@jaypie/constructs 1.2.46 → 1.2.48
|
@@ -42,6 +42,30 @@ export interface JaypieWafConfig {
|
|
|
42
42
|
* }
|
|
43
43
|
*/
|
|
44
44
|
managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
|
|
45
|
+
/**
|
|
46
|
+
* Optional scope-down statements per managed rule group. When supplied,
|
|
47
|
+
* the managed rule group only evaluates requests that match the
|
|
48
|
+
* scope-down statement. Key is the managed rule group name; value is a
|
|
49
|
+
* `CfnWebACL.StatementProperty`.
|
|
50
|
+
*
|
|
51
|
+
* @example
|
|
52
|
+
* // Only run AWSManagedRulesCommonRuleSet for non-/chat paths
|
|
53
|
+
* managedRuleScopeDowns: {
|
|
54
|
+
* AWSManagedRulesCommonRuleSet: {
|
|
55
|
+
* notStatement: {
|
|
56
|
+
* statement: {
|
|
57
|
+
* byteMatchStatement: {
|
|
58
|
+
* fieldToMatch: { uriPath: {} },
|
|
59
|
+
* positionalConstraint: "STARTS_WITH",
|
|
60
|
+
* searchString: "/chat",
|
|
61
|
+
* textTransformations: [{ priority: 0, type: "NONE" }],
|
|
62
|
+
* },
|
|
63
|
+
* },
|
|
64
|
+
* },
|
|
65
|
+
* },
|
|
66
|
+
* }
|
|
67
|
+
*/
|
|
68
|
+
managedRuleScopeDowns?: Record<string, wafv2.CfnWebACL.StatementProperty>;
|
|
45
69
|
/**
|
|
46
70
|
* Managed rule group names to apply
|
|
47
71
|
* @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]
|
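--- a/package/dist/cjs/index.cjs
+++ b/package/dist/cjs/index.cjs
@@ -2655,12 +2655,13 @@ class JaypieDistribution extends constructs.Construct {
 }
 else {
 // Create new WebACL
-const { managedRuleOverrides, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
 let priority = 0;
 const rules = [];
 // Add managed rule groups
 for (const ruleName of managedRules) {
 const ruleActionOverrides = managedRuleOverrides?.[ruleName];
+const scopeDownStatement = managedRuleScopeDowns?.[ruleName];
 rules.push({
 name: ruleName,
 priority: priority++,
@@ -2670,6 +2671,7 @@ class JaypieDistribution extends constructs.Construct {
 name: ruleName,
 vendorName: "AWS",
 ...(ruleActionOverrides && { ruleActionOverrides }),
+...(scopeDownStatement && { scopeDownStatement }),
 },
 },
 visibilityConfig: {
@@ -2682,7 +2684,7 @@ class JaypieDistribution extends constructs.Construct {
 // Add rate-based rule
 rules.push({
 name: "RateLimitPerIp",
-priority
+priority,
 action: { block: {} },
 statement: {
 rateBasedStatement: {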