Unable to create stateful firewall rule groups when using strict order #23
Comments
Hello @tbmorris, I have tested your code snippet in a commercial region (us-east-1) and GovCloud (us-gov-west-1) on v1.2.2 and it works as expected to create a STRICT_ORDER rule group. (Note: I did have to remove the colon after the name of your rule group; that is incorrect YAML syntax and was caught in config validation). Please let us know if removing the colon helps. I will keep the issue open for tracking purposes.
Working config snippet:
I wish the error was something that was actually in my code, but the colon was added when I copied the code over. My actual code does not have the colon.
I guess I should add that in my original code, I had several rules. I shortened the code for the sake of putting it on here, and realized that I may have cut out too much. I apologize for not putting the whole thing out. Here is what just failed for me. In the end, I want to create a stateful firewall rule and add it to the firewall-policy policy. I attached the CodeBuild log with the error that states:

Failed resources:361 | AWSAccelerator-NetworkPrepStack-031334266292-us-gov-west-1 | 5:37:28 PM | UPDATE_FAILED | AWS::NetworkFirewall::RuleGroup | WorkloadToSharedServicesNetworkFirewallRuleGroup (WorkloadToSharedServicesNetworkFirewallRuleGroupF03E5CD4) Resource handler returned message: "parameter is invalid, parameter: [STRICT_ORDER] (Service: NetworkFirewall, Status Code: 400, Request ID: 1d8b0d67-1b01-4663-bac3-b373e62d8cd0)" (RequestToken: 2f770aa3-8692-250b-4a12-0b7914ae6901, HandlerErrorCode: InvalidRequest)

```yaml
centralNetworkServices:
  delegatedAdminAccount: Network
  networkFirewall:
    firewalls:
      - name: core-network-firewall
        region: *HOME_REGION
        firewallPolicy: accelerator-policy
        subnets:
          - Network-Inspection-Firewall-A
          - Network-Inspection-Firewall-B
        vpc: Network-Inspection
        loggingConfiguration:
          - destination: s3
            type: ALERT
          - destination: cloud-watch-logs
            type: FLOW
    policies:
      - name: accelerator-policy
        regions:
          - *HOME_REGION
        firewallPolicy:
          statelessDefaultActions: ['aws:forward_to_sfe']
          statelessFragmentDefaultActions: ['aws:forward_to_sfe']
          # statefulDefaultActions: ['']
          # statefulEngineOptions: 'STRICT_ORDER'
          statefulRuleGroups:
            - name: domain-list-group
            # - name: workload-to-shared-services
            # - name: explicit-deny
        shareTargets:
          organizationalUnits:
            - Infrastructure
      - name: firewall-policy
        regions:
          - *HOME_REGION
        firewallPolicy:
          statelessDefaultActions: ['aws:forward_to_sfe']
          statelessFragmentDefaultActions: ['aws:forward_to_sfe']
          statefulDefaultActions: ['aws:drop_strict']
          statefulEngineOptions: 'STRICT_ORDER'
          statefulRuleGroups:
            # - name: domain-list-group
            # - name: workload-to-shared-services
            #   priority: 1
            # - name: explicit-deny
            #   priority: 100
        shareTargets:
          organizationalUnits:
            - Infrastructure
    rules:
      - name: workload-to-shared-services
        regions:
          - *HOME_REGION
        capacity: 100
        type: STATEFUL
        ruleGroup:
          rulesSource:
            statefulRules:
              - action: PASS
                header:
                  destination: 10.0.0.0/24
                  destinationPort: '80'
                  direction: FORWARD
                  protocol: TCP
                  source: 10.50.0.0/20
                  sourcePort: Any
                ruleOptions:
                  - keyword: sid
                    settings: ['1']
              # - action: PASS
              #   header:
              #     destination: 10.0.0.0/24
              #     destinationPort: '80'
              #     direction: FORWARD
              #     protocol: TCP
              #     source: 10.50.16.0/20
              #     sourcePort: Any
              #   ruleOptions:
              #     - keyword: sid
              #       settings: ['2']
              # - action: PASS
              #   header:
              #     destination: 10.0.0.0/24
              #     destinationPort: '80'
              #     direction: FORWARD
              #     protocol: TCP
              #     source: 10.50.32.0/20
              #     sourcePort: Any
              #   ruleOptions:
              #     - keyword: sid
              #       settings: ['3']
          statefulRuleOptions: "STRICT_ORDER"
      - name: explicit-deny
        regions:
          - *HOME_REGION
        capacity: 10
        type: STATEFUL
        ruleGroup:
          rulesSource:
            statefulRules:
              - action: DROP
                header:
                  destination: 0.0.0.0/0
                  destinationPort: ANY
                  direction: FORWARD
                  protocol: IP
                  source: 0.0.0.0/0
                  sourcePort: ANY
                ruleOptions:
                  - keyword: priority
                    settings: ['100']
                  - keyword: sid
                    settings: ['100']
      - name: domain-list-group
        regions:
          - *HOME_REGION
        capacity: 10
        type: STATEFUL
        ruleGroup:
          rulesSource:
            rulesSourceList:
              generatedRulesType: DENYLIST
              # Add/Modify the domain list per business needs.
              targets: ['.google.com']
              targetTypes: ['TLS_SNI', 'HTTP_HOST']
          ruleVariables:
            ipSets:
              name: HOME_NET
              definition:
                - 10.0.0.0/16
                - 10.1.0.0/16
                - 192.168.0.0/16
            portSets:
              name: HOME_NET
              definition:
                - '80'
                - '443'
```
I have tested your latest configuration for the centralNetworkServices in both us-east-1 and us-gov-west-1 regions. I was unable to replicate the issue. For reference I have attached the complete network-config.yaml file I used.
Could not reproduce. Closing issue.
Sorry for the late response. I have been playing with the code a lot since you posted (plus life happens and I got pulled in other directions). It appears that the issue was not the code itself, but changing the code. The first time I created the firewall rule, I did not have
Describe the bug
Creating a stateful firewall rule group fails when using strict order.
To Reproduce
Add
statefulRuleOptions: "STRICT_ORDER"
to a stateful firewall rule group in network-config.yaml.
Expected behavior
Create a stateful firewall rule group with rule option strict order with no error.
Please complete the following information about the solution:
Additional context
Attached is the CodeBuild error log. I'm sure that I have the correct code because it failed earlier in the Build stage when, I believe, the solution goes through code verification. I changed the code to the snippet above to get past the error, but now it fails at the Network_Prepare stage of Deploy.
firewall-rule-error.txt
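The thread ends with two observations worth turning into a pre-deploy check: the maintainer could create a STRICT_ORDER group from a clean state, and the reporter's last comment attributes the UPDATE_FAILED to changing an already-deployed group rather than to the YAML itself. Two AWS Network Firewall constraints sit behind that: a policy and every stateful rule group it references must use the same rule evaluation order (with a priority on each reference when the order is strict), and the rule evaluation order of an existing rule group cannot be changed after creation, so such a change has to be a replacement rather than an update. The script below is an added example, not code from the landing-zone-accelerator project; it runs those checks over the `networkFirewall` section of a network-config.yaml as produced by `yaml.safe_load`. The `SAMPLE` and `DEPLOYED` dicts are constructed here, trimmed from the config posted in this thread (with the commented-out `firewall-policy` references uncommented), so it runs without PyYAML.

```python
"""Consistency checks for the networkFirewall section of an LZA network-config.yaml.

Added example (not part of the landing-zone-accelerator project). Encodes two
AWS Network Firewall constraints:
  * a policy and every stateful rule group it references must share the same
    rule evaluation order, and strict-order references carry a priority;
  * the rule evaluation order of an existing rule group is immutable, so a
    changed statefulRuleOptions on a deployed group must be a recreate.
The dicts below are constructed stand-ins for yaml.safe_load(...)["centralNetworkServices"]["networkFirewall"].
"""
import copy

DEFAULT_ORDER = "DEFAULT_ACTION_ORDER"  # AWS default when no order is given
STRICT_ORDER = "STRICT_ORDER"

SAMPLE = {  # constructed: trimmed from the thread's config, references uncommented
    "policies": [
        {"name": "accelerator-policy",
         "firewallPolicy": {"statelessDefaultActions": ["aws:forward_to_sfe"],
                            "statelessFragmentDefaultActions": ["aws:forward_to_sfe"],
                            "statefulRuleGroups": [{"name": "domain-list-group"}]}},
        {"name": "firewall-policy",
         "firewallPolicy": {"statelessDefaultActions": ["aws:forward_to_sfe"],
                            "statelessFragmentDefaultActions": ["aws:forward_to_sfe"],
                            "statefulDefaultActions": ["aws:drop_strict"],
                            "statefulEngineOptions": STRICT_ORDER,
                            "statefulRuleGroups": [{"name": "workload-to-shared-services", "priority": 1},
                                                   {"name": "explicit-deny", "priority": 100}]}},
    ],
    "rules": [
        {"name": "workload-to-shared-services", "type": "STATEFUL",
         "ruleGroup": {"rulesSource": {"statefulRules": []}, "statefulRuleOptions": STRICT_ORDER}},
        {"name": "explicit-deny", "type": "STATEFUL",
         "ruleGroup": {"rulesSource": {"statefulRules": []}}},  # no statefulRuleOptions -> default order
        {"name": "domain-list-group", "type": "STATEFUL",
         "ruleGroup": {"rulesSource": {"rulesSourceList": {"generatedRulesType": "DENYLIST"}}}},
    ],
}

# constructed: the state before statefulRuleOptions was added to the first group
DEPLOYED = copy.deepcopy(SAMPLE)
del DEPLOYED["rules"][0]["ruleGroup"]["statefulRuleOptions"]


def rule_group_orders(nfw):
    """Map each stateful rule group name to its rule evaluation order."""
    orders = {}
    for rg in nfw.get("rules") or []:
        if rg.get("type") == "STATEFUL":
            orders[rg["name"]] = (rg.get("ruleGroup") or {}).get("statefulRuleOptions", DEFAULT_ORDER)
    return orders


def check_policies(nfw):
    """Findings for policies whose engine order disagrees with the groups they reference."""
    findings = []
    orders = rule_group_orders(nfw)
    for pol in nfw.get("policies") or []:
        fp = pol.get("firewallPolicy") or {}
        engine = fp.get("statefulEngineOptions", DEFAULT_ORDER)
        if fp.get("statefulDefaultActions") and engine != STRICT_ORDER:
            findings.append(f"{pol['name']}: statefulDefaultActions requires statefulEngineOptions STRICT_ORDER")
        # 'or []' covers a 'statefulRuleGroups:' key whose entries are all commented out (YAML null)
        for ref in fp.get("statefulRuleGroups") or []:
            name = ref["name"]
            if name not in orders:
                findings.append(f"{pol['name']}: references unknown stateful rule group '{name}'")
                continue
            if orders[name] != engine:
                findings.append(f"{pol['name']}: rule group '{name}' is {orders[name]} but policy engine is {engine}")
            if engine == STRICT_ORDER and "priority" not in ref:
                findings.append(f"{pol['name']}: strict-order reference '{name}' needs a priority")
    return findings


def check_order_changes(deployed_nfw, new_nfw):
    """Flag groups whose rule order differs from the deployed config: not updatable in place."""
    before, after = rule_group_orders(deployed_nfw), rule_group_orders(new_nfw)
    return [f"{name}: statefulRuleOptions changed {before[name]} -> {after[name]}; recreate under a new name"
            for name in sorted(before.keys() & after.keys()) if before[name] != after[name]]


if __name__ == "__main__":
    for finding in check_policies(SAMPLE) + check_order_changes(DEPLOYED, SAMPLE):
        print(finding)
```

Run against the sample it reports two things: `explicit-deny` carries no `statefulRuleOptions`, so referencing it from the strict-order `firewall-policy` mixes rule orders, and `workload-to-shared-services` changed order relative to the deployed state, which matches the in-place update the reporter describes. In a pipeline the deployed copy would come from the previously applied configuration, and either finding should fail the build before the NetworkPrep stage reaches CloudFormation.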