support for regex pattern sets

Author: Guslington

README.md

@@ -84,7 +84,7 @@ rules:
         Limit: 1000
 ```
 
-### IPSets
+### IP Sets
 
 to create static ip white and black lists use the following config:
 
@@ -115,4 +115,38 @@ rules:
             Arn: 
               # reference the ipset name in your config
               Fn::GetAtt: ['Whitelist', 'Arn']
+```
+
+### Regex Pattern Sets
+
+create the RegexPatternSet with an optional description specifying a list of regexes
+
+```yaml
+pattern_sets:
+  MyPattern:
+    desc: test pattern
+    regexes:
+    - '^[\w\-]+$'
+```
+
+create a rule using the RegexPatternSet
+
+```yaml
+rules:
+  Regex:
+    priority: 10
+    action:
+      Allow: {}
+    statement: 
+      RegexPatternSetReferenceStatement:
+        Arn:
+          # reference the pattern set name in your config
+          Fn::GetAtt: ['MyPattern', 'Arn']
+        # set the field amd transform properities acording to 
+        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.html
+        FieldToMatch:
+          AllQueryArguments: {}
+        TextTransformations:
+          - Priority: 1
+            Type: NONE
 ```

tests/iplists.test.yaml

@@ -4,10 +4,14 @@ test_metadata:
   description: IP white and black lists
 
 ipsets:
-  Whitelist:
+  WhitelistOne:
     desc: ips to whitelist for my waf
     addresses:
     - 127.0.0.1/32
+  WhitelistTwo:
+    desc: ips to whitelist for my waf
+    addresses:
+    - 169.168.0.1/32
 
 rules:
   IPWhitelistRule:
@@ -19,4 +23,7 @@ rules:
         Statements:
         - IPSetReferenceStatement:
             Arn: 
-              Fn::GetAtt: ['Whitelist', 'Arn']
+              Fn::GetAtt: ['WhitelistOne', 'Arn']
+        - IPSetReferenceStatement:
+            Arn: 
+              Fn::GetAtt: ['WhitelistTwo', 'Arn']

tests/pattern_sets.test.yaml

@@ -0,0 +1,25 @@
+test_metadata:
+  type: config
+  name: pattern_sets
+  description: regular expression pattern set rules
+
+pattern_sets:
+  MyPattern:
+    desc: test pattern
+    regexes:
+    - '^[\w\-]+$'
+
+rules:
+  Regex:
+    priority: 10
+    action:
+      Allow: {}
+    statement: 
+      RegexPatternSetReferenceStatement:
+        Arn:
+          Fn::GetAtt: ['MyPattern', 'Arn']
+        FieldToMatch:
+          AllQueryArguments: {}
+        TextTransformations:
+          - Priority: 1
+            Type: NONE

wafv2.cfndsl.rb

@@ -6,6 +6,7 @@
   extra_tags = external_parameters.fetch(:extra_tags, {})
   extra_tags.each { |key,value| tags << { Key: FnSub(key), Value: FnSub(value) } }
 
+  ipsets = external_parameters.fetch(:ipsets, [])
   ipsets.each do |name, properties|
     WAFv2_IPSet(name) {
       Name FnSub("${EnvironmentName}-#{name}")
@@ -17,6 +18,17 @@
     }
   end
 
+  pattern_sets = external_parameters.fetch(:pattern_sets, [])
+  pattern_sets.each do |name, properties|
+    WAFv2_RegexPatternSet(name) {
+      Description properties['desc'] if properties.has_key?('desc')
+      Name FnSub("${EnvironmentName}-#{name}")
+      RegularExpressionList properties['regexes']
+      Scope Ref(:Scope)
+      Tags tags
+    }
+  end
+
   waf_rules = []
   rules = external_parameters.fetch(:rules, {})
   # Loop over each rule in the confic and either override the default or add a new rule