import * as cdk from 'aws-cdk-lib';
import {
aws_ec2 as ec2,
aws_resourcegroups as resourcegroups,
}
from 'aws-cdk-lib'
import { Construct } from 'constructs';
// import * as sqs from 'aws-cdk-lib/aws-sqs';
import * as network from 'raindancers-network'
/**
 * Test stack for the raindancers-network firewall constructs.
 *
 * It stands up an isolated VPC, two sample EC2 instances, and a Suricata
 * rule group whose two rules differ only in how the *source* is expressed:
 * one via a managed prefix list, the other via a tag-based resource group.
 *
 * The CloudWAN attachment and default routes are present but commented out,
 * so nothing in this stack has a path to the internet or another segment.
 */
export class FwconstructtestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Two isolated subnet groups: a small "linknet" and a /24 "bluesubnet".
    // natGateways: 0 keeps the VPC fully isolated.
    const blueVpc = new network.EnterpriseVpc(this, 'blueEvpc', {
      vpc: new ec2.Vpc(this, 'blueVpc', {
        ipAddresses: ec2.IpAddresses.cidr('10.10.8.0/22'),
        maxAzs: 2,
        natGateways: 0,
        subnetConfiguration: [
          { name: 'linknet', cidrMask: 27, subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
          { name: 'bluesubnet', cidrMask: 24, subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
        ],
      }),
    });

    // Attach to CloudWAN (disabled for now):
    // blueVpc.attachToCloudWan({
    //   coreNetworkName: props.corenetwork.coreName as string,
    //   segmentName: props.blueSegment.segmentName as string
    // })
    // blueVpc.addRoutes({
    //   cidr: ['0.0.0.0/0'],
    //   description: 'defaultroute',
    //   subnetGroups: ['linknet', 'bluesubnet'],
    //   destination: network.Destination.CLOUDWAN,
    //   cloudwanName: props.corenetwork.coreName as string,
    // })

    // Source selector 1: a managed prefix list that instances are added to explicitly.
    const prefixGroup = new network.PrefixList(this, 'list1', {
      addressFamily: network.IPAddressFamily.IPV4,
      prefixListName: 'pl1',
      maxEntries: 10,
    });

    // Source selector 2: a dynamic resource group keyed on a tag.
    const tagGroup = new network.DynamicTagResourceGroup(this, 'TagGroup1', {
      name: 'TagGroup1',
      description: 'A Test of Tag Groups',
    });
    tagGroup.addTagFilter({ key: 'FirewallResourceGroup', values: ['Group1'] });

    // Instance 1 is selected by the tag group; instance 2 by the prefix list.
    const instanceOne = this.sampleInstance('A sample Instance 1', 'sampleinstance1', blueVpc.vpc);
    cdk.Tags.of(instanceOne).add('FirewallResourceGroup', 'Group1');

    const instanceTwo = this.sampleInstance('sample Instance 2', 'sampleinstance2', blueVpc.vpc);
    prefixGroup.addEC2Instance(instanceTwo);

    // Rule group that demonstrates both prefix lists and resource groups as rule sources.
    // NOTE(review): firewallAccount is a hard-coded account id; consider taking it from props.
    const ruleGroup = new network.SuricataRuleGroup(this, 'mytestrules', {
      ruleGroupName: 'testrules',
      capacity: 1000,
      description: 'testing the suricata rules',
      networkFirewallEngine: {
        firewallAccount: '108967544837',
        rulesDatabase: new network.StatefulRuleDatabase(this, 'firewallrulesdb'), // this still needs to be sorted so it runs multiaccount.
      },
    });

    // Both rules are identical apart from their source selector: outbound TLS,
    // any port, destination 0.0.0.0/0, constrained by the fqdn field.
    // NOTE(review): both rules carry the same name 'verygoodcom' — confirm the
    // rule group tolerates duplicate rule names before relying on this.
    const allowVerygood = (source: typeof prefixGroup | typeof tagGroup): void => {
      ruleGroup.addRule({
        name: 'verygoodcom',
        action: network.StatefulAction.PASS,
        protocol: network.FWProtocol.TLS,
        source,
        destination: '0.0.0.0/0',
        srcPort: 'any',
        destPort: 'any',
        direction: network.Direction.OUTBOUND,
        fqdn: 'verygood.com',
      });
    };
    allowVerygood(prefixGroup);
    allowVerygood(tagGroup);
  }

  /**
   * Create a t4g.micro Amazon Linux 2 (arm64) instance in the 'bluesubnet' group.
   *
   * @param constructId - CDK construct id within this stack
   * @param instanceName - value for the instance's Name tag
   * @param vpc - VPC the instance is placed in
   * @returns the created instance
   */
  private sampleInstance(constructId: string, instanceName: string, vpc: ec2.IVpc): ec2.Instance {
    return new ec2.Instance(this, constructId, {
      instanceName,
      vpc,
      vpcSubnets: { subnetGroupName: 'bluesubnet' },
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T4G, ec2.InstanceSize.MICRO),
      machineImage: new ec2.AmazonLinuxImage({
        generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
        cpuType: ec2.AmazonLinuxCpuType.ARM_64,
      }),
    });
  }
}