Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WafwebaclToApiGateway merges DefaultAction to Allow and Block #830

Open
tbelmega opened this issue Oct 19, 2022 · 1 comment
Open

WafwebaclToApiGateway merges DefaultAction to Allow and Block #830

tbelmega opened this issue Oct 19, 2022 · 1 comment
Labels
bug Something isn't working needs-triage The issue or PR still needs to be triaged

Comments

@tbelmega
Copy link
Contributor

Hi,
I am trying to use WafwebaclToApiGateway construct and pass webaclProps with defaultAction: {block: {}}.
The synthesized CloudFormation template results in

    "DefaultAction": {
     "Allow": {},
     "Block": {}
    },

and deployment of that fails of course:

"Error reason: You have used none or multiple values for a field that requires exactly one value., field: DEFAULT_ACTION, parameter: DefaultAction

Reproduction Steps

    const api = new RestApi(this, 'Api', {
      restApiName: 'Api',
      deployOptions: {
        stageName: 'prod',
        accessLogDestination: new LogGroupLogDestination(prodLogGroup),
        accessLogFormat: AccessLogFormat.jsonWithStandardFields()
      },
    });

    new WafwebaclToApiGateway(this, 'WafWebACL', {
      existingApiGatewayInterface: api,
      webaclProps: {
        defaultAction: {block: {}},
        scope: 'REGIONAL',
        visibilityConfig: {
          cloudWatchMetricsEnabled: true,
          metricName: "WebAclMetrics",
          sampledRequestsEnabled: true,
        },
      }
    });

Error Log

Stack Deployments Failed: Error: The stack named AccountAssessment failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: DEFAULT_ACTION, parameter: DefaultAction (Service: Wafv2, Status Code: 400, Request ID: a3235953-337b-44dd-96ea-45c8b0c02e0d, Extended Request ID: null)"

Environment

  • CDK CLI Version : 2.46.0
  • CDK Framework Version: "aws-cdk-lib": "^2.31.2",
  • AWS Solutions Constructs Version : "@aws-solutions-constructs/aws-wafwebacl-apigateway": "^2.26.0",
  • OS : MacOS Monterey 12.6
  • Language : TypeScript

Other

From looking at the construct code, I learned that it's trying to merge my custom webaclProps with the default props.
I do not claim I understood in detail wich path through the code this merge takes, but I think it relies on usually correct merge logic for javascript objects and merges

defaultAction: {
allow: {}
},

and

defaultAction: {
block: {}
},

into

defaultAction: {
allow: {}
block: {}
},

This causes a problem, because in this case allow and block are modeled as different properties; the merge would work correctly if it were one property with two possible values instead.
It seems to me that the fix would require to handle allow/block as a special case, because the desired outcome in this case contradicts regular merge logic for javascript objects.

This is 🐛 Bug Report
@tbelmega tbelmega added bug Something isn't working needs-triage The issue or PR still needs to be triaged labels Oct 19, 2022
@biffgaut
Copy link
Contributor

Thanks - we'll take a look. (sorry it lingered before we saw this)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working needs-triage The issue or PR still needs to be triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tbelmega @biffgaut