4.1.4

Added

• Automation for Documentation for the AWS Firewall Factory to assist you in utilizing our solution.
  The documentation will be updated regularly to provide you with the most current information. We also added more comments to functions and enums to provide more information to you. Issue 220
• First preperations to support for Network Firewalls

Fixed

• Console log error if only one Managed Rule Group was specified - the table output was not working for PostProcess.
• Bump @mhlabs/cfn-diagram from 1.1.29 to 1.1.38 -> thanks to ljacobsson for the new release
• Bump @babel/traverse to 7.23.2
• Bump @types/uuid from 9.0.5 to 9.0.7
• Bump @types/node from 18.16.3 to 20.8.10

4.1.3

Added

• Optional Lambda function to prerequisite Stack that send notifications about potential DDoS activity for protected resources to messengers (Slack/Teams) - [AWS Shield Advanced]
• Automated test workflows of example firewalls, to ensure code quality and test coverage

Fixed

• Bump @aws-sdk/client-cloudformation from 3.427.0 to 3.428.0
• Bump @aws-sdk/client-shield from 3.427.0 to 3.428.0
• Bump typescript from 4.9.5 to 5.2.2
• Bump jest from 29.5.0 to 29.7.0
• Bump eslint from 8.48.0 to 8.51.0

4.1.2

Fixed

• Separate NotStatements where not parsed correctly while deployment
• Bump @typescript-eslint/eslint-plugin 6.7.4 from to 6.7.5
• Bump @typescript-eslint/parser 6.0.0 from to 6.7.5

4.1.1

Added

• Added Console output if ManagedRuleGroup OverrideAction is set to Count - This option is not commonly used. If any rule in the rule group results in a match, this override sets the resulting action from the rule group to Count.
• Enums for all AWS ManagedRuleGroup Rules and Labels, this will help you to not create exclude Rules of Label Match Statements for none existing Rules or Labels. AWS CloudFormation even not trow any error right now if you try use not existing Labels or Rules.
• Optional Lambda function to prerequisite Stack that sends notifications about changes in AWS managed rule groups, such as upcoming new versions and urgent security updates, to messaging platforms like Slack or Teams.

Fixed

• RegexPatternSets and IPSets in NotStatements AWS Firewall Factory are ignored while WCU calculation
• gotestwaf task was not customized for Typescript configuration files.
• ManagedRuleGroupVersion lambda was always using the latest ManagedRulegroup version if no version was specified. Now the lambda function is using the current Default version.
• Added Optional Parameter for ManagedRuleGroupVersion lambda, you can now set enforceUpdate to load the latest or the current Default version during WAF update.
• Bump @aws-cdk-lib from 2.93.0 to 2.100.0
• Bump @aws-cdk from 2.93.0 to 2.100.0
• Bump @aws-sdk/client-cloudformation from 3.398.0 to 3.427.0
• Bump @aws-sdk/client-cloudwatch from 3.398.0 to 3.427.0
• Bump @aws-sdk/client-fms from 3.398.0 to 3.427.0
• Bump @aws-sdk/client-pricing from 3.398.0 to 3.427.0
• Bump @aws-sdk/client-service-quotas from 3.398.0 to 3.427.0
• Bump @aws-sdk/client-shield from 3.398.0 to 3.427.0
• Bump @aws-sdk/client-wafv2 from 3.398.0 to 3.427.0
• Bump @typescript-eslint/eslint-plugin from 6.4.1 to 6.7.4

4.1.0

Added

• This update presents a new feature that centralizes the management of RegexPatternSet. With this improvement, manual updates of regexpatternset across multiple AWS accounts are no longer necessary.
  Users can now define the feature in code and replicate it for use by WAF rules wherever applicable.
• Additionally, cdk destroy has been included in the taskfile.
• Furthermore, we have modified several enums to enhance their ease of with previous versions: use while maintaining downward compatibility, such as
  • WebAclScope
  • AwsManagedRules
  • ManagedRuleGroupVendor
  • CustomResponseBodiesContentType
  • WebAclTypeEnum
• uuidFirewallFactoryResourceIdentitfier: Introducing a firewall identifier UUID that will be utilized for resource names in AWS.

Fixed

• Capacity and version information for Managed Rule Groups are now optional. We calculate the capacity on the fly, so specifying capacity is unnecessary. If no version is provided, we will retrieve the latest version for the Managed Rule Group using the API.
• DeliveryStreamName not checked - Erroneous if exceeding 64 character limit source.
• Fixed nonfunctional documentation links.

Removed

• Export names from CloudFormation stack outputs, as we rely on the stack name and output names from the particular CloudFormation stack to obtain the necessary information.

4.0.0

Added

• A custom resource to retrieve the latest version of the ManagedRuleGroup and check if the specified version is valid.
• Typescript configuration files for WAF configurations - now it is easier to write custom rules because of the types for rule statements.
• A function to convert CdkRule to SdkRule - with the introduction of Typescript configuration and CDK interfaces, we now need to convert every CDK rule to an SDK rule to be able to use the CheckCapacity API call.
• ManagedRuleGroupVersions for CloudFormation Output
• Example Configurations
  1. Example WAF configuration against: OWASP Top Ten
  2. Example configuration for prerequisite stack
• Added TOOL_KIT_STACKNAME to the TaskFile - to specify the name of the bootstrap stack (see Bootstrapping your AWS environment).
• Migrate script to migrate from json to ts config (./values/migrate.ts)
  • ts node ./values/migrate.ts YOURJSON.json
• You now need to set the priority for your custom rules. If you want to learn more about processing order of rules and rule groups in a web ACL, check out this link.

Fixed

• Allow sub-statements of IPSetReferenceStatements -> Allow IPSetReferenceStatement.ARN entries that reference an aws-firewall-factory controlled ipset (i.e. the name of the ipset) within AND, OR and NOT statements (as sub-statements).
• Adjusted WAF Config skeleton generation function for Typescript configuration.
• Updated dependencies to the latest version

Removed

• Json config files for WAF configurations
• DeployHash generation for new configs - legacy functionality - we will now use Prefix, Stage & FirewallName to create unique WAF and CloudFormation StackNames.

3.3.1

3.3.1

Fixed

• example Json Files
• Bump @aws-cdk from 2.79.1 to 2.89.0
• Bump @mhlabs/cfn-diagram from 1.1.36 to 1.1.29
• Bump @aws-cdk-lib from 2.77.0 to 2.80.0
• Bump typescript-json-schema from 0.56.0 to 0.59.0

3.3.0

Added

• Refactor of bin/aws-firewall-factory.ts, grouping duplicated code on a function, adding comments and better organizing the file.

• Refactor of lib/firewall-stack.ts, outsource the creation of the CloudWatch Dashboard into an own Construct

• Adds a centralized IPSets management feature.
  No more we'll have to be manually updating ipsets across multiple AWS accounts, it can be defined in code and replicated for use by WAF rules everywhere its needed. Check the examples for defining ipsets and using them in the WebACLs on values/ip-sets-managed.json.

• Logging to S3, you can now decide if you want to send your WAF logs directly to S3 or via Firehose

3.2.6

Add

• Linting Github Action for typescript 18 & 20

Fixed

• Bump @aws-sdk/client-cloudformation from 3.321.1 to 3.353.0
• Bump @aws-sdk/client-cloudwatch 3.341.0 to 3.353.0
• Bump @aws-sdk/client-fms 3.342.0 to 3.353.0
• Bump @aws-sdk/client-pricing 3.341 .0 to 3.353.0
• Bump @aws-sdk/client-service-quotas 3.342.0 to 3.353.0
• Bump @aws-sdk/client-wafv2 from 3.321.1 to 3.353.0
• Bump @mhlabs/cfn-diagram from 1.1.32 to 1.1.36
• Add more Linting rules see ./eslintrc

3.2.5

Fixed

• Pricing Calculation - Check for Shield Advanced State
  • All public regions & Global (Amazon CloudFront locations) - No charge per policy per Region
  • AWS WAF WebACLs or Rules created by Firewall Manager - Included. No additional charge.