This repository has been archived by the owner on May 29, 2024. It is now read-only.

Commit

Update .travis.yml environment role (#17)
* Update .travis.yml environment role
+ add build status to role
+ add cfn-lint checks
+ update publisher role
+ clean up code as per pre-commit rules

* Removed unused mappings and condition parameters
rezabekf authored Mar 24, 2020
1 parent 0494571 commit 3d46a87
Showing 13 changed files with 26 additions and 31 deletions.
2 changes: 1 addition & 1 deletion .gitignore
@@ -1 +1 @@
.idea
.idea
5 changes: 4 additions & 1 deletion .travis.yml
Expand Up @@ -8,13 +8,16 @@ before_script:
- pip install -r requirements.txt

script:
- cfn-lint templates/main.template
- |
if [ $TRAVIS_PULL_REQUEST == true ] && [ $TRAVIS_BRANCH != "master" ]; then
VERSION="v$(cat templates/main.template | shyaml get-value Metadata.Version)"
git tag $VERSION
fi
before_deploy:
- mkdir -p ~/.aws
- cat >> ~/.aws/config <<<"[profile publisher]"$'\n'"credential_source=Environment"$'\n'"role_arn=${ROLE_ARN}"$'\n'"duration_seconds=900"
- VERSION="v$(cat templates/main.template | shyaml get-value Metadata.Version)"
- if [ -z "$TRAVIS_TAG" ]; then git tag $VERSION; fi
- zip -r "$VERSION.zip" -@ < ci/include.lst
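Review bot: the new `cfn-lint templates/main.template` line lints only one of the four templates this commit touches; `instance.template`, `network.template` and `security.template` receive the new `AllowedPattern` constraints and type changes but are never checked. Suggest `cfn-lint templates/*.template` so every template is linted. On the added `~/.aws/config` line, `duration_seconds=900` is the minimum assume-role lifetime, which is the right least-privilege choice for a publishing step; note that `>>` appends, so a repeated `before_deploy` run in the same environment would write a second `[profile publisher]` section, and `>` would be safer. In the surrounding context, `[ $TRAVIS_PULL_REQUEST == true ]` never matches, because Travis sets that variable to the pull request number or to `false`, so the tagging branch of that `if` is dead as written.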
Expand All @@ -29,7 +32,7 @@ deploy:
branch: master
condition: type != pull_request
- provider: script
script: aws s3 cp ./$VERSION.zip s3://$CFN_BUCKET/aws-waf-workshop/$VERSION/aws-waf-workshop.zip
script: aws s3 --profile publisher cp ./$VERSION.zip s3://$CFN_BUCKET/aws-waf-workshop/$VERSION/aws-waf-workshop.zip > /dev/null 2>&1
skip_cleanup: true
on:
tags: true
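Review bot: `> /dev/null 2>&1` on the deploy script discards the only diagnostics a failed upload produces; the non-zero exit code still fails the deploy, but the reason (expired role session, AccessDenied, missing bucket) no longer appears in the build log. The command prints no secrets, so drop `2>&1` (or both redirects) and keep stderr visible. Running the upload with `--profile publisher`, so the `aws s3 cp` executes under the short-lived assumed role rather than the long-lived environment credentials, is the right direction.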
Expand Down
1 change: 0 additions & 1 deletion LICENSE
Expand Up @@ -12,4 +12,3 @@ FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

6 changes: 4 additions & 2 deletions README.md
@@ -1,5 +1,7 @@
# AWS WAF workshop

[![Build Status](https://travis-ci.org/aws-samples/aws-waf-classic-workshop.svg?branch=master)](https://travis-ci.org/aws-samples/aws-waf-classic-workshop)

> :warning: **This workshop uses AWS WAF Classic**
A workshop about [AWS WAF](https://aws.amazon.com/waf/) and the [WAF Security Automations Solution](https://aws.amazon.com/solutions/aws-waf-security-automations/)
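Review bot: the badge block is fine, but the `> :warning:` line just below it is followed directly by `A workshop about ...` with no blank line, so Markdown lazy continuation folds that whole paragraph into the warning blockquote. Since this hunk already touches the region, add a blank line after the warning line.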
Expand All @@ -9,7 +11,7 @@ A workshop about [AWS WAF](https://aws.amazon.com/waf/) and the [WAF Security Au

This workshop introduces AWS WAF and the AWS WAF Security Automations solution.

The AWS WAF enables customers to create rules to block common attack patterns, administered via APIs.
The AWS WAF enables customers to create rules to block common attack patterns, administered via APIs.
The Security Automation Solution extends WAF by deploying a set of preconfigured rules to protect applications. These rules can be customised for your application.

## Learning Objectives
Expand All @@ -21,7 +23,7 @@ The Security Automation Solution extends WAF by deploying a set of preconfigured
## Prerequisites

To complete this workshop you will require the following:
* An AWS Account.
* An AWS Account.
* If you don’t already have an AWS account, create one at <https://aws.amazon.com> by following the on-screen instructions
* Your access to the AWS account must have IAM permissions to launch AWS CloudFormation templates that create IAM roles.

Expand Down
6 changes: 3 additions & 3 deletions docs/step-0.md
Expand Up @@ -4,7 +4,7 @@ In this step, you will deploy two CloudFormation templates required for the work

You will deploy the [WAF Security Automations Solution](https://aws.amazon.com/solutions/aws-waf-security-automations/) and a sample Web Application. The Sample Web Application template contains an EC2 instance containing the [OWASP Juice Shop](https://www2.owasp.org/www-project-juice-shop/). It is exposed by an Application Load Balancer. The sample Web Application will be protected by the WAF. The OWASP Juice Shop is an example web application containing many common vulnerabilities found in Web Applications.

> **Note**
> **Note**
You are responsible for the cost of the AWS services used while running these CloudFormation stacks. There is no additional cost for using them. For full details, see the pricing pages for each AWS service you will be using in these CloudFormation stacks. Prices are subject to change.

## Deploy the WAF Security Automations Solution
Expand All @@ -23,7 +23,7 @@ Step by step instructions:
* Leave all other parameters set to their default values.
* Check the box at the bottom allowing AWS CloudFormation to create IAM resources with custom names.
* Click the orange "Create stack" button at the bottom-right of the page to deploy the stack into your account.

## Deploy the sample Web App

|Region|Launch Template|
Expand All @@ -40,4 +40,4 @@ Step by step instructions:
* On the final page, check the box at the bottom allowing AWS CloudFormation to create IAM resources with custom names.
* Click the orange "Create stack" button at the bottom-right of the page to deploy the stack into your account.

# [Next step](step-1.md)
# [Next step](step-1.md)
6 changes: 3 additions & 3 deletions docs/step-1.md
Expand Up @@ -27,7 +27,7 @@ SQL Injection and XSS are two common attacks. The AWS WAF Security Automation So

Access the `site-url` endpoint and include bad signatures to the requests. You can use, for example:

* SQL Injection: `<your-endpoint>/?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1'`
* SQL Injection: `<your-endpoint>/?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1'` <!-- pragma: allowlist secret -->
* XSS: `<your-endpoint>/?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>`

Optional Extension - Try and find an input form on the juice site to perform a XSS attack. See if your WAF blocks the malicious request.
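Review bot: the added `<!-- pragma: allowlist secret -->` marker silences the detect-secrets pre-commit hook for this line, which is correct here since the string is a workshop SQL injection test payload rather than a credential, but nothing records why the line is exempt. A short comment next to the pragma, or in the pre-commit configuration, stating that the line is an intentional example payload would keep the allowlist from being copied onto lines that do hold secrets. Because the pragma is an HTML comment it renders invisibly, which is good for the docs.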
Expand All @@ -38,7 +38,7 @@ If you bypass the WAF by accessing the EC2 instance directly, you will see the a
HTTP floods are a type of denial-of-service attack where an application receives a large volume of requests intended to exhaust the resources of an application, preventing it from handling requests from legitimate users.
We will demonstrate functionality provided by the Security Automation Solution to detect this type of attack and block the responsible IP address in AWS WAF.

Rather than execute an HTTP Flood attack on our sample application, we can simulate one by providing an example log file. This will be processed by the Security Automation Solution.
Rather than execute an HTTP Flood attack on our sample application, we can simulate one by providing an example log file. This will be processed by the Security Automation Solution.

* Go to the CloudFormation Console, and inspect the WAF Automation stack's `Outputs` tab to find the value defined for `WafLogBucket`. Note this name. You will need it next.
* Download [this file](files/waf-access-log-sample.gz) to your machine.
Expand All @@ -51,7 +51,7 @@ Rather than execute an HTTP Flood attack on our sample application, we can simul
* To upload the file to the S3 bucket via the console, navigate to the [S3 Console page](https://s3.console.aws.amazon.com/s3/)
* Select the bucket you noted in the previous step.
* Select `upload`, then select the `waf-access-log-sample.gz` file.
* The lambda function is triggered by the creation of a new file in the S3 Bucket. Wait a few seconds while the log parser function processes the new WAF log file.
* The lambda function is triggered by the creation of a new file in the S3 Bucket. Wait a few seconds while the log parser function processes the new WAF log file.
* Check if the file `<stack_name>-waf_log_out.json` was added to the same bucket
* Check the [AWS WAF console](https://console.aws.amazon.com/wafv2/home?#/webacls) (you may need to change the filter to WAF resources in your chosen region) to see if `HTTP Flood` rule contains any IP listed.

Expand Down
2 changes: 1 addition & 1 deletion docs/step-2.md
Expand Up @@ -14,7 +14,7 @@ The HTTP Flood log parser comes with some extensions points, they are:
* Ignored Suffixes: requests accessing this type of resource will not count to request threshold. By default, this list is empty.
* URI List: use this to define a custom request threshold and block period for specifics URLs. By default, this list is empty.

The goal now is to apply customisations and check how it affects the log parser behavior.
The goal now is to apply customisations and check how it affects the log parser behavior.


### 2.1.2 Customising the HTTP Log Parser
Expand Down
4 changes: 2 additions & 2 deletions docs/step-3.md
Expand Up @@ -6,6 +6,6 @@
* Create an automation ([like this one](https://www.imperva.com/blog/imperva-integration-with-aws-security-hub-expanding-customer-security-visibility/)) to ingest AWS WAF Alert to AWS Security Hub. More info about AWS Security Hub custom providers [here](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-custom-providers.html)


## 3.2 Play with the OWASP Juice Shop.
## 3.2 Play with the OWASP Juice Shop.

* The sample application you deployed is the OWASP Juice Shop. It intentionally contains common web vulnerabilities. WAF automatically protects against some of these vulnerabilities, such as SQL Injection and Cross Site Scriptting. There is an [accompanying book by Ben Kimminitch](https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/) that explains further. Try exploring the site to test out some other vulnerabilities. Access your EC2 resource directly (bypassing the ALB) to test your attacks without the WAF protection.
* The sample application you deployed is the OWASP Juice Shop. It intentionally contains common web vulnerabilities. WAF automatically protects against some of these vulnerabilities, such as SQL Injection and Cross Site Scriptting. There is an [accompanying book by Ben Kimminitch](https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/) that explains further. Try exploring the site to test out some other vulnerabilities. Access your EC2 resource directly (bypassing the ALB) to test your attacks without the WAF protection.
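Review bot: this hunk is whitespace-only, but the lines it rewrites carry two typos that could be fixed in the same pass: `Cross Site Scriptting` should be `Cross Site Scripting`, and the author's name is spelled `Kimminich` in the gitbooks URL but `Kimminitch` in the link text.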
1 change: 1 addition & 0 deletions requirements.txt
@@ -1,2 +1,3 @@
awscli>=1.16.244
shyaml==0.6.1
cfn-lint==0.29.0
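Review bot: `cfn-lint==0.29.0` and `shyaml==0.6.1` are pinned but `awscli>=1.16.244` is not, so the toolchain used by the publishing job still floats with every build. Pin it (or pin all three with `--require-hashes`) so CI is reproducible and an unexpected upstream release cannot land in the deploy step unreviewed.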
4 changes: 1 addition & 3 deletions templates/instance.template
Expand Up @@ -3,7 +3,7 @@ Description: set up a launch configuration and attach to ASG
Metadata: {}
Parameters:
TheAmi:
Type: String
Type: AWS::EC2::Image::Id
WebSecurityGroup:
Type: String
ALBSecurityGroup:
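Review bot: changing `TheAmi` to `AWS::EC2::Image::Id` is a good move, since CloudFormation then rejects a malformed or nonexistent AMI id at parameter validation before any resource is created; `WebSecurityGroup` and `ALBSecurityGroup` immediately below are still `Type: String` and would get the same protection from `AWS::EC2::SecurityGroup::Id`.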
Expand All @@ -16,8 +16,6 @@ Parameters:
Type: String
TheWebPort:
Type: Number
Mappings: {}
Conditions: {}
Resources:
TheRolePolicies:
Type: AWS::IAM::Policy
Expand Down
2 changes: 1 addition & 1 deletion templates/main.template
@@ -1,7 +1,7 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: Workshop about AWS WAF and WAF Security Automations Solution (uksb-1q1gt3g5d)
Metadata:
Version: '1.0'
Version: '2.0'
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
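Review bot: bumping `Metadata.Version` to `2.0` also moves the release tag and the S3 prefix, because `.travis.yml` derives `VERSION` from this field and publishes to `aws-waf-workshop/$VERSION/`; check that any workshop links pointing at the `v1.0` artifact are updated. The new `AllowedPattern` constraints in the other templates mean previously accepted parameter values without a prefix length are now rejected, which is a behaviour change and does justify a major bump.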
Expand Down
15 changes: 4 additions & 11 deletions templates/network.template
Expand Up @@ -4,14 +4,16 @@ Metadata: {}
Parameters:
TheVpcRange:
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
TheSubnetRange:
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
TheOtherSubnetRange:
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
ThePublicIp:
Type: String
Mappings: {}
Conditions: {}
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
Resources:
TheVpc:
Type: AWS::EC2::VPC
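Review bot: the added `AllowedPattern` is the same long regex pasted four times with no `ConstraintDescription`, so a user who enters `10.0.0.0` without a prefix length gets the raw regex back as the validation error; add `ConstraintDescription: must be an IPv4 CIDR such as 10.0.0.0/16` next to each pattern. The pattern itself is sound: it requires the `/N` suffix and accepts prefix lengths 0 through 32, which is what `ThePublicIp` needs when it is used as a `DestinationCidrBlock` of `0.0.0.0/0`. Removing the empty `Mappings: {}` and `Conditions: {}` sections is fine.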
Expand Down Expand Up @@ -57,17 +59,11 @@ Resources:
- Key: Name
Value: !Sub '${AWS::StackName}-RouteTable'
TheSubnetRouteTableAssociation:
DependsOn:
- TheRouteTable
- TheSubnet
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref 'TheRouteTable'
SubnetId: !Ref 'TheSubnet'
TheOtherSubnetRouteTableAssociation:
DependsOn:
- TheRouteTable
- TheSubnet
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref 'TheRouteTable'
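Review bot: dropping the explicit `DependsOn` on these two associations is safe, because the `!Ref 'TheRouteTable'` and `!Ref 'TheSubnet'` properties already create implicit dependencies, and it removes a latent copy-paste error: `TheOtherSubnetRouteTableAssociation` declared a dependency on `TheSubnet` rather than on its own subnet.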
Expand All @@ -84,9 +80,6 @@ Resources:
InternetGatewayId: !Ref 'TheGateway'
VpcId: !Ref 'TheVpc'
TheRoute:
DependsOn:
- TheRouteTable
- TheGateway
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: !Ref 'ThePublicIp'
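Review bot: for `TheRoute` the implicit dependency from `!Ref` is not sufficient. An `AWS::EC2::Route` that targets an internet gateway must be created after the `AWS::EC2::VPCGatewayAttachment` (the resource whose `InternetGatewayId` and `VpcId` lines open this hunk), otherwise stack creation can fail because the gateway is not yet attached to the VPC. The removed `DependsOn` listed `TheGateway` itself, which never enforced that ordering, so replace it with a `DependsOn` on the attachment resource rather than deleting it outright.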
Expand Down
3 changes: 1 addition & 2 deletions templates/security.template
Expand Up @@ -4,12 +4,11 @@ Metadata: {}
Parameters:
ThePublicIp:
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
TheVpcId:
Type: String
TheWebPort:
Type: Number
Mappings: {}
Conditions: {}
Resources:
TheWebServerAccessSecurityGroup:
Type: AWS::EC2::SecurityGroup
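Review bot: the `AllowedPattern` added to `ThePublicIp` has no `ConstraintDescription`, so a rejected value surfaces as the raw regex; add a readable one such as `must be an IPv4 CIDR such as 203.0.113.0/24`. `TheVpcId` directly below is still `Type: String`; `AWS::EC2::VPC::Id` gives it parameter-time validation instead of failing later at resource creation.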
Expand Down
