enable BotControlRule and SQLiRuleSet

.projenrc.js

@@ -10,7 +10,7 @@ const project = new awscdk.AwsCdkTypeScriptApp({
     '@aws-sdk/client-ses',
     '@aws-sdk/client-ssm',
     '@aws-sdk/client-wafv2',
-    //'@aws-sdk/client-workmail',
+    '@aws-sdk/util-utf8-node',
     '@databases/pg',
     '@types/aws-lambda',
     'cdk-bootstrapless-synthesizer@^2.2.2',

src/functions/create-web-acl.ts

@@ -1,4 +1,5 @@
 import { WAFV2Client, CreateWebACLCommand, UpdateWebACLCommand, DeleteWebACLCommand, GetWebACLCommand, CreateWebACLCommandInput } from '@aws-sdk/client-wafv2';
+import { fromUtf8 } from '@aws-sdk/util-utf8-node';
 import { CdkCustomResourceHandler, CdkCustomResourceResponse } from 'aws-lambda';
 
 const client = new WAFV2Client({ region: 'us-east-1' });
@@ -53,7 +54,32 @@ const parsePhysicalResourceId = (physicalResourceId: string) => {
 export const handler: CdkCustomResourceHandler = async (event, _context) => {
   const props = event.ResourceProperties as CreateWebACLCommandInput & { Name: string; ServiceToken: string };
   console.log(JSON.stringify(props));
-  props.Rules?.map(rule => rule.Priority = Number(rule.Priority) );
+  props.Rules?.map(rule => {
+    rule.Priority = Number(rule.Priority);
+    rule.Statement?.ManagedRuleGroupStatement?.ScopeDownStatement?.ByteMatchStatement?.TextTransformations?.map(tf => {
+      tf.Priority = Number(tf.Priority);
+    });
+    rule.Statement?.ManagedRuleGroupStatement?.ScopeDownStatement?.NotStatement?.Statement?.ByteMatchStatement?.TextTransformations?.map(tf => {
+      tf.Priority = Number(tf.Priority);
+    });
+    // for Supabase Studio SSR
+    if (typeof rule.Statement?.ManagedRuleGroupStatement != 'undefined' && rule.Statement?.ManagedRuleGroupStatement?.VendorName == 'AWS' && rule.Statement?.ManagedRuleGroupStatement?.Name == 'AWSManagedRulesBotControlRuleSet') {
+      rule.Statement.ManagedRuleGroupStatement.ScopeDownStatement = {
+        NotStatement: {
+          Statement: {
+            ByteMatchStatement: {
+              SearchString: fromUtf8('node-fetch'),
+              FieldToMatch: {
+                SingleHeader: { Name: 'user-agent' },
+              },
+              TextTransformations: [{ Priority: 0, Type: 'NONE' }],
+              PositionalConstraint: 'STARTS_WITH',
+            },
+          },
+        },
+      };
+    };
+  });
 
   switch (event.RequestType) {
     case 'Create': {

src/supabase-cdn.ts

@@ -87,22 +87,38 @@ export class SupabaseCdn extends Construct {
             },
             OverrideAction: { None: {} },
           },
-          //{
-          //  Name: 'AWS-AWSManagedRulesBotControlRuleSet',
-          //  Priority: 2,
-          //  Statement: {
-          //    ManagedRuleGroupStatement: {
-          //      VendorName: 'AWS',
-          //      Name: 'AWSManagedRulesBotControlRuleSet',
-          //    },
-          //  },
-          //  VisibilityConfig: {
-          //    SampledRequestsEnabled: true,
-          //    CloudWatchMetricsEnabled: true,
-          //    MetricName: 'AWS-AWSManagedRulesBotControlRuleSet',
-          //  },
-          //  OverrideAction: { None: {} },
-          //},
+          {
+            Name: 'AWS-AWSManagedRulesSQLiRuleSet',
+            Priority: 2,
+            Statement: {
+              ManagedRuleGroupStatement: {
+                VendorName: 'AWS',
+                Name: 'AWSManagedRulesSQLiRuleSet',
+              },
+            },
+            VisibilityConfig: {
+              SampledRequestsEnabled: true,
+              CloudWatchMetricsEnabled: true,
+              MetricName: 'AWS-AWSManagedRulesSQLiRuleSet',
+            },
+            OverrideAction: { None: {} },
+          },
+          {
+            Name: 'AWS-AWSManagedRulesBotControlRuleSet',
+            Priority: 3,
+            Statement: {
+              ManagedRuleGroupStatement: {
+                VendorName: 'AWS',
+                Name: 'AWSManagedRulesBotControlRuleSet',
+              },
+            },
+            VisibilityConfig: {
+              SampledRequestsEnabled: true,
+              CloudWatchMetricsEnabled: true,
+              MetricName: 'AWS-AWSManagedRulesBotControlRuleSet',
+            },
+            OverrideAction: { None: {} },
+          },
         ],
         DefaultAction: { Allow: {} },
       } as CreateWebACLCommandInput,