@jaypie/constructs 1.2.59 → 1.2.60

package/dist/esm/helpers/index.d.ts

@@ -19,3 +19,4 @@ export { resolveEnvironment, EnvironmentArrayItem, EnvironmentInput, } from "./r
 export { resolveHostedZone } from "./resolveHostedZone";
 export { resolveParamsAndSecrets } from "./resolveParamsAndSecrets";
 export { resolveSecrets, SecretsArrayItem, clearSecretsCache, clearAllSecretsCaches, } from "./resolveSecrets";
+export { assertValidWafRuleNames, AWS_MANAGED_RULE_GROUPS, } from "./wafManagedRuleNames";

package/dist/esm/helpers/wafManagedRuleNames.d.ts

@@ -0,0 +1,33 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+export declare const AWS_MANAGED_RULE_GROUPS: Record<string, readonly string[]>;
+/** One entry in a `waf.allow` list. Mirrors JaypieWafAllowEntry structurally. */
+interface WafAllowEntryLike {
+    path: string | string[];
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
+interface AssertValidWafRuleNamesOptions {
+    allow?: WafAllowEntryLike | WafAllowEntryLike[];
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+}
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+export declare function assertValidWafRuleNames({ allow, managedRuleOverrides, }?: AssertValidWafRuleNamesOptions): void;
+export {};

package/dist/esm/index.js

@@ -1267,6 +1267,148 @@ function clearAllSecretsCaches() {
     // between test runs. For testing, use clearSecretsCache(scope) instead.
 }
 
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+const AWS_MANAGED_RULE_GROUPS = {
+    AWSManagedRulesAdminProtectionRuleSet: ["AdminProtection_URIPATH"],
+    AWSManagedRulesAmazonIpReputationList: [
+        "AWSManagedIPDDoSList",
+        "AWSManagedIPReputationList",
+        "AWSManagedReconnaissanceList",
+    ],
+    AWSManagedRulesAnonymousIpList: ["AnonymousIPList", "HostingProviderIPList"],
+    AWSManagedRulesCommonRuleSet: [
+        "CrossSiteScripting_BODY",
+        "CrossSiteScripting_COOKIE",
+        "CrossSiteScripting_QUERYARGUMENTS",
+        "CrossSiteScripting_URIPATH",
+        "EC2MetaDataSSRF_BODY",
+        "EC2MetaDataSSRF_COOKIE",
+        "EC2MetaDataSSRF_QUERYARGUMENTS",
+        "EC2MetaDataSSRF_URIPATH",
+        "GenericLFI_BODY",
+        "GenericLFI_QUERYARGUMENTS",
+        "GenericLFI_URIPATH",
+        "GenericRFI_BODY",
+        "GenericRFI_QUERYARGUMENTS",
+        "GenericRFI_URIPATH",
+        "NoUserAgent_HEADER",
+        "RestrictedExtensions_QUERYARGUMENTS",
+        "RestrictedExtensions_URIPATH",
+        "SizeRestrictions_BODY",
+        "SizeRestrictions_Cookie_HEADER",
+        "SizeRestrictions_QUERYSTRING",
+        "SizeRestrictions_URIPATH",
+        "UserAgent_BadBots_HEADER",
+    ],
+    AWSManagedRulesKnownBadInputsRuleSet: [
+        "ExploitablePaths_URIPATH",
+        "Host_localhost_HEADER",
+        "JavaDeserializationRCE_BODY",
+        "JavaDeserializationRCE_HEADER",
+        "JavaDeserializationRCE_QUERYSTRING",
+        "JavaDeserializationRCE_URIPATH",
+        "Log4JRCE_BODY",
+        "Log4JRCE_HEADER",
+        "Log4JRCE_QUERYSTRING",
+        "Log4JRCE_URIPATH",
+        "PROPFIND_METHOD",
+        "ReactJSRCE_BODY",
+    ],
+    AWSManagedRulesLinuxRuleSet: ["LFI_HEADER", "LFI_QUERYSTRING", "LFI_URIPATH"],
+    AWSManagedRulesPHPRuleSet: [
+        "PHPHighRiskMethodsVariables_BODY",
+        "PHPHighRiskMethodsVariables_HEADER",
+        "PHPHighRiskMethodsVariables_QUERYSTRING",
+        "PHPHighRiskMethodsVariables_URIPATH",
+    ],
+    AWSManagedRulesSQLiRuleSet: [
+        "SQLiExtendedPatterns_BODY",
+        "SQLiExtendedPatterns_HEADER",
+        "SQLiExtendedPatterns_QUERYARGUMENTS",
+        "SQLiExtendedPatterns_URIPATH",
+        "SQLi_BODY",
+        "SQLi_COOKIE",
+        "SQLi_QUERYARGUMENTS",
+        "SQLi_URIPATH",
+    ],
+    AWSManagedRulesUnixRuleSet: [
+        "UNIXShellCommandsVariables_BODY",
+        "UNIXShellCommandsVariables_HEADER",
+        "UNIXShellCommandsVariables_QUERYSTRING",
+    ],
+    AWSManagedRulesWindowsRuleSet: [
+        "PowerShellCommands_BODY",
+        "PowerShellCommands_COOKIE",
+        "PowerShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_BODY",
+        "WindowsShellCommands_HEADER",
+        "WindowsShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_QUERYSTRING",
+        "WindowsShellCommands_URIPATH",
+    ],
+    AWSManagedRulesWordPressRuleSet: [
+        "WordPressExploitableCommands_QUERYSTRING",
+        "WordPressExploitablePaths_URIPATH",
+    ],
+};
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+function assertValidWafRuleNames({ allow, managedRuleOverrides, } = {}) {
+    // Collect (group → referenced rule name) pairs from both inputs.
+    const references = [];
+    if (managedRuleOverrides) {
+        for (const [group, overrides] of Object.entries(managedRuleOverrides)) {
+            for (const override of overrides ?? []) {
+                if (override?.name)
+                    references.push({ group, ruleName: override.name });
+            }
+        }
+    }
+    const allowEntries = allow ? (Array.isArray(allow) ? allow : [allow]) : [];
+    for (const entry of allowEntries) {
+        for (const key of Object.keys(entry)) {
+            if (key === "path")
+                continue;
+            const raw = entry[key];
+            if (raw == null)
+                continue;
+            const ruleNames = Array.isArray(raw) ? raw : [raw];
+            for (const ruleName of ruleNames) {
+                references.push({ group: key, ruleName });
+            }
+        }
+    }
+    for (const { group, ruleName } of references) {
+        const validNames = AWS_MANAGED_RULE_GROUPS[group];
+        if (!validNames)
+            continue; // Unknown/custom group — cannot validate
+        if (!validNames.includes(ruleName)) {
+            throw new ConfigurationError(`WAF rule "${ruleName}" is not a rule in ${group}. AWS WAF matches ` +
+                `RuleActionOverrides on the exact rule name and silently ignores ` +
+                `unmatched names (note the label/name casing trap, e.g. ` +
+                `"NoUserAgent_HEADER" not "NoUserAgent_Header"). Valid rule names: ` +
+                `${validNames.join(", ")}.`);
+        }
+    }
+}
+
 class JaypieApiGateway extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
@@ -2760,6 +2902,8 @@ class JaypieDistribution extends Construct {
             else {
                 // Create new WebACL
                 const { allow, managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES$1, rateLimitPerIp = DEFAULT_RATE_LIMIT$1, } = wafConfig;
+                // Fail synth on rule names AWS WAF would silently ignore (#362)
+                assertValidWafRuleNames({ allow, managedRuleOverrides });
                 const allowEntries = allow
                     ? Array.isArray(allow)
                         ? allow
@@ -4746,6 +4890,8 @@ class JaypieWebDeploymentBucket extends Construct {
                 }
                 else {
                     const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                    // Fail synth on rule names AWS WAF would silently ignore (#362)
+                    assertValidWafRuleNames({ managedRuleOverrides });
                     let priority = 0;
                     const rules = [];
                     for (const ruleName of managedRules) {
@@ -5419,5 +5565,5 @@ class JaypieWebSocketTable extends Construct {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSecret, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export { AWS_MANAGED_RULE_GROUPS, CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSecret, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, assertValidWafRuleNames, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map