feat(client-wafv2): For web ACLs that protect CloudFront protections,…
… the default request body inspection size is now 16 KB, and you can use the new association configuration to increase the inspection size further, up to 64 KB. Sizes over 16 KB can incur additional costs.
awstools committed Apr 3, 2023
1 parent 11ea352 commit e11d2f9
Showing 14 changed files with 744 additions and 879 deletions.
2 changes: 1 addition & 1 deletion clients/client-wafv2/README.md
Expand Up @@ -39,7 +39,7 @@ Guide</a>.</p>
<ul>
<li>
<p>For regional applications, you can use any of the endpoints in the list.
A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service. </p>
A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
</li>
<li>
<p>For Amazon CloudFront applications, you must use the API endpoint listed for
24 changes: 13 additions & 11 deletions clients/client-wafv2/src/WAFV2.ts
Expand Up @@ -242,7 +242,7 @@ import { WAFV2Client } from "./WAFV2Client";
* <ul>
* <li>
* <p>For regional applications, you can use any of the endpoints in the list.
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service. </p>
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
* </li>
* <li>
* <p>For Amazon CloudFront applications, you must use the API endpoint listed for
Expand Down Expand Up @@ -276,10 +276,10 @@ export class WAFV2 extends WAFV2Client {
/**
* @public
* <p>Associates a web ACL with a regional application resource, to protect the resource.
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service. </p>
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
* <p>For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
* associate a web ACL, in the CloudFront call <code>UpdateDistribution</code>, set the web ACL ID
* to the Amazon Resource Name (ARN) of the web ACL. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
* to the Amazon Resource Name (ARN) of the web ACL. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a> in the <i>Amazon CloudFront Developer Guide</i>. </p>
* <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
*/
public associateWebACL(
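Review bot: In the `associateWebACL` doc comment, the added text attributes the `UpdateDistribution` link to the <i>Amazon CloudFront Developer Guide</i>, but the href points at `.../cloudfront/latest/APIReference/API_UpdateDistribution.html`, and the `deleteWebACL` and `disassociateWebACL` comments in this same commit label the identical URL as the <i>Amazon CloudFront API Reference</i>. Suggest changing this one to `in the <i>Amazon CloudFront API Reference</i>` so every reference to the link agrees.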
Expand Down Expand Up @@ -323,8 +323,8 @@ export class WAFV2 extends WAFV2Client {
* Simple rules that cost little to run use fewer WCUs than more complex rules
* that use more processing power.
* Rule group capacity is fixed at creation, which helps users plan their
* web ACL WCU usage when they use a rule group.
* The WCU limit for web ACLs is 1,500. </p>
* web ACL WCU usage when they use a rule group. For more information, see <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-waf-capacity-units.html">WAF web ACL capacity units (WCU)</a>
* in the <i>WAF Developer Guide</i>. </p>
*/
public checkCapacity(
args: CheckCapacityCommandInput,
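Review bot: The `checkCapacity` comment drops the sentence `The WCU limit for web ACLs is 1,500.` in favour of a link, a documentation change that the commit message, which covers only request body inspection size, does not mention. If the figure was removed because it no longer holds, say so in the commit message or changelog; readers who planned rule group capacity against the inline number now have to follow the link to find the current limit.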
Expand Down Expand Up @@ -456,7 +456,7 @@ export class WAFV2 extends WAFV2Client {
/**
* @public
* <p>Creates a <a>WebACL</a> per the specifications provided.</p>
* <p> A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types <a>Rule</a>, <a>RuleGroup</a>, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service. </p>
* <p> A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types <a>Rule</a>, <a>RuleGroup</a>, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
*/
public createWebACL(
args: CreateWebACLCommandInput,
Expand Down Expand Up @@ -696,7 +696,8 @@ export class WAFV2 extends WAFV2Client {
* </li>
* <li>
* <p>For Amazon CloudFront distributions, use the CloudFront call
* <code>ListDistributionsByWebACLId</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html">ListDistributionsByWebACLId</a>.</p>
* <code>ListDistributionsByWebACLId</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html">ListDistributionsByWebACLId</a>
* in the <i>Amazon CloudFront API Reference</i>. </p>
* </li>
* </ul>
* </li>
Expand All @@ -708,7 +709,8 @@ export class WAFV2 extends WAFV2Client {
* </li>
* <li>
* <p>For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call
* <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
* <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>
* in the <i>Amazon CloudFront API Reference</i>. </p>
* </li>
* </ul>
* </li>
Expand Down Expand Up @@ -778,10 +780,10 @@ export class WAFV2 extends WAFV2Client {
/**
* @public
* <p>Disassociates the specified regional application resource from any existing web ACL
* association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service. </p>
* association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
* <p>For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
* disassociate a web ACL, provide an empty web ACL ID in the CloudFront call
* <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
* <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a> in the <i>Amazon CloudFront API Reference</i>. </p>
*/
public disassociateWebACL(
args: DisassociateWebACLCommandInput,
Expand Down Expand Up @@ -2045,7 +2047,7 @@ export class WAFV2 extends WAFV2Client {
* </ol>
* </note>
* <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
* <p> A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types <a>Rule</a>, <a>RuleGroup</a>, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service. </p>
* <p> A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types <a>Rule</a>, <a>RuleGroup</a>, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
*/
public updateWebACL(
args: UpdateWebACLCommandInput,
2 changes: 1 addition & 1 deletion clients/client-wafv2/src/WAFV2Client.ts
Expand Up @@ -479,7 +479,7 @@ export interface WAFV2ClientResolvedConfig extends WAFV2ClientResolvedConfigType
* <ul>
* <li>
* <p>For regional applications, you can use any of the endpoints in the list.
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service. </p>
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
* </li>
* <li>
* <p>For Amazon CloudFront applications, you must use the API endpoint listed for
4 changes: 2 additions & 2 deletions clients/client-wafv2/src/commands/AssociateWebACLCommand.ts
Expand Up @@ -36,10 +36,10 @@ export interface AssociateWebACLCommandOutput extends AssociateWebACLResponse, _
/**
* @public
* <p>Associates a web ACL with a regional application resource, to protect the resource.
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service. </p>
* A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
* <p>For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
* associate a web ACL, in the CloudFront call <code>UpdateDistribution</code>, set the web ACL ID
* to the Amazon Resource Name (ARN) of the web ACL. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
* to the Amazon Resource Name (ARN) of the web ACL. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a> in the <i>Amazon CloudFront Developer Guide</i>. </p>
* <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
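Review bot: The guide name added after the `UpdateDistribution` link in `AssociateWebACLCommand.ts` does not match the link target: the text says <i>Amazon CloudFront Developer Guide</i> while the href is under `/cloudfront/latest/APIReference/`. `DeleteWebACLCommand.ts` in this commit calls the same URL the <i>Amazon CloudFront API Reference</i>; use that wording here as well.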
4 changes: 2 additions & 2 deletions clients/client-wafv2/src/commands/CheckCapacityCommand.ts
Expand Up @@ -45,8 +45,8 @@ export interface CheckCapacityCommandOutput extends CheckCapacityResponse, __Met
* Simple rules that cost little to run use fewer WCUs than more complex rules
* that use more processing power.
* Rule group capacity is fixed at creation, which helps users plan their
* web ACL WCU usage when they use a rule group.
* The WCU limit for web ACLs is 1,500. </p>
* web ACL WCU usage when they use a rule group. For more information, see <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-waf-capacity-units.html">WAF web ACL capacity units (WCU)</a>
* in the <i>WAF Developer Guide</i>. </p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
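Review bot: As in the `WAFV2.ts` copy of this comment, `CheckCapacityCommand.ts` loses the line `The WCU limit for web ACLs is 1,500.` with no explanation in the commit message. The two copies stay in sync, which is good, but the removal of a stated limit deserves a line in the commit description so consumers of the docs know the number should no longer be relied on.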
9 changes: 8 additions & 1 deletion clients/client-wafv2/src/commands/CreateWebACLCommand.ts
Expand Up @@ -36,7 +36,7 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad
/**
* @public
* <p>Creates a <a>WebACL</a> per the specifications provided.</p>
* <p> A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types <a>Rule</a>, <a>RuleGroup</a>, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service. </p>
* <p> A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types <a>Rule</a>, <a>RuleGroup</a>, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. </p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
Expand Down Expand Up @@ -802,6 +802,13 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad
* TokenDomains: [ // TokenDomains
* "STRING_VALUE",
* ],
* AssociationConfig: { // AssociationConfig
* RequestBody: { // RequestBody
* "<keys>": { // RequestBodyAssociatedResourceTypeConfig
* DefaultSizeInspectionLimit: "KB_16" || "KB_32" || "KB_48" || "KB_64", // required
* },
* },
* },
* };
* const command = new CreateWebACLCommand(input);
* const response = await client.send(command);
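Review bot: The new `AssociationConfig.RequestBody` entry in the example uses the placeholder key `"<keys>"` without indicating which resource types are valid keys, and the `CreateWebACLCommand` doc comment above it is not updated to explain the setting. The commit message says the setting applies to web ACLs that protect CloudFront and that sizes over 16 KB can incur additional costs; suggest carrying both points into the doc comment or the inline comment beside `DefaultSizeInspectionLimit`, since this value decides how much of each request body the web ACL inspects.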
6 changes: 4 additions & 2 deletions clients/client-wafv2/src/commands/DeleteWebACLCommand.ts
Expand Up @@ -50,7 +50,8 @@ export interface DeleteWebACLCommandOutput extends DeleteWebACLResponse, __Metad
* </li>
* <li>
* <p>For Amazon CloudFront distributions, use the CloudFront call
* <code>ListDistributionsByWebACLId</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html">ListDistributionsByWebACLId</a>.</p>
* <code>ListDistributionsByWebACLId</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html">ListDistributionsByWebACLId</a>
* in the <i>Amazon CloudFront API Reference</i>. </p>
* </li>
* </ul>
* </li>
Expand All @@ -62,7 +63,8 @@ export interface DeleteWebACLCommandOutput extends DeleteWebACLResponse, __Metad
* </li>
* <li>
* <p>For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call
* <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
* <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>
* in the <i>Amazon CloudFront API Reference</i>. </p>
* </li>
* </ul>
* </li>