Updated FMS AWS solution runtime issues. #45

Open
ssreedh opened this issue Jan 13, 2025 · 2 comments
Labels
bug Something isn't working question Further information is requested

Comments

ssreedh commented Jan 13, 2025

We are using https://aws.amazon.com/solutions/implementations/automations-for-aws-firewall-manager/ . We have taken the latest version.

Issue 1 --> We are noticing that when we remove an OU from the parameter store, the FMS policy is getting removed from the target accounts, but the retrofitted changes are still continuing in the removed OU's existing WebACLs. (Is it because the policy is already allocated to resources?) How can we make this workflow work via parameter store removal events?
file1.json
file2.json

Issue 2 --> The first time we deploy the solution, it doesn't create any WAF policies/rules. Is this expected? We could see the policy JSON file there in the manifest bucket. Every time we must manually update the S3 object to get the policy built. Can we modify the code to read from the repository directory itself of the CodeCommit/CodePipeline deployment we use?

Issue 3 -->
Please refer to the attached policy JSON files which we have been using in our production environment.
File1 --> Why is resource type 'AWS::AppSync::GraphQLApi' not supported? In this case the regional policy doesn't get built in the FMS console.
File2 --> Why is the WAF global policy not getting built using file 2? I am trying to get the 'Retrofit' option enabled under Web ACL Management, but Firewall Manager failed to build the policy. Can you give a working example of the policy?

Issue 4 -->
When I manually enable it in the web console (under Web ACL Management, the checkbox 'Manage Unassociated Web ACLs' set to 'default' and 'Retrofit existing WebACLs' selected), I could see that it works and created FM-managed WebACLs in the target accounts with no resource allocated, whereas I expected it to modify the existing WebACLs to add the FM-managed rule group into them.
Question is --> Will this be charged twice, as the existing WebACLs stay as they are and the FMS WebACLs come in addition?


ssreedh added the bug label on Jan 13, 2025

jrgaray27 (Member)

Hello,
I will be looking into this today and will reach out once I have more information.

Thanks.

jrgaray27 added the question label on Jan 13, 2025

jrgaray27 (Member)

  1. I have so far been unable to reproduce this issue with the latest version of the solution (v2.1.0). More specifically, I have tried setting the OU param to deploy the WAF global policy, then changed the OU param to deploy to a different OU, and finally uploaded a new version of the policy_manifest.json file. Then, after checking the WAF WebACLs created in the original OU, I found they do not appear to be updated to reflect the new policy_manifest.json configuration. Can you provide me with the exact steps you have taken to observe this issue? Please note that uploading a new policy_manifest.json file to the solution's S3 bucket will trigger automatic updates to the security policies (without changes to the SSM Parameters). Is it possible that you uploaded to S3 prior to changing/removing the /FMS/OUs SSM parameter? This would likely cause the behavior you're observing.
  2. Yes, it is expected that no policies are created upon deployment. This is because you must first specify where the policies described in the policy_manifest.json file should be deployed via the SSM Parameters created by the solution: /FMS/XXX/OUs, /FMS/XXX/Regions, /FMS/DefaultPolicy/Tags. After editing some or all of these parameters, the solution will automatically deploy the security policies. This is done using an EventBridge rule. Modifying the solution to read from a different source file (not S3) would require significant changes to the code in the solution's Lambda functions; for ease of use, I would recommend managing the policy_manifest.json in S3. As I mentioned previously, updates to this file in S3 will automatically trigger updates to deployed Firewall Manager policies.
  3. The Firewall Manager service does not currently support the AWS::AppSync::GraphQLApi resource type for WAF policies. Regarding "file2", the deployment is not working because the versions you have set for the WAF_GLOBAL rules are invalid. I've created a valid example of versioning in the following file: policy_manifest.json. You can fetch the valid versions of each rule using the list-available-managed-rule-group-versions CLI command as described here.
  4. This solution does not modify any existing WAF WebACLs or other security policies that aren't created by the solution. Instead, it will create new security policies and modify/delete them following any changes to the SSM Parameters. This means that any policies deployed by the solution will incur additional cost. If you want to avoid duplicate cost, you should not deploy any policies using the Firewall Manager console that overlap with any policies deployed by the solution. For more information on cost of the solution, refer to the documentation here.
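Following up on point 3 of the reply above, here is an added example (not code from the Automations for AWS Firewall Manager solution, and not part of the maintainer's reply) that checks the managed rule group versions pinned in a Firewall Manager WAFV2 policy against the versions WAF actually offers, and prints the `aws wafv2 list-available-managed-rule-group-versions` command to run for any pinned version that is not available. The policy fragment is written in the FMS WAFV2 `managedServiceData` shape (`preProcessRuleGroups` / `managedRuleGroupIdentifier`), not in the solution's own policy_manifest.json layout, which this page does not show; the version listing mirrors the CLI response shape (`Versions[].Name`, `CurrentDefaultVersion`). Both inputs are constructed inline and the version strings are illustrative, not a statement of what AWS currently publishes.

```python
"""Validate pinned managed rule group versions in an FMS WAFV2 policy.

Added example, not code from the Automations for AWS Firewall Manager
solution. The policy fragment follows the FMS WAFV2 managedServiceData
shape; the version listing mirrors the response shape of
`aws wafv2 list-available-managed-rule-group-versions`. Both are
constructed sample data, and the version strings are illustrative only.
"""
import json

# Constructed policy fragment. "Version_9.9" is deliberately invalid;
# a null version means "let WAF apply the rule group's default version".
MANAGED_SERVICE_DATA = json.dumps({
    "type": "WAFV2",
    "defaultAction": {"type": "ALLOW"},
    "overrideCustomerWebACLAssociation": False,
    "preProcessRuleGroups": [
        {
            "ruleGroupType": "ManagedRuleGroup",
            "overrideAction": {"type": "NONE"},
            "excludeRules": [],
            "managedRuleGroupIdentifier": {
                "vendorName": "AWS",
                "managedRuleGroupName": "AWSManagedRulesCommonRuleSet",
                "version": "Version_9.9",
            },
        },
        {
            "ruleGroupType": "ManagedRuleGroup",
            "overrideAction": {"type": "NONE"},
            "excludeRules": [],
            "managedRuleGroupIdentifier": {
                "vendorName": "AWS",
                "managedRuleGroupName": "AWSManagedRulesKnownBadInputsRuleSet",
                "version": None,
            },
        },
    ],
    "postProcessRuleGroups": [],
})

# Constructed stand-in for the CLI output, keyed by (vendorName, name).
# In practice, fill this from the command built by lookup_command().
AVAILABLE_VERSIONS = {
    ("AWS", "AWSManagedRulesCommonRuleSet"): {
        "CurrentDefaultVersion": "Version_1.3",
        "Versions": [{"Name": "Version_1.2"}, {"Name": "Version_1.3"}],
    },
    ("AWS", "AWSManagedRulesKnownBadInputsRuleSet"): {
        "CurrentDefaultVersion": "Version_1.1",
        "Versions": [{"Name": "Version_1.1"}],
    },
}


def rule_group_identifiers(managed_service_data):
    """Yield (vendorName, managedRuleGroupName, version) for every managed
    rule group in a WAFV2 managedServiceData JSON string."""
    data = json.loads(managed_service_data)
    for key in ("preProcessRuleGroups", "postProcessRuleGroups"):
        for group in data.get(key, []):
            ident = group.get("managedRuleGroupIdentifier")
            if group.get("ruleGroupType") == "ManagedRuleGroup" and ident:
                yield ident["vendorName"], ident["managedRuleGroupName"], ident.get("version")


def lookup_command(vendor, name, scope="CLOUDFRONT", region="us-east-1"):
    """Build the CLI command that lists valid versions for one rule group.
    WAF_GLOBAL (CloudFront) rule groups use scope CLOUDFRONT, which the
    WAFV2 API only serves from us-east-1."""
    return (f"aws wafv2 list-available-managed-rule-group-versions "
            f"--scope {scope} --vendor-name {vendor} --name {name} --region {region}")


def invalid_versions(managed_service_data, available):
    """Return [(vendor, name, version)] for pinned versions WAF does not offer.
    A null version is always accepted; an unknown rule group counts as invalid."""
    bad = []
    for vendor, name, version in rule_group_identifiers(managed_service_data):
        if version is None:
            continue
        listing = available.get((vendor, name))
        names = {v["Name"] for v in listing["Versions"]} if listing else set()
        if version not in names:
            bad.append((vendor, name, version))
    return bad


if __name__ == "__main__":
    for vendor, name, version in invalid_versions(MANAGED_SERVICE_DATA, AVAILABLE_VERSIONS):
        print(f"{vendor}/{name}: version {version!r} is not available; check with:")
        print("  " + lookup_command(vendor, name))
```

Run it before uploading a changed policy_manifest.json, since (as noted in point 2 above) the upload itself triggers the policy update, and an invalid version will only surface as a failed build in the Firewall Manager console.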
