Add python example

Author: Jaap Haitsma

.eslintignore

@@ -67,6 +67,7 @@ new TextFile(project, ".eslintignore", {
     '# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen"',
     ...managedFiles,
     "example/",
+    "*.md",
   ],
 });
 

.projenrc.ts

@@ -1,10 +1,10 @@
 # WAF HTTP API
 
-
 A CDK construct that fronts an HTTP API with a CloudFront distribution and protects it with AWS WAF.
 
 [![npm version](https://badge.fury.io/js/waf-http-api.svg)](https://badge.fury.io/js/waf-http-api)
 [![PyPI version](https://badge.fury.io/py/waf-http-api.svg)](https://badge.fury.io/py/waf-http-api)
+
 ## Features
 
 - **Enhanced Security:** Protects your HTTP API with AWS WAF rules
@@ -29,6 +29,24 @@ npm install waf-http-api
 pip install waf-http-api
 ```
 
+## Examples
+
+Complete working examples demonstrating the usage of `waf-http-api` can be found in the [`example/`](./example/) directory:
+
+- **[TypeScript Example](./example/typescript/)**: Full CDK application with Node.js 22 Lambda, comprehensive tests, and deployment scripts
+- **[Python Example](./example/python/)**: Complete CDK application with Python 3.12 Lambda, pytest test suite, and development tools
+
+Both examples include:
+
+- ✅ Complete CDK stacks using the `WafHttpApi` construct
+- ✅ Lambda functions with origin verification
+- ✅ HTTP API Gateway with multiple routes
+- ✅ Comprehensive test suites
+- ✅ Build and deployment scripts
+- ✅ Detailed documentation
+
+These examples serve as practical references for implementing WAF-protected HTTP APIs in production environments.
+
 ## Usage
 
 ### Basic Usage

README.md

@@ -0,0 +1,10 @@
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.venv
+*.egg-info
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

example/python/.gitignore

@@ -0,0 +1,45 @@
+# Makefile for WAF HTTP API Python Example
+
+.PHONY: help install test build deploy synth destroy clean
+
+help: ## Show this help message
+	@echo "WAF HTTP API Python Example"
+	@echo "Available commands:"
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "  %-15s %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+install: ## Install dependencies
+	@echo "📦 Installing dependencies..."
+	@source .venv/bin/activate && pip install -r requirements.txt
+	@source .venv/bin/activate && pip install -r requirements-dev.txt
+
+test: ## Run tests
+	@echo "🧪 Running tests..."
+	@source .venv/bin/activate && pytest -v
+
+build: ## Build (synthesize CloudFormation template)
+	@echo "🔧 Synthesizing CloudFormation template..."
+	@source .venv/bin/activate && cdk synth
+
+deploy: ## Deploy to AWS
+	@echo "🚀 Deploying to AWS..."
+	@source .venv/bin/activate && cdk deploy --require-approval never
+
+synth: build ## Alias for build
+
+destroy: ## Destroy AWS resources
+	@echo "🗑️  Destroying AWS resources..."
+	@source .venv/bin/activate && cdk destroy --force
+
+clean: ## Clean build artifacts
+	@echo "🧹 Cleaning build artifacts..."
+	@rm -rf cdk.out/
+	@rm -rf .pytest_cache/
+	@find . -type d -name "__pycache__" -exec rm -rf {} +
+	@find . -type f -name "*.pyc" -delete
+
+setup: ## Initial setup (create venv and install dependencies)
+	@echo "🏗️  Setting up Python environment..."
+	@python3 -m venv .venv
+	@source .venv/bin/activate && pip install --upgrade pip
+	@make install
+	@echo "✅ Setup complete! Run 'source .venv/bin/activate' to activate the virtual environment."

example/python/Makefile

@@ -0,0 +1,221 @@
+# WAF HTTP API Python Example
+
+This is a Python CDK example that demonstrates how to use the `waf-http-api` construct to create a WAF-protected HTTP API.
+
+## Architecture
+
+This example creates:
+
+- **Lambda Function**: Python 3.12 runtime that returns a greeting with request information
+- **HTTP API Gateway**: RESTful API with multiple routes (`/` and `/hello`)
+- **WafHttpApi Construct**: Automatically creates CloudFront distribution and WAF WebACL
+- **Origin Verification**: Secret header mechanism to ensure requests come through CloudFront
+
+## Features
+
+- ✅ **Python 3.12 Lambda Runtime**: Latest Python runtime for optimal performance
+- ✅ **WafHttpApi Construct**: Uses the official `waf-http-api` package for simplified setup
+- ✅ **Comprehensive Security**: WAF protection with IP reputation and common rule sets
+- ✅ **Origin Verification**: CloudFront adds secret headers to verify legitimate requests
+- ✅ **Multiple HTTP Methods**: Supports GET and POST requests
+- ✅ **CORS Support**: Configured for cross-origin requests
+- ✅ **Detailed Logging**: Request information and verification status
+- ✅ **Infrastructure as Code**: Fully defined using AWS CDK Python
+
+## Prerequisites
+
+- Python 3.8 or later
+- AWS CDK CLI installed (`npm install -g aws-cdk`)
+- AWS credentials configured
+
+## Setup
+
+1. **Create and activate virtual environment**:
+
+   ```bash
+   python3 -m venv .venv
+   source .venv/bin/activate  # On Windows: .venv\Scripts\activate.bat
+   ```
+
+2. **Install dependencies**:
+
+   ```bash
+   pip install -r requirements.txt
+   pip install -r requirements-dev.txt
+   ```
+
+   This will install:
+
+   - `aws-cdk-lib`: AWS CDK core library
+   - `constructs`: CDK constructs framework
+   - `waf-http-api`: The WAF HTTP API construct package
+   - `pytest`: Testing framework
+
+## Usage
+
+### Build and Test
+
+```bash
+# Run tests
+pytest
+
+# Synthesize CloudFormation template
+cdk synth
+
+# Deploy to AWS
+cdk deploy
+
+# Clean up resources
+cdk destroy
+```
+
+### Testing the API
+
+After deployment, you'll get several outputs:
+
+- **CloudFrontUrl**: Use this endpoint for production traffic (recommended)
+- **HttpApiUrl**: Direct API Gateway URL (not recommended for production)
+
+```bash
+# Test the API through CloudFront (recommended)
+curl https://d1234567890.cloudfront.net/
+
+# Test the hello endpoint
+curl https://d1234567890.cloudfront.net/hello
+
+# POST request
+curl -X POST https://d1234567890.cloudfront.net/hello \
+  -H "Content-Type: application/json" \
+  -d '{"test": "data"}'
+```
+
+## Project Structure
+
+```
+example/python/
+├── app.py                              # CDK app entry point
+├── waf_http_api_example/
+│   ├── __init__.py
+│   └── waf_http_api_example_stack.py   # Main stack definition
+├── tests/
+│   ├── __init__.py
+│   └── test_waf_http_api_example.py    # Comprehensive test suite
+├── requirements.txt                    # Runtime dependencies
+├── requirements-dev.txt                # Development dependencies
+├── cdk.json                           # CDK configuration
+└── README.md                          # This file
+```
+
+## Key Components
+
+### Lambda Function
+
+- **Runtime**: Python 3.12
+- **Handler**: Inline code that processes HTTP requests
+- **Features**: Origin verification, detailed logging, CORS headers
+
+### HTTP API Gateway
+
+- **Type**: HTTP API (faster and cheaper than REST API)
+- **Routes**: `GET /`, `GET /hello`, `POST /hello`
+- **Integration**: Lambda proxy integration
+
+### WafHttpApi Construct
+
+- **Package**: `waf_http_api` from PyPI
+- **Features**: Automatically creates and configures CloudFront and WAF
+- **Configuration**: Simple API with sensible defaults
+- **Extensibility**: Support for custom domains and WAF rules
+
+### CloudFront Distribution (via WafHttpApi)
+
+- **Caching**: Optimized for API responses
+- **Security**: WAF integration for DDoS and application-layer protection
+- **Origin**: HTTP API Gateway with custom verification headers
+
+### WAF WebACL (via WafHttpApi)
+
+- **Scope**: CloudFront (global)
+- **Rules**:
+  - AWS Managed IP Reputation List
+  - AWS Managed Common Rule Set
+- **Action**: Allow by default, block malicious traffic
+
+## Security Features
+
+1. **WAF Protection**: Blocks malicious requests before they reach your API
+2. **Origin Verification**: Secret headers ensure requests come through CloudFront
+3. **HTTPS Only**: All traffic redirected to HTTPS
+4. **IP Reputation**: Automatic blocking of known malicious IP addresses
+5. **Common Attack Protection**: OWASP Top 10 and common web vulnerabilities
+
+## Monitoring and Observability
+
+- **CloudWatch Logs**: Lambda function logs for debugging
+- **WAF Metrics**: Request counts, blocked requests, rule matches
+- **CloudFront Metrics**: Cache hit rates, origin response times
+- **API Gateway Metrics**: Request counts, latency, error rates
+
+## Cost Optimization
+
+- **HTTP API**: More cost-effective than REST API
+- **CloudFront**: Reduces origin load and improves performance
+- **Lambda**: Pay-per-request pricing with efficient Python runtime
+- **WAF**: Only pay for requests processed
+
+## Development
+
+### Running Tests
+
+```bash
+# Run all tests
+pytest
+
+# Run with verbose output
+pytest -v
+
+# Run specific test
+pytest tests/test_waf_http_api_example.py::TestWafHttpApiExampleStack::test_lambda_function_created_with_python_312
+```
+
+### Adding Custom WAF Rules
+
+You can extend the WAF configuration by adding custom rules to the `web_acl` in the stack:
+
+```python
+# Add rate limiting rule
+rate_limit_rule = wafv2.CfnWebACL.RuleProperty(
+    name="RateLimitRule",
+    priority=10,
+    action=wafv2.CfnWebACL.RuleActionProperty(block={}),
+    statement=wafv2.CfnWebACL.StatementProperty(
+        rate_based_statement=wafv2.CfnWebACL.RateBasedStatementProperty(
+            limit=2000,
+            aggregate_key_type="IP"
+        )
+    ),
+    visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
+        cloud_watch_metrics_enabled=True,
+        metric_name="RateLimitRule",
+        sampled_requests_enabled=True
+    )
+)
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **403 Forbidden**: Check that requests are going through CloudFront, not directly to API Gateway
+2. **Origin Verification Failed**: Ensure the secret header is properly configured
+3. **WAF Blocking Legitimate Traffic**: Review WAF logs and adjust rules if needed
+
+### Debugging
+
+1. **Check Lambda Logs**: View CloudWatch logs for the Lambda function
+2. **WAF Logs**: Enable WAF logging to S3 for detailed analysis
+3. **CloudFront Logs**: Enable access logs for request analysis
+
+## License
+
+This example is provided under the same license as the main waf-http-api project.

example/python/README.md

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+import os
+
+import aws_cdk as cdk
+
+from waf_http_api_example.waf_http_api_example_stack import WafHttpApiExampleStack
+
+
+app = cdk.App()
+WafHttpApiExampleStack(app, "WafHttpApiExampleStack",
+    # If you don't specify 'env', this stack will be environment-agnostic.
+    # Account/Region-dependent features and context lookups will not work,
+    # but a single synthesized template can be deployed anywhere.
+
+    # Uncomment the next line to specialize this stack for the AWS Account
+    # and Region that are implied by the current CLI configuration.
+
+    env=cdk.Environment(
+        account=os.getenv('CDK_DEFAULT_ACCOUNT'), 
+        region=os.getenv('CDK_DEFAULT_REGION')
+    ),
+
+    # Uncomment the next line if you know exactly what Account and Region you
+    # want to deploy the stack to.
+
+    #env=cdk.Environment(account='123456789012', region='us-east-1'),
+
+    # For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+    )
+
+app.synth()

example/python/app.py

@@ -0,0 +1,3 @@
+{
+  "acknowledged-issue-numbers": [34892, 34892]
+}