
WafBuilder

Bases: AbstractAWSResourceBuilder['WafBuilder', WafConfig]

AWS WAF (Web Application Firewall) builder for CloudFront distribution protection.

Creates a comprehensive WAF v2 Web ACL configured with AWS Managed Rules and custom rate limiting to protect CloudFront distributions from common web exploits, malicious traffic, and automated attacks. Implements organizational security standards with built-in monitoring, metrics collection, and cross-stack integration.

Source code in mare_aws_common_lib/builders/waf_builder.py
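class WafBuilder(AbstractAWSResourceBuilder["WafBuilder", WafConfig]):
    """AWS WAF (Web Application Firewall) builder for CloudFront distribution protection.

    Creates a WAF v2 Web ACL configured with AWS Managed Rules and custom rate
    limiting to protect CloudFront distributions from common web exploits, malicious
    traffic, and automated attacks. Implements organizational security standards with
    built-in monitoring, metrics collection, and cross-stack integration.

    Protection model as built here:
      * The Web ACL default action is ALLOW, so the attached rules are the entire
        protection: a request is blocked only when the rate limit or a managed rule
        group says so.
      * Managed rule groups are attached with ``override_action=none``, i.e. their
        own block/count actions stay in force; individual rules inside a group can be
        re-actioned through the per-group override mappings in WafConfig.
      * CloudWatch metrics and request sampling are enabled on the ACL and on every
        rule so blocked and counted traffic is observable.
    """

    _resource_type: AWSResourceType = AWSResourceType.WAF
    # A builder config is optional: WafConfig defaults apply when none is supplied
    # (``_set_config`` validates ``self._builder_config or {}``).
    _requires_builder_config: bool = False

    def reset(self) -> None:
        """Reset the builder state to initial configuration.

        Adds nothing of its own; all state clearing is delegated to the abstract
        parent class. Kept as an explicit override so the WAF builder visibly takes
        part in the build lifecycle, which resets before each build to keep
        successive WAF deployments independent of each other.
        """
        super().reset()

    def build(self, scope: Construct) -> wafv2.CfnWebACL:
        """Build the WAF Web ACL and publish its ARN for other stacks.

        Main entry point for WAF deployment: runs the base-class build hooks, creates
        the Web ACL via ``_create_web_acl`` and stores the ACL ARN in Parameter Store
        so a CloudFront stack can attach it.

        Args:
            scope: CDK construct scope for resource creation and dependency management

        Returns:
            wafv2.CfnWebACL: The created WAF Web ACL resource with all configured rules
        """
        super().build()

        web_acl = self._create_web_acl(scope)

        # Published under "web_acl_id" (the CloudFront distribution property it
        # feeds) even though the value is the ARN, which is what CloudFront expects
        # for a WAFv2 Web ACL.
        self._application_helper.store_parameter(scope, "web_acl_id", web_acl.attr_arn)

        return web_acl

    def _create_web_acl(self, scope: Construct) -> wafv2.CfnWebACL:
        """Create the CloudFront-scoped WAF v2 Web ACL with its rule set.

        The ACL allows by default and carries, in evaluation order: a per-IP
        rate-limit rule (priority 0) followed by five AWS Managed Rule Groups
        (priorities 1-5). Publishing the ARN to Parameter Store is done by
        ``build``, not here.

        Args:
            scope: CDK construct scope for resource creation

        Returns:
            wafv2.CfnWebACL: The created (and tagged) Web ACL with all rules attached
        """
        target_env = self._application_helper.get_target_env()

        # Managed rule groups in evaluation order, paired with the WafConfig override
        # mapping that applies to each. Priorities follow this order, starting at 1.
        managed_rule_groups = (
            ("AWSManagedRulesAmazonIpReputationList", self._config.ip_reputation_overrides),
            ("AWSManagedRulesCommonRuleSet", self._config.common_ruleset_overrides),
            ("AWSManagedRulesKnownBadInputsRuleSet", self._config.bad_inputs_overrides),
            ("AWSManagedRulesSQLiRuleSet", self._config.sqli_overrides),
            ("AWSManagedRulesBotControlRuleSet", self._config.bot_control_overrides),
        )

        rules = [self._create_rate_limit_rule(priority=0)]
        rules.extend(
            self._create_managed_rule_group(priority, group_name, overrides)
            for priority, (group_name, overrides) in enumerate(managed_rule_groups, start=1)
        )

        # NOTE(review): CLOUDFRONT-scoped Web ACLs must be created in us-east-1;
        # nothing here pins the region, so the owning stack has to — confirm.
        waf = wafv2.CfnWebACL(
            scope,
            self._get_cfn_logical_id("cloudfront-web-acl"),
            name=self._get_name_for_resource(f"{target_env}-waf",
                                             max_length=AWSResourceNameLength.WEB_ACL.value),
            scope="CLOUDFRONT",
            # Allow by default: only traffic matched by a rule below is blocked.
            default_action=wafv2.CfnWebACL.DefaultActionProperty(allow={}),
            # Sampled requests keep copies of matching requests (headers included)
            # for triage in the WAF console; metrics feed CloudWatch alarms.
            visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
                sampled_requests_enabled=True,
                cloud_watch_metrics_enabled=True,
                metric_name=self._get_name_for_resource(f"{target_env}-waf-metric",
                                                        max_length=AWSResourceNameLength.METRIC.value),
            ),
            rules=rules,
        )
        self._tag_resource(waf)

        return waf

    def _create_rate_limit_rule(self, priority: int) -> wafv2.CfnWebACL.RuleProperty:
        """Build the per-source-IP rate-limiting rule.

        Requests from one source IP exceeding ``WafConfig.rate_limit`` within the
        WAF rate-evaluation window (e.g. 1000 requests per 5 minutes) are blocked.

        Args:
            priority: Evaluation priority within the Web ACL; lower values run first,
                so 0 places this rule ahead of the managed rule groups.

        Returns:
            wafv2.CfnWebACL.RuleProperty: The rule, named and metered "RateLimitRule".
        """
        rule_name = "RateLimitRule"
        return wafv2.CfnWebACL.RuleProperty(
            name=rule_name,
            priority=priority,
            statement=wafv2.CfnWebACL.StatementProperty(
                rate_based_statement=wafv2.CfnWebACL.RateBasedStatementProperty(
                    limit=self._config.rate_limit,
                    # Aggregate on the request's source address as seen by CloudFront.
                    aggregate_key_type="IP",
                )
            ),
            action=wafv2.CfnWebACL.RuleActionProperty(block={}),
            visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
                sampled_requests_enabled=True,
                cloud_watch_metrics_enabled=True,
                metric_name=rule_name,
            ),
        )

    def _create_managed_rule_group(self,
                                   priority: int,
                                   group_name: str,
                                   overrides: Dict[str, RuleActionType]) -> wafv2.CfnWebACL.RuleProperty:
        """Build one Web ACL rule that attaches an AWS-vendored Managed Rule Group.

        Args:
            priority: Evaluation priority within the Web ACL (lower runs first).
            group_name: Name of the AWS managed rule group, e.g.
                "AWSManagedRulesCommonRuleSet".
            overrides: Per-rule action overrides for this group from WafConfig;
                ``None`` or empty means the group's own actions apply unchanged.

        Returns:
            wafv2.CfnWebACL.RuleProperty: The rule, named and metered ``AWS-<group_name>``.
        """
        rule_name = f"AWS-{group_name}"
        return wafv2.CfnWebACL.RuleProperty(
            name=rule_name,
            priority=priority,
            statement=wafv2.CfnWebACL.StatementProperty(
                managed_rule_group_statement=wafv2.CfnWebACL.ManagedRuleGroupStatementProperty(
                    vendor_name="AWS",
                    name=group_name,
                    rule_action_overrides=self._create_rule_action_overrides(overrides),
                )
            ),
            # ``none`` keeps the group's own block/count actions in force; ``count``
            # would turn the whole group into monitor-only.
            override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
            visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
                sampled_requests_enabled=True,
                cloud_watch_metrics_enabled=True,
                metric_name=rule_name,
            ),
        )

    def _create_rule_action_overrides(self, overrides: Dict[str, RuleActionType]) -> list:
        """Translate configured per-rule overrides into WAF RuleActionOverride properties.

        Overrides let individual rules inside an AWS Managed Rule Group be re-actioned
        (allow, block or count) without replacing the group. They are security
        relevant: COUNT downgrades a rule to monitor-only and ALLOW lets matching
        requests through, so the config feeding this method deserves the same review
        as any other firewall exception.

        Args:
            overrides: Mapping of managed rule name to the RuleActionType to apply.
                ``None`` or an empty mapping means "no overrides".

        Returns:
            list: ``RuleActionOverrideProperty`` objects in the mapping's iteration
                order; empty when ``overrides`` is falsy.

        Raises:
            ValueError: If an override names an action this builder cannot translate.
                Failing at synth time is preferred to silently dropping the override,
                which would leave the rule at the group's default action unnoticed.
        """
        if not overrides:
            return []

        # Each factory builds a fresh RuleActionProperty so no CDK object is shared
        # between overrides.
        action_factories = {
            RuleActionType.ALLOW: lambda: wafv2.CfnWebACL.RuleActionProperty(allow={}),
            RuleActionType.BLOCK: lambda: wafv2.CfnWebACL.RuleActionProperty(block={}),
            RuleActionType.COUNT: lambda: wafv2.CfnWebACL.RuleActionProperty(count={}),
        }

        rule_overrides = []
        for rule_name, action_type in overrides.items():
            make_action = action_factories.get(action_type)
            if make_action is None:
                raise ValueError(
                    f"Unsupported rule action override {action_type!r} for rule "
                    f"{rule_name!r}; expected one of ALLOW, BLOCK or COUNT"
                )
            rule_overrides.append(
                wafv2.CfnWebACL.RuleActionOverrideProperty(
                    name=rule_name,
                    action_to_use=make_action(),
                )
            )

        return rule_overrides

    def _set_config(self) -> None:
        """Validate the builder configuration against the WafConfig model.

        A missing builder config is treated as an empty mapping, so every WafConfig
        field must either have a default or be supplied; the effective defaults
        (rate limit, override mappings) live in WafConfig, not in this builder.

        Raises:
            ValidationError: If the builder configuration is invalid, is missing
                required fields, or contains values that do not conform to the
                WafConfig schema. Details are passed to ``_log_validation_error``
                before the exception is re-raised.
        """
        try:
            self._config = WafConfig.model_validate(self._builder_config or {})
        except ValidationError as e:
            self._log_validation_error(e, WafConfig)
            raise

    def _control_consistency(self) -> None:
        """Run the base-class consistency checks, then load the WAF configuration.

        The parent check runs first so generic builder-state problems surface before
        any WafConfig validation.

        Raises:
            ValidationError: Propagated from ``_set_config`` when the builder
                configuration does not conform to WafConfig.
        """
        super()._control_consistency()

        self._set_config()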

Attributes

_requires_builder_config = False class-attribute instance-attribute

_resource_type = AWSResourceType.WAF class-attribute instance-attribute

Functions

_control_consistency()

Validate the builder configuration and internal state consistency before the build.

Validates the WafConfig using Pydantic models to ensure all required fields are present and valid.

Raises:

Type Description
ValidationError

If configuration validation fails. Error details are printed to console for debugging.

Source code in mare_aws_common_lib/builders/waf_builder.py
def _control_consistency(self) -> None:
    """Run the base-class consistency checks, then load the WAF configuration.

    The parent check runs first so that generic builder-state problems are
    reported before any WafConfig validation; ``_set_config`` then validates
    ``self._builder_config`` (or an empty mapping when none was given) against
    the WafConfig model.

    Raises:
        ValidationError: Propagated from ``_set_config`` when the builder
            configuration does not conform to WafConfig; details are passed to
            ``_log_validation_error`` before the exception is re-raised.
    """
    super()._control_consistency()
    self._set_config()

_create_rule_action_overrides(overrides)

Create WAF rule action overrides from configuration dictionary.

Transforms the configuration dictionary of rule overrides into WAF-compatible rule action override properties. This allows fine-tuning of individual rules within AWS Managed Rule Groups by specifying custom actions (allow, block, count) that override the default rule group behavior.

Parameters:

Name Type Description Default
overrides Dict[str, RuleActionType]

Dictionary mapping rule names to desired action types. Keys are rule names as strings, values are RuleActionType enums.

required

Returns:

Name Type Description
list list

List of RuleActionOverrideProperty objects ready for WAF configuration. Returns empty list if no overrides are provided or if the input is None.

Source code in mare_aws_common_lib/builders/waf_builder.py
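def _create_rule_action_overrides(self, overrides: Dict[str, RuleActionType]) -> list:
    """Translate configured per-rule overrides into WAF RuleActionOverride properties.

    Overrides let individual rules inside an AWS Managed Rule Group be re-actioned
    (allow, block or count) without replacing the group. They are security
    relevant: COUNT downgrades a rule to monitor-only and ALLOW lets matching
    requests through, so the config feeding this method deserves the same review
    as any other firewall exception.

    Args:
        overrides: Mapping of managed rule name to the RuleActionType to apply.
            ``None`` or an empty mapping means "no overrides".

    Returns:
        list: ``RuleActionOverrideProperty`` objects in the mapping's iteration
            order; empty when ``overrides`` is falsy.

    Raises:
        ValueError: If an override names an action this builder cannot translate.
            Failing at synth time is preferred to silently dropping the override,
            which would leave the rule at the group's default action unnoticed.
    """
    if not overrides:
        return []

    # Each factory builds a fresh RuleActionProperty so no CDK object is shared
    # between overrides.
    action_factories = {
        RuleActionType.ALLOW: lambda: wafv2.CfnWebACL.RuleActionProperty(allow={}),
        RuleActionType.BLOCK: lambda: wafv2.CfnWebACL.RuleActionProperty(block={}),
        RuleActionType.COUNT: lambda: wafv2.CfnWebACL.RuleActionProperty(count={}),
    }

    rule_overrides = []
    for rule_name, action_type in overrides.items():
        make_action = action_factories.get(action_type)
        if make_action is None:
            raise ValueError(
                f"Unsupported rule action override {action_type!r} for rule "
                f"{rule_name!r}; expected one of ALLOW, BLOCK or COUNT"
            )
        rule_overrides.append(
            wafv2.CfnWebACL.RuleActionOverrideProperty(
                name=rule_name,
                action_to_use=make_action(),
            )
        )

    return rule_overrides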

_create_web_acl(scope)

Build and deploy the WAF Web ACL with comprehensive security rules.

Creates a complete WAF v2 Web ACL configured for CloudFront protection with multiple AWS Managed Rule groups and custom rate limiting. Automatically stores the Web ACL ARN in Parameter Store for cross-stack integration.

Parameters:

Name Type Description Default
scope Construct

CDK construct scope for resource creation

required

Returns:

Type Description
CfnWebACL

wafv2.CfnWebACL: The created WAF Web ACL resource with all configured rules

Source code in mare_aws_common_lib/builders/waf_builder.py
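def _create_web_acl(self, scope: Construct) -> wafv2.CfnWebACL:
    """Create the CloudFront-scoped WAF v2 Web ACL with its rule set.

    The ACL allows by default and carries, in evaluation order: a per-IP
    rate-limit rule (priority 0) followed by five AWS Managed Rule Groups
    (priorities 1-5). Publishing the ARN to Parameter Store is done by
    ``build``, not here.

    Args:
        scope: CDK construct scope for resource creation

    Returns:
        wafv2.CfnWebACL: The created (and tagged) Web ACL with all rules attached
    """
    target_env = self._application_helper.get_target_env()

    # Managed rule groups in evaluation order, paired with the WafConfig override
    # mapping that applies to each. Priorities follow this order, starting at 1.
    managed_rule_groups = (
        ("AWSManagedRulesAmazonIpReputationList", self._config.ip_reputation_overrides),
        ("AWSManagedRulesCommonRuleSet", self._config.common_ruleset_overrides),
        ("AWSManagedRulesKnownBadInputsRuleSet", self._config.bad_inputs_overrides),
        ("AWSManagedRulesSQLiRuleSet", self._config.sqli_overrides),
        ("AWSManagedRulesBotControlRuleSet", self._config.bot_control_overrides),
    )

    rules = [_create_rate_limit_rule(self, priority=0)]
    rules.extend(
        _create_managed_rule_group(self, priority, group_name, overrides)
        for priority, (group_name, overrides) in enumerate(managed_rule_groups, start=1)
    )

    # NOTE(review): CLOUDFRONT-scoped Web ACLs must be created in us-east-1;
    # nothing here pins the region, so the owning stack has to — confirm.
    waf = wafv2.CfnWebACL(
        scope,
        self._get_cfn_logical_id("cloudfront-web-acl"),
        name=self._get_name_for_resource(f"{target_env}-waf",
                                         max_length=AWSResourceNameLength.WEB_ACL.value),
        scope="CLOUDFRONT",
        # Allow by default: only traffic matched by a rule below is blocked.
        default_action=wafv2.CfnWebACL.DefaultActionProperty(allow={}),
        # Sampled requests keep copies of matching requests (headers included)
        # for triage in the WAF console; metrics feed CloudWatch alarms.
        visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
            sampled_requests_enabled=True,
            cloud_watch_metrics_enabled=True,
            metric_name=self._get_name_for_resource(f"{target_env}-waf-metric",
                                                    max_length=AWSResourceNameLength.METRIC.value),
        ),
        rules=rules,
    )
    self._tag_resource(waf)

    return waf


def _create_rate_limit_rule(self, priority: int) -> wafv2.CfnWebACL.RuleProperty:
    """Build the per-source-IP rate-limiting rule.

    Requests from one source IP exceeding ``WafConfig.rate_limit`` within the
    WAF rate-evaluation window (e.g. 1000 requests per 5 minutes) are blocked.

    Args:
        priority: Evaluation priority within the Web ACL; lower values run first,
            so 0 places this rule ahead of the managed rule groups.

    Returns:
        wafv2.CfnWebACL.RuleProperty: The rule, named and metered "RateLimitRule".
    """
    rule_name = "RateLimitRule"
    return wafv2.CfnWebACL.RuleProperty(
        name=rule_name,
        priority=priority,
        statement=wafv2.CfnWebACL.StatementProperty(
            rate_based_statement=wafv2.CfnWebACL.RateBasedStatementProperty(
                limit=self._config.rate_limit,
                # Aggregate on the request's source address as seen by CloudFront.
                aggregate_key_type="IP",
            )
        ),
        action=wafv2.CfnWebACL.RuleActionProperty(block={}),
        visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
            sampled_requests_enabled=True,
            cloud_watch_metrics_enabled=True,
            metric_name=rule_name,
        ),
    )


def _create_managed_rule_group(self,
                               priority: int,
                               group_name: str,
                               overrides: Dict[str, RuleActionType]) -> wafv2.CfnWebACL.RuleProperty:
    """Build one Web ACL rule that attaches an AWS-vendored Managed Rule Group.

    Args:
        priority: Evaluation priority within the Web ACL (lower runs first).
        group_name: Name of the AWS managed rule group, e.g.
            "AWSManagedRulesCommonRuleSet".
        overrides: Per-rule action overrides for this group from WafConfig;
            ``None`` or empty means the group's own actions apply unchanged.

    Returns:
        wafv2.CfnWebACL.RuleProperty: The rule, named and metered ``AWS-<group_name>``.
    """
    rule_name = f"AWS-{group_name}"
    return wafv2.CfnWebACL.RuleProperty(
        name=rule_name,
        priority=priority,
        statement=wafv2.CfnWebACL.StatementProperty(
            managed_rule_group_statement=wafv2.CfnWebACL.ManagedRuleGroupStatementProperty(
                vendor_name="AWS",
                name=group_name,
                rule_action_overrides=self._create_rule_action_overrides(overrides),
            )
        ),
        # ``none`` keeps the group's own block/count actions in force; ``count``
        # would turn the whole group into monitor-only.
        override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
        visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
            sampled_requests_enabled=True,
            cloud_watch_metrics_enabled=True,
            metric_name=rule_name,
        ),
    )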

_set_config()

Create and validate the WAF configuration from builder config.

Parses and validates the provided builder configuration against the WafConfig model schema using Pydantic validation.

Raises:

Type Description
ValidationError

If the builder configuration is invalid, missing required fields, or contains values that don't conform to the WafConfig model schema.

Source code in mare_aws_common_lib/builders/waf_builder.py
def _set_config(self) -> None:
    """Validate the builder configuration against the WafConfig model.

    A missing builder config is treated as an empty mapping, so every WafConfig
    field must either have a default or be supplied; the effective defaults
    (rate limit, override mappings) live in WafConfig, not in this builder.

    Raises:
        ValidationError: If the builder configuration is invalid, is missing
            required fields, or contains values that do not conform to the
            WafConfig schema. Details are passed to ``_log_validation_error``
            before the exception is re-raised.
    """
    raw_config = self._builder_config or {}
    try:
        validated = WafConfig.model_validate(raw_config)
    except ValidationError as err:
        self._log_validation_error(err, WafConfig)
        raise
    self._config = validated

build(scope)

Build and deploy the complete WAF Web ACL infrastructure.

Orchestrates the creation of a comprehensive WAF v2 Web ACL with multiple security rule groups and automatically stores the resulting ARN in Parameter Store for cross-stack integration. This method serves as the main entry point for WAF deployment.

Parameters:

Name Type Description Default
scope Construct

CDK construct scope for resource creation and dependency management

required

Returns:

Type Description
CfnWebACL

wafv2.CfnWebACL: The created WAF Web ACL resource with all configured rules

Source code in mare_aws_common_lib/builders/waf_builder.py
def build(self, scope : Construct) -> wafv2.CfnWebACL:
    """Build the WAF Web ACL and publish its ARN for other stacks.

    Main entry point for WAF deployment: runs the base-class build hooks, creates
    the Web ACL via ``_create_web_acl``, then writes the ACL ARN to Parameter Store
    so a CloudFront stack can attach it.

    Args:
        scope: CDK construct scope for resource creation and dependency management

    Returns:
        wafv2.CfnWebACL: The created WAF Web ACL resource with all configured rules
    """
    super().build()
    web_acl = self._create_web_acl(scope)

    # Published under "web_acl_id" (the CloudFront distribution property it feeds)
    # even though the value is the ARN, which is what CloudFront expects for a
    # WAFv2 Web ACL.
    parameter_key = "web_acl_id"
    self._application_helper.store_parameter(scope, parameter_key, web_acl.attr_arn)
    return web_acl

reset()

Reset the builder state to initial configuration.

Clears any previous build state and prepares the builder for a new WAF Web ACL creation. Inherits base reset functionality from the abstract parent class.

Called automatically before each build operation to ensure clean state and prevent cross-contamination between multiple WAF deployments.

Source code in mare_aws_common_lib/builders/waf_builder.py
def reset(self) -> None:
    """Return the builder to its pristine state before a new Web ACL build.

    This override adds nothing of its own: all state clearing is delegated to
    the abstract parent class. It exists so the WAF builder visibly takes part
    in the build lifecycle, which resets before each build to keep successive
    WAF deployments independent of each other.
    """
    super().reset()