4.5.1 #448

Merged
merged 37 commits into from
Sep 3, 2024

a92d4e4
Fix Doc Generation
daknhh Jul 9, 2024
2d345e8
add more information
daknhh Jul 19, 2024
717a4ff
improve Docs
daknhh Jul 29, 2024
679c2cd
Updates
daknhh Aug 24, 2024
2d46a7d
Fixes
daknhh Aug 30, 2024
29e2869
eslint update
daknhh Aug 30, 2024
bcc2ada
add eslint config.js
daknhh Aug 30, 2024
c941129
linting
daknhh Aug 30, 2024
9d9267c
linting
daknhh Aug 30, 2024
12ecdcf
Linting
daknhh Aug 30, 2024
56b79b1
Linting
daknhh Aug 30, 2024
337b05f
linting
daknhh Aug 30, 2024
464e576
fix lint
daknhh Aug 30, 2024
c3e2ec3
lint
daknhh Aug 30, 2024
ca24a8e
fix
daknhh Aug 30, 2024
47f49d3
change to ManagedRuleGroupStatementProperty
daknhh Aug 30, 2024
33640d4
adjust changelog
daknhh Aug 30, 2024
aba7474
linting
daknhh Aug 30, 2024
038dc44
fix -scopeDownStatement.regexPatternSetReferenceStatement calculateC…
daknhh Aug 30, 2024
2f671a5
improve docs
daknhh Aug 30, 2024
2d8ab33
improve docs
daknhh Aug 31, 2024
ec782d5
fix lambda paths after restructure
daknhh Aug 31, 2024
a99493f
Adjust Changelog
daknhh Aug 31, 2024
5bb6532
add new tests and improve docs
daknhh Aug 31, 2024
56e2d9b
adjustname for new testrule
daknhh Aug 31, 2024
3cb5e35
Removed from the changelog because CloudFormation has not yet impleme…
daknhh Sep 2, 2024
520ef84
Removed from the changelog because CloudFormation has not yet impleme…
daknhh Sep 2, 2024
6826a3d
adjust docs for constructs
daknhh Sep 2, 2024
524dfa3
fix path to package.json
daknhh Sep 2, 2024
fd5b4e0
remove unused construct - restructure
daknhh Sep 2, 2024
70b258d
Adjust Docs
daknhh Sep 2, 2024
f4d7e57
change docs
daknhh Sep 2, 2024
b98c3e5
update docs
daknhh Sep 2, 2024
44accd5
add new test
daknhh Sep 2, 2024
1d94788
change test name
daknhh Sep 2, 2024
526b131
add icon to head of docs
daknhh Sep 2, 2024
55e5ea2
add icon to second header
daknhh Sep 2, 2024
4 changes: 0 additions & 4 deletions .eslintignore

This file was deleted.

89 changes: 55 additions & 34 deletions .eslintrc
Expand Up @@ -7,40 +7,61 @@
"extends": [
"eslint:recommended",
"plugin:@typescript-eslint/eslint-recommended",
"plugin:@typescript-eslint/recommended"
"plugin:@typescript-eslint/recommended",
"plugin:@typescript-eslint/recommended-requiring-type-checking"
],
"parserOptions": {
"ecmaVersion": 2018,
"sourceType": "module",
"project": "tsconfig.eslint.json"
},
"ignorePatterns": [
"*.js",
"*.d.ts",
"node_modules/",
"*.generated.ts",
"values",
"gotestwaf",
"coverage"
],
"rules": {
"semi": [2, "always"],
"eqeqeq": 2,
"indent": [2, 2, {"SwitchCase": 1}],
"quotes": ["error", "double"],
"linebreak-style": "off",
"array-bracket-newline": "off",
"array-bracket-spacing": ["error", "never"],
"no-trailing-spaces": "off",
"padded-blocks": "off",
"arrow-body-style": "off",
"init-declarations": "off",
"comma-dangle": "off",
"keyword-spacing": [0, {"before": true, "after": true, "overrides": null}],
"prefer-template": "off",
"id-blacklist": "off",
"no-console": "off",
"no-sync": "off",
"complexity": "off",
"max-statements": "off",
"array-element-newline": "off",
"object-curly-spacing": "off",
"template-curly-spacing": "off",
"camelcase": "off",
"no-use-before-define": "off",
"id-length": "off",
"id-match": "off",
"max-len": "off",
"no-magic-numbers": "off",
"no-underscore-dangle": "off",
"no-process-env": "off",
"func-style": ["error", "declaration", { "allowArrowFunctions": true }],
"no-useless-escape": "off"
"semi": [
"error",
"always"
],
"indent": [
"error",
2,
{
"SwitchCase": 1
}
],
"quotes": [
"error",
"double"
],
"@typescript-eslint/naming-convention": [
"error",
{
"selector": [
"method"
],
"format": [
"strictCamelCase"
]
},
{
"selector": [
"class",
"interface",
"typeParameter",
"typeAlias"
],
"format": [
"StrictPascalCase"
]
}
]
}
}
}
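Review bot: The rewritten `rules` block keeps only `semi`, `indent`, `quotes` and the naming convention, so if `"eqeqeq": 2` from the old block was dropped rather than moved elsewhere, loose `==`/`!=` comparisons are no longer flagged — neither `eslint:recommended` nor `recommended-requiring-type-checking` turns that rule on. Suggest re-adding `"eqeqeq": ["error", "always", { "null": "ignore" }]` next to `semi`, since the codebase compares `process.env` strings in several places and a silent coercion there is easy to miss. The enclosing config object starts before this hunk (line 7), so the `parser`/`plugins` entries are not visible here.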

File renamed without changes.
1 change: 1 addition & 0 deletions .github/workflows/docs.yml
Expand Up @@ -36,5 +36,6 @@ jobs:
run: npx typedoc --options typedoc.json
- name: 🚀 Upload Documentation
run: |
cp -a ./static/docs/images/. ./docs/assets/
aws s3 sync ./docs s3://${{env.S3_BUCKET}} --delete
aws cloudfront create-invalidation --distribution-id ${{env.DISTRIBUTION_ID}} --paths "/*"
2 changes: 1 addition & 1 deletion .github/workflows/fwf_enumCheck.yml
Expand Up @@ -52,4 +52,4 @@ jobs:
mask-aws-account-id: false
- name: 🧪 Check Enums for ManagedRule Groups
run: |
ts-node ./lib/tools/enumcheck.ts
ts-node ./workflows/enumcheck.ts
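--- a/.github/workflows/waf_test_onlymanagedrulegroupsWithExcludes.yml
+++ b/.github/workflows/waf_test_onlymanagedrulegroupsWithExcludes.yml
@@ -0,0 +1,76 @@
+name: ManagedRuleGroupsExcludes-Firewall
+
+env:
+AWS_REGION: eu-central-1
+AWS_ROLE: FirewallFactoryGithubPipelineRole
+AWS_ACCOUNT: 859220371210
+
+permissions:
+id-token: write
+contents: read
+
+# concurrency:
+# group: test_envrionment
+# cancel-in-progress: true
+
+on:
+push:
+branches:
+- master
+pull_request:
+branches:
+- master
+paths:
+- 'bin/**/*'
+- 'lib/**/*'
+- 'package*.json'
+jobs:
+deploy_production_main:
+name: Test and deploy OnlyManagedRuleGroups Firewall
+runs-on: ubuntu-latest
+steps:
+- name: ⬇️ Checkout
+uses: actions/[email protected]
+- name: 📁 Install Taskfile
+run: |
+npm install -g @go-task/cli
+- name: ☊ Use Node.js
+uses: actions/[email protected]
+with:
+node-version: '21.x'
+- name: 💾 Cache Node.js modules
+uses: actions/[email protected]
+with:
+path: ~/.npm
+key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+restore-keys: |
+${{ runner.OS }}-node-
+${{ runner.OS }}-
+- name: 🌐 Install CDK and typescript globally
+run: |
+npm i -g aws-cdk typescript ts-node @types/node yarn
+npm link typescript
+- name: 📦 Install Packages
+run: |
+npm install
+- name: 🔑 Configure AWS credentials
+uses: aws-actions/[email protected]
+env:
+ACCOUNT_ID: ${{ env.AWS_ACCOUNT }}
+with:
+role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.AWS_ROLE }}
+aws-region: ${{ env.AWS_REGION }}
+role-session-name: GitHubActionsSession
+mask-aws-account-id: false
+- name: 🚀 Set up QEMU
+uses: docker/setup-qemu-action@v3
+- name: 🫙 Set up Docker Buildx
+uses: docker/[email protected]
+- name: 🔥 Deploy Firewall to AWS
+run: |
+export STACK_NAME=WAFStack
+task deploy config=onlyManagedRuleGroupsWithExcludesTests
+- name: 🗑️ Remove Firewall from AWS
+run: |
+export STACK_NAME=WAFStack
+task destroy config=onlyManagedRuleGroupsWithExcludesTests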
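Review bot: Every third-party action in this job is pinned to a mutable tag rather than a commit SHA — `docker/setup-qemu-action@v3` in particular floats across all v3 releases — so a moved or compromised tag would execute with this job's `id-token: write` permission and the assumed `FirewallFactoryGithubPipelineRole`, which can deploy and destroy WAF stacks. Pin each `uses:` to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: docker/setup-qemu-action@<commit-sha> # v3`. The same concern applies to `npm i -g aws-cdk typescript ts-node @types/node yarn`, which installs whatever is newest at run time; pinning those versions keeps the deploy toolchain reproducible across runs. With the `concurrency` block commented out, two overlapping runs can `task deploy` and `task destroy` the same `STACK_NAME=WAFStack` at once, which is presumably not intended.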
1 change: 0 additions & 1 deletion .gitignore
@@ -1,4 +1,3 @@
*.js
!jest.config.js
*.d.ts
node_modules
47 changes: 47 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,53 @@
# Change Log

## Released


## 4.5.1
### Added
- Renamed Type: Changed the type name WafConfig to wafConfig in the Config module to follow naming conventions and improve consistency across the codebase.
- Change the ManagedRuleGroup interface, to extends the wafv2.CfnWebACL.ManagedRuleGroupStatementProperty.
- Changed structure in lib and improved Documentation, extended jsdoc with examples.

### Fixed
- Corrected the regex pattern for IPSet descriptions to ensure accurate validation
- Fixed Bug on IPSet capacity check
- Bump aws-cdk: 2.148.0 to 2.154.1
- Bump aws-cdk-lib: ^2.148.0 to ^2.150.0
- Bump @aws-sdk/client-cloudformation: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-cloudfront: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-cloudwatch: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-config-service: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-ec2: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-fms: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-pricing: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-s3: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-secrets-manager: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-service-quotas: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-shield: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-iam: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-ssm: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-wafv2: 3.606.0 to 3.637.0
- Bump @aws-solutions-constructs/aws-eventbridge-stepfunctions: ^2.60.0 to ^2.65.0
- Bump @babel/traverse: ^7.24.7 to ^7.25.4
- Bump @types/node: ^20.14.9 to ^22.5.0
- Bump @types/aws-lambda: ^8.10.140 to ^8.10.143
- Bump @types/lodash: 4.17.6 to 4.17.7
- Bump axios: ^1.7.2 to ^1.7.5
- Bump cdk-sops-secrets: ^1.12.0 to ^1.13.1
- Bump cfonts: ^3.2.0 to ^3.3.0
- Bump constructs: 10.2.0 to 10.3.0
- Bump lodash: 4.17.20 to 4.17.21
- Bump npm: 10.8.1 to 10.8.2
- Bump table: ^6.8.0 to ^6.8.2
- Bump i: ^0.3.6 to ^0.3.7
- Bump typedoc-plugin-extras: ^3.0.0 to ^3.1.0
- Bump uuid: ^10.0.0 to ^10.0.0
- Bump typescript: 5.4.5 to 5.5.4
- Bump ts-jest: 29.1.5 to 29.2.5
- Bump adaptivecards: 3.0.2 to 3.0.4
- Bump aws-lambda: ^1.0.6 to ^1.0.7

## 4.5.0
### Added
- Added support for deploying Shield Advanced policies, including the ability to calculate pricing. AWS Shield Advanced provides customized detection based on traffic patterns to your protected resources, detects and alerts on smaller DDoS attacks, and identifies application layer attacks by baselining traffic and spotting anomalies.
4 changes: 2 additions & 2 deletions Features.md
Expand Up @@ -67,7 +67,7 @@
- Bot vs Non-bot Requests

See example:
![FirewallDashboard](./static/FirewallDashboard.jpg)
![FirewallDashboard](./static/docs/images/waf_Dashboard.jpg)

20. Example Configurations
1. Example WAF Configuration againts: [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
Expand Down Expand Up @@ -97,7 +97,7 @@ See example:
The Dashboard shows the ammount of DDoS attacks detected

See example:
![ShieldDashboard](./static/shield-dashboard.png)
![ShieldDashboard](./static/docs/images/shield-dashboard.png)

27. Cloudwatch Cross-Account association - The Firewall Factory offers CloudFormation templates for associating the monitoring account with source accounts:
- [Monitoring account template](./static/cf-templates/monitoring-account-sink.template.yml)
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -63,6 +63,7 @@ If you want to learn more about the AWS Firewall Factory feel free to look at th
| CodeQL | ![CodeQL](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/github-code-scanning/codeql/badge.svg?branch=master) |
| Linting | ![linting](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/linting.yml/badge.svg?branch=master) |
| WAF Deployment - Only Managed Rule Groups | ![onlyManagedRuleGroups](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_onlymanagedrulegroups.yml/badge.svg?branch=master) |
| WAF Deployment - Only Managed Rule Groups with Excludes | ![rateBasedwithScopeDown](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_onlymanagedrulegroupsWithExcludes.yml/badge.svg?branch=master) |
| WAF Deployment - IpSets | ![IpSets](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_ipSets.yml/badge.svg?branch=master) |
| WAF Deployment - RegexPatternSets | ![regexPatternSets](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_regexPatternSets.yml/badge.svg?branch=master) |
| WAF Deployment - RateBasedwithScopeDown | ![rateBasedwithScopeDown](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_rateBasedwithScopeDown.yml/badge.svg?branch=master) |
2 changes: 1 addition & 1 deletion Taskfile.yml
Expand Up @@ -39,7 +39,7 @@ tasks:
diff:
desc: CDK Diff
cmds:
- cdk diff
- bash -c 'source options.sh && cdk diff --toolkit-stack-name {{.TOOL_KIT_STACKNAME}}'
silent: true
interactive: true
env:
23 changes: 14 additions & 9 deletions bin/aws-firewall-factory.ts
@@ -1,10 +1,10 @@
#!/usr/bin/env node
import { WafStack } from "../lib/_web-application-firewall-stack";
import { PrerequisitesStack } from "../lib/_prerequisites-stack";
import { ShieldStack } from "../lib/_shield-advanced-stack";
import { WafStack } from "../lib/_waf/index";
import { PrerequisitesStack } from "../lib/_prerequisites/index";
import { ShieldStack } from "../lib/_shield-advanced/index";
import * as cdk from "aws-cdk-lib";
import {
Config,
wafConfig,
ShieldConfig,
Prerequisites,
PriceRegions,
Expand All @@ -19,6 +19,12 @@ import {
ssmHelper,
} from "../lib/tools/helpers";


/**
* @Module
* # AWS Firewall Factory
*/

const app = new cdk.App();

// Main function to handle the user choice and deploy respective stack
Expand All @@ -45,11 +51,10 @@ void (async () => {
// Deploying prerequisite stack
console.log(process.env.PREREQUISITE);
if (process.env.STACK_NAME === "PreRequisiteStack") {
// eslint-disable-next-line @typescript-eslint/no-var-requires, @typescript-eslint/no-unsafe-assignment
const prerequisites: Prerequisites = values.prereq[CONFIG_OBJECT_NAME];
const deploymentRegion = afwfHelper.outputInfoBanner();
const runtimeProperties = afwfHelper.initRuntimeProperties();
ssmHelper.getAllAwsRegionsFromPublicSsmParameter(
await ssmHelper.getAllAwsRegionsFromPublicSsmParameter(
deploymentRegion,
runtimeProperties
);
Expand Down Expand Up @@ -125,13 +130,13 @@ void (async () => {
);

await pricingHelper.isShieldPriceCalculated(shieldConfig);
await guidanceHelper.outputGuidance(runtimeProperties);
guidanceHelper.outputGuidance(runtimeProperties);
}
// ---------------------------------------------------------------------
// Deploying Firewall stack
if (process.env.STACK_NAME === "WAFStack") {
// eslint-disable-next-line @typescript-eslint/no-var-requires
const config: Config = values.configs[CONFIG_OBJECT_NAME];
const config: wafConfig = values.configs[CONFIG_OBJECT_NAME];
const deploymentRegion = afwfHelper.outputInfoBanner(config);
const runtimeProperties = afwfHelper.initRuntimeProperties();
if (process.env.SKIP_QUOTA_CHECK === "true") {
Expand Down Expand Up @@ -270,6 +275,6 @@ void (async () => {
config,
deploymentRegion
);
await guidanceHelper.outputGuidance(runtimeProperties, config);
guidanceHelper.outputGuidance(runtimeProperties, config);
}
})();
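Review bot: `const config: wafConfig = values.configs[CONFIG_OBJECT_NAME];` looks up the deployment config by an externally supplied name with no check that the key exists, so a missing or mistyped name hands `undefined` to `afwfHelper.outputInfoBanner(config)` and the quota checks that follow; a guard such as `if (!config) throw new Error(\`no WAF config named ${CONFIG_OBJECT_NAME}\`);` fails with a clear message instead (the same applies to `values.prereq[CONFIG_OBJECT_NAME]` in the PreRequisiteStack branch; where `CONFIG_OBJECT_NAME` is derived is outside these hunks). Separately, the rename `Config` → `wafConfig` makes the type lower camel case while the `.eslintrc` in this same PR adds a `StrictPascalCase` requirement for `typeAlias` and `interface`, so if `wafConfig` is declared as either, the lint job should now reject it — `WafConfig` would satisfy both. The `@Module` tag in the new header comment is not a TSDoc/TypeDoc tag; `@module` is the recognized form. Dropping the `await` on `guidanceHelper.outputGuidance(...)` is only safe if that helper no longer returns a Promise; otherwise its rejection is now unhandled.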
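--- a/lib/_prerequisites/index.ts
+++ b/lib/_prerequisites/index.ts
@@ -0,0 +1,38 @@
+/**
+* @packageDocumentation
+* # AWS Firewall Factory - Prerequisites Stack
+*
+* The Prequisites Stack is used to deploy the prerequisites for the AWS Firewall Factory.
+*
+* It contains the following resources:
+* - S3 Bucket for Logging
+* - KMS Key for Encryption
+* - Lambda Function for Notifications for Managed RuleGroup Updates
+* - Lambda Function for Notifications for DDoS (Advanced Shield)
+* - Lambda Function for Notifications for Unused WAF (WebACL)
+* @description
+*
+* @example
+* import { Prerequisites } from "../../lib/types/config";
+* export const prequisites: Prerequisites = {
+* General: {
+* Prefix: "aws-firewall-factory",
+* },
+* Logging: {
+* BucketProperties: {
+* BucketName: "aws-firewall-factory-logs",
+* KmsEncryptionKey: true,
+* ObjectLock: {
+* Days: 5,
+* Mode: "GOVERNANCE"
+* }
+* },
+* FireHoseKey: {
+* KeyAlias: "aws-firewall-factory-firehosekey"
+* },
+* CrossAccountIdforPermissions: "123456789012",
+* },
+* DdosNotifications:{WebhookSopsFile: "./values/examples/webhooks/slack.json"}
+* };
+*/
+export * from "./stack";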
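Review bot: The `@description` tag in the new header comment has no text and sits directly before `@example`, so TypeDoc will render an empty description section; either drop the bare tag or give it the sentence that follows the heading. The example misspells the identifier as `prequisites` and the prose as "The Prequisites Stack", and since users copy these examples verbatim into their config, suggest `export const prerequisites: Prerequisites = {` and `The Prerequisites Stack is used to deploy the prerequisites for the AWS Firewall Factory.`. Whether the example's import path `../../lib/types/config` resolves from the location a user would write this cannot be confirmed from this hunk.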