feat: support associating WAF without creating (#501)

rikhilrai · web-flow · commit 4c283f0ada2c · 2022-06-11T10:26:03.000+02:00
diff --git a/README.md b/README.md
@@ -1,5 +1,6 @@
 [![Tests](https://github.com/sid88in/serverless-appsync-plugin/workflows/Tests/badge.svg)](https://github.com/sid88in/serverless-appsync-plugin/actions?query=workflow%3ATests) <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
 [![All Contributors](https://img.shields.io/badge/all_contributors-70-orange.svg?style=flat-square)](#contributors-)
+
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Deploy [AppSync](https://aws.amazon.com/appsync) API's in minutes using this [Serverless](https://www.serverless.com/) plugin.
@@ -37,7 +38,7 @@ Add `serverless-appsync-plugin` to the plugins section of `serverless.yml`
 
 ```yaml
 plugins:
-   - serverless-appsync-plugin
+  - serverless-appsync-plugin
 ```
 
 Add the following config to the custom section of `serverless.yml` and update it accordingly to your needs
@@ -262,6 +263,7 @@ custom:
     xrayEnabled: true # Bool, Optional. Enable X-Ray. disabled by default.
     wafConfig:
       enabled: true
+      arn: 'arn:aws:waf-regional:{REGION}:{ACCOUNT_ID}:rule/{RULE_ID}' # The arn for your WAF. Remaining WAF config options are ignored if arn is provided.
       name: AppSyncWaf
       defaultAction: Allow # or Block. Defaults to Allow
       description: 'My AppSync Waf rules'
diff --git a/__snapshots__/index.test.js.snap b/__snapshots__/index.test.js.snap
@@ -1449,6 +1449,23 @@ Object {
 }
 `;
 
+exports[`WAF should generate the WAF association and not the config 1`] = `
+Object {
+  "GraphQlWafAssoc": Object {
+    "Properties": Object {
+      "ResourceArn": Object {
+        "Fn::GetAtt": Array [
+          "GraphQlApi",
+          "Arn",
+        ],
+      },
+      "WebACLArn": "arn:aws:waf-regional:us-east-1:123456789012:rule/123-456-7890",
+    },
+    "Type": "AWS::WAFv2::WebACLAssociation",
+  },
+}
+`;
+
 exports[`api keys should fail with a date > 1 year 1`] = `"Api Key MyKey must be valid for a minimum of 1 day and a maximum of 365 days."`;
 
 exports[`api keys should fail with invalid duration 1`] = `"Could not parse foobar as a valid duration"`;
diff --git a/index.test.js b/index.test.js
@@ -2114,4 +2114,15 @@ describe('WAF', () => {
     expect(tags[0].Key).toBe('testKey');
     expect(tags[0].Value).toBe('testValue');
   });
+
+  it('should generate the WAF association and not the config', () => {
+    const apiConfig = {
+      ...config,
+      wafConfig: {
+        enabled: true,
+        arn: 'arn:aws:waf-regional:us-east-1:123456789012:rule/123-456-7890',
+      },
+    };
+    expect(plugin.getWafResources(apiConfig)).toMatchSnapshot();
+  });
 });
diff --git a/src/index.js b/src/index.js
@@ -1434,10 +1434,23 @@ class ServerlessAppsyncPlugin {
       return {};
     }
 
-    const Name = wafConfig.name || `${apiConfig.name}Waf`;
     const apiLogicalId = this.getLogicalId(apiConfig, RESOURCE_API);
-    const wafLogicalId = this.getLogicalId(apiConfig, RESOURCE_WAF);
     const wafAssocLogicalId = this.getLogicalId(apiConfig, RESOURCE_WAF_ASSOC);
+
+    if (wafConfig.arn) {
+      return {
+        [wafAssocLogicalId]: {
+          Type: 'AWS::WAFv2::WebACLAssociation',
+          Properties: {
+            ResourceArn: { 'Fn::GetAtt': [apiLogicalId, 'Arn'] },
+            WebACLArn: wafConfig.arn,
+          },
+        },
+      };
+    }
+
+    const Name = wafConfig.name || `${apiConfig.name}Waf`;
+    const wafLogicalId = this.getLogicalId(apiConfig, RESOURCE_WAF);
     const defaultAction = wafConfig.defaultAction || 'Allow';
 
     return {
