Add command to enable WAF logging (#145)

gradle.properties

@@ -16,4 +16,4 @@
 
 group=com.nike
 artifactId=cerberus-lifecycle-cli
-version=4.12.2
+version=4.13.0

gradle/dependencies.gradle

@@ -19,7 +19,7 @@ allprojects {
         jcenter()
     }
 
-    def awsSDKVersion = '1.11.269'
+    def awsSDKVersion = '1.11.739'
 
     //noinspection GroovyAssignabilityCheck
     dependencies {
@@ -38,6 +38,8 @@ allprojects {
         compile group: 'com.amazonaws', name: 'aws-java-sdk-rds', version: awsSDKVersion
         compile group: 'com.amazonaws', name: 'aws-encryption-sdk-java', version: '1.3.1'
         compile group: 'com.amazonaws', name: 'aws-java-sdk-athena', version: awsSDKVersion
+        compile group: 'com.amazonaws', name: 'aws-java-sdk-waf', version: awsSDKVersion
+        compile group: 'com.amazonaws', name: 'aws-java-sdk-kinesis', version: awsSDKVersion
 
         compile 'com.nike:vault-client:1.4.1'
         compile 'com.squareup.okhttp3:okhttp:3.3.1'

src/main/java/com/nike/cerberus/cli/CerberusRunner.java

@@ -213,6 +213,7 @@ private void registerAllCommands() {
         registerCommand(new GenerateCertificateFilesCommand());
         registerCommand(new CreateVpcCommand());
         registerCommand(new CreateWafCommand());
+        registerCommand(new CreateWafLoggingCommand());
         registerCommand(new CreateDatabaseCommand());
         registerCommand(new CreateRoute53Command());
         registerCommand(new CreateSecurityGroupsCommand());

src/main/java/com/nike/cerberus/cli/EnvironmentConfigToArgsMapper.java

@@ -150,6 +150,9 @@ public static List<String> getArgsForCommand(EnvironmentConfig environmentConfig
             case CreateWafCommand.COMMAND_NAME:
                 args = getCreateWafCommandArgs(environmentConfig);
                 break;
+            case CreateWafLoggingCommand.COMMAND_NAME:
+                args = getCreateWafLoggingCommandArgs(environmentConfig);
+                break;
             case GenerateCertificateFilesCommand.COMMAND_NAME:
                 args = getGenerateCertificatesCommandArgs(environmentConfig);
                 break;
@@ -348,6 +351,12 @@ private static List<String> getCreateWafCommandArgs(EnvironmentConfig config) {
                 .build();
     }
 
+    private static List<String> getCreateWafLoggingCommandArgs(EnvironmentConfig config) {
+        return ArgsBuilder.create()
+                .addAll(getGlobalTags(config))
+                .build();
+    }
+
     private static List<String> getGenerateCertificatesCommandArgs(EnvironmentConfig config) {
         ArgsBuilder args = ArgsBuilder.create()
                 .addOption(GenerateCertificateFilesCommandParametersDelegate.BASE_DOMAIN_LONG_ARG, config.getBaseDomainName())

src/main/java/com/nike/cerberus/client/aws/KinesisFirehoseAwsClientFactory.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2020 Nike, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.nike.cerberus.client.aws;
+
+import com.amazonaws.regions.Regions;
+import com.amazonaws.services.kinesisfirehose.AmazonKinesisFirehoseClient;
+import com.amazonaws.services.kinesisfirehose.AmazonKinesisFirehoseClientBuilder;
+import com.nike.cerberus.service.AwsClientFactory;
+
+public class KinesisFirehoseAwsClientFactory extends AwsClientFactory<AmazonKinesisFirehoseClient> {
+
+    @Override
+    public AmazonKinesisFirehoseClient getClient(Regions region) {
+        if (!clients.containsKey(region)) {
+            clients.put(region, createClient(region));
+        }
+        return clients.get(region);
+    }
+
+    private AmazonKinesisFirehoseClient createClient(Regions region) {
+        return (AmazonKinesisFirehoseClient) AmazonKinesisFirehoseClientBuilder.standard()
+                .withRegion(region)
+                .withCredentials(getAWSCredentialsProviderChain())
+                .build();
+    }
+
+}

src/main/java/com/nike/cerberus/client/aws/WafAwsClientFactory.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2020 Nike, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.nike.cerberus.client.aws;
+
+import com.amazonaws.regions.Regions;
+import com.amazonaws.services.waf.AWSWAFRegionalClient;
+import com.amazonaws.services.waf.AWSWAFRegionalClientBuilder;
+import com.nike.cerberus.service.AwsClientFactory;
+
+public class WafAwsClientFactory extends AwsClientFactory<AWSWAFRegionalClient> {
+
+    @Override
+    public AWSWAFRegionalClient getClient(Regions region) {
+        if (!clients.containsKey(region)) {
+            clients.put(region, createClient(region));
+        }
+        return clients.get(region);
+    }
+
+    private AWSWAFRegionalClient createClient(Regions region) {
+        return (AWSWAFRegionalClient) AWSWAFRegionalClientBuilder.standard()
+                .withRegion(region)
+                .withCredentials(getAWSCredentialsProviderChain())
+                .build();
+    }
+
+}

src/main/java/com/nike/cerberus/command/core/CreateWafLoggingCommand.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2020 Nike, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.nike.cerberus.command.core;
+
+import com.beust.jcommander.Parameter;
+import com.beust.jcommander.Parameters;
+import com.beust.jcommander.ParametersDelegate;
+import com.nike.cerberus.command.Command;
+import com.nike.cerberus.domain.cloudformation.CloudFormationParametersDelegate;
+import com.nike.cerberus.operation.Operation;
+import com.nike.cerberus.operation.core.CreateWafLoggingOperation;
+
+import static com.nike.cerberus.command.core.CreateWafCommand.COMMAND_NAME;
+
+/**
+ * Command to create the WAF logging for Cerberus.
+ */
+@Parameters(commandNames = COMMAND_NAME,
+        commandDescription = "Create the Web Application Firewall (WAF) logging.")
+public class CreateWafLoggingCommand implements Command {
+
+    public static final String COMMAND_NAME = "create-waf-logging";
+
+    @ParametersDelegate
+    private CloudFormationParametersDelegate cloudFormationParametersDelegate = new CloudFormationParametersDelegate();
+
+    @Parameter(names = {"--skip-stack-creation", "-s"}, description = "Skips WAF logging stack creation.")
+    private boolean skipStackCreation;
+
+    public boolean isSkipStackCreation() {
+        return skipStackCreation;
+    }
+
+    public CloudFormationParametersDelegate getCloudFormationParametersDelegate() {
+        return cloudFormationParametersDelegate;
+    }
+
+    @Override
+    public String getCommandName() {
+        return COMMAND_NAME;
+    }
+
+    @Override
+    public Class<? extends Operation<?>> getOperationClass() {
+        return CreateWafLoggingOperation.class;
+    }
+
+}

src/main/java/com/nike/cerberus/domain/cloudformation/WafLoggingOutputs.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2020 Nike, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.nike.cerberus.domain.cloudformation;
+
+/**
+ * Represents the WAF logging stack outputs.
+ */
+public class WafLoggingOutputs {
+    private String kinesisFirehoseDeliveryStreamARN;
+
+    private String kinesisFirehoseDeliveryStreamName;
+
+    public String getKinesisFirehoseDeliveryStreamName() {
+        return kinesisFirehoseDeliveryStreamName;
+    }
+
+    public void setKinesisFirehoseDeliveryStreamName(String kinesisFirehoseDeliveryStreamName) {
+        this.kinesisFirehoseDeliveryStreamName = kinesisFirehoseDeliveryStreamName;
+    }
+
+    public String getKinesisFirehoseDeliveryStreamARN() {
+        return kinesisFirehoseDeliveryStreamARN;
+    }
+
+    public void setKinesisFirehoseDeliveryStreamARN(String kinesisFirehoseDeliveryStreamARN) {
+        this.kinesisFirehoseDeliveryStreamARN = kinesisFirehoseDeliveryStreamARN;
+    }
+}

src/main/java/com/nike/cerberus/domain/cloudformation/WafLoggingParameters.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2020 Nike, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.nike.cerberus.domain.cloudformation;
+
+/**
+ * Represents the WAF logging stack inputs.
+ */
+public class WafLoggingParameters {
+    private String environmentName;
+
+    public String getEnvironmentName() {
+        return environmentName;
+    }
+
+    public WafLoggingParameters setEnvironmentName(String environmentName) {
+        this.environmentName = environmentName;
+        return this;
+    }
+}

src/main/java/com/nike/cerberus/domain/cloudformation/WafOutputs.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019 Nike, Inc.
+ * Copyright (c) 2020 Nike, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,17 +21,27 @@
  */
 public class WafOutputs {
 
-    private Integer autoBlockIPSetID;
+    private String autoBlockIPSetID;
 
     private String manualBlockIPSetID;
 
     private String whitelistIPSetID;
 
-    public Integer getAutoBlockIPSetID() {
+    private String webAclID;
+
+    public String getWebAclID() {
+        return webAclID;
+    }
+
+    public void setWebAclID(String webAclID) {
+        this.webAclID = webAclID;
+    }
+
+    public String getAutoBlockIPSetID() {
         return autoBlockIPSetID;
     }
 
-    public WafOutputs setAutoBlockIPSetID(Integer autoBlockIPSetID) {
+    public WafOutputs setAutoBlockIPSetID(String autoBlockIPSetID) {
         this.autoBlockIPSetID = autoBlockIPSetID;
         return this;
     }

src/main/java/com/nike/cerberus/domain/environment/Stack.java

@@ -42,6 +42,7 @@ public class Stack implements Comparable<Stack> {
     public static final Stack WAF = new Stack("web-app-firewall", "web-app-firewall.yaml", false);
     public static final Stack ROUTE53 = new Stack("route53", "route53.yaml", false);
     public static final Stack AUDIT = new Stack("audit", "audit.yaml", false);
+    public static final Stack WAF_LOGGING = new Stack("waf-logging", "waf-logging.yaml", false);
 
     public static final ImmutableList<Stack> ALL_STACKS = ImmutableList.of(
             IAM_ROLES,
@@ -53,7 +54,8 @@ public class Stack implements Comparable<Stack> {
             CMS,
             WAF,
             ROUTE53,
-            AUDIT
+            AUDIT,
+            WAF_LOGGING
     );
 
     public static final ImmutableList<String> ALL_STACK_NAMES = ImmutableList.copyOf(ALL_STACKS.stream().map(Stack::getName).collect(Collectors.toList()));

src/main/java/com/nike/cerberus/module/CerberusModule.java

@@ -23,13 +23,15 @@
 import com.amazonaws.services.ec2.AmazonEC2Client;
 import com.amazonaws.services.elasticloadbalancingv2.AmazonElasticLoadBalancingClient;
 import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient;
+import com.amazonaws.services.kinesisfirehose.AmazonKinesisFirehoseClient;
 import com.amazonaws.services.kms.AWSKMSClient;
 import com.amazonaws.services.lambda.AWSLambdaClient;
 import com.amazonaws.services.rds.AmazonRDSClient;
 import com.amazonaws.services.route53.AmazonRoute53Client;
 import com.amazonaws.services.s3.AmazonS3Client;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
 import com.amazonaws.services.sns.AmazonSNSClient;
+import com.amazonaws.services.waf.AWSWAFRegionalClient;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.PropertyNamingStrategy;
@@ -46,6 +48,8 @@
 import com.google.inject.name.Names;
 import com.google.inject.util.Providers;
 import com.nike.cerberus.client.aws.AthenaAwsClientFactory;
+import com.nike.cerberus.client.aws.KinesisFirehoseAwsClientFactory;
+import com.nike.cerberus.client.aws.WafAwsClientFactory;
 import com.nike.cerberus.command.CerberusCommand;
 import com.nike.cerberus.command.ProxyDelegate;
 import com.nike.cerberus.domain.environment.RegionDeserializer;
@@ -125,6 +129,8 @@ private void bindAwsClientFactories() {
         bind(new TypeLiteral<AwsClientFactory<AmazonElasticLoadBalancingClient>>() {}).toInstance(new AwsClientFactory<AmazonElasticLoadBalancingClient>() {});
         bind(new TypeLiteral<AwsClientFactory<AmazonRDSClient>>() {}).toInstance(new AwsClientFactory<AmazonRDSClient>() {});
         bind(new TypeLiteral<AwsClientFactory<AmazonAthenaClient>>() {}).toInstance(new AthenaAwsClientFactory());
+        bind(new TypeLiteral<AwsClientFactory<AWSWAFRegionalClient>>() {}).toInstance(new WafAwsClientFactory() {});
+        bind(new TypeLiteral<AwsClientFactory<AmazonKinesisFirehoseClient>>() {}).toInstance(new KinesisFirehoseAwsClientFactory() {});
     }
 
     /**

src/main/java/com/nike/cerberus/operation/core/CreateAlbLogAthenaDbAndTableOperation.java

@@ -35,6 +35,9 @@
 
 import static com.nike.cerberus.module.CerberusModule.ENV_NAME;
 
+/**
+ * Creates the Athena database and table for ALB log for Cerberus
+ */
 public class CreateAlbLogAthenaDbAndTableOperation implements Operation<CreateAlbLogAthenaDbAndTableCommand> {
 
     private final Logger log = LoggerFactory.getLogger(getClass());