python amazon-web-services aws-cdk web-application-firewall amazon-waf

CDK WAF Python Multiple Statement velues error

I have AWS WAF CDK that is working with rules, and now I'm trying to add a rule in WAF with multiple statements, but I'm getting this error:

Resource handler returned message: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: STATEMENT, parameter: Statement (Service: Wafv2, Status Code: 400, Request ID: 6a36bfe2-543c-458a-9571-e929142f5df1, Extended Request ID: null)" (RequestToken: b751ae12-bb60-bb75-86c0-346926687ea4, HandlerErrorCode: InvalidRequest)

My Code:

                {
            'name': 'ruleName',
            'priority': 3,
            'statement': {
                'orStatement': {
                    'statements': [
                        {
                            'iPSetReferenceStatement': {
                                'arn': 'arn:myARN'
                                }
                        },
                                {
                            'iPSetReferenceStatement': {
                                'arn': 'arn:myARN'
                                }
                        }
                ]
                }
                },
                'action': {
                   'allow': {}
            },
              'visibilityConfig': {
                  'sampledRequestsEnabled': True,
                   'cloudWatchMetricsEnabled': True,
                  'metricName': 'ruleName'
               }
              },

Solution

There are two things going on there: Firstly, your capitalization is off. iPSetReferenceStatement cannot be parsed and creates an empty statement reference. The correct key is ipSetReferenceStatement.

However, as mentioned here, there is a jsii implementation bug causing some issues with the IPSetReferenceStatementProperty. This causes it not to be parsed properly resulting in a jsii error when synthesizing.

You can fix it by using the workaround mentioned in the post.

Add to your file containing the construct:

import jsii
from aws_cdk import aws_wafv2 as wafv2 # just for clarity, you might already have this imported


@jsii.implements(wafv2.CfnRuleGroup.IPSetReferenceStatementProperty)
class IPSetReferenceStatement:
    @property
    def arn(self):
        return self._arn

    @arn.setter
    def arn(self, value):
        self._arn = value

Then define your ip reference statement as follows:

ip_set_ref_stmnt = IPSetReferenceStatement()
ip_set_ref_stmnt.arn = "arn:aws:..."

ip_set_ref_stmnt_2 = IPSetReferenceStatement()
ip_set_ref_stmnt_2.arn = "arn:aws:..."

Then in the rules section of the webacl, you can use it as follows:

...
            rules=[
                {
                    'name': 'ruleName',
                    'priority': 3,
                    'statement': {
                        'orStatement': {
                            'statements': [
                                wafv2.CfnWebACL.StatementProperty(
                                    ip_set_reference_statement=ip_set_ref_stmnt
                                ),
                                wafv2.CfnWebACL.StatementProperty(
                                    ip_set_reference_statement=ip_set_ref_stmnt_2
                                ),
                            ]
                        }
                    },
                    'action': {
                        'allow': {}
                    },
                    'visibilityConfig': {
                        'sampledRequestsEnabled': True,
                        'cloudWatchMetricsEnabled': True,
                        'metricName': 'ruleName'
                    }
                }
            ]
...

This should synthesize your stack as expected.