Merge pull request #238 from globaldatanet/bugfix

fix

.github/workflows/docs.yml

@@ -15,6 +15,7 @@ on:
     branches:
       - master
       - 4.1.4
+      - bugfix
 jobs:
   deploy_production_main:
     name: Update Documentation

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 ## Released
 
+## 4.1.6
+### Fixed
+- Fixed Region addression in CloudWatch expressions for Dashboard
+- Bump @types/aws-lambda from 8.10.124 to 8.10.130
+- Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.13.2
+### Added
+- Add Optional setting to Config OverrideCustomerWebACLAssociation - Decide if FMS should replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy - Default is False
+- Add Optional setting to Config awsManagedRulesBotControlRuleSetProperty - Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet . See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesbotcontrolruleset.html
+- Add Optional setting to Config awsManagedRulesACFPRuleSetProperty - Details for your use of the account creation fraud prevention managed rule group, AWSManagedRulesACFPRuleSet. See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html
+- Add Optional setting to Config awsManagedRulesATPRuleSetProperty - Details for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet. See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesatpruleset.html
+
 ## 4.1.5
 ### Fixed
 - Addressed issue with missing WCU Calculation OR statement within AND statement. - [Issues232](https://github.com/globaldatanet/aws-firewall-factory/issues/232)

lib/constructs/cloudwatch.ts

@@ -82,7 +82,7 @@ config.General.DeployHash;
       cwdashboard.addWidgets(firstrow);
       for(const account of config.WebAcl.IncludeMap.account){
         // eslint-disable-next-line no-useless-escape
-        const countexpression = "SEARCH('{AWS\/WAFV2,\REGION,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\CountedRequests\"', '\Sum', 300)";
+        const countexpression = "SEARCH('{AWS\/WAFV2,\Region,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\CountedRequests\"', '\Sum', 300)";
 
         const countedRequests = new cloudwatch.GraphWidget({
           title: "🔢 Counted Requests in " + account,
@@ -99,7 +99,7 @@ config.General.DeployHash;
             color: "#9dbcd4"
           }));
         // eslint-disable-next-line no-useless-escape
-        const blockedexpression = "SEARCH('{AWS\/WAFV2,\REGION,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\BlockedRequests\"', '\Sum', 300)";
+        const blockedexpression = "SEARCH('{AWS\/WAFV2,\Region,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\BlockedRequests\"', '\Sum', 300)";
         const blockedRequests = new cloudwatch.GraphWidget({
           title: "❌ Blocked Requests in " + account,
           width: 8,
@@ -115,7 +115,7 @@ config.General.DeployHash;
             color: "#ff0000"
           }));
         // eslint-disable-next-line no-useless-escape  
-        const allowedexpression = "SEARCH('{AWS\/WAFV2,\REGION,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\AllowedRequests\"', '\Sum', 300)";
+        const allowedexpression = "SEARCH('{AWS\/WAFV2,\Region,\WebACL,\Rule} \WebACL="+webaclNamewithPrefix+" \MetricName=\"\AllowedRequests\"', '\Sum', 300)";
         const allowedRequests = new cloudwatch.GraphWidget({
           title: "✅ Allowed Requests in " + account,
           width: 8,
@@ -131,15 +131,15 @@ config.General.DeployHash;
             color: "#00FF00"
           }));
         // eslint-disable-next-line no-useless-escape
-        const sinlevaluecountedrequestsexpression = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\REGION} \WebACL="+webaclNamewithPrefix+" \MetricName=\"CountedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
+        const sinlevaluecountedrequestsexpression = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \MetricName=\"CountedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
         // eslint-disable-next-line no-useless-escape
-        const expression1 = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\REGION} \WebACL="+webaclNamewithPrefix+" \MetricName=\"AllowedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
+        const expression1 = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \MetricName=\"AllowedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
         // eslint-disable-next-line no-useless-escape
-        const expression2 = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\REGION} \WebACL="+webaclNamewithPrefix+" \MetricName=\"BlockedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
+        const expression2 = "SEARCH('{AWS\/WAFV2,\Rule,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \MetricName=\"BlockedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
         // eslint-disable-next-line no-useless-escape
-        const expression3 = "SEARCH('{AWS\/WAFV2,\LabelName,\LabelNamespace,\WebACL,\REGION} \WebACL="+webaclNamewithPrefix+" \LabelNamespace=\"awswaf:managed:aws:bot-control:bot:category\" \MetricName=\"AllowedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
+        const expression3 = "SEARCH('{AWS\/WAFV2,\LabelName,\LabelNamespace,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \LabelNamespace=\"awswaf:managed:aws:bot-control:bot:category\" \MetricName=\"AllowedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
         // eslint-disable-next-line no-useless-escape
-        const expression4 = "SEARCH('{AWS\/WAFV2,\LabelName,\LabelNamespace,\WebACL,\REGION} \WebACL="+webaclNamewithPrefix+" \LabelNamespace=\"awswaf:managed:aws:bot-control:bot:category\" \MetricName=\"BlockedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
+        const expression4 = "SEARCH('{AWS\/WAFV2,\LabelName,\LabelNamespace,\WebACL,\Region} \WebACL="+webaclNamewithPrefix+" \LabelNamespace=\"awswaf:managed:aws:bot-control:bot:category\" \MetricName=\"BlockedRequests\" \Rule=\"ALL\"', '\Sum', 300)";
         const expression5 = "SUM([e3,e4])";
         const expression6 = "SUM([e1,e2,-e3,-e4])";
 

lib/types/config.ts

@@ -32,6 +32,10 @@ export interface Config {
     readonly Description?: string,
     readonly IncludeMap:  fms.CfnPolicy.IEMapProperty,
     readonly ExcludeMap?: fms.CfnPolicy.IEMapProperty,
+    /**
+     * Replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy - Default is False
+     */
+    readonly OverrideCustomerWebACLAssociation?: boolean,
     readonly Scope: fwmEnums.WebAclScope | "CLOUDFRONT" | "REGIONAL",
     /**
      * The type of resource protected by or in scope of the policy. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.

lib/types/fms.ts

@@ -73,6 +73,18 @@ export interface ManagedRuleGroup {
   },
   ruleActionOverrides?: RuleActionOverrideProperty[],
   versionEnabled?: boolean
+  /**
+   * Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet . See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesbotcontrolruleset.html
+   */
+  awsManagedRulesBotControlRuleSetProperty?: { inspectionLevel: "COMMON" | "TARGETED", enableMachineLearning: boolean},
+  /**
+   * Details for your use of the account creation fraud prevention managed rule group, AWSManagedRulesACFPRuleSet. See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html
+   */
+  awsManagedRulesACFPRuleSetProperty?: waf.CfnWebACL.AWSManagedRulesACFPRuleSetProperty,
+  /**
+   * Details for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet. See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesatpruleset.html
+   */
+  awsManagedRulesATPRuleSetProperty?: waf.CfnWebACL.AWSManagedRulesATPRuleSetProperty,
   /**
     * Enforce the [current Default version](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups-versioning.html) of the managed rule group to be retrieved using a Lambda Function.
   */
@@ -116,6 +128,9 @@ export interface ServiceDataManagedRuleGroup extends ServiceDataAbstactRuleGroup
   excludeRules: any,
   ruleGroupType: "ManagedRuleGroup",
   ruleActionOverrides: RuleActionOverrideProperty[] | undefined,
+  awsManagedRulesBotControlRuleSetProperty?: waf.CfnWebACL.AWSManagedRulesBotControlRuleSetProperty,
+  awsManagedRulesACFPRuleSetProperty?: waf.CfnWebACL.AWSManagedRulesACFPRuleSetProperty,
+  awsManagedRulesATPRuleSetProperty?: waf.CfnWebACL.AWSManagedRulesATPRuleSetProperty,
 }
 
 export interface ServiceDataRuleGroup extends ServiceDataAbstactRuleGroup {

lib/web-application-firewall-stack.ts

@@ -223,7 +223,7 @@ export class WafStack extends cdk.Stack {
       defaultAction: { type: "ALLOW" },
       preProcessRuleGroups: preProcessRuleGroups,
       postProcessRuleGroups: postProcessRuleGroups,
-      overrideCustomerWebACLAssociation: true,
+      overrideCustomerWebACLAssociation: props.config.WebAcl.OverrideCustomerWebACLAssociation ? props.config.WebAcl.OverrideCustomerWebACLAssociation : false,
       loggingConfiguration: {
         logDestinationConfigs: [loggingConfiguration || ""],
       },
@@ -289,6 +289,9 @@ function buildServiceDataManagedRgs(scope: Construct, managedRuleGroups: Managed
         excludeRules: managedRuleGroup.excludeRules ?  managedRuleGroup.excludeRules : [],
         ruleGroupType: "ManagedRuleGroup",
         ruleActionOverrides: managedRuleGroup.ruleActionOverrides ?  managedRuleGroup.ruleActionOverrides : undefined,
+        awsManagedRulesBotControlRuleSetProperty: managedRuleGroup.awsManagedRulesBotControlRuleSetProperty ? managedRuleGroup.awsManagedRulesBotControlRuleSetProperty : undefined,
+        awsManagedRulesACFPRuleSetProperty: managedRuleGroup.awsManagedRulesACFPRuleSetProperty ? managedRuleGroup.awsManagedRulesACFPRuleSetProperty : undefined,
+        awsManagedRulesATPRuleSetProperty: managedRuleGroup.awsManagedRulesATPRuleSetProperty ? managedRuleGroup.awsManagedRulesATPRuleSetProperty : undefined,
       });
       MANAGEDRULEGROUPSINFO.push(managedRuleGroup.name+" ["+managedRuleGroup.vendor +"]");
       continue;