
4.6.0 #488

Merged
merged 7 commits into from
Nov 14, 2024
Merged

4.6.0 #488

Type Update and Review
daknhh committed Nov 14, 2024
commit 5b21f31fa73dbd2da7837e84813e9564146fb221
24 changes: 11 additions & 13 deletions bin/aws-firewall-factory.ts
@@ -1,10 +1,10 @@
import { WafStack } from "../lib/_waf/index";
import { PrerequisitesStack } from "../lib/_prerequisites/index";
import { ShieldStack } from "../lib/_shield-advanced/index";
import { AutoUpdatedManagedIpSetsStack } from "../lib/_autoUpdatedManagedIpSets/index";
#!/usr/bin/env node
import { WafStack } from "../lib/_waf";
import { PrerequisitesStack } from "../lib/_prerequisites";
import { ShieldStack } from "../lib/_shield-advanced";
import { AutoUpdatedManagedIpSetsStack } from "../lib/_autoUpdatedManagedIpSets";
import { AutoUpdatedManagedIpSetsConfig, ShieldConfig, PrerequisitesConfig, WafConfig, PriceRegions, RegionString } from "../lib/types";
import * as cdk from "aws-cdk-lib";
import { waf, shield, autoUpdatedManagedIpSets, prerequisites } from "../lib/types/config/index";
import { general, pricing } from "../lib/types/enums/index";
import * as helpers from "../lib/tools/helpers";


@@ -40,7 +40,7 @@ void (async () => {
case "PreRequisiteStack": {
// ---------------------------------------------------------------------
// Deploying prerequisite stack
const prerequisites: prerequisites.PrerequisitesConfig = values.prereq[CONFIG_OBJECT_NAME];
const prerequisites: PrerequisitesConfig = values.prereq[CONFIG_OBJECT_NAME];
const deploymentRegion = helpers.afwfHelper.outputInfoBanner();
const runtimeProperties = helpers.afwfHelper.initRuntimeProperties();
await helpers.ssmHelper.getAllAwsRegionsFromPublicSsmParameter(
@@ -66,8 +66,7 @@ void (async () => {
break;
}
case "ShieldAdvancedStack": {
// eslint-disable-next-line @typescript-eslint/no-var-requires, @typescript-eslint/no-unsafe-assignment
const shieldConfig: shield.ShieldConfig = values.shieldConfigs[CONFIG_OBJECT_NAME];
const shieldConfig: ShieldConfig = values.shieldConfigs[CONFIG_OBJECT_NAME];
const deploymentRegion = process.env.AWS_REGION;
const runtimeProperties = helpers.afwfHelper.initRuntimeProperties();
console.log(`🛡️ Deploy Shield Policy: ${shieldConfig.General.Prefix.toUpperCase()}-${
@@ -121,8 +120,7 @@ void (async () => {
case "WAFStack": {
// ---------------------------------------------------------------------
// Deploying Firewall stack
// eslint-disable-next-line @typescript-eslint/no-var-requires
const config: waf.WafConfig = values.configs[CONFIG_OBJECT_NAME];
const config: WafConfig = values.configs[CONFIG_OBJECT_NAME];
const deploymentRegion = helpers.afwfHelper.outputInfoBanner(config);
const runtimeProperties = helpers.afwfHelper.initRuntimeProperties();
if (process.env.SKIP_QUOTA_CHECK === "true") {
@@ -256,7 +254,7 @@ void (async () => {
);

await helpers.pricingHelper.isWafPriceCalculated(
pricing.PriceRegions[deploymentRegion as general.RegionString],
PriceRegions[deploymentRegion as RegionString],
runtimeProperties,
config,
deploymentRegion
@@ -274,7 +272,7 @@ void (async () => {
`);
}
const app = new cdk.App();
const autoUpdatedManagedIpSetsConfig: autoUpdatedManagedIpSets.AutoUpdatedManagedIpSetsConfig = values.autoUpdatedManagedIpSetsConfigs[CONFIG_OBJECT_NAME];
const autoUpdatedManagedIpSetsConfig: AutoUpdatedManagedIpSetsConfig = values.autoUpdatedManagedIpSetsConfigs[CONFIG_OBJECT_NAME];
new AutoUpdatedManagedIpSetsStack(
app,
"AutoUpdatedManagedIpSets",
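Review bot: The config lookups `values.prereq[CONFIG_OBJECT_NAME]`, `values.shieldConfigs[CONFIG_OBJECT_NAME]`, `values.configs[CONFIG_OBJECT_NAME]` and `values.autoUpdatedManagedIpSetsConfigs[CONFIG_OBJECT_NAME]` are now assigned to typed constants (the `no-unsafe-assignment` disables are dropped), but nothing checks that the key exists, so a mistyped config name surfaces later as a property access on `undefined` (e.g. `shieldConfig.General.Prefix.toUpperCase()`). A guard directly after each lookup fails fast with a usable message, e.g. `if (!config) throw new Error(\`No WAF config found for ${CONFIG_OBJECT_NAME}\`);`. The same applies to `PriceRegions[deploymentRegion as RegionString]`: the assertion silences the checker, and an unrecognised region value yields `undefined` which is then passed to `isWafPriceCalculated`; testing `deploymentRegion in PriceRegions` before the call avoids that. Whether the declared types already make these lookups non-optional is not visible from the hunks. The enclosing async IIFE starts and ends outside the hunks.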
6 changes: 3 additions & 3 deletions lib/_autoUpdatedManagedIpSets/stack.ts
@@ -1,6 +1,6 @@
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import { runtime, autoUpdatedManagedIpSets } from "../types/config/index";
import { RuntimeProps, AutoUpdatedManagedIpSetsConfig } from "../types/config/index";
import {
aws_lambda as lambda,
aws_lambda_nodejs as NodejsFunction,
@@ -17,11 +17,11 @@ export interface AutoUpdatedManagedIpSetsStackProps extends cdk.StackProps {
/**
* Class Variable for WAF Properties.
*/
readonly config: autoUpdatedManagedIpSets.AutoUpdatedManagedIpSetsConfig;
readonly config: AutoUpdatedManagedIpSetsConfig;
/**
* Class Variable for Runtime Properties.
*/
runtimeProperties: runtime.RuntimeProps;
runtimeProperties: RuntimeProps;
}


9 changes: 4 additions & 5 deletions lib/_prerequisites/stack.ts
@@ -1,6 +1,6 @@
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import { prerequisites, runtime } from "../types/config/index";
import {PrerequisitesConfig, RuntimeProps } from "../types/config/index";
import {
aws_s3 as s3,
aws_kms as kms,
@@ -43,11 +43,11 @@ export interface StackProps extends cdk.StackProps {
/**
* Class Variable for Prerequisites Properties.
*/
readonly prerequisites: prerequisites.PrerequisitesConfig;
readonly prerequisites: PrerequisitesConfig;
/**
* Class Variable for Runtime Properties.
*/
runtimeProperties: runtime.RuntimeProps;
runtimeProperties: RuntimeProps;
}

export class PrerequisitesStack extends cdk.Stack {
@@ -340,7 +340,7 @@ export class PrerequisitesStack extends cdk.Stack {
console.log(
"\n🪣 Creating Bucket with Name: AWS-Firewall-Factory-Logging"
);
let encryptionKey = undefined;
let encryptionKey: kms.Key | undefined;
if (props.prerequisites.Logging.BucketProperties?.KmsEncryptionKey) {
console.log(
" 🔑 Creating KMS Key for: AWS-Firewall-Factory-Logging Bucket."
@@ -440,7 +440,6 @@ export class PrerequisitesStack extends cdk.Stack {
console.log(
" ➕ Adding ObjectLock to Bucket: AWS-Firewall-Factory-Logging \n"
);
// eslint-disable-next-line @typescript-eslint/restrict-plus-operands
console.log(
" ⚙️ Settings: \n 🗓️ Retention-Days: " +
props.prerequisites.Logging.BucketProperties?.ObjectLock?.Days +
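Review bot: With the `restrict-plus-operands` disable removed in front of the `console.log` following the "➕ Adding ObjectLock" message, the message is still built with `+` from `props.prerequisites.Logging.BucketProperties?.ObjectLock?.Days`, which is optional-chained and so may be `undefined`; if `Days` is typed as an optional number the rule will now flag this line, and at runtime a missing value prints as `undefined`. A template literal with an explicit fallback reads better and satisfies the rule: `\` ⚙️ Settings: \n 🗓️ Retention-Days: ${props.prerequisites.Logging.BucketProperties?.ObjectLock?.Days ?? "n/a"}\``; the rest of the concatenation continues past the hunk. The `let encryptionKey: kms.Key | undefined;` annotation in the earlier hunk is the right change. Both hunks sit inside a method whose start and end are outside the view.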
8 changes: 4 additions & 4 deletions lib/_shield-advanced/stack.ts
@@ -2,7 +2,7 @@ import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import { aws_fms as fms } from "aws-cdk-lib";
import { getGuidance } from "../tools/helpers/guidance";
import { runtime, shield, waf } from "../types/config/index";
import { RuntimeProps, ShieldConfig, ManagedServiceData } from "../types/config";
import { ShieldDashboard } from "../constructs/shieldDashboard/index";

/**
@@ -32,11 +32,11 @@ export interface ShieldProps extends cdk.StackProps {
/**
* Class Variable for a Shield Config.
*/
readonly shieldConfig: shield.ShieldConfig;
readonly shieldConfig: ShieldConfig;
/**
* Class Variable for Runtime Properties.
*/
readonly runtimeProperties: runtime.RuntimeProps;
readonly runtimeProperties: RuntimeProps;
}
export class ShieldStack extends cdk.Stack {
readonly oamSinkArn: string = "";
@@ -45,7 +45,7 @@ export class ShieldStack extends cdk.Stack {
const preProcessRuleGroups: never[] = [];
const postProcessRuleGroups: never[] = [];
let loggingConfiguration;
const managedServiceData: waf.ManagedServiceData = {
const managedServiceData: ManagedServiceData = {
type: "SHIELD_ADVANCED",
defaultAction: { type: props.shieldConfig.defaultActionType },
preProcessRuleGroups: preProcessRuleGroups,
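Review bot: The new import `import { RuntimeProps, ShieldConfig, ManagedServiceData } from "../types/config";` drops the `/index` suffix that the sibling stacks in this commit keep (`../types/config/index` in lib/_waf/stack.ts, lib/_prerequisites/stack.ts and lib/_autoUpdatedManagedIpSets/stack.ts); both resolve to the same module, but one form should be used consistently, so I would match the siblings: `import { RuntimeProps, ShieldConfig, ManagedServiceData } from "../types/config/index";`. In the same hunk `let loggingConfiguration;` two lines above the now-typed `managedServiceData` is left with an implicit evolving type while the commit adds explicit types everywhere else; an explicit annotation matching whatever `managedServiceData` expects for that field (not visible here) would keep the block consistent. The constructor body continues outside the hunk.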
2 changes: 1 addition & 1 deletion lib/_waf/index.ts
@@ -7,7 +7,7 @@
* @example
* import { waf } from "../../lib/types/config";
* import {ManagedRuleGroupVendor, AwsManagedRules, WebAclScope, WebAclTypeEnum} from "../../lib/types/enums/waf";
* export const config: waf.WafConfig = {
* export const config: WafConfig= {
* General: {
* FireHoseKeyArn: "",
* Prefix: "aws-firewall-factory",
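Review bot: The TSDoc example now declares `export const config: WafConfig= {`, but the example line two above still reads `import { waf } from "../../lib/types/config";`, so the snippet no longer type-checks as written. Change the import to `import { WafConfig } from "../../lib/types/config";` and restore the space before the assignment: `export const config: WafConfig = {`. The example continues outside the hunk.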
18 changes: 7 additions & 11 deletions lib/_waf/stack.ts
@@ -1,10 +1,7 @@
/* eslint-disable @typescript-eslint/no-explicit-any */
/* eslint-disable @typescript-eslint/no-unsafe-assignment */
/* eslint-disable @typescript-eslint/no-unsafe-member-access */
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import { aws_wafv2 as wafv2, aws_fms as fms,aws_lambda_nodejs as NodejsFunction, aws_lambda as lambda, aws_kinesisfirehose as firehouse, aws_iam as iam, aws_logs as logs } from "aws-cdk-lib";
import { runtime, waf } from "../types/config/index";
import { RuntimeProps, WafConfig, SubVariables, ManagedServiceData, ManagedRuleGroup, ServiceDataManagedRuleGroup, ServiceDataRuleGroup } from "../types/config/index";
import {WafCloudWatchDashboard} from "../constructs/wafDashboard/index";
import * as path from "path";
import * as cr from "aws-cdk-lib/custom-resources";
@@ -25,11 +22,11 @@ export interface ConfigStackProps extends cdk.StackProps {
/**
* Class Variable for WAF Properties.
*/
readonly config: waf.WafConfig;
readonly config: WafConfig;
/**
* Class Variable for Runtime Properties.
*/
runtimeProperties: runtime.RuntimeProps;
runtimeProperties: RuntimeProps;
}

export class WafStack extends cdk.Stack {
@@ -206,10 +203,10 @@ export class WafStack extends cdk.Stack {

// --------------------------------------------------------------------

const preProcessRuleGroups = [];
const postProcessRuleGroups = [];
const preProcessRuleGroups: (ServiceDataManagedRuleGroup | ManagedRuleGroup | ServiceDataRuleGroup)[] = [];
const postProcessRuleGroups: (ServiceDataManagedRuleGroup | ManagedRuleGroup | ServiceDataRuleGroup)[] = [];
const MANAGEDRULEGROUPSINFO: string[]= [""];
let subVariables : waf.SubVariables = {};
let subVariables : SubVariables = {};
if (props.config.WebAcl.PreProcess.ManagedRuleGroups) {
const preProcessmanagedRgs = wafHelper.buildServiceDataManagedRgs(this, props.config.WebAcl.PreProcess.ManagedRuleGroups, managedRuleGroupVersionProvider, props.config.WebAcl.Scope, props.runtimeProperties);
preProcessRuleGroups.push(...preProcessmanagedRgs.ServiceData);
@@ -239,7 +236,7 @@ export class WafStack extends cdk.Stack {
console.log("\nℹ️ No Custom Rules defined in PostProcess.");
}

const managedServiceData : waf.ManagedServiceData = {
const managedServiceData : ManagedServiceData = {
type: "WAFV2",
defaultAction: { type: "ALLOW" },
preProcessRuleGroups: preProcessRuleGroups,
@@ -277,7 +274,6 @@ export class WafStack extends cdk.Stack {
}

if(props.config.General.CreateDashboard && props.config.General.CreateDashboard === true) {
// eslint-disable-next-line @typescript-eslint/no-unsafe-call
new WafCloudWatchDashboard(this, "cloudwatch",props.config, MANAGEDRULEGROUPSINFO); // NOSONAR -> SonarQube is identitfying this line as a Major Issue, but it is not. Sonarqube identify the following Error: Either remove this useless object instantiation or use it.
}
}
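Review bot: The element type `(ServiceDataManagedRuleGroup | ManagedRuleGroup | ServiceDataRuleGroup)[]` is spelled out twice for `preProcessRuleGroups` and `postProcessRuleGroups`; a local alias keeps the two declarations in step: `type RuleGroupEntry = ServiceDataManagedRuleGroup | ManagedRuleGroup | ServiceDataRuleGroup;` followed by `const preProcessRuleGroups: RuleGroupEntry[] = [];` and the same for the post-process array. In the dashboard hunk, `props.config.General.CreateDashboard && props.config.General.CreateDashboard === true` is a redundant test — `if (props.config.General.CreateDashboard === true)` says the same — and now that the `no-unsafe-call` disable is gone the NOSONAR remark about an unused instantiation could be retired by writing `void new WafCloudWatchDashboard(this, "cloudwatch", props.config, MANAGEDRULEGROUPSINFO);`, which states the intent instead of suppressing the finding. The constructor body starts and ends outside these hunks.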
30 changes: 15 additions & 15 deletions lib/constructs/wafDashboard/dashboard.ts
@@ -1,11 +1,11 @@
/* eslint-disable @typescript-eslint/no-unsafe-call */
/* eslint-disable @typescript-eslint/no-unsafe-member-access */
/* eslint-disable @typescript-eslint/restrict-plus-operands */
import { aws_cloudwatch as cloudwatch } from "aws-cdk-lib";
import * as fs from "fs";
import * as path from "path";
import * as cdk from "aws-cdk-lib";
import { waf } from "../../types/config";
import { WafConfig } from "../../types/config";
import { Construct } from "constructs";

const REGION = cdk.Aws.REGION;
@@ -15,17 +15,17 @@
*/
const packageJsonPath = path.resolve(__dirname, "../../../package.json");
const packageJsonContent = fs.readFileSync(packageJsonPath, "utf-8");
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const packageJson = JSON.parse(packageJsonContent);

Check failure on line 19 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unsafe assignment of an `any` value
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const FIREWALL_FACTORY_VERSION = packageJson.version;

Check failure on line 21 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unsafe assignment of an `any` value

Check failure on line 21 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unsafe member access .version on an `any` value

/**
* Central CloudWatch Dashboard Construct
*/
export class WafCloudWatchDashboard extends Construct {

constructor(scope: Construct, id: string, config: waf.WafConfig,managedRuleGroupsInfo:string[]) {
constructor(scope: Construct, id: string, config: WafConfig,managedRuleGroupsInfo:string[]) {
super(scope, id);
console.log("\n🎨 Creating central CloudWatch Dashboard \n 📊 DashboardName: ","\u001b[32m", `${config.General.Prefix.toUpperCase()}-${config.WebAcl.Name}-${config.General.Stage}${config.General.DeployHash ? "-"+config.General.DeployHash : ""}`,"\u001b[0m");
console.log(" ℹ️ Warnings for Math expressions can be ignored.");
@@ -66,8 +66,8 @@
const firstrow = new cloudwatch.Row(infowidget,app,fwfactory);
cwdashboard.addWidgets(firstrow);
for(const account of config.WebAcl.IncludeMap.account){
// eslint-disable-next-line no-useless-escape
const countexpression = "SEARCH('{AWS\/WAFV2,\Region,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\CountedRequests\"', '\Sum', 300)";

Check failure on line 70 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unnecessary escape character: \/

Check failure on line 70 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unnecessary escape character: \R

Check failure on line 70 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unnecessary escape character: \W

Check failure on line 70 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unnecessary escape character: \R

Check failure on line 70 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unnecessary escape character: \W

Check failure on line 70 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unnecessary escape character: \M

Check failure on line 70 in lib/constructs/wafDashboard/dashboard.ts

GitHub Actions / nodejs-test (21)

Unnecessary escape character: \C

const countedRequests = new cloudwatch.GraphWidget({
title: "🔢 Counted Requests in " + account,
@@ -83,7 +83,7 @@
searchRegion: REGION,
color: "#9dbcd4"
}));
// eslint-disable-next-line no-useless-escape
const blockedexpression = "SEARCH('{AWS\/WAFV2,\Region,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\BlockedRequests\"', '\Sum', 300)";
const blockedRequests = new cloudwatch.GraphWidget({
title: "❌ Blocked Requests in " + account,
@@ -99,7 +99,7 @@
searchRegion: REGION,
color: "#ff0000"
}));
// eslint-disable-next-line no-useless-escape

const allowedexpression = "SEARCH('{AWS\/WAFV2,\Region,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\AllowedRequests\"', '\Sum', 300)";
const allowedRequests = new cloudwatch.GraphWidget({
title: "✅ Allowed Requests in " + account,
@@ -115,15 +115,15 @@
searchRegion: REGION,
color: "#00FF00"
}));
// eslint-disable-next-line no-useless-escape
const sinlevaluecountedrequestsexpression = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \MetricName=\"CountedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
// eslint-disable-next-line no-useless-escape
const expression1 = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \MetricName=\"AllowedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
// eslint-disable-next-line no-useless-escape
const expression2 = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \MetricName=\"BlockedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
// eslint-disable-next-line no-useless-escape
const expression3 = "SEARCH('{AWS\/WAFV2,\LabelName,\LabelNamespace,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \LabelNamespace=\"awswaf:managed:aws:bot-control:bot:category\" \MetricName=\"AllowedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
// eslint-disable-next-line no-useless-escape
const expression4 = "SEARCH('{AWS\/WAFV2,\LabelName,\LabelNamespace,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \LabelNamespace=\"awswaf:managed:aws:bot-control:bot:category\" \MetricName=\"BlockedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
const expression5 = "SUM([e3,e4])";
const expression6 = "SUM([e1,e2,-e3,-e4])";
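Review bot: Dropping the two `no-unsafe-assignment` disables around `const packageJson = JSON.parse(packageJsonContent);` and `const FIREWALL_FACTORY_VERSION = packageJson.version;` leaves `packageJson` typed as `any`, which is exactly what the CI annotations on lines 19 and 21 report; the fix is to type the parse result as `unknown` and narrow `version` to a string before use, as below. The `no-useless-escape` failures on the SEARCH expressions are also genuine: in a double-quoted JS string literal `\/`, `\R`, `\W`, `\M`, `\C`, `\S` and `\L` are no-op escapes, so `"SEARCH('{AWS/WAFV2,Region,WebACL,Rule} WebACL="+webaclNamewithPrefix+" MetricName=\"CountedRequests\"', 'Sum', 300)"` is byte-for-byte the same string as the current `countexpression` and lints clean — only the `\"` escapes are needed. Rather than re-adding the disables, drop the stray backslashes in all of the expression lines in this section (`countexpression`, `blockedexpression`, `allowedexpression`, `sinlevaluecountedrequestsexpression`, `expression1`–`expression4`). Note that the helper below throws at module load when `version` is missing, whereas the current code would silently yield `undefined`; return a placeholder instead if that leniency is wanted. The class body continues outside the hunk.
```typescript
const packageJsonContent = fs.readFileSync(packageJsonPath, "utf-8");

/** Reads the "version" field of a package.json body without leaving the parse result typed as `any`. */
function readPackageVersion(raw: string): string {
  const parsed: unknown = JSON.parse(raw);
  if (
    typeof parsed === "object" &&
    parsed !== null &&
    typeof (parsed as { version?: unknown }).version === "string"
  ) {
    return (parsed as { version: string }).version;
  }
  throw new Error(`No string "version" field in ${packageJsonPath}`);
}
const FIREWALL_FACTORY_VERSION = readPackageVersion(packageJsonContent);
// … unchanged: WafCloudWatchDashboard class …
```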
@@ -1,7 +1,7 @@
/* eslint-disable @typescript-eslint/restrict-plus-operands */
/* eslint-disable @typescript-eslint/no-unsafe-member-access */
/* eslint-disable @typescript-eslint/no-unsafe-call */
/* eslint-disable @typescript-eslint/no-unsafe-assignment */

import { IncomingWebhook } from "./IncomingWebhook";
import { SNSEventRecord } from "aws-lambda";
@@ -1,7 +1,7 @@
/* eslint-disable @typescript-eslint/restrict-plus-operands */
/* eslint-disable @typescript-eslint/no-unsafe-member-access */
/* eslint-disable @typescript-eslint/no-unsafe-call */
/* eslint-disable @typescript-eslint/no-unsafe-assignment */

import { IncomingWebhook } from "./IncomingWebhook";
import { SNSEventRecord } from "aws-lambda";
8 changes: 4 additions & 4 deletions lib/lambda/ManagedRuleGroupVersion/index.ts
@@ -1,7 +1,7 @@
/* eslint-disable @typescript-eslint/no-unsafe-argument */
/* eslint-disable @typescript-eslint/no-unsafe-assignment */
/* eslint-disable @typescript-eslint/restrict-template-expressions */
/* eslint-disable @typescript-eslint/naming-convention */
import {
CdkCustomResourceEvent,
CdkCustomResourceResponse
2 changes: 1 addition & 1 deletion lib/lambda/SendUnusedResourceNotification/index.ts
@@ -27,7 +27,7 @@ export const handler = async (
for (const file of files) {
console.log(`📄 Importing File: ${file}`);
const content = await getFileContent(bucketName, file);
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
allwebacls.push(JSON.parse(content));
}
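Review bot: Removing the `no-unsafe-argument` disable in front of `allwebacls.push(JSON.parse(content));` does not change that the pushed value is `any` straight out of `JSON.parse`, and `content` is whatever `getFileContent(bucketName, file)` returned from the bucket, so the object's shape is trusted without any check. Parse into `unknown` and validate before pushing — `const parsed: unknown = JSON.parse(content);` followed by a type predicate written against the element type of `allwebacls` (not visible here), e.g. `if (!isWebAcl(parsed)) throw new Error(\`Unexpected content in ${file}\`);` with `isWebAcl` being that new predicate. A file with unexpected content then fails loudly at import time instead of propagating an untyped object into the notification logic. The handler body starts and ends outside the hunk.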

@@ -1,7 +1,7 @@
/* eslint-disable @typescript-eslint/restrict-plus-operands */
/* eslint-disable @typescript-eslint/no-unsafe-member-access */
/* eslint-disable @typescript-eslint/no-unsafe-call */
/* eslint-disable @typescript-eslint/no-unsafe-assignment */

import { IncomingWebhook } from "./IncomingWebhook";
import { PolicySummary } from "@aws-sdk/client-fms";