AWS::WAFv2::WebACL RateBasedStatement Limit Validation #1446

Closed
andrewdieken opened this issue Mar 27, 2020 · 2 comments · Fixed by #1507
cfn-lint version: 0.29.2

Description of issue.
When creating a WAF rule that includes a RateBasedStatement there is no validation done on the value set for the Limit. It wasn't until deploying the CloudFormation template that I received an error:
Model validation failed (#/Rules: 3 schema violations found) #/Rules/4/Statement/RateBasedStatement/Limit: failed validation constraint for keyword [minimum] (#/Rules/4/Statement/RateBasedStatement/Limit) #/Rules/5/Statement/RateBasedStatement/Limit: failed validation constraint for keyword [minimum] (#/Rules/5/Statement/RateBasedStatement/Limit) #/Rules/6/Statement/RateBasedStatement/Limit: failed validation constraint for keyword [minimum] (#/Rules/6/Statement/RateBasedStatement/Limit)

The error is due to my Limit value being set below the minimum value allowed. I was able to find this info after attempting to create my rule through the AWS console where I noticed they had a note:
[Screenshot: Screen Shot 2020-03-12 at 7 40 14 PM]

A note about it can also be found here: https://aws.amazon.com/about-aws/whats-new/2019/08/lower-threshold-for-aws-waf-rate-based-rules/

Note that there is nothing mentioned about the minimum / maximum limit anywhere in the CloudFormation documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratebasedstatementone.html

Feature request.
I'm suggesting that validation be added to ensure the Limit value is set between the minimum, 100, and maximum, 20000000, limit. This small feature will be extremely valuable for users due to the lack of CloudFormation documentation, and hopefully save people quite a bit of time!
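
The range check requested in this issue, as an added example that is not part of the thread and is not cfn-lint's own rule code: it walks a template already parsed into a dict and reports literal `Limit` values outside the 100 to 20000000 range given above. The resource names, the `RateParam` parameter and the helper names are hypothetical.

```python
# Added example, not cfn-lint code. Bounds are the ones stated in the issue.
LIMIT_MIN, LIMIT_MAX = 100, 20_000_000
WAFV2_TYPES = {"AWS::WAFv2::WebACL", "AWS::WAFv2::RuleGroup"}

def _walk(node, path):
    """Yield (path, Limit) for every RateBasedStatement below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "RateBasedStatement" and isinstance(value, dict) and "Limit" in value:
                yield path + [key, "Limit"], value["Limit"]
            yield from _walk(value, path + [key])
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, path + [str(index)])

def check_rate_limits(template):
    """Return [(path, limit)] for literal integer Limits outside the range."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in WAFV2_TYPES:
            continue
        start = ["Resources", name, "Properties"]
        for path, limit in _walk(resource.get("Properties", {}), start):
            # Intrinsics such as {"Ref": ...} cannot be resolved statically; skip them.
            if isinstance(limit, bool) or not isinstance(limit, int):
                continue
            if not LIMIT_MIN <= limit <= LIMIT_MAX:
                findings.append(("/".join(path), limit))
    return findings

def _rule(limit):
    # Constructed rule, trimmed to the fields this check reads.
    return {"Statement": {"RateBasedStatement": {"AggregateKeyType": "IP", "Limit": limit}}}

# Constructed sample template (hypothetical resource and parameter names).
SAMPLE = {"Resources": {
    "Acl": {"Type": "AWS::WAFv2::WebACL",
            "Properties": {"Rules": [_rule(50), _rule(2000), _rule({"Ref": "RateParam"})]}},
    "Group": {"Type": "AWS::WAFv2::RuleGroup",
              "Properties": {"Rules": [_rule(20_000_001)]}},
}}

if __name__ == "__main__":
    for path, limit in check_rate_limits(SAMPLE):
        print(f"{path}: Limit {limit} is outside {LIMIT_MIN}..{LIMIT_MAX}")
```

Run before deployment, a check like this surfaces the out-of-range value at lint time instead of as a CloudFormation model validation failure.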

@PatMyron PatMyron added the good first issue Good for newcomers label Mar 27, 2020

andrewdieken commented Mar 30, 2020

@PatMyron correct, this applies to both AWS::WAFv2::RuleGroup.RateBasedStatementOne and AWS::WAFv2::RuleGroup.RateBasedStatementTwo

What should next steps be? Should I open a PR?
