From a2ddd3899f55e7827cb3e253b08fae9e9ae22665 Mon Sep 17 00:00:00 2001
From: Momo Kornher
Date: Thu, 26 Oct 2023 14:36:03 +0100
Subject: [PATCH] this time for sure

---
 .../__snapshots__/documentation.test.ts.snap | 310 ------------------
 1 file changed, 310 deletions(-)

diff --git a/test/docgen/view/__snapshots__/documentation.test.ts.snap b/test/docgen/view/__snapshots__/documentation.test.ts.snap
index d4c936e5..7b372290 100644
--- a/test/docgen/view/__snapshots__/documentation.test.ts.snap
+++ b/test/docgen/view/__snapshots__/documentation.test.ts.snap
@@ -102641,316 +102641,6 @@ first call to addToResourcePolicy(s). -" -`; - -exports[`package installation uses --force when EBADPLATFORM is encountered 1`] = ` -"# AWS Firewall Construct - -A simple AWS VPC Firewall with one stateless rule and one stateful rule to meet the AWS Config Network Firewall Conformance. - -Stateful rules group can be further extend with Suricata rules as text file - -## Stateless rule group - -Allows only TCP:80 and TCP:443 - -## Stateful rule group - -Allows only whitelisted domains: - -* .docker.com -* .aws.amazon.com -* .amazonaws.com -* downloads.nessus.org -* plugins.nessus.org -* .fedoraproject.org -* .duosecurity.com -* crl3.digicert.com -* crl.godaddy.com -* certificate.godaddy.com - -# Example use case - -1. Create a new folder \`network-firewall\` in the same level as \`cdk-construct\` -1. Initialize a CDK app using command \`cdk new app --language=typescript\` -2. In the \`bin/network-firewall.ts\` - -\`\`\` -#!/usr/bin/env node -import 'source-map-support/register'; -import * as cdk from 'aws-cdk-lib'; -import { NetworkFirewallStack } from '../lib/network-firewall-stack'; - -const app = new cdk.App(); -new NetworkFirewallStack(app, 'NetworkFirewallStack', { - // needs the account and region for the Vpc lookup - env: { - region: process.env.CDK_DEFAULT_REGION, - account: process.env.CDK_DEFAULT_ACCOUNT, - }, -}); -\`\`\` - -4. Create a Suricata text file in \`lib/rules.txt\` as below. 
More examples can be found in https://suricata.readthedocs.io/en/suricata-6.0.2/rules/intro.html - -\`\`\` -pass ip 10.1.0.0/16 any -> 10.0.0.0/16 any (sid:100;) -drop ip any any <> any any (sid:101;) -alert tcp any any -> 1.1.1.1/32 80 (sid:102;msg:"example message";) -drop tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS denylisted FQDNs"; priority:1; flow:to_server, established; sid:103; rev:1;) -drop http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"example.com"; startswith; endswith; msg:"matching HTTP denylisted FQDNs"; priority:1; flow:to_server, established; sid:104; rev:1;) -\`\`\` - -3. In the \`lib/network-firewall-stack.ts\` -\`\`\` -import * as cdk from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as fwconstruct from '../../cdk-constructs/firewall-distributed-vpc' - -export class NetworkFirewallStack extends cdk.Stack { - constructor(scope: Construct, id: string, props?: cdk.StackProps) { - super(scope, id, props); - const vpc:cdk.aws_ec2.IVpc = cdk.aws_ec2.Vpc.fromLookup(this,"fwVpc", - { - vpcId: - }); - - const subnet = [ - cdk.aws_ec2.Subnet.fromSubnetId(this, "subnet1", ), - cdk.aws_ec2.Subnet.fromSubnetId(this, "subnet2", ) - ] - - - new fwconstruct.FirewallDistributedVpc(this,'fw',{ - vpc: vpc, - subnetList: subnet, - rulesFile: ["./lib/rules.txt"] - }) - - } -} -\`\`\` - -# Validate with Config Conformance Pack - -To ensure network firewall conformance, [deploy the conformance pack](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-cli.html) using [Network Firewall Conformance Pack](https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Security-Best-Practices-for-Network-Firewall.yaml). - -## Check the config rule conformation - -1. 
Get the rule names -\`\`\` -% aws configservice describe-config-rules --query 'ConfigRules[*].ConfigRuleName' -[ - "netfw-policy-default-action-fragment-packets-conformance-pack-ilk1uyn2w", - "netfw-policy-default-action-full-packets-conformance-pack-ilk1uyn2w", - "netfw-policy-rule-group-associated-conformance-pack-ilk1uyn2w", - "netfw-stateless-rule-group-not-empty-conformance-pack-ilk1uyn2w" -] -\`\`\` -2. Query the compliance details -\`\`\` -aws configservice get-compliance-details-by-config-rule --config-rule-name netfw-policy-default-action-fragment-packets-conformance-pack-ilk1uyn2w --query 'EvaluationResults[*].ComplianceType' -[ - "COMPLIANT" -] -\`\`\` -# API Reference - -## Constructs - -### NetworkFirewallDistributedConstruct - -#### Initializers - -\`\`\`typescript -import { NetworkFirewallDistributedConstruct } from '@richkang/cdk-construct-network-firewall-textfile-rules' - -new NetworkFirewallDistributedConstruct(scope: Construct, id: string, props: INetworkFirewallDistributedConstructProps) -\`\`\` - -| **Name** | **Type** | **Description** | -| --- | --- | --- | -| scope | constructs.Construct | *No description.* | -| id | string | *No description.* | -| props | INetworkFirewallDistributedConstructProps | *No description.* | - ---- - -##### \`scope\`Required - -- *Type:* constructs.Construct - ---- - -##### \`id\`Required - -- *Type:* string - ---- - -##### \`props\`Required - -- *Type:* INetworkFirewallDistributedConstructProps - ---- - -#### Methods - -| **Name** | **Description** | -| --- | --- | -| toString | Returns a string representation of this construct. | -| buildRulesSourcePropertyFromFile | *No description.* | - ---- - -##### \`toString\` - -\`\`\`typescript -public toString(): string -\`\`\` - -Returns a string representation of this construct. 
- -##### \`buildRulesSourcePropertyFromFile\` - -\`\`\`typescript -public buildRulesSourcePropertyFromFile(filenameList: string[], rulesVariable: RuleVariablesProperty): CfnRuleGroup[] -\`\`\` - -###### \`filenameList\`Required - -- *Type:* string[] - ---- - -###### \`rulesVariable\`Required - -- *Type:* aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.RuleVariablesProperty - ---- - -#### Static Functions - -| **Name** | **Description** | -| --- | --- | -| isConstruct | Checks if \`x\` is a construct. | - ---- - -##### \`isConstruct\` - -\`\`\`typescript -import { NetworkFirewallDistributedConstruct } from '@richkang/cdk-construct-network-firewall-textfile-rules' - -NetworkFirewallDistributedConstruct.isConstruct(x: any) -\`\`\` - -Checks if \`x\` is a construct. - -Use this method instead of \`instanceof\` to properly detect \`Construct\` -instances, even when the construct library is symlinked. - -Explanation: in JavaScript, multiple copies of the \`constructs\` library on -disk are seen as independent, completely different libraries. As a -consequence, the class \`Construct\` in each copy of the \`constructs\` library -is seen as a different class, and an instance of one class will not test as -\`instanceof\` the other class. \`npm install\` will not create installations -like this, but users may manually symlink construct libraries together or -use a monorepo tool: in those cases, multiple copies of the \`constructs\` -library can be accidentally installed, and \`instanceof\` will behave -unpredictably. It is safest to avoid using \`instanceof\`, and using -this type-testing method instead. - -###### \`x\`Required - -- *Type:* any - -Any object. - ---- - -#### Properties - -| **Name** | **Type** | **Description** | -| --- | --- | --- | -| node | constructs.Node | The tree node. 
| -| firewall | aws-cdk-lib.aws_networkfirewall.CfnFirewall | *No description.* | - ---- - -##### \`node\`Required - -\`\`\`typescript -public readonly node: Node; -\`\`\` - -- *Type:* constructs.Node - -The tree node. - ---- - -##### \`firewall\`Required - -\`\`\`typescript -public readonly firewall: CfnFirewall; -\`\`\` - -- *Type:* aws-cdk-lib.aws_networkfirewall.CfnFirewall - ---- - - - - -## Protocols - -### INetworkFirewallDistributedConstructProps - -- *Implemented By:* INetworkFirewallDistributedConstructProps - - -#### Properties - -| **Name** | **Type** | **Description** | -| --- | --- | --- | -| subnetList | aws-cdk-lib.aws_ec2.ISubnet[] | *No description.* | -| vpc | aws-cdk-lib.aws_ec2.IVpc | *No description.* | -| rulesFile | string[] | *No description.* | - ---- - -##### \`subnetList\`Required - -\`\`\`typescript -public readonly subnetList: ISubnet[]; -\`\`\` - -- *Type:* aws-cdk-lib.aws_ec2.ISubnet[] - ---- - -##### \`vpc\`Required - -\`\`\`typescript -public readonly vpc: IVpc; -\`\`\` - -- *Type:* aws-cdk-lib.aws_ec2.IVpc - ---- - -##### \`rulesFile\`Optional - -\`\`\`typescript -public readonly rulesFile: string[]; -\`\`\` - -- *Type:* string[] - ---- - " `;