Merge pull request #448 from globaldatanet/4.5.1

4.5.1

.eslintrc

@@ -7,40 +7,61 @@
   "extends": [
     "eslint:recommended",
     "plugin:@typescript-eslint/eslint-recommended",
-    "plugin:@typescript-eslint/recommended"
+    "plugin:@typescript-eslint/recommended",
+    "plugin:@typescript-eslint/recommended-requiring-type-checking"
+  ],
+  "parserOptions": {
+    "ecmaVersion": 2018,
+    "sourceType": "module",
+    "project": "tsconfig.eslint.json"
+  },
+  "ignorePatterns": [
+    "*.js",
+    "*.d.ts",
+    "node_modules/",
+    "*.generated.ts",
+    "values",
+    "gotestwaf",
+    "coverage"
   ],
   "rules": {
-    "semi": [2, "always"],
-    "eqeqeq": 2,
-    "indent": [2, 2, {"SwitchCase": 1}],
-    "quotes": ["error", "double"],
-    "linebreak-style": "off",
-    "array-bracket-newline": "off",
-    "array-bracket-spacing": ["error", "never"],
-    "no-trailing-spaces": "off",
-    "padded-blocks": "off",
-    "arrow-body-style": "off",
-    "init-declarations": "off",
-    "comma-dangle": "off",
-    "keyword-spacing": [0, {"before": true, "after": true, "overrides": null}],
-    "prefer-template": "off",
-    "id-blacklist": "off",
-    "no-console": "off",
-    "no-sync": "off",
-    "complexity": "off",
-    "max-statements": "off",
-    "array-element-newline": "off",
-    "object-curly-spacing": "off",
-    "template-curly-spacing": "off",
-    "camelcase": "off",
-    "no-use-before-define": "off",
-    "id-length": "off",
-    "id-match": "off",
-    "max-len": "off",
-    "no-magic-numbers": "off",
-    "no-underscore-dangle": "off",
-    "no-process-env": "off",
-    "func-style": ["error", "declaration", { "allowArrowFunctions": true }],
-    "no-useless-escape": "off"
+    "semi": [
+      "error",
+      "always"
+    ],
+    "indent": [
+      "error",
+      2,
+      {
+        "SwitchCase": 1
+      }
+    ],
+    "quotes": [
+      "error",
+      "double"
+    ],
+    "@typescript-eslint/naming-convention": [
+      "error",
+      {
+        "selector": [
+          "method"
+        ],
+        "format": [
+          "strictCamelCase"
+        ]
+      },
+      {
+        "selector": [
+          "class",
+          "interface",
+          "typeParameter",
+          "typeAlias"
+        ],
+        "format": [
+          "StrictPascalCase"
+        ]
+      }
+    ]
   }
-}
+}
+

.github/workflows/docs.yml

@@ -36,5 +36,6 @@ jobs:
         run: npx typedoc --options typedoc.json
       - name: 🚀 Upload Documentation
         run: |
+            cp -a ./static/docs/images/. ./docs/assets/
             aws s3 sync ./docs s3://${{env.S3_BUCKET}} --delete
             aws cloudfront create-invalidation --distribution-id ${{env.DISTRIBUTION_ID}} --paths "/*"

.github/workflows/fwf_enumCheck.yml

@@ -52,4 +52,4 @@ jobs:
           mask-aws-account-id: false
       - name: 🧪 Check Enums for ManagedRule Groups
         run: |
-            ts-node ./lib/tools/enumcheck.ts
+            ts-node ./workflows/enumcheck.ts

.github/workflows/waf_test_onlymanagedrulegroupsWithExcludes.yml

@@ -0,0 +1,76 @@
+name: ManagedRuleGroupsExcludes-Firewall
+
+env:
+  AWS_REGION: eu-central-1
+  AWS_ROLE: FirewallFactoryGithubPipelineRole
+  AWS_ACCOUNT: 859220371210
+
+permissions:
+  id-token: write
+  contents: read
+
+# concurrency:
+#   group: test_envrionment
+#   cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'bin/**/*'
+      - 'lib/**/*'
+      - 'package*.json'
+jobs:
+  deploy_production_main:
+    name: Test and deploy OnlyManagedRuleGroups Firewall
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout
+        uses: actions/checkout@v4.1.1
+      - name: 📁 Install Taskfile
+        run: |
+          npm install -g @go-task/cli
+      - name: ☊ Use Node.js
+        uses: actions/setup-node@v4.0.2
+        with:
+          node-version: '21.x'
+      - name: 💾 Cache Node.js modules
+        uses: actions/cache@v4.0.2
+        with:
+          path: ~/.npm
+          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.OS }}-node-
+            ${{ runner.OS }}-
+      - name: 🌐 Install CDK and typescript globally
+        run: |
+          npm i -g aws-cdk typescript ts-node @types/node yarn
+          npm link typescript
+      - name: 📦 Install Packages
+        run: |
+          npm install
+      - name: 🔑 Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        env:
+          ACCOUNT_ID: ${{ env.AWS_ACCOUNT }}
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.AWS_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+          role-session-name: GitHubActionsSession
+          mask-aws-account-id: false
+      - name: 🚀 Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: 🫙 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.3.0
+      - name: 🔥 Deploy Firewall to AWS
+        run: |
+          export STACK_NAME=WAFStack
+          task deploy config=onlyManagedRuleGroupsWithExcludesTests
+      - name: 🗑️ Remove Firewall from AWS
+        run: |
+          export STACK_NAME=WAFStack
+          task destroy config=onlyManagedRuleGroupsWithExcludesTests

.gitignore

@@ -1,4 +1,3 @@
-*.js
 !jest.config.js
 *.d.ts
 node_modules

CHANGELOG.md

@@ -1,6 +1,53 @@
 # Change Log
 
 ## Released
+
+
+## 4.5.1
+### Added
+- Renamed Type: Changed the type name WafConfig to wafConfig in the Config module to follow naming conventions and improve consistency across the codebase.
+- Change the ManagedRuleGroup interface, to extends the wafv2.CfnWebACL.ManagedRuleGroupStatementProperty.
+- Changed structure in lib and improved Documentation, extended jsdoc with examples.
+
+### Fixed
+- Corrected the regex pattern for IPSet descriptions to ensure accurate validation
+- Fixed Bug on IPSet capacity check
+- Bump aws-cdk: 2.148.0 to 2.154.1
+- Bump aws-cdk-lib: ^2.148.0 to ^2.150.0
+- Bump @aws-sdk/client-cloudformation: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-cloudfront: ^3.606.0 to ^3.637.0
+- Bump @aws-sdk/client-cloudwatch: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-config-service: ^3.606.0 to ^3.637.0
+- Bump @aws-sdk/client-ec2: ^3.606.0 to ^3.637.0
+- Bump @aws-sdk/client-fms: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-pricing: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-s3: ^3.606.0 to ^3.637.0
+- Bump @aws-sdk/client-secrets-manager: ^3.606.0 to ^3.637.0
+- Bump @aws-sdk/client-service-quotas: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-shield: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-iam: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-ssm: 3.606.0 to 3.637.0
+- Bump @aws-sdk/client-wafv2: 3.606.0 to 3.637.0
+- Bump @aws-solutions-constructs/aws-eventbridge-stepfunctions: ^2.60.0 to ^2.65.0
+- Bump @babel/traverse: ^7.24.7 to ^7.25.4
+- Bump @types/node: ^20.14.9 to ^22.5.0
+- Bump @types/aws-lambda: ^8.10.140 to ^8.10.143
+- Bump @types/lodash: 4.17.6 to 4.17.7
+- Bump axios: ^1.7.2 to ^1.7.5
+- Bump cdk-sops-secrets: ^1.12.0 to ^1.13.1
+- Bump cfonts: ^3.2.0 to ^3.3.0
+- Bump constructs: 10.2.0 to 10.3.0
+- Bump lodash: 4.17.20 to 4.17.21
+- Bump npm: 10.8.1 to 10.8.2
+- Bump table: ^6.8.0 to ^6.8.2
+- Bump i: ^0.3.6 to ^0.3.7
+- Bump typedoc-plugin-extras: ^3.0.0 to ^3.1.0
+- Bump uuid: ^10.0.0 to ^10.0.0
+- Bump typescript: 5.4.5 to 5.5.4
+- Bump ts-jest: 29.1.5 to 29.2.5
+- Bump adaptivecards: 3.0.2 to 3.0.4
+- Bump aws-lambda: ^1.0.6 to ^1.0.7
+
 ## 4.5.0
 ### Added
  - Added support for deploying Shield Advanced policies, including the ability to calculate pricing. AWS Shield Advanced provides customized detection based on traffic patterns to your protected resources, detects and alerts on smaller DDoS attacks, and identifies application layer attacks by baselining traffic and spotting anomalies.

Features.md

@@ -67,7 +67,7 @@
     - Bot vs Non-bot Requests
 
 See example:
-![FirewallDashboard](./static/FirewallDashboard.jpg)
+![FirewallDashboard](./static/docs/images/waf_Dashboard.jpg)
 
 20. Example Configurations
     1.  Example WAF Configuration againts: [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
@@ -97,7 +97,7 @@ See example:
   The Dashboard shows the ammount of DDoS attacks detected
 
   See example:
-  ![ShieldDashboard](./static/shield-dashboard.png)
+  ![ShieldDashboard](./static/docs/images/shield-dashboard.png)
 
 27. Cloudwatch Cross-Account association - The Firewall Factory offers CloudFormation templates for associating the monitoring account with source accounts:
     - [Monitoring account template](./static/cf-templates/monitoring-account-sink.template.yml)

README.md

@@ -63,6 +63,7 @@ If you want to learn more about the AWS Firewall Factory feel free to look at th
 |  CodeQL | ![CodeQL](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/github-code-scanning/codeql/badge.svg?branch=master)  |
 |  Linting | ![linting](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/linting.yml/badge.svg?branch=master)  |
 |  WAF Deployment - Only Managed Rule Groups  | ![onlyManagedRuleGroups](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_onlymanagedrulegroups.yml/badge.svg?branch=master)  |
+|  WAF Deployment - Only Managed Rule Groups with Excludes | ![rateBasedwithScopeDown](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_onlymanagedrulegroupsWithExcludes.yml/badge.svg?branch=master)  |
 |  WAF Deployment - IpSets | ![IpSets](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_ipSets.yml/badge.svg?branch=master)   |
 |  WAF Deployment - RegexPatternSets | ![regexPatternSets](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_regexPatternSets.yml/badge.svg?branch=master)  |
 |  WAF Deployment - RateBasedwithScopeDown | ![rateBasedwithScopeDown](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_rateBasedwithScopeDown.yml/badge.svg?branch=master)  |

Taskfile.yml

@@ -39,7 +39,7 @@ tasks:
   diff:
     desc: CDK Diff
     cmds:
-      - cdk diff
+      - bash -c 'source options.sh && cdk diff --toolkit-stack-name {{.TOOL_KIT_STACKNAME}}'
     silent: true
     interactive: true
     env:

bin/aws-firewall-factory.ts

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { WafStack } from "../lib/_web-application-firewall-stack";
-import { PrerequisitesStack } from "../lib/_prerequisites-stack";
-import { ShieldStack } from "../lib/_shield-advanced-stack";
+import { WafStack } from "../lib/_waf/index";
+import { PrerequisitesStack } from "../lib/_prerequisites/index";
+import { ShieldStack } from "../lib/_shield-advanced/index";
 import * as cdk from "aws-cdk-lib";
 import {
-  Config,
+  wafConfig,
   ShieldConfig,
   Prerequisites,
   PriceRegions,
@@ -19,6 +19,12 @@ import {
   ssmHelper,
 } from "../lib/tools/helpers";
 
+
+/** 
+ * @Module
+ * # AWS Firewall Factory
+ */
+
 const app = new cdk.App();
 
 // Main function to handle the user choice and deploy respective stack
@@ -45,11 +51,10 @@ void (async () => {
   // Deploying prerequisite stack
   console.log(process.env.PREREQUISITE);
   if (process.env.STACK_NAME === "PreRequisiteStack") {
-    // eslint-disable-next-line @typescript-eslint/no-var-requires, @typescript-eslint/no-unsafe-assignment
     const prerequisites: Prerequisites = values.prereq[CONFIG_OBJECT_NAME];
     const deploymentRegion = afwfHelper.outputInfoBanner();
     const runtimeProperties = afwfHelper.initRuntimeProperties();
-    ssmHelper.getAllAwsRegionsFromPublicSsmParameter(
+    await ssmHelper.getAllAwsRegionsFromPublicSsmParameter(
       deploymentRegion,
       runtimeProperties
     );
@@ -125,13 +130,13 @@ void (async () => {
     );
 
     await pricingHelper.isShieldPriceCalculated(shieldConfig);
-    await guidanceHelper.outputGuidance(runtimeProperties);
+    guidanceHelper.outputGuidance(runtimeProperties);
   }
   // ---------------------------------------------------------------------
   // Deploying Firewall stack
   if (process.env.STACK_NAME === "WAFStack") {
     // eslint-disable-next-line @typescript-eslint/no-var-requires
-    const config: Config = values.configs[CONFIG_OBJECT_NAME];
+    const config: wafConfig = values.configs[CONFIG_OBJECT_NAME];
     const deploymentRegion = afwfHelper.outputInfoBanner(config);
     const runtimeProperties = afwfHelper.initRuntimeProperties();
     if (process.env.SKIP_QUOTA_CHECK === "true") {
@@ -270,6 +275,6 @@ void (async () => {
       config,
       deploymentRegion
     );
-    await guidanceHelper.outputGuidance(runtimeProperties, config);
+    guidanceHelper.outputGuidance(runtimeProperties, config);
   }
 })();

lib/_prerequisites/index.ts

@@ -0,0 +1,38 @@
+/** 
+ * @packageDocumentation
+ * # AWS Firewall Factory - Prerequisites Stack
+ *
+ * The Prequisites Stack is used to deploy the prerequisites for the AWS Firewall Factory.
+ * 
+ * It contains the following resources:
+ *  - S3 Bucket for Logging
+ *  - KMS Key for Encryption
+ *  - Lambda Function for Notifications for Managed RuleGroup Updates
+ *  - Lambda Function for Notifications for DDoS (Advanced Shield)
+ *  - Lambda Function for Notifications for Unused WAF (WebACL)
+ * @description
+ * 
+ * @example
+ * import { Prerequisites } from "../../lib/types/config";
+ * export const prequisites: Prerequisites = {
+ *  General: {
+ *    Prefix: "aws-firewall-factory",
+ *  },
+ *  Logging: {
+ *    BucketProperties: {
+ *      BucketName: "aws-firewall-factory-logs",
+ *      KmsEncryptionKey: true,
+ *      ObjectLock: {
+ *        Days: 5,
+ *        Mode: "GOVERNANCE"
+ *      }
+ *    },
+ *    FireHoseKey: {
+ *      KeyAlias: "aws-firewall-factory-firehosekey"
+ *    },
+ *    CrossAccountIdforPermissions: "123456789012",
+ *  },
+ *  DdosNotifications:{WebhookSopsFile: "./values/examples/webhooks/slack.json"}
+ * };
+ */
+export * from "./stack";