Merge pull request #1261 from aligent/feature/DO-1591-fix-waf-metrics

feat: fix waf metrics
aligent · Dec 10, 2023 · b9c63a8 · b9c63a8
2 parents 2a73f4f + 9d5ed50
commit b9c63a8
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 4 deletions.
diff --git a/packages/graphql-mesh-server/lib/metrics.ts b/packages/graphql-mesh-server/lib/metrics.ts
@@ -10,6 +10,7 @@ import {
   LogQueryWidget,
   Alarm,
   ComparisonOperator,
+  IMetric,
 } from "aws-cdk-lib/aws-cloudwatch";
 import { FargateService } from "aws-cdk-lib/aws-ecs";
 import {
@@ -103,15 +104,72 @@ export class PerformanceMetrics extends Construct {
     ];
 
     // WAF metrics and widgets
-    const wafRequestMetrics: Metric[] = [
+    const wafWebACL = props.firewall.acl.name || "no-waf-name";
+    const wafRegion = Stack.of(this).region; // assumes waf is in the same region
+
+    const wafRequestMetrics: IMetric[] = [
+      // fixme: cdk doesn't support the "id" property so this doesn't show correctly
+      //       it also doesn't allow metrics to be hidden so again, this wouldn't work...
+      //       you can theoretically override these properties manually so that could work?
+      //       for now though this works well enough
+      // new MathExpression({
+      //   expression: "REMOVE_EMPTY(METRICS())",
+      //   label: "WAF Requests",
+      // }),
       new Metric({
         namespace: "AWS/WAFV2",
         metricName: "AllowedRequests",
+        label: "Allowed Requests",
         dimensionsMap: {
-          WebACL: props.firewall.acl.ref.split("|")[0],
+          WebACL: wafWebACL,
           Rule: "ALL",
-          Region: Stack.of(this).region, // assumes waf is in the same region
+          Region: wafRegion,
         },
+        statistic: "sum",
+      }),
+      new Metric({
+        namespace: "AWS/WAFV2",
+        metricName: "BlockedRequests",
+        label: "Blocked Requests",
+        dimensionsMap: {
+          WebACL: wafWebACL,
+          Rule: "ALL",
+          Region: wafRegion,
+        },
+        statistic: "sum",
+      }),
+      new Metric({
+        namespace: "AWS/WAFV2",
+        metricName: "BlockedRequests",
+        label: "Blocked IPv6 Requests",
+        dimensionsMap: {
+          WebACL: wafWebACL,
+          Rule: "BlockIPv6",
+          Region: wafRegion,
+        },
+        statistic: "sum",
+      }),
+      new Metric({
+        namespace: "AWS/WAFV2",
+        metricName: "BlockedRequests",
+        label: "Blocked IPv4 Requests",
+        dimensionsMap: {
+          WebACL: wafWebACL,
+          Rule: "BlockIPv4",
+          Region: wafRegion,
+        },
+        statistic: "sum",
+      }),
+      new Metric({
+        namespace: "AWS/WAFV2",
+        metricName: "BlockedRequests",
+        label: "Blocked by Rate Limiting Requests",
+        dimensionsMap: {
+          WebACL: wafWebACL,
+          Rule: "RateLimit",
+          Region: wafRegion,
+        },
+        statistic: "sum",
       }),
     ];
 

diff --git a/packages/graphql-mesh-server/lib/web-application-firewall.ts b/packages/graphql-mesh-server/lib/web-application-firewall.ts
@@ -71,6 +71,7 @@ export interface AWSManagedRule {
 export interface WebApplicationFirewallProps {
   /**
    * Name of the WAF
+   * Defaults to 'graphql-mesh-web-acl'
    */
   name?: string;
 
@@ -149,7 +150,7 @@ export class WebApplicationFirewall extends Construct {
     }
 
     this.acl = new CfnWebACL(this, "WebAcl", {
-      name: props.name,
+      name: props.name || "graphql-mesh-web-acl",
       defaultAction,
       scope: props.scope || Scope.REGIONAL,
       visibilityConfig: props.visibilityConfig,