scopeDownStatement error in yaml #2200

Open
a-hilaly opened this issue Oct 22, 2024 Discussed in #2197 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. service/wafv2 Indicates issues or PRs that are related to wafv2-controller.

Comments

@a-hilaly
Member

Discussed in #2197

Originally posted by vamsinm October 18, 2024
I am trying to create a WebACL with the following rule in it:

```hcl
rule {
    name     = "AWS-AWSManagedRulesBotControlRuleSet1"
    priority = 50

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesBotControlRuleSet"

        scope_down_statement {
          and_statement {
            statement {
              byte_match_statement {
                search_string = "api/answer"
                field_to_match {
                  uri_path {}
                }
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
                positional_constraint = "CONTAINS"
              }
            }
            statement {
              not_statement {
                statement {
                  byte_match_statement {
                    search_string = "OPTIONS"
                    field_to_match {
                      method {}
                    }
                    text_transformation {
                      priority = 0
                      type     = "NONE"
                    }
                    positional_constraint = "CONTAINS_WORD"
                  }
                }
              }
            }
          }
        }

        managed_rule_group_configs {
          aws_managed_rules_bot_control_rule_set {
            inspection_level = "TARGETED"
          }
        }

        rule_action_override {
          name = "TGT_VolumetricSession"
          action_to_use {
            count {}
          }
        }
        rule_action_override {
          name = "TGT_VolumetricIpTokenAbsent"
          action_to_use {
            count {}
          }
        }
        rule_action_override {
          name = "TGT_SignalAutomatedBrowser"
          action_to_use {
            count {}
          }
        }
        rule_action_override {
          name = "TGT_SignalBrowserInconsistency"
          action_to_use {
            count {}
          }
        }

        # This is for testing only. It should be removed before production.
        rule_action_override {
          name = "SignalNonBrowserUserAgent"
          action_to_use {
            count {}
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesBotControlRuleSet"
      sampled_requests_enabled   = true
    }
  }
```

I have tried:

```yaml
apiVersion: wafv2.services.k8s.aws/v1alpha1
kind: WebACL
metadata:
  creationTimestamp: '2024-10-18T15:30:53Z'
  name: webacl-operator-example
  namespace: dev
spec:
  defaultAction:
    allow: {}
  description: created with operator
  name: webacl-operator-example
  rules:
    - action:
        block: {}
      name: AWS-AWSManagedRulesBotControlRuleSet-operator
      priority: 50
      statement:
        managedRuleGroupStatement:
          managedRuleGroupConfigs:
            - awsManagedRulesBotControlRuleSet:
                inspectionLevel: TARGETED
          name: AWSManagedRulesBotControlRuleSet
          ruleActionOverrides:
            - actionToUse:
                count: {}
              name: TGT_VolumetricSession
            - actionToUse:
                count: {}
              name: TGT_VolumetricIpTokenAbsent
            - actionToUse:
                count: {}
              name: TGT_SignalAutomatedBrowser
            - actionToUse:
                count: {}
              name: TGT_SignalBrowserInconsistency
            - actionToUse:
                count: {}
              name: SignalNonBrowserUserAgent
          scopeDownStatement: |
            andStatement: |
              statements:
                - byteMatchStatement:
                    fieldToMatch:
                      uri_path: {}
                    textTransformations:
                      - type: NONE
                        priority: 0
                    positionalConstraint: CONTAINS
                - notStatement:
                    statement:
                      byteMatchStatement:
                        fieldToMatch:
                          method: {}
                        positionalConstraint: CONTAINS_WORD
                        searchString: OPTIONS
                        textTransformations:
                          - type: NONE
                            priority: 0
          vendorName: AWS
      visibilityConfig:
        cloudWatchMetricsEnabled: true
        metricName: AWS-AWSManagedRulesBotControlRuleSet
        sampledRequestsEnabled: true
  scope: REGIONAL
  visibilityConfig:
    cloudWatchMetricsEnabled: false
    metricName: my-metric
    sampledRequestsEnabled: false
status:
  ackResourceMetadata:
    ownerAccountID: 065028161476
    region: us-east-1
  conditions:
    - message: 'error unmarshaling JSON: json: cannot unmarshal string into Go struct field Statement.AndStatement of type wafv2.AndStatement'
      status: 'True'
      type: ACK.Recoverable
    - lastTransitionTime: '2024-10-18T17:16:04Z'
      message: Unable to determine if desired resource state matches latest observed state
      reason: 'error unmarshaling JSON: json: cannot unmarshal string into Go struct field Statement.AndStatement of type wafv2.AndStatement'
      status: Unknown
      type: ACK.ResourceSynced
```

Seeing the following error: `message: 'error unmarshaling JSON: json: cannot unmarshal string into Go struct field Statement.AndStatement of type wafv2.AndStatement'`

Any suggestions on how to use scopeDownStatement?

@a-hilaly a-hilaly added kind/bug Categorizes issue or PR as related to a bug. service/wafv2 Indicates issues or PRs that are related to wafv2-controller. labels Oct 22, 2024
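The error text in the status conditions ("cannot unmarshal string into Go struct field Statement.AndStatement") says a JSON string arrived where an object was expected. In the posted manifest, `scopeDownStatement: |` and `andStatement: |` are YAML literal block-scalar indicators, so everything indented beneath them is parsed as one multi-line string rather than as nested mappings. The Ruby script below is an added example, not code from the issue or from the ACK project: it parses a constructed fragment in the posted shape, shows that the value is a String, parses the same fragment with the `|` indicators removed, and includes a small lint that walks a manifest and flags any statement key whose value is a String, which is a useful pre-apply check for WebACL manifests in general. The field names `uriPath` and `searchString` in the fragment, and the idea that the controller serialises the object to JSON before decoding it into Go structs, are assumptions of this example, not facts from the issue.

```ruby
require 'yaml'
require 'json'

# Constructed fragment that reproduces the shape posted in the issue: the `|`
# after scopeDownStatement makes everything beneath it a literal block scalar,
# i.e. one multi-line String rather than nested mappings.
# (`uriPath` and `searchString` are assumed field names, not taken from the issue.)
BROKEN_SCOPE_DOWN = <<~YAML
  scopeDownStatement: |
    andStatement: |
      statements:
        - byteMatchStatement:
            fieldToMatch:
              uriPath: {}
            positionalConstraint: CONTAINS
            searchString: api/answer
            textTransformations:
              - type: NONE
                priority: 0
YAML

# Same content with the block-scalar indicators removed, so YAML yields mappings.
FIXED_SCOPE_DOWN = <<~YAML
  scopeDownStatement:
    andStatement:
      statements:
        - byteMatchStatement:
            fieldToMatch:
              uriPath: {}
            positionalConstraint: CONTAINS
            searchString: api/answer
            textTransformations:
              - type: NONE
                priority: 0
        - notStatement:
            statement:
              byteMatchStatement:
                fieldToMatch:
                  method: {}
                positionalConstraint: CONTAINS_WORD
                searchString: OPTIONS
                textTransformations:
                  - type: NONE
                    priority: 0
YAML

# Keys that name a nested WAFv2 statement; a String under any of them means a
# stray `|` or `>` turned the mapping into text.
STATEMENT_KEYS = %w[scopeDownStatement andStatement orStatement notStatement
                    statement statements byteMatchStatement].freeze

# Recursively collect dotted paths where a statement key holds a String.
def block_scalar_statements(node, path = [])
  findings = []
  case node
  when Hash
    node.each do |key, value|
      child = path + [key.to_s]
      if STATEMENT_KEYS.include?(key.to_s) && value.is_a?(String)
        findings << child.join('.')
      else
        findings.concat(block_scalar_statements(value, child))
      end
    end
  when Array
    node.each_with_index do |value, i|
      findings.concat(block_scalar_statements(value, path + [i.to_s]))
    end
  end
  findings
end

# Lint a manifest fragment before applying it; returns the offending paths.
def check_statements(yaml_text)
  block_scalar_statements(YAML.safe_load(yaml_text))
end

# Assumed model of the controller's failure (not verified against ACK code):
# the object is serialised to JSON and decoded into Go structs, so a block
# scalar arrives as a JSON string where an object (AndStatement) is required.
def scope_down_json_kind(yaml_text)
  value = JSON.parse(JSON.generate(YAML.safe_load(yaml_text)))['scopeDownStatement']
  value.is_a?(String) ? 'string' : 'object'
end

if __FILE__ == $PROGRAM_NAME
  puts "broken: #{check_statements(BROKEN_SCOPE_DOWN).inspect} (#{scope_down_json_kind(BROKEN_SCOPE_DOWN)})"
  puts "fixed:  #{check_statements(FIXED_SCOPE_DOWN).inspect} (#{scope_down_json_kind(FIXED_SCOPE_DOWN)})"
end
```

Running `check_statements` over a whole `spec:` before `kubectl apply` catches this class of mistake locally, long before the controller reports an `ACK.Recoverable` condition; the list in `STATEMENT_KEYS` can be extended with any other nested-statement field names used in the manifests you manage.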