Create conditional rule in AWS::WAFv2::WebACL


I'm struggling to conditionally create a rule in an AWS::WAFv2::WebACL resource. I only want the specific rule to be created in the production environment, based on parameter input.

Here's my Condition statement.

Conditions:
  inProduction:
    !Equals
      - !Ref ACLEnvironment
      - production

And here's an attempt to add the rule. Other rules snipped for brevity.

Resources:
  # WAF ACL
  ourACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Ref ACLName
      DefaultAction:
        Allow: {}
      Description: !Sub "WAFv2 ACL - ${ACLName}"
      Scope: CLOUDFRONT
      VisibilityConfig:
        CloudWatchMetricsEnabled: false
        MetricName: !Ref ACLName
        SampledRequestsEnabled: false
      Rules:
        !If
          - inProduction
          - Name: publicRateLimit
            Condition: inProduction
            Action:
              Block: {}
            Priority: 7
            Statement:
              RateBasedStatement:
                AggregateKeyType: IP
                Limit: !Ref RateLimit
                ScopeDownStatement:
                  NotStatement:
                    Statement:
                      ByteMatchStatement:
                        FieldToMatch:
                          UriPath: {}
                        PositionalConstraint: STARTS_WITH
                        SearchString:
                          '/exemptedpath'
                        TextTransformations:
                          - Priority: 0
                            Type: LOWERCASE
            VisibilityConfig:
              SampledRequestsEnabled: false
              CloudWatchMetricsEnabled: false
              MetricName: publicRateLimit
          - !Ref AWS::NoValue
        - Name: NextRule
        [SNIP]

I also tried this, per this SO thread: https://stackoverflow.com/questions/56970457/how-to-use-fnif-with-array-values-in-cloud-formation-templates

Rules:
    !If
      - inProduction
      - - Name: publicRateLimit
          Action:
            Block: {}
          Priority: 7
          Statement:
            RateBasedStatement:
              AggregateKeyType: IP
              Limit: !Ref RateLimit
              ScopeDownStatement:
                NotStatement:
                  Statement:
                    ByteMatchStatement:
                      FieldToMatch:
                        UriPath: {}
                      PositionalConstraint: STARTS_WITH
                      SearchString:
                        '/exemptedpath'
                      TextTransformations:
                        - Priority: 0
                          Type: LOWERCASE
          VisibilityConfig:
            SampledRequestsEnabled: false
            CloudWatchMetricsEnabled: false
            MetricName: publicRateLimit
      - - !Ref AWS::NoValue

Both efforts return this from cfn-lint at line 69, which is the "- NextRule" line.

E0000 expected <block end>, but found '<block sequence start>'

Any suggestions greatly appreciated!

  • Michele

Edited by: mstuart2 on Sep 18, 2020 12:00 PM: Adding the error message

asked 3 years ago, 1017 views
1 Answer

Here's the magic. I wasn't setting up the "!If" within the list.

       - !If
          - inProduction
          - Name: publicRateLimit
            Action:
              Block: {}
            Priority: 7
            Statement:
              RateBasedStatement:
                AggregateKeyType: IP
                Limit: !Ref RateLimit
                ScopeDownStatement:
                  NotStatement:
                    Statement:
                      ByteMatchStatement:
                        FieldToMatch:
                          UriPath: {}
                        PositionalConstraint: STARTS_WITH
                        SearchString:
                          '/exemptedpath'
                        TextTransformations:
                          - Priority: 0
                            Type: LOWERCASE
            VisibilityConfig:
              SampledRequestsEnabled: false
              CloudWatchMetricsEnabled: false
              MetricName: publicRateLimit
          - !Ref AWS::NoValue
answered 3 years ago
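A complete template fragment built around the accepted fix, added here as an example rather than taken from the question or answer: the `!If` sits as one item of the Rules list, with `!Ref AWS::NoValue` as the else branch so the item is removed outside production, and an unconditional rule follows it. The `AllowedValues` on ACLEnvironment, the literal rate limit, the ACL name and the NextRule definition are constructed assumptions; the question's ScopeDownStatement exemption is left out for brevity.

```yaml
Parameters:
  ACLEnvironment:
    Type: String
    AllowedValues: [production, staging]   # only these values reach the condition
Conditions:
  inProduction: !Equals [!Ref ACLEnvironment, production]
Resources:
  ourACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: example-acl
      Rules:
        # The !If is itself a list item; when inProduction is false it
        # resolves to AWS::NoValue and is dropped from the Rules list.
        - !If
          - inProduction
          - Name: publicRateLimit
            Priority: 7
            Action:
              Block: {}
            Statement:
              RateBasedStatement:
                AggregateKeyType: IP
                Limit: 2000    # constructed value; requests per 5 minutes per IP
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: publicRateLimit
          - !Ref AWS::NoValue
        # Unconditional rule that follows; its Priority must stay unique.
        - Name: NextRule
          Priority: 10
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: NextRule
```

Deploying with ACLEnvironment=staging yields a web ACL containing only NextRule; with ACLEnvironment=production both rules are created, and the metric names make the rate-limit blocks visible in CloudWatch once the rule exists.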
