DO-1532: upgrade waf construct to cdk 2

packages/waf/.gitignore

@@ -0,0 +1,58 @@
+# These are some examples of commonly ignored file patterns.
+# You should customize this list as applicable to your project.
+# Learn more about .gitignore:
+#     https://www.atlassian.com/git/tutorials/saving-changes/gitignore
+
+# Node artifact files
+node_modules/
+dist/
+
+# Compiled Java class files
+*.class
+
+# Compiled Python bytecode
+*.py[cod]
+
+# Log files
+*.log
+
+# Package files
+*.jar
+
+# Maven
+target/
+dist/
+
+# JetBrains IDE
+.idea/
+
+# Unit test reports
+TEST*.xml
+
+# Generated by MacOS
+.DS_Store
+
+# Generated by Windows
+Thumbs.db
+
+# Applications
+*.app
+*.exe
+*.war
+
+# Large media files
+*.mp4
+*.tiff
+*.avi
+*.flv
+*.mov
+*.wmv
+
+!jest.config.js
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+*.d.ts
+*.js

packages/waf/.npmignore

@@ -0,0 +1,11 @@
+*.ts
+!lib/handlers/*.ts
+!*.d.ts
+!*.js
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# Samples
+sample/

packages/waf/.npmrc

@@ -0,0 +1 @@
+10.1.0

packages/waf/.nvmrc

@@ -0,0 +1 @@
+20.7.0

packages/waf/README.md

@@ -0,0 +1,67 @@
+# Aligent AWS WAF
+
+## Overview
+
+This repository defines a CDK construct for provisioning an AWS Web Application Firewall (WAF) stack. It can be imported and used within CDK application.
+##Example
+The following CDK snippet can be used to provision the an AWS WAF stack.
+
+```
+import 'source-map-support/register';
+const cdk = require('@aws-cdk/core');
+import { WebApplicationFirewall } from '@aligent/cdk-waf';
+import { Stack } from '@aws-cdk/core';
+
+
+import { Environment } from '@aws-cdk/core'
+import { env } from 'node:process';
+
+const preprodEnv: Environment = {account: '<TargetAccountId-Preprod>', region: '<TargetAccountRegion-Preprod>'};
+
+const target = '<TargetAccountIdentifier>';
+const appName = 'WAF';
+
+const defaultAllowedIPv4s = [
+     'a.a.a.a/32', 'b.b.b.b/32',     // Offices
+     'c.c.c.c/32', 'd.d.d.d/32',     // Payment Gateways
+]
+
+const defaultAllowedIPv6s = [
+     '1234:abcd:5678:ef01::/56',     // Offices
+     '1234:ef01:5678:abcd::/56',     // Security Scanner
+]
+
+export const preProductionWafStackProps = {
+env: preprodEnv,
+     activate: true,  // Update this line with either true or false, defining Block mode or Count-only mode, respectively.  
+     allowedIPs: defaultAllowedIPs.concat([
+               'y.y.y.y/32' // AWS NAT GW of preprod vpc
+               // environment-specific comma-separated allow-list comes here
+     ]),
+     allowedUserAgents: [],  // Allowed User-Agent list that would have been blocked by AWS BadBot rule. Case-sensitive. Optional.
+     excludedAwsRules: [],   // The rule to exclude (override) from AWS-managed RuleSet. Optional.
+     associatedLoadBalancerArn: '<ArnOfPreproductionFrontendALB>',
+     wafName: <NAME>
+}
+
+class WAFStack extends Stack {
+  constructor(scope: Construct, id: string, props: preprodEnv) {
+    super(scope, id, props);
+
+    new WebApplicationFirewall(scope, 'waf-stack', prod);
+  }
+}
+
+new WAFStack(scope, envName, preProductionWafStackProps);
+```
+
+## Monitor and activate
+By default, WebACL this stack creates will work in COUNT mode to begin with.After a certain period of monitoring under real traffic and load, apply necessary changes, e.g. IP allow_list or rate limit, to avoid service interruptions before switching to BLOCK mode.
+
+## Local development
+[NPM link](https://docs.npmjs.com/cli/v7/commands/npm-link) can be used to develop the module locally.
+1. Pull this repository locally
+2. `cd` into this repository
+3. run `npm link`
+4. `cd` into the downstream repo (target project, etc) and run `npm link '@aligent/cdk-waf'`
+The downstream repository should now include a symlink to this module. Allowing local changes to be tested before pushing. You may want to update the version notation of the package in the downstream repository's `package.json`.

packages/waf/index.ts

@@ -0,0 +1,3 @@
+import { WebApplicationFirewall, WebApplicationFirewallProps } from "./lib/waf";
+
+export { WebApplicationFirewall, WebApplicationFirewallProps };