(network-firewall): unable to deploy the CfnFirewallPolicy construct

[swsunny]

I am unable to deploy the CfnFirewallPolicy construct fixed in the latest update. in typescript construct is valid, but in cloudformation its giving below error:

Properties validation failed for resource policy with message:
 #/FirewallPolicy/StatelessDefaultActions: expected type: JSONArray, found: JSONObject #/FirewallPolicy/StatelessFragmentDefaultActions: expected type: JSONArray, found: JSONObject

same issue was reported (network-firewall): unable to deploy the CfnFirewallPolicy construct #11974 and fixed in 1.83 CDK version but still am getting this error.

Using CDK 1.83

CDK Sample : Template

   const firewallpolicy = new CfnFirewallPolicy(this, 'policy', {
     firewallPolicyName: "cdkfirewallpolicy", 
     firewallPolicy: {
       statelessDefaultActions: {
         statelessActions: ['aws:pass'],
       },
       statelessFragmentDefaultActions: {
         statelessActions: ['aws:drop'],
      },
    },
   });

[grusy]

That's broken in the cfn-spec.
Up to 23.0 "StatelessDefaultActions" is defined with type "StatelessActions" which is incorrect.
In 24.0 it appears to be fixed and defines the type as "List".

The same issue applies to other definitions for the firewall policy like "TargetTypes" or "StatefulRules"

[skinny85]

There should be a PR automatically opened tomorrow updating the version of the CloudFormation spec the CDK uses to 24.0.0, hopefully that will contain the fix for this issue!

[swsunny]

Thanks @skinny85 for the update!

Waiting for the deployment and will let you know if its fixed.

[skinny85]

It seems like the PR bumping the spec to 24.0.0 contains a bunch of changes to AWS::NetworkFirewall resource types, so hopefully it will be fixed when that's merged and released!

[grusy]

Looking good with the new cfnspec

The example above needs to be modified but then it generates deployable CloudFormation

   const firewallpolicy = new CfnFirewallPolicy(this, 'policy', {
     firewallPolicyName: "cdkfirewallpolicy", 
     firewallPolicy: {
       statelessDefaultActions: ['aws:pass'],
       statelessFragmentDefaultActions: ['aws:drop'],
     },
   });

I've tested the issue I had with 'TargetTypes' and that's also working now.

[swsunny]

Hi @grusy @skinny85

I am still not able to deploy this, what are additional package i need to update.

Below is my package.json file.

{
"name": "network-firewall-policy",
"version": "0.1.0",
"bin": {
"network-firewall-policy": "bin/network-firewall-policy.js"
},
"scripts": {
"build": "tsc",
"watch": "tsc -w",
"test": "jest",
"cdk": "cdk"
},
"devDependencies": {
"@aws-cdk/assert": "^1.85.0",
"@types/jest": "^26.0.10",
"@types/node": "10.17.27",
"aws-cdk": "^1.85.0",
"jest": "^26.4.2",
"ts-jest": "^26.2.0",
"ts-node": "^9.0.0",
"typescript": "~3.9.7"
},
"dependencies": {
"@aws-cdk/aws-networkfirewall": "^1.85.0",
"@aws-cdk/core": "^1.85.0",
"cfn-spec": "0.0.1",
"install": "^0.13.0",
"npm": "^6.14.11",
"source-map-support": "^0.5.16"
}
}

[grusy]

I've build the entire aws-network firewall module including dependencies (core, cloud-assembly-scheme, cx-api, region-info) and that worked for me.

[skinny85]

@swsunny this has still not been released, see #12615 for progress.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[skinny85]

@swsunny this has been merged and released as part of CDK version 1.86.0, please upgrade to that version, and the NetworkFirewall resources should now work!

[swsunny]

@skinny85 Thanks!

I already updated and working on module creation.

Policy module done and now working on rule group.