Implement applyCfnGuardSuppressions function to suppress cfn guard

kris-szlapa · kris-szlapa · commit 056d65299747 · 2025-07-28T22:19:47.000Z
diff --git a/packages/cdk/bin/EpsAssistMeApp.ts b/packages/cdk/bin/EpsAssistMeApp.ts
@@ -2,7 +2,7 @@
 import {App, Aspects, Tags} from "aws-cdk-lib"
 import {AwsSolutionsChecks} from "cdk-nag"
 import {EpsAssistMeStack} from "../stacks/EpsAssistMeStack"
-import {addCfnGuardMetadata} from "./utils/appUtils"
+import {applyCfnGuardSuppressions} from "./utils/appUtils"
 
 const app = new App()
 
@@ -18,8 +18,6 @@ const stackName = app.node.tryGetContext("stackName")
 const version = app.node.tryGetContext("versionNumber")
 const commit = app.node.tryGetContext("commitId")
 
-console.log("CDK context:", {accountId, stackName, version, commit})
-
 Aspects.of(app).add(new AwsSolutionsChecks({verbose: true}))
 
 Tags.of(app).add("cdkApp", "EpsAssistMe")
@@ -38,36 +36,6 @@ const EpsAssistMe = new EpsAssistMeStack(app, "EpsAssistMeStack", {
   commitId: commit
 })
 
-// Run a synth to add cross region lambdas and roles
-app.synth()
-
-// S3 Bucket: StorageDocsBucketDocs0C9A9D9E
-// CDK-Path: EpsAssistMeStack/Storage/DocsBucket/Docs/Resource
-addCfnGuardMetadata(EpsAssistMe, "Storage/DocsBucket", "Docs",
-  ["S3_BUCKET_REPLICATION_ENABLED"]
-)
-
-// S3 Bucket Policy: StorageDocsBucketDocsPolicy8F1C9E94
-// CDK-Path: EpsAssistMeStack/Storage/DocsBucket/Docs/Policy/Resource
-addCfnGuardMetadata(EpsAssistMe, "Storage/DocsBucket/Docs", "Policy",
-  ["S3_BUCKET_SSL_REQUESTS_ONLY"]
-)
+applyCfnGuardSuppressions(EpsAssistMe)
 
-// Lambda Function: CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F
-// CDK-Path: EpsAssistMeStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler
-addCfnGuardMetadata(EpsAssistMe, "Custom::S3AutoDeleteObjectsCustomResourceProvider", "Handler",
-  ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC"]
-)
-
-// Suppress Lambda DLQ and VPC checks for application Lambda functions
-addCfnGuardMetadata(EpsAssistMe, "FunctionsCreateIndexFunctionepsam-CreateIndexFunction", "Resource",
-  ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC"]
-)
-addCfnGuardMetadata(EpsAssistMe, "FunctionsSlackBotLambdaepsam-SlackBotFunction", "Resource",
-  ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC"]
-)
-
-// Finally run synth again with force to include the added metadata
-app.synth({
-  force: true
-})
+app.synth()
diff --git a/packages/cdk/bin/utils/appUtils.ts b/packages/cdk/bin/utils/appUtils.ts
@@ -1,76 +1,58 @@
 import {Stack, CfnResource} from "aws-cdk-lib"
 import {IConstruct} from "constructs"
 
-/**
- * Adds cfn-guard metadata to suppress rules on a resource.
- */
-export const addCfnGuardMetadata = (
-  stack: Stack,
-  path: string,
-  childPath?: string,
-  suppressedRules: Array<string> = []
-) => {
-  console.log(`🔍 Looking for construct at path: ${path}${childPath ? "/" + childPath : ""}`)
-
-  const parent = stack.node.tryFindChild(path)
-  if (!parent) {
-    console.warn(`❌ Could not find path /${stack.stackName}/${path}`)
-    // List available children for debugging
-    console.log("Available children:", stack.node.children.map(c => c.node.id))
-    return
-  }
-
-  let target: IConstruct
-
-  if (childPath) {
-    const child = parent.node.tryFindChild(childPath)
-    if (!child) {
-      console.warn(`❌ Could not find path /${stack.stackName}/${path}/${childPath}`)
-      // List available children for debugging
-      console.log("Available children of parent:", parent.node.children.map(c => c.node.id))
-      return
+const findResourcesByPattern = (construct: IConstruct, patterns: Array<string>): Array<CfnResource> => {
+  const matches: Array<CfnResource> = []
+  const seen = new Set<string>()
+
+  const search = (node: IConstruct): void => {
+    if (node instanceof CfnResource) {
+      for (const pattern of patterns) {
+        if (node.logicalId.includes(pattern) && !seen.has(node.logicalId)) {
+          matches.push(node)
+          seen.add(node.logicalId)
+          break
+        }
+      }
+    }
+    for (const child of node.node.children) {
+      search(child)
     }
-    target = child
-  } else {
-    target = parent
   }
 
-  let cfnResource: CfnResource | undefined
+  search(construct)
+  return matches
+}
 
-  if (target instanceof CfnResource) {
-    cfnResource = target
-  } else if ("defaultChild" in target.node && target.node.defaultChild) {
-    const defaultChild = target.node.defaultChild
-    if (defaultChild instanceof CfnResource) {
-      cfnResource = defaultChild
+const addSuppressions = (resources: Array<CfnResource>, rules: Array<string>): void => {
+  resources.forEach(resource => {
+    if (!resource.cfnOptions.metadata) {
+      resource.cfnOptions.metadata = {}
     }
-  }
 
-  if (!cfnResource) {
-    console.warn(`⚠️ Target at ${path}${childPath ? "/" + childPath : ""} is not a CfnResource`)
-    console.log(`Target type: ${target.constructor.name}`)
-    if ("defaultChild" in target.node && target.node.defaultChild) {
-      console.log(`Default child type: ${target.node.defaultChild.constructor.name}`)
-    }
-    return
-  }
+    const existing = resource.cfnOptions.metadata.guard?.SuppressedRules || []
+    const combined = [...new Set([...existing, ...rules])]
 
-  // Initialize metadata if it doesn't exist
-  if (!cfnResource.cfnOptions.metadata) {
-    cfnResource.cfnOptions.metadata = {}
-  }
+    resource.cfnOptions.metadata.guard = {SuppressedRules: combined}
+  })
+}
 
-  // Preserve existing guard metadata and merge with new rules
-  const existingGuard = cfnResource.cfnOptions.metadata.guard || {}
-  const existingSuppressed = existingGuard.SuppressedRules || []
-  const allSuppressedRules = [...new Set([...existingSuppressed, ...suppressedRules])]
+export const applyCfnGuardSuppressions = (stack: Stack): void => {
+  // Lambda suppressions
+  const lambdaResources = findResourcesByPattern(stack, [
+    "Handler", "Function", "CreateIndex", "SlackBot", "CustomResourceProvider"
+  ])
+  addSuppressions(lambdaResources, ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK"])
 
-  cfnResource.cfnOptions.metadata = {
-    ...cfnResource.cfnOptions.metadata,
-    guard: {
-      SuppressedRules: allSuppressedRules
-    }
-  }
+  // S3 bucket suppressions
+  const bucketResources = findResourcesByPattern(stack, ["Bucket", "Docs", "Storage"])
+  addSuppressions(bucketResources, ["S3_BUCKET_REPLICATION_ENABLED", "S3_BUCKET_LOGGING_ENABLED"])
+
+  // S3 policy suppressions
+  const policyResources = findResourcesByPattern(stack, ["Policy", "BucketPolicy"])
+  addSuppressions(policyResources, ["S3_BUCKET_SSL_REQUESTS_ONLY"])
 
-  console.log(`✅ Suppressed rules for ${cfnResource.logicalId}: [${allSuppressedRules.join(", ")}]`)
+  // API Gateway suppressions
+  const stageResources = findResourcesByPattern(stack, ["Stage", "DeploymentStage"])
+  addSuppressions(stageResources, ["API_GW_CACHE_ENABLED_AND_ENCRYPTED"])
 }
