Fix: ipsets #388
Fix: ipsets #388
Conversation
| @@ -593,7 +593,16 @@ function calculateRatebasedStatementwithoutScopeDownStatement(customRule: FmsRul | |||
| * @returns the capacity of the IPSet statement | |||
| */ | |||
| function calculateIpsSetStatementCapacity(ipSetReferenceStatement: wafv2.CfnWebACL.IPSetReferenceStatementProperty) { | |||
| let ipSetRuleCapacity = 1; | |||
| // FIXME: ipset statements doesn't always has a capacity of one, it can vary, which was giving a error while deploying (sample of the error available below) | |||
There was a problem hiding this comment.
Hi, according to the docs an IPSet reference statement is only 4 if you configure the statement to use forwarded IP addresses and specify a position of ANY, increase the WCU usage by 4.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html
Could you please give me an example rule which was not working, maybe we need to ask AWS to change their docs?
There was a problem hiding this comment.
Hi @daknhh! It says in the docs which you've sent that the cost is 1 WCU for most, not for all cases.
I think there's some edge cases that the cost of a simple single IpsetReferenceStatement can be bigger then 1 WCU. In my FMS configs the error wasn't happening on all other configs, but on a single one which has a Scope of CLOUDFRONT.
I don't know if the scope and/or the Type of AWS::CloudFront::Distribution has anything to do with the bug, with the WCU cost being higher then "1", but I know that WAF started deploying on this config after I've set a fixed WCU cost of 4 for single IpSetStatements, hence this commit.
I've suggested a long term solution for this issue in the comments on the commit.
There was a problem hiding this comment.
That could be. I will open a support case on Monday to clarify with AWS support. I would like to avoid to just create a separate stack for IpSets.
There was a problem hiding this comment.
Still waiting for Feedback from AWS Support. I am on it :)
|
I wish to inform that, while calling IPset rule in WebACL, under “IP address to use as the originating address” we have two options.
WCU 1 will be consumed for IPset rule along with the options Source IP or First IP address or Last IP address. When you choose Any IP address options it will be using WCU 4, so total you can see 5 WCU (1 for IPset Rule + 4 for Any IP address Option ), when using IPset in combination with Any IP address. <- this is what aws support reponded. So technically: This should work |
|
Hi @vboufleur i was testing with the ipSets-global.ts with the calculation fix which was working fine. |
|
Hi @daknhh, sorry for the delay in answering you, I got very busy with work lately. As soon as I get some free time I'll retest setting the WCU to only "1" and I'll let you know on the results. |
Two small fixes related to ipsets management. The one related to capacity management should be considered as a tmp workaround, as it requires a great change on the repo code, which is 1) deploy the ipsets on a different CloudFormation stack, 2) output the ipset ARN on the first stack, 3) replace the ipset name with the ARN on the FMS config, 4) then finally, deploy the FMS CloudFormation stack.