As a developer, I would like to know if an IaC deployment is invalid so the code can be re-worked/fixed before I submit it to a CI/CD pipeline for deployment.
Currently there is no way to know if a provided Suricata rule string is valid until it is deployed and the rule is parsed by the AWS Network Firewall.
If the rules could be parsed and validated in CDK, this would provide some additional assurance that the deployment process will work as expected and the stack will not be rejected or the firewall will fail to parse the rules.
Some issues with local validation:
- The parser that is used in this library may not be the same parser used by AWS Network Firewall, and thus this library may not align with all issues seen by the AWS Network Firewall during deployment.
- The parser will likely need to be a dependency for this library and creates a new dependency on a 3rd party library.
- If the parser is unused (e.g. the CDK code does not use plain Suricata rules) then the validation dependency is only bloat to the package size.
Would the addition of an integrated validation tool be worth the possible inaccuracy of reports, or should this effort be something a CI/CD pipeline is responsible for checking independently and before passing the rules to this library?
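As an added example (not the library's code, and not the AWS Network Firewall parser), this is a dependency-free structural pre-check of Suricata rule strings that a CDK construct could run at synth time, catching only what any Suricata parser would reject. The function names, the accepted action list and the one-rule-per-line input format are assumptions, and it shares the caveat above: a rule that passes here can still be rejected by the service.

```typescript
// Added example, not from the library: a structural pre-check for Suricata rule
// strings, run at CDK synth time so a malformed rule fails locally. It is not the
// AWS Network Firewall parser and assumes no whitespace inside [...] lists.

export interface RuleCheck { ok: boolean; errors: string[] }

const ACTIONS = new Set(["alert", "pass", "drop", "reject"]); // assumed action list
const DIRECTIONS = new Set(["->", "<>"]);
const HEADER = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\(([\s\S]*)\)$/;

// Split "key:value; key; ..." on ';' while respecting double quotes and backslash
// escapes. Returns null on an unterminated quote or a missing trailing ';'.
function splitOptions(body: string): string[] | null {
  const out: string[] = [];
  let cur = "";
  let quoted = false;
  for (let i = 0; i < body.length; i++) {
    const c = body.charAt(i);
    if (quoted && c === "\\") { cur += c + body.charAt(i + 1); i++; continue; }
    if (c === '"') quoted = !quoted;
    if (c === ";" && !quoted) { out.push(cur.trim()); cur = ""; continue; }
    cur += c;
  }
  return quoted || cur.trim() !== "" ? null : out;
}

export function checkSuricataRule(rule: string): RuleCheck {
  const errors: string[] = [];
  const m = HEADER.exec(rule.trim());
  if (!m) return { ok: false, errors: ["rule is not 'action proto src sport dir dst dport (options)'"] };
  const action = m[1], dir = m[5], body = m[8];
  if (!ACTIONS.has(action)) errors.push(`unknown action '${action}'`);
  if (!DIRECTIONS.has(dir)) errors.push(`bad direction '${dir}'`);
  const opts = splitOptions(body);
  if (opts === null) errors.push("options: unterminated quote or missing trailing ';'");
  else if (!opts.some((o) => /^sid:\s*\d+$/.test(o))) errors.push("missing or non-numeric 'sid'");
  return { ok: errors.length === 0, errors };
}

// Check a whole rules string (one rule per line, '#' comments allowed) and also
// flag duplicate sids, which Suricata treats as a rule-loading error.
export function checkSuricataRules(rulesString: string): string[] {
  const errors: string[] = [];
  const seen = new Map<string, number>();
  rulesString.split("\n").forEach((line, idx) => {
    const text = line.trim(), lineNo = idx + 1;
    if (text === "" || text.startsWith("#")) return;
    checkSuricataRule(text).errors.forEach((e) => errors.push(`line ${lineNo}: ${e}`));
    const sid = /\bsid:\s*(\d+)\s*;/.exec(text)?.[1];
    if (sid === undefined) return;
    if (seen.has(sid)) errors.push(`line ${lineNo}: duplicate sid ${sid} (first at line ${seen.get(sid)})`);
    else seen.set(sid, lineNo);
  });
  return errors;
}
```

Calling `checkSuricataRules` in a construct's constructor and throwing on a non-empty result makes `cdk synth` fail before the template reaches the pipeline, which is the point at which the issue wants the feedback.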