Merge pull request #4 from ZDF-OSS/feature/add_aws_managed_rules

feat(aws-managed): add_aws_managed_rules

Author: AyoubUmoru

.gitignore

@@ -2,7 +2,7 @@ import { awscdk } from 'projen';
 
 const PROJECT_NAME = 'cdk-aws-wafv2-geofence-lib';
 const PROJECT_DESCRIPTION =
-  'The cdk-aws-wafv2-geofence-lib is an AWS CDK construct library that adds a AWS WAFv2 with GeoBlocking enabled for an AppSync, API Gateway or an ALB.';
+  'The cdk-aws-wafv2-geofence-lib is an AWS CDK construct library that adds a AWS WAFv2 with GeoBlocking and AWS Managed Rules for AppSync, API Gateway or an ALB.';
 
 const project = new awscdk.AwsCdkConstructLibrary({
   author: 'ZeroDotFive',
@@ -17,6 +17,9 @@ const project = new awscdk.AwsCdkConstructLibrary({
   homepage: 'https://zerodotfive.com',
   description: PROJECT_DESCRIPTION,
   keywords: ['aws', 'cdk', 'awscdk', 'aws-cdk', 'wafv2', 'aws-waf', 'aws-wafv2', 'geoblock'],
+  gitignore: [
+    'cdk.out/',
+  ],
 });
 
 project.addBundledDeps('@types/aws-lambda');

.projenrc.ts

@@ -1,20 +1,32 @@
-# AWS WAFv2 GeoBlocking CDK construct for Cloud Development Kit (AWS CDK)
+# AWS WAFv2 cdk construct for Cloud Development Kit (AWS CDK)
 
 
 
-The WAFv2 GeoBlocking construct is free for everyone to use. It supports blocking of requests to AWS ressources based on IP orign (Country).
+The WAFv2 construct is free for everyone to use and it leverages the massive improvements made by AWS compared to V1. 
 
-It offers a high-level abstraction and integrates neatly with your existing AWS CDK project. It encapsulates AWS best practices in your
-infrastructure definition and hides boilerplate logic for your.
+**Add an extra layer of security to protect your services from common attacks**
+
+It offers a high-level abstraction and integrates neatly with your existing AWS CDK project. It brings AWS best practices into your infrastructure and hides boilerplate logic in your project.
 
 The Construct is available in the following languages:
 
 * JavaScript, TypeScript ([Node.js ≥ 14.15.0](https://nodejs.org/download/release/latest-v14.x/))
   * We recommend using a version in [Active LTS](https://nodejs.org/en/about/releases/)
 
-
 Third-party Language Deprecation: language version is only supported until its EOL (End Of Life) shared by the vendor or community and is subject to change with prior notice.
 
+**Features**
+* Blocking of requests to your AWS ressources based on IP orign (Country) - If you application is national, restrict the web traffic to the county.
+
+* AWS Managed Rules for AWS WAF is a managed service that provides protection against common application vulnerabilities or other unwanted traffic (https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)
+
+
+***AWS Managed Rules***
+AWS Managed Rules for AWS WAF is a managed service that provides protection against common application vulnerabilities or other unwanted traffic. You have the option of selecting one or more rule groups from AWS Managed Rules for each web ACL, up to the maximum web ACL capacity unit (WCU) limit.
+
+
+
+
 \
 Jump To:
 [Getting Started](#getting-started)
@@ -46,14 +58,18 @@ When you use a geo match statement just for the region and country labels that i
 ```ts
    // AWS WAFv2 GeoBlocking CDK Component
     const allowedCountiesToAccessService = ["DE"]
-    const geoblockingWaf = new CdkWafGeoLib(this, 'GeoblockingWaf',
-    {
-      allowedCountiesToAccessService: ['DE'],
+    new CdkWafGeoLib(this, 'Cdk-Waf-Geo-Lib', {
+      // Geo blocking
+      allowedCountiesToAccessService: allowedCountiesToAccessService,
+      enableGeoBlocking: false,
+      // AWS Default WAF Rules
+      enableAWSManagedRulesBlocking: true,
+      enableAWSManagedRuleCRS: true,
+
+      priority: 100,
       resourceArn: lb.loadBalancerArn,
-      block: true,
-      priority: 105,
-      enableCloudWatchLogs: true
-    })
+      enableCloudWatchLogs: true,
+    });
 ```
 
 #### Properties <a name="Properties" id="Properties"></a>
@@ -186,12 +202,17 @@ export class EcsBpMicroserviceWaf extends cdk.Stack {
       requestsPerTarget: 500,
       targetGroup: tg,
     });
+    
     new CdkWafGeoLib(this, 'Cdk-Waf-Geo-Lib', {
-      allowedCountiesToAccessService: ['US'],
+      // Geo blocking
+      allowedCountiesToAccessService: ['DE'],
+      enableGeoBlocking: false,
       resourceArn: lb.loadBalancerArn,
-      block: true,
-      priority: 105,
-      enableCloudWatchLogs: false,
+      priority: 233,
+      enableCloudWatchLogs: true,
+      // AWS Default WAF Rules
+      enableAWSManagedRulesBlocking: true,
+      enableAWSManagedRuleCRS: true,
     });
   }
 }

API.md

@@ -1,12 +1,9 @@
 import * as cdk from 'aws-cdk-lib';
 
 export interface IWafRuleProps {
-  /** If you define more than one Rule in a WebACL , AWS WAF evaluates each request against the Rules in order based on the value of Priority . AWS WAF processes rules with lower priority first. The priorities don’t need to be consecutive, but they must all be different. */
+  /** If you enable more than one Rule, AWS WAF evaluates each request against the Rules in order based on the value of Priority . AWS WAF processes rules with lower priority first. The priorities don’t need to be consecutive, but they must all be different. */
   priority: number;
 
-  /** Instructs AWS WAF to count the web request and then continue evaluating the request using the remaining rules in the web ACL. Link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ruleaction.html#cfn-wafv2-webacl-ruleaction-count */
-  count: boolean;
-
   /** Instructs AWS WAF to block the web request. Link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ruleaction.html#cfn-wafv2-webacl-ruleaction-block */
   block: boolean;
 
@@ -15,67 +12,46 @@ export interface IWafRuleProps {
   allowed_countries: Array<string>;
 }
 
-export class WafRuleGeoBlockGreenList
-implements cdk.aws_wafv2.CfnWebACL.RuleProperty, IWafRuleProps {
-  allowed_countries: string[];
-  count: boolean;
+export class WafRulesGeoBlock implements IWafRuleProps {
   block: boolean;
-  action?:
-  | cdk.aws_wafv2.CfnWebACL.RuleActionProperty
-  | cdk.IResolvable
-  | undefined;
-  captchaConfig?:
-  | cdk.IResolvable
-  | cdk.aws_wafv2.CfnWebACL.CaptchaConfigProperty
-  | undefined;
-  challengeConfig?:
-  | cdk.IResolvable
-  | cdk.aws_wafv2.CfnWebACL.ChallengeConfigProperty
-  | undefined;
-  name: string;
-  overrideAction?:
-  | cdk.IResolvable
-  | cdk.aws_wafv2.CfnWebACL.OverrideActionProperty
-  | undefined;
   priority: number;
-  ruleLabels?:
-  | cdk.IResolvable
-  | (cdk.IResolvable | cdk.aws_wafv2.CfnWebACL.LabelProperty)[]
-  | undefined;
-  statement: cdk.IResolvable | cdk.aws_wafv2.CfnWebACL.StatementProperty;
-  visibilityConfig:
-  | cdk.IResolvable
-  | cdk.aws_wafv2.CfnWebACL.VisibilityConfigProperty;
+
+  waf_rule: cdk.aws_wafv2.CfnWebACL.RuleProperty;
+
+  allowed_countries: string[];
 
   constructor(props: IWafRuleProps) {
-    this.name = 'WafGeoBlockGreenList';
-    if (props.block) {
-      this.block = true;
-      this.action = {
-        block: {},
-      };
-    } else {
-      this.action = {
-        count: {},
-      };
-    }
-    this.block = props.block;
-    this.allowed_countries = props.allowed_countries;
     this.priority = props.priority;
-    this.count = props.count;
-    this.visibilityConfig = {
-      sampledRequestsEnabled: true,
-      cloudWatchMetricsEnabled: true,
-      metricName: 'WafGeoBlockGreenList',
-    };
-    this.statement = {
-      notStatement: {
-        statement: {
-          geoMatchStatement: {
-            countryCodes: props.allowed_countries,
+    this.allowed_countries = props.allowed_countries;
+    this.block = props.block;
+
+    this.waf_rule = {
+      name: 'WafGeoBlockGreenList',
+      priority: this.priority,
+      action: {
+        ...(this.block ? {
+          block: {
+          },
+        } : { count: {} }),
+      },
+      statement: {
+        notStatement: {
+          statement: {
+            geoMatchStatement: {
+              countryCodes: props.allowed_countries,
+            },
           },
         },
       },
+      visibilityConfig: {
+        sampledRequestsEnabled: true,
+        cloudWatchMetricsEnabled: true,
+        metricName: 'WafGeoBlockGreenList',
+      },
     };
   }
+
+  public rule(): cdk.aws_wafv2.CfnWebACL.RuleProperty {
+    return this.waf_rule;
+  }
 }