"""Unit tests for networkfirewall-supported APIs."""
import boto3
from moto import mock_aws
@mock_aws
def test_create_firewall():
    """Create a firewall and check the settings echoed back by the mock.

    DeleteProtection and SubnetChangeProtection are passed as False, while
    FirewallPolicyChangeProtection is not passed at all, so the last
    assertion pins the value reported when the caller omits that setting.
    """
    nfw = boto3.client("network-firewall", region_name="us-east-1")
    policy_arn = "arn:aws:network-firewall:ap-southeast-1:123456789012:firewall-policy/test-policy"

    response = nfw.create_firewall(
        FirewallName="test-firewall",
        FirewallPolicyArn=policy_arn,
        DeleteProtection=False,
        SubnetChangeProtection=False,
    )
    created = response["Firewall"]

    assert created["FirewallName"] == "test-firewall"
    assert "FirewallArn" in created
    # Protections that were explicitly switched off must come back as False.
    for disabled_flag in ("DeleteProtection", "SubnetChangeProtection"):
        assert created[disabled_flag] is False
    # The omitted protection is expected to be reported as enabled.
    assert created["FirewallPolicyChangeProtection"] is True
@mock_aws
def test_describe_logging_configuration():
    """Store a two-destination logging configuration and read it back.

    FLOW logs are sent to an S3 destination and ALERT logs to a CloudWatch
    Logs group; the describe call must return both entries in the order
    they were supplied.
    """
    nfw = boto3.client("network-firewall", region_name="eu-west-1")
    policy_arn = "arn:aws:network-firewall:ap-southeast-1:123456789012:firewall-policy/test-policy"
    firewall_arn = nfw.create_firewall(
        FirewallName="test-firewall",
        FirewallPolicyArn=policy_arn,
    )["Firewall"]["FirewallArn"]

    # The "alerts" prefix is fixture data only; this destination carries FLOW logs.
    s3_flow_destination = {
        "LogDestinationType": "S3",
        "LogDestination": {
            "bucketName": "DOC-EXAMPLE-BUCKET",
            "prefix": "alerts",
        },
        "LogType": "FLOW",
    }
    cloudwatch_alert_destination = {
        "LogDestinationType": "CloudWatchLogs",
        "LogDestination": {"logGroup": "alert-log-group"},
        "LogType": "ALERT",
    }
    logging_config = {
        "LogDestinationConfigs": [s3_flow_destination, cloudwatch_alert_destination]
    }

    # Attach the logging configuration to the firewall.
    nfw.update_logging_configuration(
        FirewallArn=firewall_arn, LoggingConfiguration=logging_config
    )

    # Read the configuration back through the describe call.
    described = nfw.describe_logging_configuration(FirewallArn=firewall_arn)
    assert described["FirewallArn"] == firewall_arn
    assert len(described["LoggingConfiguration"]["LogDestinationConfigs"]) == 2

    destinations = described["LoggingConfiguration"]["LogDestinationConfigs"]
    expected_pairs = [("S3", "FLOW"), ("CloudWatchLogs", "ALERT")]
    for position, (destination_type, log_type) in enumerate(expected_pairs):
        assert destinations[position]["LogDestinationType"] == destination_type
        assert destinations[position]["LogType"] == log_type
@mock_aws
def test_describe_logging_configuration_no_config_set():
    """Describe logging on a firewall that never had a configuration set.

    The response must still identify the firewall, and its
    LoggingConfiguration must be an empty dict, i.e. no log destination
    is reported for a firewall that has none configured.
    """
    nfw = boto3.client("network-firewall", region_name="eu-west-1")
    policy_arn = "arn:aws:network-firewall:ap-southeast-1:123456789012:firewall-policy/test-policy"
    created = nfw.create_firewall(
        FirewallName="test-firewall",
        FirewallPolicyArn=policy_arn,
    )
    firewall_arn = created["Firewall"]["FirewallArn"]

    described = nfw.describe_logging_configuration(FirewallArn=firewall_arn)

    assert described["FirewallArn"] == firewall_arn
    # No update_logging_configuration call was made, so nothing may be reported.
    assert described["LoggingConfiguration"] == {}
@mock_aws
def test_update_logging_configuration():
    """Set a single S3 FLOW-log destination and check the update response.

    The response must name the firewall by ARN and name, and must echo the
    submitted logging configuration unchanged.
    """
    nfw = boto3.client("network-firewall", region_name="ap-southeast-1")
    policy_arn = "arn:aws:network-firewall:ap-southeast-1:123456789012:firewall-policy/test-policy"
    firewall_arn = nfw.create_firewall(
        FirewallName="test-firewall",
        FirewallPolicyArn=policy_arn,
    )["Firewall"]["FirewallArn"]

    s3_flow_destination = {
        "LogDestinationType": "S3",
        "LogDestination": {
            "bucketName": "DOC-EXAMPLE-BUCKET",
            "prefix": "alerts",
        },
        "LogType": "FLOW",
    }
    logging_config = {"LogDestinationConfigs": [s3_flow_destination]}

    updated = nfw.update_logging_configuration(
        FirewallArn=firewall_arn, LoggingConfiguration=logging_config
    )

    assert updated["FirewallArn"] == firewall_arn
    assert updated["FirewallName"] == "test-firewall"
    returned_config = updated["LoggingConfiguration"]
    assert len(returned_config["LogDestinationConfigs"]) == 1
    # Full equality: bucket name, prefix and log type must all round-trip.
    assert returned_config == logging_config
@mock_aws
def test_list_firewalls():
    """List firewalls without a filter and then filtered by one VPC ID.

    Five firewalls are created, each in its own VPC, so the VpcIds filter
    must return exactly the one firewall attached to the requested VPC.
    """
    nfw = boto3.client("network-firewall", region_name="ap-southeast-1")
    policy_arn = "arn:aws:network-firewall:ap-southeast-1:123456789012:firewall-policy/test-policy"
    firewall_count = 5
    for idx in range(firewall_count):
        nfw.create_firewall(
            FirewallName=f"test-firewall-{idx}",
            FirewallPolicyArn=policy_arn,
            VpcId=f"vpc-1234567{idx}",
        )

    # Unfiltered listing returns every firewall, first-created first.
    everything = nfw.list_firewalls()
    assert len(everything["Firewalls"]) == 5
    first_entry = everything["Firewalls"][0]
    assert first_entry["FirewallName"] == "test-firewall-0"
    assert "FirewallArn" in first_entry

    # Filtering on a VPC ID must not return firewalls from other VPCs.
    filtered = nfw.list_firewalls(VpcIds=["vpc-12345671"])
    assert len(filtered["Firewalls"]) == 1
    assert filtered["Firewalls"][0]["FirewallName"] == "test-firewall-1"
@mock_aws
def test_describe_firewall():
    """Describe a fully specified firewall by ARN and then by name.

    All three change protections are created as False here, so the test
    checks that explicitly disabled protections are reported as disabled
    rather than replaced by another value.
    """
    nfw = boto3.client("network-firewall", region_name="ap-southeast-1")
    policy_arn = "arn:aws:network-firewall:ap-southeast-1:123456789012:firewall-policy/test-policy"
    created = nfw.create_firewall(
        FirewallName="test-firewall",
        FirewallPolicyArn=policy_arn,
        VpcId="vpc-12345678",
        SubnetMappings=[{"SubnetId": "subnet-12345678"}],
        DeleteProtection=False,
        SubnetChangeProtection=False,
        FirewallPolicyChangeProtection=False,
        Description="Test firewall",
        Tags=[{"Key": "Name", "Value": "test-firewall"}],
    )
    firewall_arn = created["Firewall"]["FirewallArn"]

    # Look the firewall up by its ARN.
    by_arn = nfw.describe_firewall(FirewallArn=firewall_arn)
    described = by_arn["Firewall"]
    assert described["FirewallName"] == "test-firewall"
    assert described["VpcId"] == "vpc-12345678"
    assert described["SubnetMappings"] == [{"SubnetId": "subnet-12345678"}]
    for protection in (
        "DeleteProtection",
        "SubnetChangeProtection",
        "FirewallPolicyChangeProtection",
    ):
        assert described[protection] is False
    assert described["Description"] == "Test firewall"
    assert described["Tags"] == [{"Key": "Name", "Value": "test-firewall"}]
    # The test expects this fixed token value from the mock.
    assert by_arn["UpdateToken"] == "1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"

    # Look the same firewall up by its name instead.
    by_name = nfw.describe_firewall(FirewallName="test-firewall")
    assert by_name["Firewall"]["FirewallName"] == "test-firewall"