Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

4.3.0 #346

Merged
merged 50 commits into from
Apr 17, 2024
Merged

4.3.0 #346

merged 50 commits into from
Apr 17, 2024

Conversation

daknhh
Copy link
Contributor

@daknhh daknhh commented Apr 15, 2024

Added

  • Allow reusing ipsets with same name. This commit differentiate ipsets from different FMS configs by adding the name of the webacl to it. Without this commit, trying to run aws-firewall-factory for two configs which uses a ipset with the same name would give a error on CloudFormation ('IpSet with name x already exists')
  • CheckCapacity: see which rule failed. This commit helps a lot by immediately letting us know which rule failed capacity checking and requires fixes
  • Save chars on ManagedServiceData FMS prop. The ManagedServiceData has a hard limit of 8192 characters. I've asked AWS about raising it and they said that this is a hard limit and they can't raise it. This commit is for saving as much chars as we can out of the ManagedServiceData prop, for squeezing in our rules (even if they have a ton of RuleActionOverrides on them)
  • Values: allow async code. This adds a dynamic import of the firewall config for enabling people that want to run async code on then, ensuring that all async code will run during the import
  • Issue#317 Evaluation time windows for request aggregation with rate-based rules. You can now select time windows of 1 minute, 2 minutes or 10 minutes, in addition to the previously supported 5 minutes.
  • CustomRule StatementType is now part of the log Capacity Table

Fixed

  • RateBasedStatement.CustomKeys is a array of objects, not a object
  • Recursive code for adding RateBasedStatement.ScopeDownStatement. The prop ScopeDownStatement of RateBasedStatements can have And, Or and Not statements, just like any other Statement. Without this fix, deploying RateBasedStatements with complex ScopeDownStatements fails on capacity checking.
  • Don't enforce update if EnforceUpdate prop is not defined. If its not defined, set EnforceUpdate to false.
  • Enhance the enumcheck to handle API throttling by adding sleep functionality.
  • Bumped Jest from version 29.7.0 to 29.7.0 (old version: 29.7.0).
  • Bumped TypeScript from version 5.3.3 to 5.4.5 (old version: 5.3.3).
  • Bumped ESLint from version 8.56.0 to 8.56.0 (old version: 8.56.0).
  • Bumped @typescript-eslint/parser and @typescript-eslint/eslint-plugin from version 6.19.0 to 7.6.0.
  • Bumped AWS CDK from version 2.121.1 to 2.137.0 (old version: 2.121.1).
  • Bumped @aws-sdk/client-cloudformation, @aws-sdk/client-cloudwatch, @aws-sdk/client-fms, @aws-sdk/client-pricing, @aws-sdk/client-service-quotas, @aws-sdk/client-shield, @aws-sdk/client-ssm, and @aws-sdk/client-wafv2 from version 3.490.0 to 3.554.0
  • Removed redundant declaration of "@typescript-eslint/eslint-plugin" and "@typescript-eslint/parser" dependencies.
  • Removed redundant declaration of "@types/lodash" dependency.
  • Added missing comma after TypeScript version 5.3.3 in devDependencies.

vboufleur and others added 30 commits April 3, 2024 17:04
@vboufleur
Ensure the repo runs only under Node 18
cc4be9f 
I've found issues running it on Node 20.

Also adds a change to ensure that only npm is used for managing dependencies, done by the script `npx only-allow npm`.

Not a good idea to mix dependency managers on the same project, like npm and Yarn.
@vboufleur
Fix: customKeys is a array of objects
9159eda 
Docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratebasedstatement.html\#cfn-wafv2-webacl-ratebasedstatement-customkeys
@vboufleur
Allow reusing ipsets with same name
90b330c 
This commit differentiate ipsets from different FMS configs by adding the name of the webacl to it.

Without this commit, trying to run aws-firewall-factory for two configs which uses a ipset with the same name would give a error on CloudFormation ('IpSet with name x already exists')
@vboufleur
CheckCapacity: see which rule failed
c0c43ba 
This commit helps a lot by immediately letting us know which rule failed capacity checking and requires fixes
@vboufleur
Fix: recursive scopeDownStatement
0d9cc9e 
The prop ScopeDownStatement of RateBasedStatements can have And, Or and Not statements, just like any other Statement. Without this fix, deploying RateBasedStatements with complex ScopeDownStatement fails on capacity checking.
@vboufleur
Save chars on ManagedServiceData FMS prop
0f2e233 
The ManagedServiceData has a hard limit of 8192 characters. I've asked AWS about raising it and they said that this is a hard limit and they can't raise it.

This commit is for saving as much chars as we can out of the ManagedServiceData prop, for squeezing in our rules (even if they have a ton of RuleActionOverrides on them)
@vboufleur
Values: allow async code
b90666d 
This adds a dynamic import of the firewall config for enabling people that want to run async code on then, ensuring that all async code will run during the import
@vboufleur
Fix: don't enforce update if prop is not defined
169aa6e 
Sometimes the lambda that fetches the latest version of the ManagedRules fetches a 'beta' version, one that shouldn't be used on WAF.

Without this fix the error below can happen on CloudFormation:

```
Resource handler returned message: The managed rule group AWSManagedRulesLinuxRuleSet's version [Version_2.2_PLUS_RC_COUNT] isn't valid.
This managed rule group version must be an available version for the WAF managed rule group, and have the same format.
```
@vboufleur
Bump versions + CHANGELOG
3151d2a
@daknhh
add missing label
54c4157
@daknhh
update labels
0e3695b
@daknhh
update cdk lib and extend transformer for evaluationWindowSec
5111ffc
@daknhh
fix transformer
7045c87
@daknhh
enahnce enum checker
1daf583
@daknhh
bump versions
12193c0
@daknhh
adjust changelog
8d7fd18
@daknhh
update changelog
8817eb3
@daknhh
adjust output and changelog
06926fd
@daknhh
extend for ratebasedStatements
22bf903
@daknhh
fix calculation
be8ef5c
@daknhh
fix ratebasedstatementcapacitycalculation
748a1d5
@daknhh
add statementtype to console.log
7640350
@daknhh
add description to function
10e36b3
@daknhh
improve github action
5d2dc99
@daknhh
gh
4e27e6c
@daknhh
gh
246c844
@daknhh
change to lambda
3ccb919
@daknhh
fix entry point
aa3e7a9
@daknhh
gh check
b9971b6
@daknhh
correct action
388bee8
@daknhh daknhh mentioned this pull request Apr 16, 2024
Merged
@daknhh daknhh merged commit 5ea87b1 into master Apr 17, 2024
7 checks passed
@daknhh daknhh mentioned this pull request Apr 17, 2024
Closed
@daknhh daknhh deleted the pullrequests/vboufleur/fix/several branch April 17, 2024 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daknhh @vboufleur