[v2] In WAF, Managed Rules are not correctly generated

[yasuto-nishii]

Hello, I'm migrating appsync plugin from v1 to v2. Thanks for great plugin and well described migration document.
Just one question, based on the migration document, I changed wafConfig to waf, but I'm still getting an error to configure managed rules in waf section.

I had checked the generated cloud formation then found overrideAction is ignored in v2.
"Action": { "Allow": {} }, is set to managed rule forcefully, it's invalid.

Is this bug or does v2 have another syntax to configure managed rule?

waf:
  enabled: true
  rules:
    - name: MyRule1 # this is your rule name
      overrideAction:
        none: {}
      statement:
        managedRuleGroupStatement:
          vendorName: AWS
          name: AWSManagedRulesCommonRuleSet # this is the name of the managed rule

https://github.com/sid88in/serverless-appsync-plugin/pull/476/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5L528

Generated cloud formation by v2 from above configuration

         {
            "Name": "MyRule1",
            "Action": {
              "Allow": {}
            },
            "Priority": 10,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "MyRule1",
              "SampledRequestsEnabled": true
            }
          },

[bboure]

Thanks for the report. This might be a bug or a implementation detail I missed when I migrated to v2.

I'm going to have to look into this when I have a moment.
I have not used WAF too much so I am not too familiar with it.

Could you share the Cfn code generated out of v1 as well, for comparison

[yasuto-nishii]

Alright, I'm using this configuration both for v1 and v2.
The difference seems to be Action and OverrideAction only.

FYI, the WAF configuration is working fine except for the managed rules.

        - name: "AWSManagedRulesCommonRuleSet"
          priority: 20
          overrideAction:
            none: {}
          statement:
            managedRuleGroupStatement:
              vendorName: "AWS"
              name: "AWSManagedRulesCommonRuleSet"

This is generated by v1.

          {
            "Name": "AWSManagedRulesCommonRuleSet",
            "Priority": 20,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesCommonRuleSet",
              "SampledRequestsEnabled": true
            },
            "OverrideAction": {
              "None": {}
            }
          },

by v2

         {
            "Name": "AWSManagedRulesCommonRuleSet",
            "Action": {
              "Allow": {}
            },
            "Priority": 20,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesCommonRuleSet",
              "SampledRequestsEnabled": true
            }
          },

[yasuto-nishii]

To address this issue, I'm posting my code change. Will test on my env with WAF in few days.
Generated cloud formations seems to be expected.
#582