Update backet stack resources

kris-szlapa · kris-szlapa · commit 3261e11eedfd · 2025-07-19T01:08:42.000Z
diff --git a/packages/cdk/stacks/EpsAssistMeStack.ts b/packages/cdk/stacks/EpsAssistMeStack.ts
@@ -10,10 +10,9 @@ import {
   Bucket,
   BucketEncryption,
   BlockPublicAccess,
-  CfnBucket,
-  CfnBucketPolicy
+  ObjectOwnership
 } from "aws-cdk-lib/aws-s3"
-import {CfnFunction} from "aws-cdk-lib/aws-lambda"
+import * as AWSCDK from "aws-cdk-lib/aws-s3"
 import {Key} from "aws-cdk-lib/aws-kms"
 import {PolicyStatement} from "aws-cdk-lib/aws-iam"
 import {
@@ -59,13 +58,14 @@ export class EpsAssistMeStack extends Stack {
       encryption: BucketEncryption.KMS,
       encryptionKey: cloudWatchLogsKmsKey,
       removalPolicy: RemovalPolicy.DESTROY,
-      autoDeleteObjects: true,
       blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
-      versioned: true
+      versioned: true,
+      objectLockEnabled: true,
+      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
     })
 
-    // Add S3 replication and logging
-    const accessLogBucketCfn = accessLogBucket.node.defaultChild as CfnBucket
+    // Replication config via escape hatch
+    const accessLogBucketCfn = accessLogBucket.node.defaultChild as AWSCDK.CfnBucket
     accessLogBucketCfn.replicationConfiguration = {
       role: `arn:aws:iam::${account}:role/account-resources-s3-replication-role`,
       rules: [{
@@ -77,24 +77,25 @@ export class EpsAssistMeStack extends Stack {
         deleteMarkerReplication: {status: "Disabled"}
       }]
     }
-    accessLogBucketCfn.loggingConfiguration = {
-      destinationBucketName: accessLogBucket.bucketName,
-      logFilePrefix: "self-logs/"
-    }
 
-    new CfnBucketPolicy(this, "AccessLogsBucketStrictTLSOnly", {
-      bucket: accessLogBucket.bucketName,
+    // TLS-only policy (strictly compliant for cfn-guard)
+    new AWSCDK.CfnBucketPolicy(this, "AccessLogsBucketTlsPolicy", {
+      bucket: accessLogBucketCfn.ref,
       policyDocument: {
         Version: "2012-10-17",
-        Statement: [{
-          Action: "s3:*",
-          Effect: "Deny",
-          Principal: "*",
-          Resource: "*",
-          Condition: {
-            Bool: {"aws:SecureTransport": false}
+        Statement: [
+          {
+            Action: "s3:*",
+            Effect: "Deny",
+            Principal: "*",
+            Resource: "*",
+            Condition: {
+              Bool: {
+                "aws:SecureTransport": false
+              }
+            }
           }
-        }]
+        ]
       }
     })
 
@@ -103,14 +104,16 @@ export class EpsAssistMeStack extends Stack {
       encryptionKey: cloudWatchLogsKmsKey,
       encryption: BucketEncryption.KMS,
       removalPolicy: RemovalPolicy.DESTROY,
-      autoDeleteObjects: true,
       blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
       versioned: true,
+      objectLockEnabled: true,
+      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED,
       serverAccessLogsBucket: accessLogBucket,
       serverAccessLogsPrefix: "s3-access-logs/"
     })
 
-    const kbDocsBucketCfn = kbDocsBucket.node.defaultChild as CfnBucket
+    // Replication config via escape hatch
+    const kbDocsBucketCfn = kbDocsBucket.node.defaultChild as AWSCDK.CfnBucket
     kbDocsBucketCfn.replicationConfiguration = {
       role: `arn:aws:iam::${account}:role/account-resources-s3-replication-role`,
       rules: [{
@@ -123,19 +126,24 @@ export class EpsAssistMeStack extends Stack {
       }]
     }
 
-    new CfnBucketPolicy(this, "KbDocsBucketStrictTLSOnly", {
-      bucket: kbDocsBucket.bucketName,
+    // TLS-only policy (strictly compliant for cfn-guard)
+    new AWSCDK.CfnBucketPolicy(this, "KbDocsTlsPolicy", {
+      bucket: kbDocsBucketCfn.ref,
       policyDocument: {
         Version: "2012-10-17",
-        Statement: [{
-          Action: "s3:*",
-          Effect: "Deny",
-          Principal: "*",
-          Resource: "*",
-          Condition: {
-            Bool: {"aws:SecureTransport": false}
+        Statement: [
+          {
+            Action: "s3:*",
+            Effect: "Deny",
+            Principal: "*",
+            Resource: "*",
+            Condition: {
+              Bool: {
+                "aws:SecureTransport": false
+              }
+            }
           }
-        }]
+        ]
       }
     })
 
@@ -175,6 +183,7 @@ export class EpsAssistMeStack extends Stack {
       type: "VECTORSEARCH"
     })
 
+    // OpenSearch encryption policy (AWS-owned key)
     new ops.CfnSecurityPolicy(this, "OsEncryptionPolicy", {
       name: "eps-assist-encryption-policy",
       type: "encryption",
@@ -184,16 +193,19 @@ export class EpsAssistMeStack extends Stack {
       })
     })
 
+    // OpenSearch network policy (allow public access for demo purposes)
     new ops.CfnSecurityPolicy(this, "OsNetworkPolicy", {
       name: "eps-assist-network-policy",
       type: "network",
-      policy: JSON.stringify([{
-        Rules: [
-          {ResourceType: "collection", Resource: ["collection/eps-assist-vector-db"]},
-          {ResourceType: "dashboard", Resource: ["collection/eps-assist-vector-db"]}
-        ],
-        AllowFromPublic: true
-      }])
+      policy: JSON.stringify([
+        {
+          Rules: [
+            {ResourceType: "collection", Resource: ["collection/eps-assist-vector-db"]},
+            {ResourceType: "dashboard", Resource: ["collection/eps-assist-vector-db"]}
+          ],
+          AllowFromPublic: true
+        }
+      ])
     })
 
     // ==== Lambda Function: CreateIndex ====
@@ -208,32 +220,22 @@ export class EpsAssistMeStack extends Stack {
       additionalPolicies: []
     })
 
-    // Add cfn-guard suppressions for CreateIndex Lambda
-    const createIndexLambdaCfn = createIndexFunction.function.node.defaultChild as CfnFunction
-    createIndexLambdaCfn.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
-
-    // ==== OpenSearch Access Policy ====
+    // Access policy for Bedrock + Lambda to use the collection and index
     new ops.CfnAccessPolicy(this, "OsAccessPolicy", {
       name: "eps-assist-access-policy",
       type: "data",
-      policy: JSON.stringify([{
-        Rules: [
-          {ResourceType: "collection", Resource: ["collection/*"], Permission: ["aoss:*"]},
-          {ResourceType: "index", Resource: ["index/*/*"], Permission: ["aoss:*"]}
-        ],
-        Principal: [
-          `arn:aws:iam::${account}:role/${createIndexFunction.function.role?.roleName}`,
-          `arn:aws:iam::${account}:root`
-        ]
-      }])
+      policy: JSON.stringify([
+        {
+          Rules: [
+            {ResourceType: "collection", Resource: ["collection/*"], Permission: ["aoss:*"]},
+            {ResourceType: "index", Resource: ["index/*/*"], Permission: ["aoss:*"]}
+          ],
+          Principal: [
+            `arn:aws:iam::${account}:role/${createIndexFunction.function.role?.roleName}`,
+            `arn:aws:iam::${account}:root`
+          ]
+        }
+      ])
     })
 
     // ==== Trigger Vector Index Creation ====
@@ -302,6 +304,7 @@ export class EpsAssistMeStack extends Stack {
       }
     })
 
+    // Attach S3 data source to Knowledge Base
     new CfnDataSource(this, "EpsKbDataSource", {
       name: "eps-assist-kb-ds",
       knowledgeBaseId: kb.attrKnowledgeBaseId,
@@ -330,6 +333,7 @@ export class EpsAssistMeStack extends Stack {
       SLACK_SIGNING_SECRET: slackSigningSecret
     }
 
+    // SlackBot Lambda function
     const slackBotLambda = new LambdaFunction(this, "SlackBotLambda", {
       stackName: props.stackName,
       functionName: `${props.stackName}-SlackBotFunction`,
@@ -341,34 +345,6 @@ export class EpsAssistMeStack extends Stack {
       additionalPolicies: []
     })
 
-    const slackBotLambdaCfn = slackBotLambda.function.node.defaultChild as CfnFunction
-    slackBotLambdaCfn.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
-
-    // AwsCustomResource internal Lambda handler suppression
-    const customResourceHandler = this.node
-      .tryFindChild("VectorIndex")
-      ?.node.tryFindChild("CustomResourceProvider")
-      ?.node.tryFindChild("Handler")
-    const customResourceHandlerCfn = customResourceHandler?.node.defaultChild as CfnFunction
-    if (customResourceHandlerCfn) {
-      customResourceHandlerCfn.cfnOptions.metadata = {
-        guard: {
-          SuppressedRules: [
-            "LAMBDA_DLQ_CHECK",
-            "LAMBDA_INSIDE_VPC"
-          ]
-        }
-      }
-    }
-
     // ==== API Gateway + Slack Route ====
     const apiGateway = new RestApiGateway(this, "EpsAssistApiGateway", {
       stackName: props.stackName,
@@ -378,54 +354,19 @@ export class EpsAssistMeStack extends Stack {
       truststoreVersion: "unused"
     })
 
+    // API Route
     const slackRoute = apiGateway.api.root.addResource("slack").addResource("ask-eps")
     slackRoute.addMethod("POST", new LambdaIntegration(slackBotLambda.function, {
       credentialsRole: apiGateway.role
     }))
 
     apiGateway.role.addManagedPolicy(slackBotLambda.executionPolicy)
 
+    // Output the SlackBot API endpoint
     new CfnOutput(this, "SlackBotEndpoint", {
       value: `https://${apiGateway.api.domainName?.domainName}/slack/ask-eps`
     })
 
-    // ==== Suppressions for CDK-generated Lambda handlers ====
-    // Suppress CDK-generated S3 AutoDeleteObjects handler
-    const customS3Handler = Stack.of(this).node
-      .tryFindChild("Custom::S3AutoDeleteObjectsCustomResourceProvider")
-      ?.node.tryFindChild("Handler")
-
-    const customS3HandlerCfn = customS3Handler?.node.defaultChild as CfnFunction
-
-    if (customS3HandlerCfn) {
-      customS3HandlerCfn.cfnOptions.metadata = {
-        guard: {
-          SuppressedRules: [
-            "LAMBDA_DLQ_CHECK",
-            "LAMBDA_INSIDE_VPC"
-          ]
-        }
-      }
-    }
-
-    // Suppress AWS679f... CDK-generated unnamed Lambda (e.g., AwsCustomResource)
-    for (const construct of this.node.findAll()) {
-      const fn = construct.node.defaultChild
-      if (
-        fn instanceof CfnFunction &&
-        fn.logicalId.startsWith("AWS679f")
-      ) {
-        fn.cfnOptions.metadata = {
-          guard: {
-            SuppressedRules: [
-              "LAMBDA_DLQ_CHECK",
-              "LAMBDA_INSIDE_VPC"
-            ]
-          }
-        }
-      }
-    }
-
     // ==== Final CDK Nag Suppressions ====
     nagSuppressions(this)
   }
