From 51d02cf154c695c04e46d0e8403fb053240ad13f Mon Sep 17 00:00:00 2001
From: roleyfoley
Date: Wed, 20 Sep 2023 17:04:18 +1000
Subject: [PATCH] fix(firewall): add both log destinations for all

- When selecting the all option two log destinations should be created one for the flow logs and one for the alert logs
---
 aws/components/firewall/setup.ftl | 8 +--
 aws/services/networkfirewall/resource.ftl | 54 +++++++++++--------
 awstest/modules/firewall/module.ftl | 63 +++++++++++++++++++++++
 3 files changed, 99 insertions(+), 26 deletions(-)

diff --git a/aws/components/firewall/setup.ftl b/aws/components/firewall/setup.ftl
index 42cd31ca0..bcd5a28c6 100644
--- a/aws/components/firewall/setup.ftl
+++ b/aws/components/firewall/setup.ftl
@@ -142,19 +142,19 @@
 [#break]
 [/#switch]
- [#local logType = ""]
+ [#local logTypes = []]
 [#switch solution.Logging.Events]
 [#case "all"]
- [#local logType = "flow"]
+ [#local logTypes = ["flow", "alert"]]
 [#break]
 [#case "alert-only"]
- [#local logType = "alert"]
+ [#local logTypes = ["alert"]]
 [#break]
 [/#switch]
 [#local logConfig = getNetworkFirewallLoggingConfiguration(
- logType,
+ logTypes,
 solution.Logging.DestinationType,
 loggingDestinationId,
 loggingS3Prefix)]
diff --git a/aws/services/networkfirewall/resource.ftl b/aws/services/networkfirewall/resource.ftl
index 1bcf093c5..840ea78ff 100644
--- a/aws/services/networkfirewall/resource.ftl
+++ b/aws/services/networkfirewall/resource.ftl
@@ -172,7 +172,7 @@
 /]
 [/#macro]
-[#function getNetworkFirewallLoggingConfiguration logType destinationType destinationId s3Prefix ]
+[#function getNetworkFirewallLoggingConfiguration logTypes destinationType destinationId s3Prefix ]
 [#local logDestination = {}]
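Review bot: The `[#switch solution.Logging.Events]` in setup.ftl still has no `[#default]`, and after this refactor an unrecognised value yields `logTypes = []` where the old code produced `""`, which `getNetworkFirewallLoggingConfiguration` rejected with a fatal; a typo in the setting would now silently render a LoggingConfiguration with an empty `LogDestinationConfigs` instead of failing the template build. If the component schema already restricts `Events` to `all`/`alert-only` this is moot; otherwise add `[#default] [@fatal message="Invalid firewall logging event selection" context={ "provided" : solution.Logging.Events } /]` before `[/#switch]` to keep the fail-fast. The enclosing macro and switch begin outside the hunk, and whether the consumer of `logConfig` skips an empty list is not visible here.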
@@ -205,28 +205,38 @@
 /]
 [/#switch]
- [#switch logType?upper_case ]
- [#case "FLOW"]
- [#case "ALERT"]
- [#local logType = logType?upper_case]
- [#break]
+ [#local result = []]
- [#default]
- [@fatal
- message="Invalid network firewall log type"
- context={
- "provided" : logType
- }
- /]
- [/#switch]
+ [#list logTypes as logType ]
+ [#switch logType?upper_case ]
+ [#case "FLOW"]
+ [#case "ALERT"]
+ [#local logType = logType?upper_case]
+ [#break]
- [#return
- {
- "LogDestinationType" : destinationType,
- "LogType" : logType,
- "LogDestination" : logDestination
- }
- ]
+ [#default]
+ [@fatal
+ message="Invalid network firewall log type"
+ context={
+ "provided" : logType
+ }
+ /]
+ [/#switch]
+
+ [#local result = combineEntities(
+ result,
+ [
+ {
+ "LogDestinationType" : destinationType,
+ "LogType" : logType?upper_case,
+ "LogDestination" : logDestination
+ }
+ ],
+ APPEND_COMBINE_BEHAVIOUR
+ )]
+ [/#list]
+
+ [#return result ]
 [/#function]
 [#macro createNetworkFirewallLogging id
@@ -239,7 +249,7 @@
 properties={
 "FirewallArn" : getArn(firewallId),
 "LoggingConfiguration" : {
- "LogDestinationConfigs" : asArray(logDestinationConfigs)
+ "LogDestinationConfigs" : logDestinationConfigs
 }
 }
 outputs=AWS_NETWORK_FIREWALL_LOGGING_OUTPUT_MAPPINGS
diff --git a/awstest/modules/firewall/module.ftl b/awstest/modules/firewall/module.ftl
index 55f023454..8cc173578 100644
--- a/awstest/modules/firewall/module.ftl
+++ b/awstest/modules/firewall/module.ftl
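Review bot: `[#local logType = logType?upper_case]` inside the `[#list logTypes as logType]` body looks dead: the entry built below re-applies `?upper_case` (`"LogType" : logType?upper_case`), and a `#local` assignment to a name that is also the loop variable is unlikely to be what later references resolve to, so the line should go rather than stand as a misleading hint that `logType` was normalised. The function also now returns `[]` for an empty `logTypes` without complaint, moving the failure from the template build to CloudFormation (or to no logging at all); a guard such as `[#if !logTypes?has_content][@fatal message="No network firewall log types provided" /][/#if]` ahead of the list preserves the old fail-fast. Note too that the single `logDestination` built above the hunk from `destinationType`/`destinationId`/`s3Prefix` is shared by the FLOW and ALERT entries, so with an S3 destination both log types land under one prefix — if the caller does not already distinguish them, a per-type prefix keeps high-volume flow records from burying the alert records a SOC actually consumes. `getNetworkFirewallLoggingConfiguration` begins before this hunk.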
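Review bot: Dropping `asArray(...)` around `logDestinationConfigs` makes `createNetworkFirewallLogging` depend on every caller passing a list; the only caller visible in this patch (setup.ftl) now does, but any other caller still passing a single hash would render a map where `LogDestinationConfigs` must be a list, and `asArray` was a free guard against that. Unless the macro is known to have exactly one caller, keeping `"LogDestinationConfigs" : asArray(logDestinationConfigs)` costs nothing and tolerates both shapes. The macro's signature starts outside the hunk.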
@@ -74,6 +74,69 @@
 }
 /]
+ [#-- flowlogs --]
+ [@loadModule
+ blueprint={
+ "Tiers" : {
+ "mgmt" : {
+ "Components" : {
+ "firewalllogs" : {
+ "Type": "firewall",
+ "deployment:Unit" : "aws-firewall",
+ "Profiles" : {
+ "Testing" : ["firewalllogs"]
+ },
+ "Logging": {
+ "Events": "all"
+ },
+ "Engine" : "network",
+ "Rules" : {
+ "default" : {
+ "Action" : "drop",
+ "Priority" : "default",
+ "Inspection" : "Stateless"
+ }
+ }
+ }
+ }
+ }
+ },
+ "TestCases" : {
+ "firewalllogs" : {
+ "OutputSuffix" : "template.json",
+ "Structural" : {
+ "CFN" : {
+ "Resource" : {
+ "loggingConfig" : {
+ "Name" : "networkfirewallloggingXmgmtXfirewalllogs",
+ "Type" : "AWS::NetworkFirewall::LoggingConfiguration"
+ }
+ }
+ },
+ "JSON" : {
+ "Length" : {
+ "LogDestinations" : {
+ "Path": "Resources.networkfirewallloggingXmgmtXfirewalllogs.Properties.LoggingConfiguration.LogDestinationConfigs",
+ "Count": 2
+ }
+ }
+ }
+ }
+ }
+ },
+ "TestProfiles" : {
+ "firewalllogs" : {
+ "firewall" : {
+ "TestCases" : [ "firewalllogs" ]
+ },
+ "*" : {
+ "TestCases" : [ "_cfn-lint" ]
+ }
+ }
+ }
+ }
+ /]
+
+ [#-- Simple Network rule --]
+ [@loadModule
+ blueprint={
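Review bot: The new `firewalllogs` case only asserts that `LogDestinationConfigs` has two entries, so it would still pass if the loop emitted the same `LogType` twice or a duplicated destination — the very regression this fix targets, and one that would only surface when the stack is deployed. If the harness supports value assertions next to `Length`, add checks that `...LogDestinationConfigs[0].LogType` is `FLOW` and `[1].LogType` is `ALERT` (order follows the `["flow", "alert"]` list in setup.ftl); if it does not, a comment on the case noting that only the count is pinned would save the next reader from assuming more. A companion `alert-only` case asserting `Count: 1` would also cover the single-destination path that this change rewrites but does not exercise. The trailing context lines open the next `[@loadModule` whose body lies outside the hunk.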