4.1.3

.github/workflows/linting.yml

@@ -8,7 +8,6 @@ on:
     branches:
       - master
       - linting
-  workflow_dispatch:
 
 jobs:
   nodejs-test:

.github/workflows/waf_test_ipSets.yml

@@ -0,0 +1,76 @@
+name: IpSet-Firewall
+
+env:
+  AWS_REGION: eu-central-1
+  AWS_ROLE: FirewallFactoryGithubPipelineRole
+  AWS_ACCOUNT: 859220371210
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency: ci-${{ github.ref }}
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'bin/**/*'
+      - 'lib/**/*'
+      - 'package*.json'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'bin/**/*'
+      - 'lib/**/*'
+      - 'package*.json'
+jobs:
+  deploy_production_main:
+    name: Test and deploy IpSet Firewall
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout
+        uses: actions/checkout@v3
+      - name: 📁 Install Taskfile
+        run: |
+          npm install -g @go-task/cli
+      - name: ☊ Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '18.x'
+      - name: 💾 Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.OS }}-node-
+            ${{ runner.OS }}-
+      - name: 🌐 Install CDK and typescript globally
+        run: |
+          npm i -g aws-cdk typescript ts-node @types/node
+          npm link typescript
+      - name: 📦 Install Packages
+        run: |
+          npm install
+      - name: 🔑 Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1.7.0
+        env:
+          ACCOUNT_ID: ${{ env.AWS_ACCOUNT }}
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.AWS_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+          role-session-name: GitHubActionsSession
+          mask-aws-account-id: false
+      - name: 🚀 Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: 🫙 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🔥 Deploy Firewall to AWS
+        run: |
+          task deploy config=ipSetsTests
+      - name: 🗑️ Remove Firewall from AWS
+        run: |
+          task destroy config=ipSetsTests

.github/workflows/waf_test_onlymanagedrulegroups.yml

@@ -0,0 +1,76 @@
+name: ManagedRuleGroups-Firewall
+
+env:
+  AWS_REGION: eu-central-1
+  AWS_ROLE: FirewallFactoryGithubPipelineRole
+  AWS_ACCOUNT: 859220371210
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency: ci-${{ github.ref }}
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'bin/**/*'
+      - 'lib/**/*'
+      - 'package*.json'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'bin/**/*'
+      - 'lib/**/*'
+      - 'package*.json'
+jobs:
+  deploy_production_main:
+    name: Test and deploy OnlyManagedRuleGroups Firewall
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout
+        uses: actions/checkout@v3
+      - name: 📁 Install Taskfile
+        run: |
+          npm install -g @go-task/cli
+      - name: ☊ Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '18.x'
+      - name: 💾 Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.OS }}-node-
+            ${{ runner.OS }}-
+      - name: 🌐 Install CDK and typescript globally
+        run: |
+          npm i -g aws-cdk typescript ts-node @types/node
+          npm link typescript
+      - name: 📦 Install Packages
+        run: |
+          npm install
+      - name: 🔑 Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1.7.0
+        env:
+          ACCOUNT_ID: ${{ env.AWS_ACCOUNT }}
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.AWS_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+          role-session-name: GitHubActionsSession
+          mask-aws-account-id: false
+      - name: 🚀 Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: 🫙 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🔥 Deploy Firewall to AWS
+        run: |
+          task deploy config=onlyManagedRuleGroupsTests
+      - name: 🗑️ Remove Firewall from AWS
+        run: |
+          task destroy config=onlyManagedRuleGroupsTests

.github/workflows/waf_test_regexPatternSets.yml

@@ -0,0 +1,77 @@
+name: RegexPatternSets-Firewall
+
+env:
+  AWS_REGION: eu-central-1
+  AWS_ROLE: FirewallFactoryGithubPipelineRole
+  AWS_ACCOUNT: 859220371210
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency: ci-${{ github.ref }}
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'bin/**/*'
+      - 'lib/**/*'
+      - 'package*.json'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'bin/**/*'
+      - 'lib/**/*'
+      - 'package*.json'
+
+jobs:
+  deploy_production_main:
+    name: Test and deploy RegexPatternSets Firewall
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout
+        uses: actions/checkout@v3
+      - name: 📁 Install Taskfile
+        run: |
+          npm install -g @go-task/cli
+      - name: ☊ Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '18.x'
+      - name: 💾 Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.OS }}-node-
+            ${{ runner.OS }}-
+      - name: 🌐 Install CDK and typescript globally
+        run: |
+          npm i -g aws-cdk typescript ts-node @types/node
+          npm link typescript
+      - name: 📦 Install Packages
+        run: |
+          npm install
+      - name: 🔑 Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1.7.0
+        env:
+          ACCOUNT_ID: ${{ env.AWS_ACCOUNT }}
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.AWS_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+          role-session-name: GitHubActionsSession
+          mask-aws-account-id: false
+      - name: 🚀 Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: 🫙 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🔥 Deploy Firewall to AWS
+        run: |
+          task deploy config=regexPatternSetsTests
+      - name: 🗑️ Remove Firewall from AWS
+        run: |
+          task destroy config=regexPatternSetsTests

CHANGELOG.md

@@ -2,7 +2,20 @@
 
 ## Released
 
+## 4.1.3
+## Added
+- Optional Lambda function to prerequisite Stack that send notifications about potential DDoS activity for protected resources to messengers (Slack/Teams) - [AWS Shield Advanced]
+- Automated test workflows of example firewalls, to ensure code quality and test coverage
+
+### Fixed
+- Bump @aws-sdk/client-cloudformation from 3.427.0 to 3.428.0
+- Bump @aws-sdk/client-shield from 3.427.0 to 3.428.0
+- Bump typescript from 4.9.5 to 5.2.2
+- Bump jest from 29.5.0 to 29.7.0
+- Bump eslint from 8.48.0 to 8.51.0
+
 ## 4.1.2
+
 ### Fixed
 - Separate NotStatements where not parsed correctly while deployment
 - Bump @typescript-eslint/eslint-plugin 6.7.4 from to 6.7.5

README.md

@@ -10,7 +10,7 @@
 
 **[🚧 Feature request](https://github.com/globaldatanet/aws-firewall-factory/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)** | **[🐛 Bug Report](https://github.com/globaldatanet/aws-firewall-factory/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)**
 
-<img src="https://socialify.git.ci/globaldatanet/aws-firewall-factory/image?description=1&font=Raleway&issues=1&logo=https://raw.githubusercontent.com/globaldatanet/aws-firewall-factory/master/static/icon/firewallfactory.svg&pattern=Solid&stargazers=1&theme=Dark" alt="AWSFirewallFactory" width="900" height="320"/>
+<img src="https://socialify.git.ci/globaldatanet/aws-firewall-factory/image?font=Bitter&forks=1&logo=https%3A%2F%2Fgithub.com%2Fglobaldatanet%2Faws-firewall-factory%2Fraw%2F4.1.3%2Fstatic%2Ficon%2Ffirewallfactory.svg&name=1&pattern=Solid&stargazers=1&theme=Dark" alt="aws-firewall-factory" width="640" height="320" />
 
 ## 𒋰 Table of contents
 
@@ -19,6 +19,7 @@
 - [🎬 Media](#-media)
     - [🔗 Useful Links](#-useful-links)
 - [🗺️ Architecture](#️-architecture)
+- [🧪 Tests](#-tests)
 - [🦸🏼‍♀️ Contributors](#️-contributors)
   - [👩‍💻 Contribute](#-contribute)
   - [👏 Supporters](#-supporters)
@@ -57,6 +58,17 @@ If you want to learn more about the AWS Firewall Factory feel free to look at th
 
 ![Architecture](./static/AWSFIREWALLMANAGER.png "Architecture")
 
+## 🧪 Tests
+|  Test | Status  |
+|---|---|
+|  CodeQL | ![CodeQL](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/github-code-scanning/codeql/badge.svg?branch=master)  |
+|  Linting | ![linting](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/linting.yml/badge.svg?branch=master)  |
+|  WAF Deployment - Only Managed Rule Groups  | ![onlyManagedRuleGroups](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_onlymanagedrulegroups.yml/badge.svg?branch=master)  |
+|  WAF Deployment - IpSets | ![IpSets](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_ipSets.yml/badge.svg?branch=master)   |
+|  WAF Deployment - RegexPatternSets | ![regexPatternSets](https://github.com/globaldatanet/aws-firewall-factory/actions/workflows/waf_test_regexPatternSets.yml/badge.svg?branch=master)  |
+
+
+
 ## 🦸🏼‍♀️ Contributors
 
 <a href="https://github.com/globaldatanet/aws-firewall-factory/graphs/contributors">

Taskfile.yml

@@ -47,7 +47,7 @@ tasks:
   cdkdestroy:
     desc: CDK Destroy
     cmds:
-      - cdk destroy
+      - cdk destroy --require-approval never --force
     vars:
       ACCOUNT:
         sh: aws sts get-caller-identity |jq -r .Account
@@ -59,7 +59,7 @@ tasks:
   cdkdeploy:
     desc: CDK Deploy
     cmds:
-      - cdk deploy --require-approval never {{.TAGS}} --toolkit-stack-name {{.TOOL_KIT_STACKNAME}}
+      - DOCKER_BUILDKIT=1 cdk deploy --require-approval never {{.TAGS}} --toolkit-stack-name {{.TOOL_KIT_STACKNAME}}
     vars:
       ACCOUNT:
         sh: aws sts get-caller-identity |jq -r .Account

gotestwaf/gotestwaf.ts

@@ -0,0 +1,13 @@
+import * as values from "../values";
+
+/**
+ * relative path to config file imported from the env PROCESS_PARAMETERS
+ */
+const CONFIG_OBJECT_NAME = process.env.PROCESS_PARAMETERS;
+
+if(!CONFIG_OBJECT_NAME || (values.configs[CONFIG_OBJECT_NAME] === undefined && values.prereq[CONFIG_OBJECT_NAME] === undefined)) {
+  console.log("Configuration ", CONFIG_OBJECT_NAME, " not found.");
+  process.exit(1);
+}
+
+console.log(JSON.stringify(values.configs[CONFIG_OBJECT_NAME]));

lib/firewall-stack.ts

@@ -173,7 +173,7 @@ export class FirewallStack extends cdk.Stack {
     managedRuleGroupVersionLambdaRole.addToPolicy(wafGetManagedRuleGroupVersion);
 
     const managedRuleGroupVersionLambda = new NodejsFunction.NodejsFunction(this, "managedRuleGroupVersionLambdaFunction", {
-      entry: path.join(__dirname, "../lib/lambda/ManagedRuleGRoupVersion/index.ts"),
+      entry: path.join(__dirname, "../lib/lambda/ManagedRuleGroupVersion/index.ts"),
       handler: "handler",
       timeout: cdk.Duration.seconds(30),
       architecture:lambda.Architecture.ARM_64,