Add logging configuration to firewall

Issue (aws-controllers-k8s/community#1553) Description of changes: Adds support for logging configuration to firwall spec By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
aws-controllers-k8s · Sep 9, 2023 · 4d045bf · 4d045bf
1 parent b092484
commit 4d045bf
Show file tree

Hide file tree

Showing 39 changed files with 1,212 additions and 21 deletions.
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2023-05-11T19:18:21Z"
-  build_hash: 9e2542cf2c0f92c014524c269474055cca758d70
-  go_version: go1.19.4
-  version: v0.26.0-3-g9e2542c
-api_directory_checksum: 6dad53af842b63621da7311c93b0d29ae0fd2895
+  build_date: "2023-08-24T21:37:01Z"
+  build_hash: e9b68590da73ce9143ba1e4361cebdc1d876c81e
+  go_version: go1.20.3
+  version: v0.26.1-7-ge9b6859
+api_directory_checksum: 3b4f3a0f27153a4083f22af65a852a14315600e5
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.93
 generator_config_info:
-  file_checksum: 564fa544b26782213db03f16198b4efbd66e588c
+  file_checksum: 049ad2f8dad72cee7e6ec353278197e0d0b4a643
   original_file_name: generator.yaml
 last_modification:
   reason: API generation
diff --git a/apis/v1alpha1/firewall.go b/apis/v1alpha1/firewall.go
diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml
@@ -8,6 +8,10 @@ resources:
     fields:
       FirewallName: 
         is_primary_key: true
+      LoggingConfiguration:
+        from:
+          operation: UpdateLoggingConfiguration
+          path: LoggingConfiguration          
     exceptions:
       terminal_codes:
       - InvalidRequestException
@@ -20,8 +24,20 @@ resources:
         in:
         - READY
     hooks:
+      delta_pre_compare:
+        code: customPreCompare(a, b)
+      sdk_delete_pre_build_request:
+        template_path: common/sdk_delete_pre_build_request.go.tpl
       sdk_delete_post_request:
         template_path: common/sdk_delete_post_request.go.tpl
+      sdk_create_post_set_output:
+        template_path: common/sdk_create_post_set_output.go.tpl
+      sdk_read_one_post_set_output:
+        template_path: common/sdk_read_many_post_set_output.go.tpl
+      sdk_file_end:
+        template_path: common/sdk_file_end.go.tpl
+    update_operation:
+      custom_method_name: customUpdateFirewall
   FirewallPolicy:
     exceptions:
       terminal_codes:

diff --git a/apis/v1alpha1/types.go b/apis/v1alpha1/types.go
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
@@ -6,4 +6,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: public.ecr.aws/aws-controllers-k8s/networkfirewall-controller
-  newTag: v0.0.0-non-release-version
+  newTag: 0.0.1
diff --git a/config/crd/bases/networkfirewall.services.k8s.aws_firewalls.yaml b/config/crd/bases/networkfirewall.services.k8s.aws_firewalls.yaml
@@ -76,6 +76,34 @@ spec:
                   a firewall that is in use. When you create a firewall, the operation
                   initializes this setting to TRUE.
                 type: boolean
+              loggingConfiguration:
+                description: Defines how Network Firewall performs logging for a firewall.
+                  If you omit this setting, Network Firewall disables logging for
+                  the firewall.
+                properties:
+                  logDestinationConfigs:
+                    items:
+                      description: "Defines where Network Firewall sends logs for
+                        the firewall for one log type. This is used in LoggingConfiguration.
+                        You can send each type of log to an Amazon S3 bucket, a CloudWatch
+                        log group, or a Kinesis Data Firehose delivery stream. \n
+                        Network Firewall generates logs for stateful rule groups.
+                        You can save alert and flow log types. The stateful rules
+                        engine records flow logs for all network traffic that it receives.
+                        It records alert logs for traffic that matches stateful rules
+                        that have the rule action set to DROP or ALERT."
+                      properties:
+                        logDestination:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        logDestinationType:
+                          type: string
+                        logType:
+                          type: string
+                      type: object
+                    type: array
+                type: object
               subnetChangeProtection:
                 description: A setting indicating whether the firewall is protected
                   against changes to the subnet associations. Use this setting to

diff --git a/config/iam/recommended-inline-policy b/config/iam/recommended-inline-policy
@@ -0,0 +1,21 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "network-firewall:CreateFirewall",
+                "network-firewall:CreateFirewallPolicy",
+                "network-firewall:DeleteFirewall ",
+                "network-firewall:DeleteFirewallPolicy",
+                "network-firewall:DescribeFirewall",
+                "network-firewall:DescribeFirewall",
+                "network-firewall:DescribeLoggingConfiguration"
+                "network-firewall:ListFirewallPolicies",
+                "network-firewall:ListFirewalls",
+                "network-firewall:UpdateLoggingConfiguration",
+            ],
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/generator.yaml b/generator.yaml
@@ -8,6 +8,10 @@ resources:
     fields:
       FirewallName: 
         is_primary_key: true
+      LoggingConfiguration:
+        from:
+          operation: UpdateLoggingConfiguration
+          path: LoggingConfiguration
     exceptions:
       terminal_codes:
       - InvalidRequestException
@@ -20,8 +24,20 @@ resources:
         in:
         - READY
     hooks:
+      delta_pre_compare:
+        code: customPreCompare(a, b)
+      sdk_delete_pre_build_request:
+        template_path: common/sdk_delete_pre_build_request.go.tpl
       sdk_delete_post_request:
         template_path: common/sdk_delete_post_request.go.tpl
+      sdk_create_post_set_output:
+        template_path: common/sdk_create_post_set_output.go.tpl
+      sdk_read_one_post_set_output:
+        template_path: common/sdk_read_many_post_set_output.go.tpl
+      sdk_file_end:
+        template_path: common/sdk_file_end.go.tpl
+    update_operation:
+      custom_method_name: customUpdateFirewall
   FirewallPolicy:
     exceptions:
       terminal_codes:

diff --git a/go.mod b/go.mod
@@ -6,6 +6,8 @@ require (
 	github.com/aws-controllers-k8s/runtime v0.26.0
 	github.com/aws/aws-sdk-go v1.44.93
 	github.com/go-logr/logr v1.2.3
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.0
 	k8s.io/api v0.26.1
@@ -45,7 +47,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect

diff --git a/go.sum b/go.sum
@@ -472,6 +472,7 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -1,16 +1,16 @@
 apiVersion: v1
 name: networkfirewall-chart
-description: A Helm chart for the ACK service controller for Network Firewall (NETWORKFIREWALL)
-version: v0.0.0-non-release-version
-appVersion: v0.0.0-non-release-version
+description: A Helm chart for the ACK service controller for Network Firewall (NetworkFirewall)
+version: 0.0.1
+appVersion: 0.0.1
 home: https://github.com/aws-controllers-k8s/networkfirewall-controller
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
   - https://github.com/aws-controllers-k8s/networkfirewall-controller
 maintainers:
   - name: ACK Admins
     url: https://github.com/orgs/aws-controllers-k8s/teams/ack-admin
-  - name: NETWORKFIREWALL Admins
+  - name: NetworkFirewall Admins
     url: https://github.com/orgs/aws-controllers-k8s/teams/networkfirewall-maintainer
 keywords:
   - aws

diff --git a/helm/crds/networkfirewall.services.k8s.aws_firewalls.yaml b/helm/crds/networkfirewall.services.k8s.aws_firewalls.yaml
@@ -76,6 +76,34 @@ spec:
                   a firewall that is in use. When you create a firewall, the operation
                   initializes this setting to TRUE.
                 type: boolean
+              loggingConfiguration:
+                description: Defines how Network Firewall performs logging for a firewall.
+                  If you omit this setting, Network Firewall disables logging for
+                  the firewall.
+                properties:
+                  logDestinationConfigs:
+                    items:
+                      description: "Defines where Network Firewall sends logs for
+                        the firewall for one log type. This is used in LoggingConfiguration.
+                        You can send each type of log to an Amazon S3 bucket, a CloudWatch
+                        log group, or a Kinesis Data Firehose delivery stream. \n
+                        Network Firewall generates logs for stateful rule groups.
+                        You can save alert and flow log types. The stateful rules
+                        engine records flow logs for all network traffic that it receives.
+                        It records alert logs for traffic that matches stateful rules
+                        that have the rule action set to DROP or ALERT."
+                      properties:
+                        logDestination:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        logDestinationType:
+                          type: string
+                        logType:
+                          type: string
+                      type: object
+                    type: array
+                type: object
               subnetChangeProtection:
                 description: A setting indicating whether the firewall is protected
                   against changes to the subnet associations. Use this setting to

diff --git a/helm/crds/services.k8s.aws_adoptedresources.yaml b/helm/crds/services.k8s.aws_adoptedresources.yaml
@@ -145,7 +145,10 @@ spec:
                             blockOwnerDeletion:
                               description: If true, AND if the owner has the "foregroundDeletion"
                                 finalizer, then the owner cannot be deleted from the
-                                key-value store until this reference is removed. Defaults
+                                key-value store until this reference is removed. See
+                                https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+                                for how the garbage collector interacts with this
+                                field and enforces the foreground deletion. Defaults
                                 to false. To set this field, a user needs "delete"
                                 permission of the owner, otherwise 422 (Unprocessable
                                 Entity) will be returned.

diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
@@ -1,10 +1,10 @@
 {{ .Chart.Name }} has been installed.
-This chart deploys "public.ecr.aws/aws-controllers-k8s/networkfirewall-controller:v0.0.0-non-release-version".
+This chart deploys "public.ecr.aws/aws-controllers-k8s/networkfirewall-controller:0.0.1".
 
 Check its status by running:
   kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"
 
-You are now able to create Network Firewall (NETWORKFIREWALL) resources!
+You are now able to create Network Firewall (NetworkFirewall) resources!
 
 The controller is running in "{{ .Values.installScope }}" mode.
 The controller is configured to manage AWS resources in region: "{{ .Values.aws.region }}"