// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`Firewall Automation for Network Traffic on AWS NetworkFirewallAutomationStack Snapshot test 1`] = ` { "AWSTemplateFormatVersion": "2010-09-09", "Conditions": { "CreateDefaultRouteFirewallRT": { "Fn::And": [ { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "TransitGatewayRTIdForDefaultRoute", }, "", ], }, ], }, { "Condition": "CreateTransitGatewayAttachment", }, ], }, "CreateTransitGatewayAttachment": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "ExistingTransitGateway", }, "", ], }, ], }, "CreateTransitGatewayRTAssociation": { "Fn::And": [ { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "TransitGatewayRouteTableIdForAssociation", }, "", ], }, ], }, { "Condition": "CreateTransitGatewayAttachment", }, ], }, "LoggingInCloudWatch": { "Fn::Equals": [ { "Ref": "logDestinationType", }, "CloudWatchLogs", ], }, "LoggingInS3": { "Fn::Equals": [ { "Ref": "logDestinationType", }, "S3", ], }, "NotLoggingConfigureManually": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "logDestinationType", }, "ConfigureManually", ], }, ], }, }, "Mappings": { "Send": { "AnonymousUsage": { "Data": "Yes", }, "ParameterKey": { "UniqueId": "Solutions/network-firewall-automation/UUID", }, }, "SolutionMapping": { "CodeCommitRepo": { "Name": "network-firewall-config-repo-", }, "Log": { "Level": "info", }, "Metrics": { "URL": "https://metrics.awssolutionsbuilder.com/generic", }, "Route": { "QuadZero": "0.0.0.0/0", }, "Solution": { "Identifier": "SO0108", "Version": "v1.0.2", }, "TransitGatewayAttachment": { "ApplianceMode": "enable", }, "Version": { "Latest": "latest", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "VPC Configuration", }, "Parameters": [ "cidrBlock", ], }, { "Label": { "default": "Transit Gateway Configuration", }, "Parameters": [ "ExistingTransitGateway", "TransitGatewayRouteTableIdForAssociation", "TransitGatewayRTIdForDefaultRoute", ], }, { "Label": { "default": "Firewall Logging Configuration", }, "Parameters": [ "logDestinationType", "logType", "LogRetentionPeriod", ], }, ], "ParameterLabels": { "ExistingTransitGateway": { "default": "Provide the existing AWS Transit Gateway ID you wish to attach to the Inspection VPC", }, "LogRetentionPeriod": { "default": "Select the log retention period for Network Firewall Logs.", }, "TransitGatewayRTIdForDefaultRoute": { "default": "Provide the AWS Transit Gateway Route Table to receive 0.0.0.0/0 route to the Inspection VPC TGW Attachment.", }, "TransitGatewayRouteTableIdForAssociation": { "default": "Provide AWS Transit Gateway Route Table to be associated with the Inspection VPC TGW Attachment.", }, "cidrBlock": { "default": "Provide the CIDR block for the Inspection VPC", }, "logDestinationType": { "default": "Select the type of log destination for the Network Firewall", }, "logType": { "default": "Select the type of log to send to the defined log destination.", }, }, }, }, "Outputs": { "ArtifactBucketforCodePipeline": { "Description": "Artifact bucket name configured for the CodePipeline.", "Value": { "Ref": "NetworkFirewallCodePipelineArtifactsBucketF2569455", }, }, "CloudWatchLogGroupforFirewallLogs": { "Description": "CloudWatch Log Group used as the log destination for Firewall Logs.", "Value": { "Fn::If": [ "LoggingInCloudWatch", { "Ref": "CloudWatchLogGroup", }, "NotConfigured", ], }, }, "CodeBuildsourcecodebucket": { "Description": "Code Build source code bucket", "Value": { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, }, "FirewallSubnet1ID": { "Description": "Subnet 1 associated with Network Firewall.", "Value": { "Ref": "NetworkFirewallSubnet1", }, }, "FirewallSubnet2ID": { "Description": "Subnet 2 associated with Network Firewall.", "Value": { "Ref": "NetworkFirewallSubnet2", }, }, "InspectionVPCID": { "Description": "Inspection VPC ID to create Network Firewall.", "Value": { "Ref": "VPC", }, }, "NetworkFirewallAvailabilityZone1": { "Description": "Availability Zone configured for Network Firewall subnet 1", "Value": { "Fn::GetAtt": [ "NetworkFirewallSubnet1", "AvailabilityZone", ], }, }, "NetworkFirewallAvailabilityZone2": { "Description": "Availability Zone configured for Network Firewall subnet 2", "Value": { "Fn::GetAtt": [ "NetworkFirewallSubnet2", "AvailabilityZone", ], }, }, "S3BucketforFirewallLogs": { "Description": "S3 Bucket used as the log destination for Firewall Logs.", "Value": { "Fn::If": [ "LoggingInS3", { "Ref": "Logs6819BB44", }, "NotConfigured", ], }, }, "TransitGatewaySubnet1ID": { "Description": "Subnet 1 associated with Transit Gateway.", "Value": { "Ref": "VPCTGWSubnet1", }, }, "TransitGatewaySubnet2ID": { "Description": "Subnet 1 associated with Transit Gateway.", "Value": { "Ref": "VPCTGWSubnet2", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "ExistingTransitGateway": { "Default": "", "Description": "Existing AWS Transit Gateway id.", "Type": "String", }, "LogRetentionPeriod": { "AllowedValues": [ "1", "3", "5", "7", "14", "30", "60", "90", "120", "150", "180", "365", "400", "545", "731", "1827", "3653", ], "Default": 90, "Description": "Log retention period in days.", "Type": "Number", }, "TransitGatewayRTIdForDefaultRoute": { "Default": "", "Description": "Existing AWS Transit Gateway route table id. Example: Spoke VPC Route Table. Format: tgw-rtb-4e5f6g7h", "Type": "String", }, "TransitGatewayRouteTableIdForAssociation": { "Default": "", "Description": "Existing AWS Transit Gateway route table id. Example: Firewall Route Table. Format: tgw-rtb-0a1b2c3d", "Type": "String", }, "cidrBlock": { "AllowedPattern": "^(?:[0-9]{1,3}.){3}[0-9]{1,3}[/]([0-9]?[0-6]?|[1][7-9])$", "Default": "192.168.1.0/26", "Description": "CIDR Block for VPC. Must be /26 or larger CIDR block.", "Type": "String", }, "logDestinationType": { "AllowedValues": [ "S3", "CloudWatchLogs", "ConfigureManually", ], "Default": "CloudWatchLogs", "Description": "The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket or a CloudWatch log group.", "Type": "String", }, "logType": { "AllowedValues": [ "ALERT", "FLOW", "EnableBoth", ], "Default": "FLOW", "Description": "The type of log to send. Alert logs report traffic that matches a StatefulRule with an action setting that sends an alert log message. Flow logs are standard network traffic flow logs.", "Type": "String", }, }, "Resources": { "BuildProject097C5DB7": { "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "EncryptionKey": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "LOG_LEVEL", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "Log", "Level", ], }, }, { "Name": "VPC_ID", "Type": "PLAINTEXT", "Value": { "Ref": "VPC", }, }, { "Name": "SUBNET_IDS", "Type": "PLAINTEXT", "Value": { "Fn::Join": [ "", [ { "Ref": "NetworkFirewallSubnet1", }, ",", { "Ref": "NetworkFirewallSubnet2", }, ], ], }, }, { "Name": "LOG_TYPE", "Type": "PLAINTEXT", "Value": { "Ref": "logType", }, }, { "Name": "LOG_DESTINATION_TYPE", "Type": "PLAINTEXT", "Value": { "Ref": "logDestinationType", }, }, { "Name": "S3_LOG_BUCKET_NAME", "Type": "PLAINTEXT", "Value": { "Fn::If": [ "LoggingInS3", { "Ref": "Logs6819BB44", }, "NotConfigured", ], }, }, { "Name": "CLOUDWATCH_LOG_GROUP_NAME", "Type": "PLAINTEXT", "Value": { "Fn::If": [ "LoggingInCloudWatch", { "Ref": "CloudWatchLogGroup", }, "NotConfigured", ], }, }, { "Name": "VPC_TGW_ATTACHMENT_AZ_1", "Type": "PLAINTEXT", "Value": { "Fn::GetAtt": [ "NetworkFirewallSubnet1", "AvailabilityZone", ], }, }, { "Name": "VPC_TGW_ATTACHMENT_AZ_2", "Type": "PLAINTEXT", "Value": { "Fn::GetAtt": [ "NetworkFirewallSubnet2", "AvailabilityZone", ], }, }, { "Name": "VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_1", "Type": "PLAINTEXT", "Value": { "Ref": "VPCTGWRouteTable1", }, }, { "Name": "VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_2", "Type": "PLAINTEXT", "Value": { "Ref": "VPCTGWRouteTable2", }, }, { "Name": "CODE_BUILD_SOURCE_CODE_S3_KEY", "Type": "PLAINTEXT", "Value": "network-firewall-automation/v1.0.2", }, { "Name": "STACK_ID", "Type": "PLAINTEXT", "Value": { "Ref": "AWS::StackId", }, }, { "Name": "SSM_PARAM_FOR_UUID", "Type": "PLAINTEXT", "Value": { "Fn::Join": [ "", [ "/", { "Fn::FindInMap": [ "Send", "ParameterKey", "UniqueId", ], }, ], ], }, }, { "Name": "SEND_ANONYMOUS_METRICS", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "Send", "AnonymousUsage", "Data", ], }, }, { "Name": "SOLUTION_ID", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "Solution", "Identifier", ], }, }, { "Name": "METRICS_URL", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "Metrics", "URL", ], }, }, { "Name": "TRANSIT_GATEWAY_ATTACHMENT_ID", "Type": "PLAINTEXT", "Value": { "Fn::If": [ "CreateTransitGatewayAttachment", { "Ref": "VPCTGWATTACHMENT", }, "", ], }, }, { "Name": "TRANSIT_GATEWAY_ATTACHMENT_APPLIANCE_MODE", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "TransitGatewayAttachment", "ApplianceMode", ], }, }, { "Name": "CUSTOM_SDK_USER_AGENT", "Type": "PLAINTEXT", "Value": { "Fn::Join": [ "", [ "AwsSolution/", { "Fn::FindInMap": [ "SolutionMapping", "Solution", "Identifier", ], }, "/", { "Fn::FindInMap": [ "SolutionMapping", "Solution", "Version", ], }, ], ], }, }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "BuildProjectRoleAA92C755", "Arn", ], }, "Source": { "BuildSpec": { "Fn::Join": [ "", [ "{ "version": "0.2", "phases": { "install": { "runtime-versions": { "nodejs": "16" }, "commands": [ "export current=$(pwd)", "export sourceCodeKey=$CODE_BUILD_SOURCE_CODE_S3_KEY" ] }, "pre_build": { "commands": [ "cd $current", "pwd; ls -ltr", "echo 'Download Network Firewall Solution Package'", "aws s3 cp s3://", { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "/$sourceCodeKey/network-firewall-automation.zip $current || true", "if [ -f $current/network-firewall-automation.zip ];then exit 0;else echo \\"Copy file to s3 bucket\\"; aws s3 cp s3://solutions-", { "Ref": "AWS::Region", }, "/$sourceCodeKey/network-firewall-automation.zip s3://", { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "/$sourceCodeKey/network-firewall-automation.zip --copy-props none; aws s3 cp s3://", { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "/$sourceCodeKey/network-firewall-automation.zip $current; fi;", "unzip -o $current/network-firewall-automation.zip -d $current", "pwd; ls -ltr" ] }, "build": { "commands": [ "echo \\"Validating the firewall config\\"", "node build.js" ] } }, "artifacts": { "files": "**/*" } }", ], ], }, "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "BuildProjectRoleAA92C755": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "BuildProjectRoleDefaultPolicy3E9F248C": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:eu-west-1:1234:log-group:/aws/codebuild/", { "Ref": "BuildProject097C5DB7", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:eu-west-1:1234:log-group:/aws/codebuild/", { "Ref": "BuildProject097C5DB7", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:eu-west-1:1234:report-group/", { "Ref": "BuildProject097C5DB7", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "BuildProjectRoleDefaultPolicy3E9F248C", "Roles": [ { "Ref": "BuildProjectRoleAA92C755", }, ], }, "Type": "AWS::IAM::Policy", }, "CloudWatchLogGroup": { "Condition": "LoggingInCloudWatch", "Properties": { "KmsKeyId": { "Fn::GetAtt": [ "KMSKeyForNetworkFirewallBuckets73A57817", "Arn", ], }, "RetentionInDays": { "Ref": "LogRetentionPeriod", }, }, "Type": "AWS::Logs::LogGroup", }, "CloudWatchLogsForNetworkFirewallBucketPolicy611AC31C": { "Condition": "LoggingInS3", "DeletionPolicy": "Retain", "Properties": { "Bucket": { "Ref": "Logs6819BB44", }, "PolicyDocument": { "Statement": [ { "Action": "s3:GetObject", "Condition": { "Bool": { "aws:SecureTransport": false, }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "Logs6819BB44", "Arn", ], }, "/*", ], ], }, { "Fn::GetAtt": [ "Logs6819BB44", "Arn", ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", "UpdateReplacePolicy": "Retain", }, "CodeBuildStageSourceCodeBucketPolicyF19BA2A0": { "DeletionPolicy": "Retain", "Properties": { "Bucket": { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "PolicyDocument": { "Statement": [ { "Action": "s3:GetObject", "Condition": { "Bool": { "aws:SecureTransport": false, }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CodeBuildStagesSourceCodeBucketFA98E7C7", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CodeBuildStagesSourceCodeBucketFA98E7C7", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", "UpdateReplacePolicy": "Retain", }, "CodeBuildStagesSourceCodeBucketFA98E7C7": { "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "Source Code bucket bucket does not require logging configuration", }, { "id": "W51", "reason": "Source Code bucket is private and does not require a bucket policy", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, "SSEAlgorithm": "aws:kms", }, }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "DefaultRouteSpokeVPCTGWRouteTable": { "Condition": "CreateDefaultRouteFirewallRT", "DeletionPolicy": "Retain", "Properties": { "DestinationCidrBlock": { "Fn::FindInMap": [ "SolutionMapping", "Route", "QuadZero", ], }, "TransitGatewayAttachmentId": { "Ref": "VPCTGWATTACHMENT", }, "TransitGatewayRouteTableId": { "Ref": "TransitGatewayRTIdForDefaultRoute", }, }, "Type": "AWS::EC2::TransitGatewayRoute", }, "DeployProject1CF7CB79": { "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "EncryptionKey": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "LOG_LEVEL", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "Log", "Level", ], }, }, { "Name": "VPC_ID", "Type": "PLAINTEXT", "Value": { "Ref": "VPC", }, }, { "Name": "SUBNET_IDS", "Type": "PLAINTEXT", "Value": { "Fn::Join": [ "", [ { "Ref": "NetworkFirewallSubnet1", }, ",", { "Ref": "NetworkFirewallSubnet2", }, ], ], }, }, { "Name": "LOG_TYPE", "Type": "PLAINTEXT", "Value": { "Ref": "logType", }, }, { "Name": "LOG_DESTINATION_TYPE", "Type": "PLAINTEXT", "Value": { "Ref": "logDestinationType", }, }, { "Name": "S3_LOG_BUCKET_NAME", "Type": "PLAINTEXT", "Value": { "Fn::If": [ "LoggingInS3", { "Ref": "Logs6819BB44", }, "NotConfigured", ], }, }, { "Name": "CLOUDWATCH_LOG_GROUP_NAME", "Type": "PLAINTEXT", "Value": { "Fn::If": [ "LoggingInCloudWatch", { "Ref": "CloudWatchLogGroup", }, "NotConfigured", ], }, }, { "Name": "VPC_TGW_ATTACHMENT_AZ_1", "Type": "PLAINTEXT", "Value": { "Fn::GetAtt": [ "NetworkFirewallSubnet1", "AvailabilityZone", ], }, }, { "Name": "VPC_TGW_ATTACHMENT_AZ_2", "Type": "PLAINTEXT", "Value": { "Fn::GetAtt": [ "NetworkFirewallSubnet2", "AvailabilityZone", ], }, }, { "Name": "VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_1", "Type": "PLAINTEXT", "Value": { "Ref": "VPCTGWRouteTable1", }, }, { "Name": "VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_2", "Type": "PLAINTEXT", "Value": { "Ref": "VPCTGWRouteTable2", }, }, { "Name": "CODE_BUILD_SOURCE_CODE_S3_KEY", "Type": "PLAINTEXT", "Value": "network-firewall-automation/v1.0.2", }, { "Name": "STACK_ID", "Type": "PLAINTEXT", "Value": { "Ref": "AWS::StackId", }, }, { "Name": "SSM_PARAM_FOR_UUID", "Type": "PLAINTEXT", "Value": { "Fn::Join": [ "", [ "/", { "Fn::FindInMap": [ "Send", "ParameterKey", "UniqueId", ], }, ], ], }, }, { "Name": "SEND_ANONYMOUS_METRICS", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "Send", "AnonymousUsage", "Data", ], }, }, { "Name": "SOLUTION_ID", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "Solution", "Identifier", ], }, }, { "Name": "METRICS_URL", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "Metrics", "URL", ], }, }, { "Name": "TRANSIT_GATEWAY_ATTACHMENT_ID", "Type": "PLAINTEXT", "Value": { "Fn::If": [ "CreateTransitGatewayAttachment", { "Ref": "VPCTGWATTACHMENT", }, "", ], }, }, { "Name": "TRANSIT_GATEWAY_ATTACHMENT_APPLIANCE_MODE", "Type": "PLAINTEXT", "Value": { "Fn::FindInMap": [ "SolutionMapping", "TransitGatewayAttachment", "ApplianceMode", ], }, }, { "Name": "CUSTOM_SDK_USER_AGENT", "Type": "PLAINTEXT", "Value": { "Fn::Join": [ "", [ "AwsSolution/", { "Fn::FindInMap": [ "SolutionMapping", "Solution", "Identifier", ], }, "/", { "Fn::FindInMap": [ "SolutionMapping", "Solution", "Version", ], }, ], ], }, }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DeployProjectRole588C8C1D", "Arn", ], }, "Source": { "BuildSpec": { "Fn::Join": [ "", [ "{ "version": "0.2", "phases": { "install": { "runtime-versions": { "nodejs": "16" }, "commands": [ "export current=$(pwd)", "export sourceCodeKey=$CODE_BUILD_SOURCE_CODE_S3_KEY" ] }, "pre_build": { "commands": [ "cd $current", "pwd; ls -ltr", "echo 'Download Network Firewall Solution Package'", "aws s3 cp s3://", { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "/$sourceCodeKey/network-firewall-automation.zip $current", "unzip -o $current/network-firewall-automation.zip -d $current", "pwd; ls -ltr" ] }, "build": { "commands": [ "echo \\"Initiating Network Firewall Automation\\"", "node index.js" ] }, "post_build": { "commands": [] } }, "artifacts": { "files": "**/*" } }", ], ], }, "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "DeployProjectRole588C8C1D": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DeployProjectRoleDefaultPolicy52AEA98B": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:eu-west-1:1234:log-group:/aws/codebuild/", { "Ref": "DeployProject1CF7CB79", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:eu-west-1:1234:log-group:/aws/codebuild/", { "Ref": "DeployProject1CF7CB79", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:eu-west-1:1234:report-group/", { "Ref": "DeployProject1CF7CB79", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DeployProjectRoleDefaultPolicy52AEA98B", "Roles": [ { "Ref": "DeployProjectRole588C8C1D", }, ], }, "Type": "AWS::IAM::Policy", }, "FirewallSubnetRouteTable": { "DeletionPolicy": "Retain", "Properties": { "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-FirewallSubnetRouteTable", ], ], }, }, ], "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::RouteTable", "UpdateReplacePolicy": "Retain", }, "FlowLog": { "Properties": { "DeliverLogsPermissionArn": { "Fn::GetAtt": [ "RoleFlowLogsCA794118", "Arn", ], }, "LogGroupName": { "Ref": "AWS::StackName", }, "ResourceId": { "Ref": "VPC", }, "ResourceType": "VPC", "TrafficType": "ALL", }, "Type": "AWS::EC2::FlowLog", }, "KMSKeyForNetworkFirewallBuckets73A57817": { "DeletionPolicy": "Retain", "Properties": { "Description": "This key will be used for encrypting the vpc flow logs and firewall logs.", "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::1234:root", ], ], }, }, "Resource": "*", }, { "Action": "kms:GenerateDataKey*", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com", }, "Resource": "*", }, { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*", ], "Effect": "Allow", "Principal": { "Service": { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::Region", }, ".amazonaws.com", ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, "LogGroupFlowLogs": { "Properties": { "KmsKeyId": { "Fn::GetAtt": [ "KMSKeyForNetworkFirewallBuckets73A57817", "Arn", ], }, "LogGroupName": { "Ref": "AWS::StackName", }, "RetentionInDays": { "Ref": "LogRetentionPeriod", }, }, "Type": "AWS::Logs::LogGroup", }, "Logs6819BB44": { "Condition": "LoggingInS3", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "Logs bucket does not require logging configuration", }, { "id": "W51", "reason": "Logs bucket is private and does not require a bucket policy", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "KMSKeyForNetworkFirewallBuckets73A57817", "Arn", ], }, "SSEAlgorithm": "aws:kms", }, }, ], }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": { "Ref": "LogRetentionPeriod", }, "Status": "Enabled", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "NetworkFirewallCodePipelineA72E3ADD": { "DependsOn": [ "NetworkFirewallCodePipelineRoleDefaultPolicyF0142ABD", "NetworkFirewallCodePipelineRoleDDD28B15", ], "Properties": { "ArtifactStore": { "EncryptionKey": { "Id": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, "Type": "KMS", }, "Location": { "Ref": "NetworkFirewallCodePipelineArtifactsBucketF2569455", }, "Type": "S3", }, "RoleArn": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineRoleDDD28B15", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "main", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "NetworkFirewallCodeRepositoryF7BA0495", "Name", ], }, }, "Name": "Source", "OutputArtifacts": [ { "Name": "SourceArtifact", }, ], "RoleArn": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "BuildProject097C5DB7", }, }, "InputArtifacts": [ { "Name": "SourceArtifact", }, ], "Name": "CodeBuild", "OutputArtifacts": [ { "Name": "BuildArtifact", }, ], "RoleArn": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Validation", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "DeployProject1CF7CB79", }, }, "InputArtifacts": [ { "Name": "BuildArtifact", }, ], "Name": "CodeDeploy", "RoleArn": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Deployment", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060": { "DeletionPolicy": "Delete", "Properties": { "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::1234:root", ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Delete", }, "NetworkFirewallCodePipelineArtifactsBucketEncryptionKeyAlias1704A536": { "DeletionPolicy": "Delete", "Properties": { "AliasName": { "Fn::Join": [ "", [ "alias/", { "Ref": "AWS::StackName", }, "-artifactBucket-EncryptionKeyAlias", ], ], }, "TargetKeyId": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, }, "Type": "AWS::KMS::Alias", "UpdateReplacePolicy": "Delete", }, "NetworkFirewallCodePipelineArtifactsBucketF2569455": { "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "This S3 bucket is used as the destination for 'NetworkFirewallCodePipelineArtifactsBucket'", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, "SSEAlgorithm": "aws:kms", }, }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "NetworkFirewallCodePipelineArtifactsBucketPolicyA1DE12F9": { "Properties": { "Bucket": { "Ref": "NetworkFirewallCodePipelineArtifactsBucketF2569455", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::1234:root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRoleDefaultPolicyAB6FC4F9": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DeployProject1CF7CB79", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRoleDefaultPolicyAB6FC4F9", "Roles": [ { "Ref": "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D", }, ], }, "Type": "AWS::IAM::Policy", }, "NetworkFirewallCodePipelineEventsRole94323A48": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "NetworkFirewallCodePipelineEventsRoleDefaultPolicy5835E037": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:eu-west-1:1234:", { "Ref": "NetworkFirewallCodePipelineA72E3ADD", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "NetworkFirewallCodePipelineEventsRoleDefaultPolicy5835E037", "Roles": [ { "Ref": "NetworkFirewallCodePipelineEventsRole94323A48", }, ], }, "Type": "AWS::IAM::Policy", }, "NetworkFirewallCodePipelineRoleDDD28B15": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "NetworkFirewallCodePipelineRoleDefaultPolicyF0142ABD": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "NetworkFirewallCodePipelineRoleDefaultPolicyF0142ABD", "Roles": [ { "Ref": "NetworkFirewallCodePipelineRoleDDD28B15", }, ], }, "Type": "AWS::IAM::Policy", }, "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::1234:root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "NetworkFirewallCodePipelineSourceCodePipelineActionRoleDefaultPolicyB01603D9": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketF2569455", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", "Arn", ], }, }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NetworkFirewallCodeRepositoryF7BA0495", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "NetworkFirewallCodePipelineSourceCodePipelineActionRoleDefaultPolicyB01603D9", "Roles": [ { "Ref": "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750", }, ], }, "Type": "AWS::IAM::Policy", }, "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::1234:root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRoleDefaultPolicyA4A71A44": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "BuildProject097C5DB7", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRoleDefaultPolicyA4A71A44", "Roles": [ { "Ref": "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726", }, ], }, "Type": "AWS::IAM::Policy", }, "NetworkFirewallCodeRepositoryF7BA0495": { "DeletionPolicy": "Retain", "Properties": { "Code": { "S3": { "Bucket": "solutions-eu-west-1", "Key": { "Fn::Join": [ "", [ "network-firewall-automation/", { "Fn::FindInMap": [ "SolutionMapping", "Version", "Latest", ], }, "/network-firewall-configuration.zip", ], ], }, }, }, "RepositoryDescription": "This repository is created by the AWS Network Firewall solution for AWS Transit Gateway, to store and trigger changes to the network firewall rules and configurations.", "RepositoryName": { "Fn::Join": [ "", [ { "Fn::FindInMap": [ "SolutionMapping", "CodeCommitRepo", "Name", ], }, { "Ref": "AWS::StackName", }, ], ], }, }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "NetworkFirewallCodeRepositoryMyTestStackNetworkFirewallCodePipelineD8BFDC90mainEventRule334BD2D0": { "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "main", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "NetworkFirewallCodeRepositoryF7BA0495", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:eu-west-1:1234:", { "Ref": "NetworkFirewallCodePipelineA72E3ADD", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "NetworkFirewallCodePipelineEventsRole94323A48", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "NetworkFirewallSubnet1": { "DeletionPolicy": "Retain", "Properties": { "AvailabilityZone": { "Fn::Select": [ "0", { "Fn::GetAZs": "", }, ], }, "CidrBlock": { "Fn::Select": [ 0, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock", ], }, 4, "4", ], }, ], }, "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-FirewallSubnet1", ], ], }, }, ], "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::Subnet", "UpdateReplacePolicy": "Retain", }, "NetworkFirewallSubnet1RouteTableAssociation": { "DeletionPolicy": "Retain", "Properties": { "RouteTableId": { "Ref": "FirewallSubnetRouteTable", }, "SubnetId": { "Ref": "NetworkFirewallSubnet1", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", "UpdateReplacePolicy": "Retain", }, "NetworkFirewallSubnet2": { "DeletionPolicy": "Retain", "Properties": { "AvailabilityZone": { "Fn::Select": [ "1", { "Fn::GetAZs": "", }, ], }, "CidrBlock": { "Fn::Select": [ 1, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock", ], }, 4, "4", ], }, ], }, "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-FirewallSubnet2", ], ], }, }, ], "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::Subnet", "UpdateReplacePolicy": "Retain", }, "NetworkFirewallSubnet2RouteTableAssociation": { "DeletionPolicy": "Retain", "Properties": { "RouteTableId": { "Ref": "FirewallSubnetRouteTable", }, "SubnetId": { "Ref": "NetworkFirewallSubnet2", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", "UpdateReplacePolicy": "Retain", }, "RoleFlowLogsCA794118": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "vpc-flow-logs.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "RoleFlowLogsDefaultPolicyD1F03EF4": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogGroups", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "LogGroupFlowLogs", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "RoleFlowLogsDefaultPolicyD1F03EF4", "Roles": [ { "Ref": "RoleFlowLogsCA794118", }, ], }, "Type": "AWS::IAM::Policy", }, "TGWRoute": { "Condition": "CreateTransitGatewayAttachment", "DependsOn": [ "VPCTGWATTACHMENT", ], "Properties": { "DestinationCidrBlock": { "Fn::FindInMap": [ "SolutionMapping", "Route", "QuadZero", ], }, "RouteTableId": { "Ref": "FirewallSubnetRouteTable", }, "TransitGatewayId": { "Ref": "ExistingTransitGateway", }, }, "Type": "AWS::EC2::Route", }, "VPC": { "DeletionPolicy": "Retain", "Properties": { "CidrBlock": { "Ref": "cidrBlock", }, "Tags": [ { "Key": "created-by", "Value": "network-firewall-automation", }, { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-Inspection-VPC", ], ], }, }, ], }, "Type": "AWS::EC2::VPC", "UpdateReplacePolicy": "Retain", }, "VPCTGWATTACHMENT": { "Condition": "CreateTransitGatewayAttachment", "DeletionPolicy": "Retain", "Properties": { "SubnetIds": [ { "Ref": "VPCTGWSubnet1", }, { "Ref": "VPCTGWSubnet2", }, ], "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-Inspection-VPC-Attachment", ], ], }, }, ], "TransitGatewayId": { "Ref": "ExistingTransitGateway", }, "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::TransitGatewayAttachment", }, "VPCTGWRouteTable1": { "DeletionPolicy": "Retain", "Properties": { "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-TGWSubnetRouteTable1", ], ], }, }, ], "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::RouteTable", "UpdateReplacePolicy": "Retain", }, "VPCTGWRouteTable2": { "DeletionPolicy": "Retain", "Properties": { "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-TGWSubnetRouteTable2", ], ], }, }, ], "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::RouteTable", "UpdateReplacePolicy": "Retain", }, "VPCTGWRouteTableAssociation": { "Condition": "CreateTransitGatewayRTAssociation", "DeletionPolicy": "Retain", "Properties": { "TransitGatewayAttachmentId": { "Ref": "VPCTGWATTACHMENT", }, "TransitGatewayRouteTableId": { "Ref": "TransitGatewayRouteTableIdForAssociation", }, }, "Type": "AWS::EC2::TransitGatewayRouteTableAssociation", }, "VPCTGWSubnet1": { "DeletionPolicy": "Retain", "Properties": { "AvailabilityZone": { "Fn::Select": [ "0", { "Fn::GetAZs": "", }, ], }, "CidrBlock": { "Fn::Select": [ 2, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock", ], }, 4, "4", ], }, ], }, "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-VPCTGWSubnet1", ], ], }, }, ], "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::Subnet", "UpdateReplacePolicy": "Retain", }, "VPCTGWSubnet1RouteTableAssociation": { "DeletionPolicy": "Retain", "Properties": { "RouteTableId": { "Ref": "VPCTGWRouteTable1", }, "SubnetId": { "Ref": "VPCTGWSubnet1", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", "UpdateReplacePolicy": "Retain", }, "VPCTGWSubnet2": { "DeletionPolicy": "Retain", "Properties": { "AvailabilityZone": { "Fn::Select": [ "1", { "Fn::GetAZs": "", }, ], }, "CidrBlock": { "Fn::Select": [ 3, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock", ], }, 4, "4", ], }, ], }, "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-VPCTGWSubnet2", ], ], }, }, ], "VpcId": { "Ref": "VPC", }, }, "Type": "AWS::EC2::Subnet", "UpdateReplacePolicy": "Retain", }, "VPCTGWSubnet2RouteTableAssociation": { "DeletionPolicy": "Retain", "Properties": { "RouteTableId": { "Ref": "VPCTGWRouteTable2", }, "SubnetId": { "Ref": "VPCTGWSubnet2", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", "UpdateReplacePolicy": "Retain", }, "buildStageIAMPolicyB31D4B98": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "network-firewall:CreateFirewallPolicy", "network-firewall:CreateRuleGroup", ], "Effect": "Allow", "Resource": [ { "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateful-rulegroup/*", }, { "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:firewall-policy/*", }, { "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateless-rulegroup/*", }, ], }, { "Action": "s3:GetObject", "Effect": "Allow", "Resource": [ { "Fn::Sub": [ "arn:\${AWS::Partition}:s3:::\${CodeBucketName}/\${KeyName}/*", { "CodeBucketName": "solutions-eu-west-1", "KeyName": "network-firewall-automation", }, ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "/*", ], ], }, }, { "Action": [ "ssm:PutParameter", "ssm:GetParameter", ], "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:\${AWS::Partition}:ssm:\${AWS::Region}:\${AWS::AccountId}:parameter/\${ParameterKey}-*", { "ParameterKey": { "Fn::FindInMap": [ "Send", "ParameterKey", "UniqueId", ], }, }, ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "buildStageIAMPolicyB31D4B98", "Roles": [ { "Ref": "BuildProjectRoleAA92C755", }, ], }, "Type": "AWS::IAM::Policy", }, "deployStageFirewallLoggingCWPolicyD4098456": { "Condition": "LoggingInCloudWatch", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for describe APIs", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", ], "Effect": "Allow", "Resource": "*", }, { "Action": "logs:DescribeLogGroups", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:logs:*:\${AWS::AccountId}:log-group:*", }, }, ], "Version": "2012-10-17", }, "PolicyName": "deployStageFirewallLoggingCWPolicyD4098456", "Roles": [ { "Ref": "DeployProjectRole588C8C1D", }, ], }, "Type": "AWS::IAM::Policy", }, "deployStageFirewallLoggingPolicy15AD5CD5": { "Condition": "NotLoggingConfigureManually", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for these actions.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "deployStageFirewallLoggingPolicy15AD5CD5", "Roles": [ { "Ref": "DeployProjectRole588C8C1D", }, ], }, "Type": "AWS::IAM::Policy", }, "deployStageFirewallLoggingS3Policy8F79BDD2": { "Condition": "LoggingInS3", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutBucketPolicy", "s3:GetBucketPolicy", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "Logs6819BB44", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "deployStageFirewallLoggingS3Policy8F79BDD2", "Roles": [ { "Ref": "DeployProjectRole588C8C1D", }, ], }, "Type": "AWS::IAM::Policy", }, "deployStageFirewallPolicy72BE60BE": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for describe APIs", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "network-firewall:CreateFirewall", "network-firewall:UpdateFirewallDeleteProtection", "network-firewall:DeleteRuleGroup", "network-firewall:DescribeLoggingConfiguration", "network-firewall:UpdateFirewallDescription", "network-firewall:CreateRuleGroup", "network-firewall:DescribeFirewall", "network-firewall:DeleteFirewallPolicy", "network-firewall:UpdateRuleGroup", "network-firewall:DescribeRuleGroup", "network-firewall:ListRuleGroups", "network-firewall:UpdateSubnetChangeProtection", "network-firewall:UpdateFirewallPolicyChangeProtection", "network-firewall:AssociateFirewallPolicy", "network-firewall:DescribeFirewallPolicy", "network-firewall:UpdateFirewallPolicy", "network-firewall:DescribeResourcePolicy", "network-firewall:CreateFirewallPolicy", "network-firewall:UpdateLoggingConfiguration", "network-firewall:TagResource", ], "Effect": "Allow", "Resource": [ { "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateful-rulegroup/*", }, { "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:firewall-policy/*", }, { "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:firewall/*", }, { "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateless-rulegroup/*", }, ], }, { "Action": "s3:GetObject", "Effect": "Allow", "Resource": [ { "Fn::Sub": [ "arn:\${AWS::Partition}:s3:::\${CodeBucketName}/\${KeyName}/*", { "CodeBucketName": "solutions-eu-west-1", "KeyName": "network-firewall-automation", }, ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", }, "/*", ], ], }, ], }, { "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "ec2:CreateRoute", "ec2:DeleteRoute", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ec2:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":route-table/", { "Ref": "VPCTGWRouteTable1", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ec2:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":route-table/", { "Ref": "VPCTGWRouteTable2", }, ], ], }, ], }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:aws:iam::\${AWS::AccountId}:role/aws-service-role/network-firewall.amazonaws.com/AWSServiceRoleForNetworkFirewall", }, }, ], "Version": "2012-10-17", }, "PolicyName": "deployStageFirewallPolicy72BE60BE", "Roles": [ { "Ref": "DeployProjectRole588C8C1D", }, ], }, "Type": "AWS::IAM::Policy", }, "deployStageModifyTransitGatewayAttachmentPolicy993566C2": { "Condition": "CreateTransitGatewayAttachment", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:ModifyTransitGatewayVpcAttachment", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ec2:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":transit-gateway-attachment/", { "Ref": "VPCTGWATTACHMENT", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "deployStageModifyTransitGatewayAttachmentPolicy993566C2", "Roles": [ { "Ref": "DeployProjectRole588C8C1D", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `;