- conflict peer dependency on package.json
- Add RuleLabels when calculating capacity (it's needed)
- Add CustomResponseBodies + custom actions for custom rules. This feature adds support for specifying CustomResponseBodies on the WebAcl and custom actions for custom rules.
- Bump @aws-sdk/client-cloudformation from 3.319.0 to 3.321.1
- Bump @aws-sdk/client-pricing from 3.319.0 to 3.321.1
- Bump @aws-sdk/client-fms from 3.319.0 to 3.321.1
- Bump @aws-sdk/client-cloudwatch from 3.315.0 to 3.319.0
- Bump @aws-sdk/client-service-quotas from 3.315.0 to 3.319.0
- Bump typescript from 3.9.10 to 4.9.5
- Bump @types/node from 18.16.1 to 18.16.3
- Helpers - newquota.RequestedQuotas false positive
- Bump @aws-sdk/client-cloudformation from 3.315.0 to 3.319.0
- Bump @aws-sdk/client-pricing from 3.315.0 to 3.319.0
- Bump @aws-sdk/client-fms from 3.315.0 to 3.319.0
- Bump aws-cdk-lib from 2.74.0 to 2.76.0
- Bump eslint-plugin-promise from 5.2.0 to 6.1.1
- Bump @aws-sdk/client-wafv2 from 3.52.0 to 3.319.0
- Bump @aws-sdk/client-cloudwatch from 3.315.0 to 3.319.0
- Bump @types/node from 10.17.27 to 18.16.1
- Bump ts-node from 9.1.1 to 10.9.1
- Bump @aws-sdk/client-service-quotas from 3.315.0 to 3.319.0
- Bump typescript-json-schema from 0.53.1 to 0.56.0
- Adjust dependabot interval to weekly
- Added dependabot
- versionEnabled must be set to true if version is defined
- Don't fail in CI if job is skipped
- Enable committing package-lock.json to repo
- Pattern for the WebAcl Description Kudos to @vboufleur for fixing this.
- Allow many rule action overrides Kudos to @vboufleur for fixing this.
- Fix counter in package.json for versioning
- Feature Issue#52 - Added Regex for FMS Description Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+-@]*)$. -> Thanks to @vboufleur
- Allow a list of resource types to apply firewall -> Kudos to @vboufleur for implementing this feature.
- Updated Readme for DeployHash usage. -> Thanks to @vboufleur
- PropertyOverride for s3 Bucket in prerequisites-stack for ObjectLockEnabled
- No empty arrays are allowed on RuleActionOverrides. Kudos to @vboufleur for fixing this.
- Feature Issue#48 - The firewall manager policy description is now configurable per policy. - Thanks to @andre1AB
- Added OWASP TOP TEN Example Config
- Added OWASP TOP TEN Example Config Generation
- Added Prerequisite Stack Config Generation - Creates Skeleton of Parameters for the Prerequisite Stack
- Added Prerequisite Stack:
  - Creation of S3 Bucket for Logs (Optional)
    - Optional Settings: ObjectLock and KMS Encryption (Default SSE), CrossAccount Access to the Key and Bucket
  - Creation of KMS Key for FireHose (Optional)
    - Optional Settings: CrossAccount Access to the Key
- RuleActionOverride for ManagedRuleGroups: Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.
- Updated Prerequisites section in Readme
- Overwrite Action without Exclude Rules for Managed Rule Groups
- Task validateconfig fails because of missing /test/config-loader.ts - Issue#46 - Thanks to @stoennies
- Added OWASP TOP TEN Example Config Issue#45 - Thanks to @mmoallemi99
- Added multi domainname usage in waf-test
- Old GoTestWAF was deprecated. Updated to Version v0.3.1-178-g415bb4c
- Added Cost Calculation for CloudWatch Dashboarding - The CloudWatch Dashboard will now be included in the cost calculation for the WAF.
- Fix AWS Firewall Factory check for Dashboard
- Added CloudWatch Dashboarding - Set "CreateDashboard": true to get a Dashboard deployed for your Firewall in the central Security Account. To use this Feature, the cross-account functionality in CloudWatch must be enabled. To enable your account to share CloudWatch data with the central security account, follow this how-to.
- If you leave the version for a ManagedRuleGroup empty, the Firewall Factory will retrieve the latest version of the ManagedRuleGroup and add it to your configuration.
- Diagram Creation using template parameter
- Added:
- RemediationEnabled?: Indicates if the policy should be automatically applied to new resources.
- IncludeMap: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.
- ExcludeMap?: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.
- ResourceTags?: An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
- ResourcesCleanUp?: Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
- TaskFile:
  - validateconfig: Validates the current config
  - generateconfig: Generates a skeleton for a WAF configuration file
- DeployTo will now be managed through the includeMap
- Example JSON WAF
- A Firewall can now be deployed using: task deploy config=NAMEOFYOURCONFIGFILE (without the JSON file extension)
- Outputs for PostProcess and PreProcess Custom Rule not dynamic
- Price calculation for your WAF
- Outputs were not dynamic
- Added Linting with typescript-eslint
- Added .gitignore and .npmignore file
- Added 2 functions for building service data (managed & custom rules) to remove redundant code
- Refactoring bin file: outsource capacity checks & other functions to helpers.ts
- Transform capacity.json to Typescript Type Rule
- Start refactoring lib file: get rid of redundant code and use JS shortcuts
- Extend types of the Config interface
- Restructuring runtime properties: introduce separate layer for PreProcess and PostProcess
- New types for Firewall Manager API and CDK mapping
- preProcessRuleGroups and postProcessRuleGroups - you can now decide where the Custom or Managed Rules should be added.
- RuleLabels - A label is a string made up of a prefix, optional namespaces, and a name. The components of a label are delimited with a colon. Labels have the following requirements and characteristics:
  - Labels are case-sensitive.
  - Each label namespace or label name can have up to 128 characters.
  - You can specify up to five namespaces in a label.
  - Components of a label are separated by a colon (:).
- Values Structure:
  - Removed (Rules and ManagedRuleGroups)
  - Added PreProcess and PostProcess
  ℹ️ See example json.
- Optimized RuleGroup Splitting - RuleGroups will now be split into Groups with up to 1000 WCU.
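One way to enforce the RuleLabels requirements listed above before a config reaches the WAF API, as an added TypeScript example (the project's language) that is not code from the AWS Firewall Factory project: the 128-character and five-namespace limits are the ones stated above, while the function and type names, and the reading that every colon-separated component except the last is a namespace, are assumptions of this example.

```typescript
// Added example, not code from the AWS Firewall Factory project: a checker for the
// user-specified portion of a WAF rule label, applying the four requirements listed
// in the RuleLabels entry. The 128-character and five-namespace limits come from that
// entry; treating every component before the final one as a namespace, and all
// function and type names, are this example's own assumptions.

export const MAX_COMPONENT_LENGTH = 128; // applies to each namespace and to the name
export const MAX_NAMESPACES = 5;

export interface LabelCheck {
  valid: boolean;
  namespaces: string[];
  name: string;
  errors: string[];
}

// Split a label on ':' and verify every component against the stated limits.
export function checkRuleLabel(label: string): LabelCheck {
  const errors: string[] = [];
  const components = label.split(":");
  const name = components[components.length - 1];
  const namespaces = components.slice(0, -1);

  components.forEach((part, i) => {
    if (part.length === 0) {
      errors.push(`component ${i} is empty; ':' is only a delimiter between components`);
    } else if (part.length > MAX_COMPONENT_LENGTH) {
      errors.push(`component ${i} has ${part.length} characters, limit is ${MAX_COMPONENT_LENGTH}`);
    }
  });
  if (namespaces.length > MAX_NAMESPACES) {
    errors.push(`${namespaces.length} namespaces given, limit is ${MAX_NAMESPACES}`);
  }
  return { valid: errors.length === 0, namespaces, name, errors };
}

// Labels are case-sensitive: a rule matching on a label must use exactly the spelling
// the labelling rule emitted, so compare with plain equality and never normalise case.
export function labelsMatch(emitted: string, expected: string): boolean {
  return emitted === expected;
}

// Validate every label a config declares before the WebACL is synthesised, so a bad
// label fails the deployment locally instead of at the WAF API.
export function collectLabelErrors(labels: string[]): string[] {
  const out: string[] = [];
  for (const label of labels) {
    for (const e of checkRuleLabel(label).errors) {
      out.push(`${label}: ${e}`);
    }
  }
  return out;
}
```

Running collectLabelErrors over the labels of every PreProcess and PostProcess rule during validateconfig gives one combined list of problems; a label that is too long or has an empty component is reported with its index, and case differences between an emitted label and a matching rule are left untouched so they surface as a non-match rather than being silently folded.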
- Added S3LoggingBucketName to json. You now need to specify the S3 Bucket where the Logs should be placed. We also added a Prefix for the logs to be AWS-conformant (Prefix: AWSLogs/AWS_ACCOUNTID/FirewallManager/AWS_REGION/).
- Added Testing your WAF with GoTestWAF. To be able to check your WAF we introduced the SecuredDomain Parameter in the json, which should be the Domain that will be checked using the WAF tool.
- Introduced three new Parameters in the taskfile (WAF_TEST, CREATE_DIAGRAM and CDK_DIFF).

| Parameter | Value |
|---|---|
| WAF_TEST | true (testing your WAF with GoTestWAF) / false (skipping WAF testing) |
| CREATE_DIAGRAM | true (generating a diagram using draw.io) / false (skipping diagram generation) |
| CDK_DIFF | true (generating a cdk diff before invoking cdk deploy) / false (skipping cdk diff) |
- Add schema validation
- New Support for Captcha - You can now add Captcha as an Action to your WAFs. AWS WAF Captcha is available in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), South America (Sao Paulo), and Asia Pacific (Singapore) AWS Regions and supports Application Load Balancer, Amazon API Gateway, and AWS AppSync resources.
- You can now name your Rules. If you define a Name in your RulesArray, the Name plus a Base36 Timestamp will be used for the creation of your Rule; otherwise a name will be generated. This will help you to query your logs in Athena. The same Rule name also applies to the metric, with "-metric" appended to the name.
- Updated Readme - Community Release
- Automated Capacity Calculation via API - CheckCapacity
- Algorithm to split Rules into RuleGroups
- Automated Update of RuleGroup if Capacity Changed
- Add ManagedRuleGroups via configuration file
- Automated Generation of draw.io diagram for each WAF
- Checking of the soft limit quota for WCU set in the AWS Account (Stop deployment if Calculated WCU is above the quota)
- Easy configuration of WAF Rules through json file.
- Deployment Hash to deploy same WAF more than one time for testing and/or blue/green deployments.
- Stopping deployment if soft limit will be exceeded: Firewall Manager policies per organization per Region (L-0B28E140) - Maximum number of web ACL capacity units in a web ACL in WAF for regional (L-D9F31E8A)
- NEW RegexMatchStatement and IPSetReferenceStatement are working now 🚀