feat: release v1.1.0 - add support for lambda

Author: van-vothanh

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Dynamic Object and Rule Extensions for AWS Network Firewall Solution Release Changelog
 
+## [1.1.0] - 2022-05-12
+### Added
+- Support for lambda reference
+
 ## [1.0.0] - 2022-01-20
 ### Added
 - All files, initial version

README.md

@@ -19,7 +19,7 @@ The solution provides a RESTful interface with CRUD APIs for managing rule bundl
 *Request Orchestration*
 
 
-1. The API gateway provides the primary interface for the  customer to interact with this solution, including endpoints to manage the domain entities include Rule/Object/RuleBundle, as well as list Audit info. Please refer to [implementation guide](https://docs.aws.amazon.com/solutions/latest/dynamic-object-and-rule-extensions-for-aws-network-firewall/welcome.html)  for information on updating the Data.
+1. The API gateway provides the primary interface for the  customer to interact with this solution, including endpoints to manage the domain entities include Rule/Object/RuleBundle, as well as list Audit info. Please refer to implementation guide Appendix C: API schema and sample requests for information on updating the Metadata.
 2. Request is forwarded to the Lambda function which coordinates the handling of the request.
 3. *Optional* - based on configuration value enableOpa. When enableOpa=ture, Lambda triggers ECS-hosted OPA cluster to exercise validation on the request based on context, e.g, is the requester allowed to perform the Create Object action? 
 4. Lambda issues request data from DynamoDB to read from or write to domain entity tables
@@ -91,6 +91,21 @@ Upon successfully cloning the repository into your local development environment
 * cli tools zip tar gzip    
 
 
+## Configuration
+| Configuration | Description | Default value| Value type|
+| ----------- | ----------- | ----------- | ----------- |
+| networkFirewallRuleGroupNamePattern |	Allowed Network Firewall rule group pattern	|default-anfwconfig-rule-*|	string |
+| defaultAggregatorName	| AWS Config aggregator name used by this solution, when creating a new rule group. If no aggregator is provided, defaultAggregator will be assigned to the rule group |	org-replicator |	string |
+|ruleResolutionInterval|	The interval rules are resolved and applied into Network Firewall	|10 mins |	integer, min value 5, max value 60|
+| failureNotificationTargetEmails| The email addresses for sending notifications. Once rule resolution failure happens, customer can add their email to the SNS topic manually later on |	[] |	list of strings
+| apiGatewayType | The type of API gateway	|private |	edge \| private
+| enableOpa* |	(OPA specific configuration) Enable OPA cluster to validate rule and object mutation requests |	false	| true \| false
+|certificateArn*|	(OPA specific configuration) ACM certification for the ALB	used when enableOpa is set to true	|
+|crossAccountConfigReadOnlyRole**|	AWS IAM read-only role in the account in which the AWS config is activated	|NULL, target at solution installation account|	string
+|crossAccountNetworkFirewallReadWriteRole**| 	AWS IAM read/write role account in which the AWS network firewall instance is setup| 	NULL, target at solution installation account	| string|
+|objectExtensionSecOpsAdminRole**| 	Customer specified AWS IAM role in solution account which to be used to access solution API| 	arn:aws:iam::<solution-account>:role/ObjectExtensionSecOpsAdminRole-<solution-region>	| ARN|
+
+
 ## Running Unit Tests
 
 The `/source/run-all-tests.sh` script is the centralized script for running all unit, integration, and snapshot tests for both the CDK project as well as any associated Lambda functions or other source code packages.
@@ -103,6 +118,15 @@ chmod +x ./run-unit-tests.sh
 
 ***
 
+## API schema and examples
+### API schema document
+1. generate api doc  `cd source; npm run doc:firewall-config-api`
+2. the api document is located in [source/lambda/firewall-config-api/doc/index.html](source/lambda/firewall-config-api/doc/index.html)
+
+### API usage example
+see more in [API-Usage-example.md](source/doc/API-Usage-example.md)
+
+
 ## Building and Deploy the solution
 1. Clone the solution source code from its GitHub repository.
 2. Open the terminal and navigate to the folder created in step 1.
@@ -137,7 +161,7 @@ Notice for data retention and audit purpose the following 2 types of resource wi
 
 
 ## Collection of operational metrics
-This solution collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/dynamic-object-and-rule-extensions-for-aws-network-firewall/collection-of-operational-metrics.html).
+This solution collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](deep link into the documentation with specific information about the metrics and how to opt-out).
 
 ***
 

source/.versionrc

@@ -39,6 +39,14 @@
     {
       "filename": "lambda/shared-types/package-lock.json",
       "type": "json"
+    },
+    {
+      "filename": "lambda/operational-metrics-collector/package.json",
+      "type": "json"
+    },
+    {
+      "filename": "lambda/operational-metrics-collector/package-lock.json",
+      "type": "json"
     }
   ],
     "types": [

source/bin/cdk-solution.ts

@@ -14,38 +14,38 @@
   See the License for the specific language governing permissions and
   limitations under the License.
 */
-import "source-map-support/register";
-import * as cdk from "@aws-cdk/core";
-import { FirewallObjectExtensionSolutionStack } from "../lib/cdk-solution-stack";
+import 'source-map-support/register';
+import * as cdk from '@aws-cdk/core';
+import { FirewallObjectExtensionSolutionStack } from '../lib/cdk-solution-stack';
 
 const app = new cdk.App();
-const SOLUTION_ID = process.env["SOLUTION_ID"]
-  ? process.env["SOLUTION_ID"]
-  : "SO0196";
-const VERSION = process.env["VERSION"] ? process.env["VERSION"] : "v1.0.0";
+const SOLUTION_ID = process.env['SOLUTION_ID']
+    ? process.env['SOLUTION_ID']
+    : 'SO0196';
+const VERSION = process.env['VERSION'] ? process.env['VERSION'] : 'v1.1.0';
 
 const solutionProperty = {
-  description: `(${SOLUTION_ID}) - The AWS CDK template for deployment of the Dynamic Object and Rule Extensions for AWS Network Firewall solution, version: (Version ${VERSION})`,
-  solutionId: SOLUTION_ID,
-  version: VERSION,
+    description: `(${SOLUTION_ID}) - The AWS CDK template for deployment of the Dynamic Object and Rule Extensions for AWS Network Firewall solution, version: (Version ${VERSION})`,
+    solutionId: SOLUTION_ID,
+    version: VERSION,
 };
 
-if (app.node.tryGetContext("account") && app.node.tryGetContext("region")) {
-  new FirewallObjectExtensionSolutionStack(
-    app,
-    "FirewallObjectExtensionSolutionStack",
-    {
-      ...solutionProperty,
-      env: {
-        account: app.node.tryGetContext("account"),
-        region: app.node.tryGetContext("region"),
-      },
-    }
-  );
+if (app.node.tryGetContext('account') && app.node.tryGetContext('region')) {
+    new FirewallObjectExtensionSolutionStack(
+        app,
+        'FirewallObjectExtensionSolutionStack',
+        {
+            ...solutionProperty,
+            env: {
+                account: app.node.tryGetContext('account'),
+                region: app.node.tryGetContext('region'),
+            },
+        }
+    );
 } else {
-  new FirewallObjectExtensionSolutionStack(
-    app,
-    "FirewallObjectExtensionSolutionStack",
-    { ...solutionProperty }
-  );
+    new FirewallObjectExtensionSolutionStack(
+        app,
+        'FirewallObjectExtensionSolutionStack',
+        { ...solutionProperty }
+    );
 }

source/doc/API-Usage-example.md

@@ -0,0 +1,28 @@
+## Before you begin
+ensure that:
+
+You are using Postman version 9.xx.x or higher, and
+You can access the API gateway endpoint from your host (running Postman)
+
+
+# Load collection to postman
+1. Using Postman, navigate to Import -> Select file and select `NetworkFirewallObjectExtension-API.postman_collection.json` from /source/doc.
+2. Setup environment variables
+To set up the environment variables, from the left hand panel, navigate to Environments -> Create Environment, and add the following variables:
+
+| Variable name| Description |
+| -----------  | ----------- |
+| ff-rest-api  | API gateway ID for this solution   |
+| access_key   | AccessKeyId        |
+| secret_key   | SecretAccessKey        |
+| session_token   | SessionToken      |
+
+For example, the default role to access this solution's API gate, assuming it is in ap-southeast-2, is arn:aws:iam::<region>:role/ObjectExtensionSecOpsAdminRole-ap-southeast-2.
+
+To return the new credential values, run the following command (assuming your current credentials have the assume-role access).
+```
+aws sts assume-role --role-arn arn:aws:iam::<region>:role/ObjectExtensionSecOpsAdminRole-ap-southeast-2 --role-session-name IntegrationTestAdminSession --duration-second 3600
+```
+(assume your current credential have the assume role access) will return the new credential values.
+
+For more information about API schema please refer to [API schema and example](source/README.md)