@jaypie/constructs 1.2.59 → 1.2.61

package/dist/esm/helpers/index.d.ts

@@ -19,3 +19,4 @@ export { resolveEnvironment, EnvironmentArrayItem, EnvironmentInput, } from "./r
 export { resolveHostedZone } from "./resolveHostedZone";
 export { resolveParamsAndSecrets } from "./resolveParamsAndSecrets";
 export { resolveSecrets, SecretsArrayItem, clearSecretsCache, clearAllSecretsCaches, } from "./resolveSecrets";
+export { assertValidWafRuleNames, AWS_MANAGED_RULE_GROUPS, } from "./wafManagedRuleNames";

package/dist/esm/helpers/jaypieLambdaEnv.d.ts

@@ -2,6 +2,7 @@ export interface JaypieLambdaEnvOptions {
     initialEnvironment?: {
         [key: string]: string;
     };
+    serviceTag?: string;
 }
 export declare function jaypieLambdaEnv(options?: JaypieLambdaEnvOptions): {
     [key: string]: string;

package/dist/esm/helpers/wafManagedRuleNames.d.ts

@@ -0,0 +1,33 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+export declare const AWS_MANAGED_RULE_GROUPS: Record<string, readonly string[]>;
+/** One entry in a `waf.allow` list. Mirrors JaypieWafAllowEntry structurally. */
+interface WafAllowEntryLike {
+    path: string | string[];
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
+interface AssertValidWafRuleNamesOptions {
+    allow?: WafAllowEntryLike | WafAllowEntryLike[];
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+}
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+export declare function assertValidWafRuleNames({ allow, managedRuleOverrides, }?: AssertValidWafRuleNamesOptions): void;
+export {};

package/dist/esm/index.js

@@ -702,7 +702,7 @@ function isValidSubdomain(subdomain) {
 }
 
 function jaypieLambdaEnv(options = {}) {
-    const { initialEnvironment = {} } = options;
+    const { initialEnvironment = {}, serviceTag } = options;
     // Start with empty environment - we'll only add valid values
     let environment = {};
     // First, add all valid string values from initialEnvironment
@@ -731,6 +731,11 @@ function jaypieLambdaEnv(options = {}) {
             environment[key] = defaultValue;
         }
     });
+    // Apply serviceTag as PROJECT_SERVICE unless explicitly overridden.
+    // Precedence: explicit environment > serviceTag > process.env.PROJECT_SERVICE
+    if (serviceTag && !environment.PROJECT_SERVICE) {
+        environment.PROJECT_SERVICE = serviceTag;
+    }
     // Default environment variables from process.env if present
     const defaultEnvVars = [
         "DATADOG_API_KEY_ARN",
@@ -1267,6 +1272,148 @@ function clearAllSecretsCaches() {
     // between test runs. For testing, use clearSecretsCache(scope) instead.
 }
 
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+const AWS_MANAGED_RULE_GROUPS = {
+    AWSManagedRulesAdminProtectionRuleSet: ["AdminProtection_URIPATH"],
+    AWSManagedRulesAmazonIpReputationList: [
+        "AWSManagedIPDDoSList",
+        "AWSManagedIPReputationList",
+        "AWSManagedReconnaissanceList",
+    ],
+    AWSManagedRulesAnonymousIpList: ["AnonymousIPList", "HostingProviderIPList"],
+    AWSManagedRulesCommonRuleSet: [
+        "CrossSiteScripting_BODY",
+        "CrossSiteScripting_COOKIE",
+        "CrossSiteScripting_QUERYARGUMENTS",
+        "CrossSiteScripting_URIPATH",
+        "EC2MetaDataSSRF_BODY",
+        "EC2MetaDataSSRF_COOKIE",
+        "EC2MetaDataSSRF_QUERYARGUMENTS",
+        "EC2MetaDataSSRF_URIPATH",
+        "GenericLFI_BODY",
+        "GenericLFI_QUERYARGUMENTS",
+        "GenericLFI_URIPATH",
+        "GenericRFI_BODY",
+        "GenericRFI_QUERYARGUMENTS",
+        "GenericRFI_URIPATH",
+        "NoUserAgent_HEADER",
+        "RestrictedExtensions_QUERYARGUMENTS",
+        "RestrictedExtensions_URIPATH",
+        "SizeRestrictions_BODY",
+        "SizeRestrictions_Cookie_HEADER",
+        "SizeRestrictions_QUERYSTRING",
+        "SizeRestrictions_URIPATH",
+        "UserAgent_BadBots_HEADER",
+    ],
+    AWSManagedRulesKnownBadInputsRuleSet: [
+        "ExploitablePaths_URIPATH",
+        "Host_localhost_HEADER",
+        "JavaDeserializationRCE_BODY",
+        "JavaDeserializationRCE_HEADER",
+        "JavaDeserializationRCE_QUERYSTRING",
+        "JavaDeserializationRCE_URIPATH",
+        "Log4JRCE_BODY",
+        "Log4JRCE_HEADER",
+        "Log4JRCE_QUERYSTRING",
+        "Log4JRCE_URIPATH",
+        "PROPFIND_METHOD",
+        "ReactJSRCE_BODY",
+    ],
+    AWSManagedRulesLinuxRuleSet: ["LFI_HEADER", "LFI_QUERYSTRING", "LFI_URIPATH"],
+    AWSManagedRulesPHPRuleSet: [
+        "PHPHighRiskMethodsVariables_BODY",
+        "PHPHighRiskMethodsVariables_HEADER",
+        "PHPHighRiskMethodsVariables_QUERYSTRING",
+        "PHPHighRiskMethodsVariables_URIPATH",
+    ],
+    AWSManagedRulesSQLiRuleSet: [
+        "SQLiExtendedPatterns_BODY",
+        "SQLiExtendedPatterns_HEADER",
+        "SQLiExtendedPatterns_QUERYARGUMENTS",
+        "SQLiExtendedPatterns_URIPATH",
+        "SQLi_BODY",
+        "SQLi_COOKIE",
+        "SQLi_QUERYARGUMENTS",
+        "SQLi_URIPATH",
+    ],
+    AWSManagedRulesUnixRuleSet: [
+        "UNIXShellCommandsVariables_BODY",
+        "UNIXShellCommandsVariables_HEADER",
+        "UNIXShellCommandsVariables_QUERYSTRING",
+    ],
+    AWSManagedRulesWindowsRuleSet: [
+        "PowerShellCommands_BODY",
+        "PowerShellCommands_COOKIE",
+        "PowerShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_BODY",
+        "WindowsShellCommands_HEADER",
+        "WindowsShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_QUERYSTRING",
+        "WindowsShellCommands_URIPATH",
+    ],
+    AWSManagedRulesWordPressRuleSet: [
+        "WordPressExploitableCommands_QUERYSTRING",
+        "WordPressExploitablePaths_URIPATH",
+    ],
+};
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+function assertValidWafRuleNames({ allow, managedRuleOverrides, } = {}) {
+    // Collect (group → referenced rule name) pairs from both inputs.
+    const references = [];
+    if (managedRuleOverrides) {
+        for (const [group, overrides] of Object.entries(managedRuleOverrides)) {
+            for (const override of overrides ?? []) {
+                if (override?.name)
+                    references.push({ group, ruleName: override.name });
+            }
+        }
+    }
+    const allowEntries = allow ? (Array.isArray(allow) ? allow : [allow]) : [];
+    for (const entry of allowEntries) {
+        for (const key of Object.keys(entry)) {
+            if (key === "path")
+                continue;
+            const raw = entry[key];
+            if (raw == null)
+                continue;
+            const ruleNames = Array.isArray(raw) ? raw : [raw];
+            for (const ruleName of ruleNames) {
+                references.push({ group: key, ruleName });
+            }
+        }
+    }
+    for (const { group, ruleName } of references) {
+        const validNames = AWS_MANAGED_RULE_GROUPS[group];
+        if (!validNames)
+            continue; // Unknown/custom group — cannot validate
+        if (!validNames.includes(ruleName)) {
+            throw new ConfigurationError(`WAF rule "${ruleName}" is not a rule in ${group}. AWS WAF matches ` +
+                `RuleActionOverrides on the exact rule name and silently ignores ` +
+                `unmatched names (note the label/name casing trap, e.g. ` +
+                `"NoUserAgent_HEADER" not "NoUserAgent_Header"). Valid rule names: ` +
+                `${validNames.join(", ")}.`);
+        }
+    }
+}
+
 class JaypieApiGateway extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
@@ -1460,7 +1607,7 @@ class JaypieLambda extends Construct {
         // Resolve environment from array or object syntax
         const initialEnvironment = resolveEnvironment(environmentInput);
         // Get base environment with defaults
-        const environment = jaypieLambdaEnv({ initialEnvironment });
+        const environment = jaypieLambdaEnv({ initialEnvironment, serviceTag });
         // Resolve secrets from mixed array (strings and JaypieSecret instances)
         // Use Stack.of(this) to ensure secrets are shared at stack level across all constructs
         const secrets = resolveSecrets(Stack.of(this), secretsInput);
@@ -2760,6 +2907,8 @@ class JaypieDistribution extends Construct {
             else {
                 // Create new WebACL
                 const { allow, managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES$1, rateLimitPerIp = DEFAULT_RATE_LIMIT$1, } = wafConfig;
+                // Fail synth on rule names AWS WAF would silently ignore (#362)
+                assertValidWafRuleNames({ allow, managedRuleOverrides });
                 const allowEntries = allow
                     ? Array.isArray(allow)
                         ? allow
@@ -4746,6 +4895,8 @@ class JaypieWebDeploymentBucket extends Construct {
                 }
                 else {
                     const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                    // Fail synth on rule names AWS WAF would silently ignore (#362)
+                    assertValidWafRuleNames({ managedRuleOverrides });
                     let priority = 0;
                     const rules = [];
                     for (const ruleName of managedRules) {
@@ -5419,5 +5570,5 @@ class JaypieWebSocketTable extends Construct {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSecret, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export { AWS_MANAGED_RULE_GROUPS, CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSecret, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, assertValidWafRuleNames, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map