Remove obsolete NAG suppression paths

kris-szlapa · kris-szlapa · commit 13f56b45dbe5 · 2025-07-25T02:46:21.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -1,4 +1,4 @@
-/* eslint-disable max-len */
+/* eslint-disable @typescript-eslint/no-unused-vars */
 import {Stack} from "aws-cdk-lib"
 import {NagPackSuppression, NagSuppressions} from "cdk-nag"
 
@@ -33,18 +33,6 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // Suppress API Gateway validation warning
-  safeAddNagSuppression(
-    stack,
-    "/EpsAssistMeStack/EpsAssistApiGateway/ApiGateway/Resource",
-    [
-      {
-        id: "AwsSolutions-APIG2",
-        reason: "Validation is handled within Lambda; request validation is intentionally omitted."
-      }
-    ]
-  )
-
   // Suppress API Gateway validation warning for Apis construct
   safeAddNagSuppression(
     stack,
@@ -70,12 +58,9 @@ export const nagSuppressions = (stack: Stack) => {
   )
 
   // Suppress unauthenticated API route warnings
-  safeAddNagSuppressionGroup(
+  safeAddNagSuppression(
     stack,
-    [
-      "/EpsAssistMeStack/EpsAssistApiGateway/ApiGateway/Default/slack/ask-eps/POST/Resource",
-      "/EpsAssistMeStack/Apis/EpsAssistApiGateway/ApiGateway/Default/slack/ask-eps/POST/Resource"
-    ],
+    "/EpsAssistMeStack/Apis/EpsAssistApiGateway/ApiGateway/Default/slack/ask-eps/POST/Resource",
     [
       {
         id: "AwsSolutions-APIG4",
@@ -108,18 +93,6 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // Suppress missing WAF on API stage
-  safeAddNagSuppression(
-    stack,
-    "/EpsAssistMeStack/EpsAssistApiGateway/ApiGateway/DeploymentStage.prod/Resource",
-    [
-      {
-        id: "AwsSolutions-APIG3",
-        reason: "WAF not in current scope; may be added later."
-      }
-    ]
-  )
-
   // Suppress missing WAF on API stage for Apis construct
   safeAddNagSuppression(
     stack,
@@ -286,7 +259,6 @@ export const nagSuppressions = (stack: Stack) => {
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {
   try {
     NagSuppressions.addResourceSuppressionsByPath(stack, path, suppressions)
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
   } catch (err) {
     console.log(`Could not find path ${path}`)
   }
