cdk-networkfirewall-l2's People

Contributors

dependabot[bot], durkinza


cdk-networkfirewall-l2's Issues

Add a quick start example to README

The README covers detailed steps of each portion of the Firewall documentation, but it fails to provide an easy to view example of what the firewall setup could look like.

Having an example/quickstart section that shows the basic setup of a firewall would be helpful to people that are looking at using this package.

The example only needs to represent the setup code for the Network Firewall, and any immediate dependencies such as the Firewall Policy class. But it doesn't need to show the whole CDK project structure.
The example could represent one of the two "opinionated" approaches that are described in the README, or possibly use the integration test example that is already written.

Adding Suricata Rule Validation

As a developer, I would like to know if an IaC deployment is invalid so the code can be re-worked/fixed before I submit it to a CI/CD pipeline for deployment.

Currently there is no way to know if a provided Suricata rule string is valid until it is deployed and the rule is parsed by the AWS Network Firewall.
If the rules could be parsed and validated in CDK, this would provide some additional assurance that the deployment process will work as expected and the stack will not be rejected or the firewall will fail to parse the rules.

Some issues with local validation:
The parser that is used in this library may not be the same parser used by AWS Network Firewall, and thus this library may not align with all issues seen by the AWS Network Firewall during deployment.
The parser will likely need to be a dependency for this library and creates a new dependency on a 3rd party library.
If the parser is unused (e.g. the CDK code does not use plain Suricata rules) then the validation dependency is only bloat to the package size.

Would the addition of an integrated validation tool be worth the possible inaccuracy of reports, or should this effort be something a CI/CD pipeline is responsible for checking independently and before passing the rules to this library?
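
As an added illustration of the local validation this issue discusses (not code from cdk-networkfirewall-l2 or AWS), here is a dependency-free structural pre-check in TypeScript. The names `checkSuricataRule` and `splitOptions` and the four-action list are assumptions of this example; it checks rule shape only and does not reproduce the parser AWS Network Firewall uses.

```typescript
// Added example: a structural pre-check, not the parser AWS Network Firewall uses.
// Limitation: address or port groups that contain spaces are not handled.
const ACTIONS = ["pass", "drop", "reject", "alert"]; // assumed action set
const HEADER = /^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(([\s\S]*)\)\s*$/;

// Split the option body on ';' while keeping backslash-escaped characters intact.
function splitOptions(body: string): { options: string[]; trailing: string } {
  const options: string[] = [];
  let current = "";
  for (let i = 0; i < body.length; i++) {
    const ch = body.charAt(i);
    if (ch === "\\" && i + 1 < body.length) {
      current += ch + body.charAt(i + 1); // keep the escaped character, e.g. "\;"
      i++;
    } else if (ch === ";") {
      options.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  return { options, trailing: current.trim() };
}

// Return a list of problems found in one rule string; an empty list means none found.
function checkSuricataRule(rule: string): string[] {
  const m = HEADER.exec(rule);
  if (m === null) {
    return ["expected: action proto src sport ->|<> dst dport (options)"];
  }
  const errors: string[] = [];
  const action = String(m[1]);
  if (ACTIONS.indexOf(action) === -1) errors.push("unknown action: " + action);
  const parsed = splitOptions(String(m[8]));
  if (parsed.trailing !== "") errors.push("option not terminated by ';': " + parsed.trailing);
  let sidCount = 0;
  for (const opt of parsed.options) {
    if (opt === "") { errors.push("empty option"); continue; }
    const kv = /^([a-z0-9_.\-]+)\s*(?::\s*([\s\S]+))?$/i.exec(opt);
    if (kv === null) { errors.push("malformed option: " + opt); continue; }
    if (kv[1] === "sid") {
      sidCount++;
      if (!/^\d+$/.test(String(kv[2]))) errors.push("sid must be numeric");
    }
  }
  if (sidCount !== 1) errors.push("expected exactly one sid, found " + sidCount);
  return errors;
}
```

A rule that passes this check can still be rejected at deployment, which is the accuracy trade-off the issue raises.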
