Merge pull request #533 from globaldatanet/pullrequests/vboufleur/fix/misc

4.6.1

Author: daknhh

.github/workflows/waf_test_ipSets.yml

@@ -71,6 +71,10 @@ jobs:
         run: |
           export STACK_NAME=WAFStack
           task deploy config=ipSetsTests
+      - name: Sleep for 30 seconds
+        uses: jakejarvis/wait-action@master
+        with:
+          time: '30s'
       - name: 🗑️ Remove Firewall from AWS
         run: |
           export STACK_NAME=WAFStack

.github/workflows/waf_test_rateBasedwithScopeDown.yml

@@ -71,6 +71,10 @@ jobs:
         run: |
           export STACK_NAME=WAFStack
           task deploy config=rateBasedwithScopeDownTests
+      - name: Sleep for 30 seconds
+        uses: jakejarvis/wait-action@master
+        with:
+          time: '30s'
       - name: 🗑️ Remove Firewall from AWS
         run: |
           export STACK_NAME=WAFStack

.github/workflows/waf_test_regexPatternSets.yml

@@ -70,6 +70,10 @@ jobs:
         run: |
           export STACK_NAME=WAFStack
           task deploy config=regexPatternSetsTests
+      - name: Sleep for 30 seconds
+        uses: jakejarvis/wait-action@master
+        with:
+          time: '30s'
       - name: 🗑️ Remove Firewall from AWS
         run: |
           export STACK_NAME=WAFStack

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 ## Released
 
+## 4.6.1
+### Fixed
+- Bug Fix: Resolved "code not found" error in WAF WCU Quota check. Kudos to [@vboufleur](https://github.com/vboufleur) for fixing this.
+- WAFConfig Updates: Kudos to [@vboufleur](https://github.com/vboufleur) for fixing this.
+- - Added OptimizeUnassociatedWebACL property.
+- - Fixed an issue where CDK rejected deployments if the first character of CustomResponseBodies properties was uppercase.
+- Fix: Corrected imports in UnusedNotification Lambda.
+
 ## 4.6.0
 ### Added
 - Automated IP Set Management: The AutoUpdatedManagedIpSet feature now supports automated management of IP sets through AWS Firewall Factory.

lib/lambda/SendUnusedResourceNotification/messengers/slack/notification.ts

@@ -3,7 +3,7 @@ import { MessageAttachment } from "@slack/types";
 import { PolicySummary } from "@aws-sdk/client-fms";
 import { AccountWebAcls, FmsPolicy } from "../../../SharedComponents/types/index";
 import {getProductPrice}  from "../../../../tools/helpers/pricing";
-import { pricing, general } from "../../../../types/enums";
+import { PriceRegions, RegionString } from "../../../../types/enums";
 import * as packageJsonObject from "../../../../../package.json";
 
 
@@ -29,8 +29,8 @@ export async function unusedNotificationSlack(
 
 
   const region = process.env.AWS_DEFAULT_REGION || "us-east-1";
-  const policyPrice = Number(await getProductPrice(pricing.PriceRegions[region as general.RegionString],"AWSFMS","WAFv2"));
-  const webAclPrice = Number(await getProductPrice(pricing.PriceRegions[region as general.RegionString] as pricing.PriceRegions,"awswaf",undefined,"Web ACL"));
+  const policyPrice = Number(await getProductPrice(PriceRegions[region as RegionString],"AWSFMS","WAFv2"));
+  const webAclPrice = Number(await getProductPrice(PriceRegions[region as RegionString] as PriceRegions,"awswaf",undefined,"Web ACL"));
 
 
   const totalcost = (allFMSPolicies.length * policyPrice) + (totalWafs * webAclPrice);

lib/lambda/SendUnusedResourceNotification/messengers/teams/notification.ts

@@ -1,14 +1,9 @@
- 
- 
- 
- 
-
 import { IncomingWebhook } from "./IncomingWebhook";
 import { PolicySummary } from "@aws-sdk/client-fms";
 import { AccountWebAcls, FmsPolicy } from "../../../SharedComponents/types/index";
 import * as AdaptiveCards from "adaptivecards";
 import {getProductPrice}  from "../../../../tools/helpers/pricing";
-import { pricing, general } from "../../../../types/enums";
+import { PriceRegions, RegionString } from "../../../../types/enums";
 import * as packageJsonObject from "../../../../../package.json";
 import {addAccount} from "../../helper";
 
@@ -131,8 +126,8 @@ export async function unusedNotificationTeams(AllWAFs: AccountWebAcls[], UniqueU
 
 
   const region = process.env.AWS_DEFAULT_REGION || "us-east-1";
-  const policyPrice = Number(await getProductPrice(pricing.PriceRegions[region as general.RegionString],"AWSFMS","WAFv2"));
-  const webAclPrice = Number(await getProductPrice(pricing.PriceRegions[region as general.RegionString] as pricing.PriceRegions,"awswaf",undefined,"Web ACL"));
+  const policyPrice = Number(await getProductPrice(PriceRegions[region as RegionString],"AWSFMS","WAFv2"));
+  const webAclPrice = Number(await getProductPrice(PriceRegions[region as RegionString] as PriceRegions,"awswaf",undefined,"Web ACL"));
 
   const totalcost = (allFMSPolicies.length * policyPrice) + (totalWafs * webAclPrice);
   const potentialsavings = ((UniqueUnusedFMSPolicies.length)*policyPrice) + ((totalWafs - wafsInUse)*webAclPrice);

lib/tools/helpers/web-application-firewall/quotas-and-capacity.ts

@@ -12,7 +12,7 @@ import {getcurrentManagedRuleGroupVersion} from "./rulegroups";
 /**
  * Service Quota Code for Firewall Manager Total WAF WCU in account & region
  */
-const WCU_QUOTA_CODE = "L-D86ED2F3";
+const WCU_QUOTA_CODE = "L-1E778CA5";
 
 /**
  * Service Quota Code for Firewall Manager policies per organization per Region
@@ -726,4 +726,4 @@ export async function isWcuQuotaReached(deploymentRegion: string, runtimeProps:
     guidanceHelper.getGuidance("noIpReputationList", runtimeProps);
   }
   return wcuLimitReached;
-}
+}

lib/types/config/waf.ts

@@ -86,6 +86,13 @@ export interface WafConfig {
        * Replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy - Default is False
        */
       readonly OverrideCustomerWebACLAssociation?: boolean;
+
+      /**
+       * Automatically remove protections from resources that leave the policy scope and clean up resources that 
+       * Firewall Manager is managing for accounts when those accounts leave policy scope - Default is False
+       */
+      readonly OptimizeUnassociatedWebACL?: boolean;
+
       /**
        * Specifies whether this is for an Amazon CloudFront distribution or for a regional application.
        * A regional application can be
@@ -162,15 +169,15 @@ export type CustomResponseBodies = {
       /**
        * @TJS-pattern [\s\S]*
        */
-      Content: string;
+      content: string;
       /**
        * AWS WAF Content Type
        *
        * The type of content in the payload that you are defining in the Content string.
        *
        * @see https://docs.aws.amazon.com/waf/latest/APIReference/API_CustomResponseBody.html
        */
-      ContentType: CustomResponseBodiesContentType;
+      contentType: CustomResponseBodiesContentType;
     };
   };
 
@@ -392,6 +399,7 @@ export interface ManagedServiceData {
   preProcessRuleGroups: any,
   postProcessRuleGroups: any,
   overrideCustomerWebACLAssociation: boolean,
+  optimizeUnassociatedWebACL?: boolean,
   loggingConfiguration: {
     logDestinationConfigs: string[]
   }
@@ -446,4 +454,4 @@ export interface NotStatementProperty {
  */
 export interface SubVariables {
   [key: string]: string;
-}
+}

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "aws-firewall-factory",
-  "version": "4.6.0",
+  "version": "4.6.1",
   "bin": {
     "firewallfactory": "bin/aws-firewall-factory.js"
   },