Open SomayaB opened 3 years ago
I'm not sure if this is the right place to say this, or if I need to start a new issue. But the CfnFirewallPolicy
construct is not deployable in its current state. It synthesizes a template that the CloudFormation service will not accept, likely due to an inconsistency in the CloudFormation docs for this resource.
it's also very hard to extract the EndpointId List (with correspondent AZs) out of the CfnFirewall construct
@nicoaws I had to write custom resource to help get around that - it takes the public subnet, looks up az and matches it with the vpc endpoint created by the firewall - this is so you can reference it properly in the route tables. Just invoke it once per subnet/az and save the output for later reference.
My problem at the moment is the creation of the nat gateways in those public subnets.
I initially created 3 subnet groups of type PRIVATE_ISOLATED and would just create the routes manually:
And then tried to add NAT gateway to the Public group. BUT for some reason the SubnetSelector is not iterable. Forgive me i'm new to TS, JS etc so seemed like a deal-breaker in this method - though it was odd. So I am currently going another route.
const pubsubnets = vpc.selectSubnets({
subnetGroupName: 'public'
});
for (let subnet of pubsubnets)
{
new CfnNatGateway(this, 'nat '+subnet.subnetId , {
subnetId: subnet.subnetId
})
}
Type 'SelectedSubnets' must have a '[Symbol.iterator]()' method that returns an iterator.
My current path is to make the public and tgw-attach subnet groups PUBLIC and PRIVATE_WITH_NAT respectively.
However, this requires me to update the default route of the "public" route tables to point to their respective vpce not the igw. I thought this out before going thru the above method and thought this second way would be more involved. Looks like another custom resource. š
Edit: Just remembered that CDK offers a construct that allows you to write simple AWS API call custom resources natively - without having to worry about to creating and testing the lambda. This will be great for latter - since i am just doing deleteroute to igw and addroute to vpce.
Edit: Just remembered that CDK offers a construct that allows you to write simple AWS API call custom resources natively - without having to worry about to creating and testing the lambda. This will be great for latter - since i am just doing deleteroute to igw and addroute to vpce.
@vennemp Any chance you could share the CDK code you created to natively create the custom resource?
I published it on construct hub
https://constructs.dev/packages/cdk-nwfirewall/v/0.0.7?lang=typescript
And then tried to add NAT gateway to the Public group. BUT for some reason the SubnetSelector is not iterable. Forgive me i'm new to TS, JS etc so seemed like a deal-breaker in this method - though it was odd. So I am currently going another route.
const pubsubnets = vpc.selectSubnets({ subnetGroupName: 'public' });
for (let subnet of pubsubnets) { new CfnNatGateway(this, 'nat '+subnet.subnetId , { subnetId: subnet.subnetId }) }
Type 'SelectedSubnets' must have a '[Symbol.iterator]()' method that returns an iterator.
SelectedSubnets is not iterable but it has 2 members that are
readonly subnetIds: string[];
readonly subnets: ISubnet[];
Thank you!
trying to get endpointId with its AZ was a pain to work with. I posted in this related issue earlier.
for anyone looking to sort endpointIds by AZ, and not involve a CustomResource lambda, check out this stackoverflow for details. the idea is to use Fn.join
and Fn.split
to do some sorting.
posting the sorting function below as well.
/** this is actually some voodoo magic here...
* we select firewall subnet from vpc, assuming (hoping...) vpc.availabilityZones are in order of AZs
* this means we require `firewall.attrEndpointIds` to be in order.
* however, `firewall.attrEndpointIds` is not in order for some inexplicable reasons.
* https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-networkfirewall/issues/15
* `firewall.attrEndpointIds` is a List-encoded tokens - https://docs.aws.amazon.com/cdk/v2/guide/tokens.html#tokens_list
* in order to sort `firewall.attrEndpointIds` in order of AZs, we need to use a combination of splits and joins.
* AWS AZs are ordered lexicographically starting at `a`, and "assuming" vpc.availabilityZones are returned in order of AZs
* to sort `firewall.attrEndpointIds` as a List-encoded tokens, the following steps are taken:
* 1. join `firewall.attrEndpointIds` as a string token with `,` as delimiter.
* -> "us-west-2c:vpce-111122223333,us-west-2a:vpce-987654321098,us-west-2b:vpce-012345678901"
* 2. split the resulting string token `azWithFirewallVpcEndpointIds` with `a:` for the first AZ (`b:` and `c:` subsequently).
* -> [ "us-west-2c:vpce-111122223333,us-west-2", "vpce-987654321098,us-west-2b:vpce-012345678901" ]
* 3. select 2nd element as it contains the endpoint ID, along with some extra garbage and store it into var `temp`
* -> "vpce-987654321098,us-west-2b:vpce-012345678901"
* 4. split `temp` by `,` as that was the joined list delimiter
* -> [ "vpce-987654321098", "us-west-2b:vpce-012345678901" ]
* 5. select 1st element as it contains the endpoint ID without any extra garbage now
* -> "vpce-987654321098"
* https://carriagereturn.nl/aws/cloudformation/firewall/endpoint/routing/2022/05/22/firewall-endpoints.html
*/
getFirewallEndpointsInOrder(firewall: fw.CfnFirewall): string[] {
const firewallVpcEndpointIds: string[] = [];
const azWithFirewallVpcEndpointIds = cdk.Fn.join(',', firewall.attrEndpointIds);
const aZs = ['a', 'b', 'c', 'd', 'e', 'f']; // max amount of AZs in AWS (us-east-1)
for (let i = 0; i < this.vpc.availabilityZones.length; i++) {
const temp = cdk.Fn.split(`${aZs[i]}:`, azWithFirewallVpcEndpointIds, 2)[1];
const firewallVpcEndpointId = cdk.Fn.split(',', temp, 2)[0];
firewallVpcEndpointIds.push(firewallVpcEndpointId);
}
return firewallVpcEndpointIds;
}
Add your +1 š to help us prioritize high-level constructs for this service
Overview:
AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you created in Amazon Virtual Private Cloud (Amazon VPC).
AWS Docs
Maturity: CloudFormation Resources Only
See the AWS Construct Library Module Lifecycle doc for more information about maturity levels.
Implementation:
See the CDK API Reference for more implementation details.
Issue list:
This is a šTracking Issue