Feat/waf evaluation window sec

[sid88in]

Title: feat(waf): support evaluationWindowSec on throttle rules

---

Supersedes #651. Original implementation by @timo92 — rebased onto current master and extended. (Their commit is preserved in history, so authorship is retained.)

What

Adds an optional evaluationWindowSec to WAF throttle rules, mapping to the AWS WAFv2 RateBasedStatement.EvaluationWindowSec property — the look-back window, in seconds, over which AWS WAF counts requests for a rate-based rule. Valid values are 60 | 120 | 300 | 600; AWS defaults to 300.

appSync:
  waf:
    rules:
      - throttle:
          limit: 200
          evaluationWindowSec: 60

Changes made on top of #651

• Emit only when explicitly set. The original PR defaulted the value to 300 and wrote it into every throttle rule's RateBasedStatement — including the bare throttle: 200 shorthand. Because AWS resets a rate-based rule's request counts whenever one of its settings changes on a live rule, that would have caused an unsolicited WebACL update (and a brief rate-limiting pause) on every existing user's next deploy, even though 300 matches AWS's own default. It's now left undefined unless the user sets it, so the generated CloudFormation is byte-identical for existing stacks and AWS applies its native default. This mirrors how priority, forwardedIPConfig, and scopeDownStatement are already handled.
• Config validation. Added an enum (60 | 120 | 300 | 600) to the throttle schema so invalid values are rejected at serverless config validation instead of failing at deploy time.
• Merged latest master, including the jest 27 → 30 bump and the e2e CFN-synthesis harness that postdated the original branch.

Tests

• Unit (src/__tests__): added valid (300) and invalid (301) evaluationWindowSec validation cases; WAF snapshots updated.
• e2e / CFN synthesis (e2e/waf.e2e.test.ts, offline): examples/waf now exercises both paths — a default throttle: 200 rule (asserts the synthesized template contains no EvaluationWindowSec) and an explicit evaluationWindowSec: 60 rule (asserts it's emitted with the right value).
• Local run: npm run lint clean, npm test (289 passing), npm run test:e2e (86 passing).

Reviewer notes / not covered here

• Verified offline (v3 base, CFN synthesis) only. A live serverless deploy against a stack that already has a throttle WAF rule should confirm the upgrade produces a no-op WebACL diff.
• Not smoke-tested on Serverless Framework v4.

Summary by CodeRabbit

• New Features

  • Added support for configurable evaluation window duration in WAF throttle rules, allowing granular control over rate-based rule timing.

• Documentation

  • Updated WAF configuration examples and issue templates with improved formatting and structure for better clarity.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds support for an optional evaluationWindowSec configuration parameter to AWS WAF throttle rules. The feature includes type definitions, validation schema constraints, conditional CloudFormation synthesis logic, comprehensive test coverage, and documentation updates. GitHub issue and PR templates are also improved for consistency.

Changes

WAF Throttle EvaluationWindowSec Feature

Layer / File(s)	Summary
Type schema definitions src/types/common.ts, src/types/cloudFormation.ts	WafThrottleConfig and CfnWafRuleRateBasedStatement now include optional evaluationWindowSec?: number properties to represent the new field.
Validation schema constraints src/validation.ts	Throttle rule schema is extended to validate evaluationWindowSec as an optional integer restricted to enum values: 60, 120, 300, or 600.
Throttle rule synthesis src/resources/Waf.ts	buildThrottleRule conditionally includes EvaluationWindowSec in the generated RateBasedStatement only when explicitly provided, preserving CloudFormation output stability for configs without the setting.
Validation and unit test coverage src/__tests__/validation/base.test.ts, src/__tests__/waf.test.ts	Test suites updated to verify valid configurations with evaluationWindowSec: 300, invalid configurations with out-of-range values (e.g., 301), and unit snapshots include the field in throttle rule presets.
End-to-end CloudFormation validation e2e/waf.e2e.test.ts	Two new e2e test cases verify synthesized WebACL rules omit EvaluationWindowSec for shorthand throttle syntax and include it with expected values for explicit object-form configuration.
Documentation and configuration examples doc/WAF.md, examples/waf/serverless.yml	WAF documentation updated with parameter details and supported window values; example configuration demonstrates forwarded IP-based throttling with the new evaluationWindowSec field.

GitHub Issue and PR Template Improvements

Layer / File(s)	Summary
Issue and PR template refinements .github/ISSUE_TEMPLATE/add-new-feature---behavior.md, .github/ISSUE_TEMPLATE/report-bug.md, .github/PULL_REQUEST_TEMPLATE.md	GitHub templates reorganized with improved structural guidance; PR template adds a dedicated "Proposed changes" section, and issue templates improve section clarity and formatting consistency.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• AlexHladin

Poem

🐰 Whiskers twitch with WAF delight,
Evaluation windows set just right,
Sixty, one-twenty, three-oh-oh,
Six-hundred seconds let traffic flow!
Tests and docs dance in perfect time, ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Feat/waf evaluation window sec' is directly related to the main changeset, which adds support for the evaluationWindowSec property to WAF throttling rules across multiple files (types, validation, implementation, tests, and documentation).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/waf-evaluation-window-sec

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/types/common.ts (1)

26-26: ⚡ Quick win

Consider using a literal union type for compile-time safety.

The evaluationWindowSec field accepts number but AWS WAF only supports specific values (60, 120, 300, 600). Using a literal union type would catch invalid values at compile time rather than relying solely on runtime validation.

🔒 Proposed type improvement

-      evaluationWindowSec?: number;
+      evaluationWindowSec?: 60 | 120 | 300 | 600;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/types/common.ts` at line 26, Change the evaluationWindowSec property from
a plain number to a literal union of the allowed AWS WAF values (60 | 120 | 300
| 600) to enforce valid values at compile time; update the declaration of
evaluationWindowSec in the relevant interface/type (the evaluationWindowSec
field in src/types/common.ts) and adjust any call sites, defaults, or tests that
pass other numeric values so they use one of the permitted literals.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/ISSUE_TEMPLATE/add-new-feature---behavior.md:
- Line 24: Two fenced code blocks in the add-new-feature---behavior template are
missing language identifiers (causing markdownlint MD040); update both code
fences referenced around the example text to use a language tag (e.g., change
``` to ```text) so the blocks read as fenced with language identifiers, ensuring
the first example ("Currently, AWS RDS Postgresql is not supported as
datasource.") and the second example ("AWS RDS Postgresql is supported as
datasource for queries or mutations.") are both prefixed by ```text.

---

Nitpick comments:
In `@src/types/common.ts`:
- Line 26: Change the evaluationWindowSec property from a plain number to a
literal union of the allowed AWS WAF values (60 | 120 | 300 | 600) to enforce
valid values at compile time; update the declaration of evaluationWindowSec in
the relevant interface/type (the evaluationWindowSec field in
src/types/common.ts) and adjust any call sites, defaults, or tests that pass
other numeric values so they use one of the permitted literals.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd3c883b-c92c-4028-a207-86ea638c45c6

📥 Commits

Reviewing files that changed from the base of the PR and between 082c00b and c96aefe.

⛔ Files ignored due to path filters (2)

• src/__tests__/__snapshots__/waf.test.ts.snap is excluded by !**/*.snap
• src/__tests__/validation/__snapshots__/base.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (12)

• .github/ISSUE_TEMPLATE/add-new-feature---behavior.md
• .github/ISSUE_TEMPLATE/report-bug.md
• .github/PULL_REQUEST_TEMPLATE.md
• doc/WAF.md
• e2e/waf.e2e.test.ts
• examples/waf/serverless.yml
• src/__tests__/validation/base.test.ts
• src/__tests__/waf.test.ts
• src/resources/Waf.ts
• src/types/cloudFormation.ts
• src/types/common.ts
• src/validation.ts

💤 Files with no reviewable changes (1)

• .github/ISSUE_TEMPLATE/report-bug.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add language identifiers to fenced code blocks to satisfy markdownlint (MD040).

Two example fences are missing a language tag, which can fail markdown lint checks.

Suggested patch

-```
+```text
 Currently, AWS RDS Postgresql is not supported as datasource.

@@
- +text
AWS RDS Postgresql is supported as datasource for queries or mutations.

Also applies to: 35-35

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 24-24: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/ISSUE_TEMPLATE/add-new-feature---behavior.md at line 24, Two fenced
code blocks in the add-new-feature---behavior template are missing language
identifiers (causing markdownlint MD040); update both code fences referenced
around the example text to use a language tag (e.g., change ``` to ```text) so
the blocks read as fenced with language identifiers, ensuring the first example
("Currently, AWS RDS Postgresql is not supported as datasource.") and the second
example ("AWS RDS Postgresql is supported as datasource for queries or
mutations.") are both prefixed by ```text.