xx",
        "region": "xxx"
      }
    ]
  },
  "resource": {
    "aws_wafv2_rule_group": {
      "test-rg-cdk": {
        "//": {
          "metadata": {
            "path": "waf-cdk/test-rg-cdk",
            "uniqueId": "test-rg-cdk"
          }
        },
        "capacity": 80,
        "description": "Test rg from cdk",
        "name": "test-cdk",
        "rule": [
          {
            "action": {
              "count": {
              }
            },
            "name": "body_size_constraint",
            "priority": 0,
            "statement": {
            },
            "visibility_config": {
              "cloudwatch_metrics_enabled": true,
              "metric_name": "body_size_constraint",
              "sampled_requests_enabled": true
            }
          }
        ],
        "scope": "REGIONAL",
        "tags": {
          "Managedby": "CDK Terraform",
          "name": "waf-fms-policy-cdk"
        },
        "visibility_config": {
          "cloudwatch_metrics_enabled": true,
          "metric_name": "test-metric",
          "sampled_requests_enabled": true
        }
      }
    }
  },
  "terraform": {
    "backend": {
      "local": {
        "path": "/xxxx/terraform.coupa-waf-cdk.tfstate"
      }
    },
    "required_providers": {
      "aws": {
        "source": "aws",
        "version": "4.46.0"
      }
    }
  }
}
@Abhishek-singhcoupa Abhishek-singhcoupa added bug Something isn't working new Un-triaged issue labels Jan 10, 2023
@DanielMSchmidt DanielMSchmidt added cdktf confirmed independently reproduced by an engineer on the team priority/important-soon High priority, to be worked on as part of our current release or the following one. provider get / generation size/medium estimated < 1 week bug/has-workaround A bug with a workaround (may not be elegant) and removed new Un-triaged issue labels Jan 18, 2023
@DanielMSchmidt
Contributor

Thanks for reporting this bug! I could reproduce it in 0.15. I could get around it by using an escape hatch:

wrg.add_override('rule.0.statement', {
            "size_constraint_statement": {
                "field_to_match": {
                    "body": {}
                },
                "comparison_operator": "GT",
                "size": 8192,
                "text_transformation": [
                    {
                        "priority": 0,
                        "type": "NONE"
                    }
                ]
            }
        })

@xiehan xiehan added provider/aws Issue shows up using AWS provider help wanted Community contributions welcome as the core team is unlikely to work on this soon priority/backlog Low priority (though possibly still important). Unlikely to be worked on within the next 6 months. and removed priority/important-soon High priority, to be worked on as part of our current release or the following one. labels Jun 1, 2023
@sabinayakc
Contributor

Same problem here. Cannot add multiple statements since typescript won't allow multiple properties of same key.

  statement: {
              or_statement: {
                statement: {
                  not_statement: {
                    statement: {
                      geo_match_statement: {
                        country_codes: ["US"],
                      },
                    },
                  },
                },

                statement: {
                 }
              },
            },

@tianweiliu

tianweiliu commented Dec 25, 2024

Same problem here. Cannot add multiple statements since typescript won't allow multiple properties of same key.

  statement: {
              or_statement: {
                statement: {
                  not_statement: {
                    statement: {
                      geo_match_statement: {
                        country_codes: ["US"],
                      },
                    },
                  },
                },

                statement: {
                 }
              },
            },

Just found out the use should be:

  statement: {
    or_statement: {
      statement: [
        {
          not_statement: {
            statement: {
              geo_match_statement: {
                country_codes: ["US"],
              },
            },
          },
        },
        {
          and_statement: {
            statement: [
              ...
            ],
          },
        },
      ],
    },
  },

This is NOT documented anywhere.
Seriously, the entire WAFv2 rule documentation for typescript is just a copy from native terraform without any needed modifications (with even the wrong modifications of statements still in camel case!).
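
A pre-deploy check for the failure reported in this thread, as an added example that is not part of the issue or of cdktf: it walks a synthesized cdk.tf.json and reports every WAFv2 statement that does not hold exactly one condition, generalizing from the empty rule statement in the report to the nested statement lists in the last comment. The function names and the sample document are constructed for illustration.

```python
import json
import sys

# Constructed sample: rule 0 mirrors the empty statement from the report;
# rule 1 uses the nested list form with one empty entry.
SAMPLE = {"resource": {"aws_wafv2_rule_group": {"test-rg-cdk": {"rule": [
    {"name": "body_size_constraint", "statement": {}},
    {"name": "geo", "statement": {"or_statement": {"statement": [
        {"not_statement": {"statement": {
            "geo_match_statement": {"country_codes": ["US"]}}}},
        {},
    ]}}},
]}}}}


def statement_errors(stmt, path):
    """Return the paths of statements that do not hold exactly one condition."""
    # Assumption: a single nested block may be serialized as a one-element list.
    if isinstance(stmt, list) and len(stmt) == 1:
        stmt = stmt[0]
    if not isinstance(stmt, dict) or len(stmt) != 1:
        return [path]  # none or multiple values: the case the WAFv2 API rejects
    kind, body = next(iter(stmt.items()))
    nested = body.get("statement") if isinstance(body, dict) else None
    if nested is None:
        return []  # leaf statement such as size_constraint_statement
    children = nested if isinstance(nested, list) else [nested]
    if not children:
        return [f"{path}.{kind}.statement"]
    errors = []
    for i, child in enumerate(children):
        errors += statement_errors(child, f"{path}.{kind}.statement.{i}")
    return errors


def check_rule_groups(tf_json):
    """Check every rule of every aws_wafv2_rule_group in a synthesized stack."""
    errors = []
    groups = tf_json.get("resource", {}).get("aws_wafv2_rule_group", {})
    for rg_id, rg in groups.items():
        for i, rule in enumerate(rg.get("rule", [])):
            errors += statement_errors(rule.get("statement"),
                                       f"{rg_id}.rule.{i}.statement")
    return errors


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    problems = check_rule_groups(doc)
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Run it against the synthesized cdk.tf.json after `cdktf synth`; a non-zero exit means at least one rule would be rejected with EXACTLY_ONE_CONDITION_REQUIRED.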
