fix(firewall): add both log destinations for all
- When selecting the `all` option, two log destinations should be created:
one for the flow logs and one for the alert logs
roleyfoley authored and ml019 committed Sep 20, 2023
1 parent 4f4f3c3 commit 51d02cf
Showing 3 changed files with 99 additions and 26 deletions.
8 changes: 4 additions & 4 deletions aws/components/firewall/setup.ftl
Expand Up @@ -142,19 +142,19 @@
[#break]
[/#switch]

[#local logType = ""]
[#local logTypes = []]
[#switch solution.Logging.Events]
[#case "all"]
[#local logType = "flow"]
[#local logTypes = ["flow", "alert"]]
[#break]

[#case "alert-only"]
[#local logType = "alert"]
[#local logTypes = ["alert"]]
[#break]
[/#switch]

[#local logConfig = getNetworkFirewallLoggingConfiguration(
logType,
logTypes,
solution.Logging.DestinationType,
loggingDestinationId,
loggingS3Prefix)]
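Review bot: The `[#switch solution.Logging.Events]` rewritten here still has no `[#default]` branch, so any value other than `all` or `alert-only` leaves `logTypes` as `[]` and that empty list is passed straight into `getNetworkFirewallLoggingConfiguration`, which will then return no destination configs. If a disabled or "none" setting is a legitimate value, a comment above the switch such as `[#-- An empty logTypes list means no logging destinations are created --]` would make that intent explicit; if it is not, a `[#default]` that reports the unexpected value via the existing `fatal` macro would be safer than silently emitting an empty `LogDestinationConfigs`. The enclosing macro starts and ends outside the hunk, so I cannot see whether an earlier check already rejects other values.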
54 changes: 32 additions & 22 deletions aws/services/networkfirewall/resource.ftl
Expand Up @@ -172,7 +172,7 @@
/]
[/#macro]

[#function getNetworkFirewallLoggingConfiguration logType destinationType destinationId s3Prefix ]
[#function getNetworkFirewallLoggingConfiguration logTypes destinationType destinationId s3Prefix ]

[#local logDestination = {}]

Expand Down Expand Up @@ -205,28 +205,38 @@
/]
[/#switch]

[#switch logType?upper_case ]
[#case "FLOW"]
[#case "ALERT"]
[#local logType = logType?upper_case]
[#break]
[#local result = []]

[#default]
[@fatal
message="Invalid network firewall log type"
context={
"provided" : logType
}
/]
[/#switch]
[#list logTypes as logType ]
[#switch logType?upper_case ]
[#case "FLOW"]
[#case "ALERT"]
[#local logType = logType?upper_case]
[#break]

[#return
{
"LogDestinationType" : destinationType,
"LogType" : logType,
"LogDestination" : logDestination
}
]
[#default]
[@fatal
message="Invalid network firewall log type"
context={
"provided" : logType
}
/]
[/#switch]

[#local result = combineEntities(
result,
[
{
"LogDestinationType" : destinationType,
"LogType" : logType?upper_case,
"LogDestination" : logDestination
}
],
APPEND_COMBINE_BEHAVIOUR
)]
[/#list]

[#return result ]
[/#function]

[#macro createNetworkFirewallLogging id
Expand All @@ -239,7 +249,7 @@
properties={
"FirewallArn" : getArn(firewallId),
"LoggingConfiguration" : {
"LogDestinationConfigs" : asArray(logDestinationConfigs)
"LogDestinationConfigs" : logDestinationConfigs
}
}
outputs=AWS_NETWORK_FIREWALL_LOGGING_OUTPUT_MAPPINGS
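Review bot: Inside `[#list logTypes as logType ]` the line `[#local logType = logType?upper_case]` appears to be dead: `logType` is the loop variable, and in FreeMarker a `#local` of the same name creates a separate variable that the loop variable hides, which is presumably why the entry later uses `"LogType" : logType?upper_case` again. Dropping that `#local` line and keeping the `[#case "FLOW"]`/`[#case "ALERT"]` arms purely as validation (just the `[#break]`) would make the intent clearer. Since the function now returns a sequence rather than a single hash, a header comment such as `[#-- Returns a list of LogDestinationConfig entries, one per entry in logTypes (FLOW/ALERT), sharing the same destination --]` above `[#function getNetworkFirewallLoggingConfiguration` would help callers. In the `createNetworkFirewallLogging` hunk, removing `asArray(logDestinationConfigs)` assumes every caller now passes a sequence; I can only see the one call site in `setup.ftl`, and keeping `asArray` there is harmless and protects any other caller that still passes a single hash.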
63 changes: 63 additions & 0 deletions awstest/modules/firewall/module.ftl
Expand Up @@ -74,6 +74,69 @@
}
/]

[#-- flowlogs --]
[@loadModule
blueprint={
"Tiers" : {
"mgmt" : {
"Components" : {
"firewalllogs" : {
"Type": "firewall",
"deployment:Unit" : "aws-firewall",
"Profiles" : {
"Testing" : ["firewalllogs"]
},
"Logging": {
"Events": "all"
},
"Engine" : "network",
"Rules" : {
"default" : {
"Action" : "drop",
"Priority" : "default",
"Inspection" : "Stateless"
}
}
}
}
}
},
"TestCases" : {
"firewalllogs" : {
"OutputSuffix" : "template.json",
"Structural" : {
"CFN" : {
"Resource" : {
"loggingConfig" : {
"Name" : "networkfirewallloggingXmgmtXfirewalllogs",
"Type" : "AWS::NetworkFirewall::LoggingConfiguration"
}
}
},
"JSON" : {
"Length" : {
"LogDestinations" : {
"Path": "Resources.networkfirewallloggingXmgmtXfirewalllogs.Properties.LoggingConfiguration.LogDestinationConfigs",
"Count": 2
}
}
}
}
}
},
"TestProfiles" : {
"firewalllogs" : {
"firewall" : {
"TestCases" : [ "firewalllogs" ]
},
"*" : {
"TestCases" : [ "_cfn-lint" ]
}
}
}
}
/]

[#-- Simple Network rule --]
[@loadModule
blueprint={
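Review bot: The `LogDestinations` check under `"Length"` only asserts that two entries are emitted, not that they are the FLOW and ALERT entries the fix is about; two identical entries would also satisfy `"Count": 2`. If the test harness supports value assertions on a JSON path, asserting the `LogType` of both entries under `LogDestinationConfigs` would pin the actual behaviour. Only the `all` path is covered here; a sibling test case with `"Events": "alert-only"` expecting `"Count": 1` would also guard the list refactor in `setup.ftl` and `resource.ftl`.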

0 comments on commit 51d02cf

Please sign in to comment.