Refactor EpsAssistMeStack and LambdaFunction modules

Author: kris-szlapa

packages/cdk/constructs/LambdaFunction.ts

@@ -25,6 +25,7 @@ export interface LambdaFunctionProps {
   readonly entryPoint: string
   readonly environmentVariables: {[key: string]: string}
   readonly additionalPolicies?: Array<IManagedPolicy>
+  readonly role?: Role
   readonly logRetentionInDays: number
   readonly logLevel: string
 }
@@ -99,15 +100,27 @@ export class LambdaFunction extends Construct {
       ]
     })
 
-    const role = new Role(this, "LambdaRole", {
-      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
-      managedPolicies: [
-        putLogsManagedPolicy,
-        lambdaInsightsLogGroupPolicy,
-        cloudwatchEncryptionKMSPolicy,
-        ...(props.additionalPolicies ?? [])
-      ]
-    })
+    // Role/Policy Aggregation
+    const requiredPolicies: Array<IManagedPolicy> = [
+      putLogsManagedPolicy,
+      lambdaInsightsLogGroupPolicy,
+      cloudwatchEncryptionKMSPolicy,
+      ...(props.additionalPolicies ?? [])
+    ]
+
+    let role: Role
+    if (props.role) {
+      role = props.role
+      // Attach any missing managed policies to the provided role
+      for (const policy of requiredPolicies) {
+        role.addManagedPolicy(policy)
+      }
+    } else {
+      role = new Role(this, "LambdaRole", {
+        assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
+        managedPolicies: requiredPolicies
+      })
+    }
 
     // Define the Lambda function
     const lambdaFunction = new lambda.Function(this, props.functionName, {

packages/cdk/nagSuppressions.ts

@@ -204,7 +204,8 @@ export const nagSuppressions = (stack: Stack) => {
         id: "AwsSolutions-IAM5",
         reason: "SlackBot Lambda needs access to all guardrails to apply content filtering.",
         appliesTo: [
-          "Resource::arn:aws:bedrock:eu-west-2:591291862413:guardrail/*"
+          "Resource::arn:aws:bedrock:eu-west-2:591291862413:guardrail/*",
+          "Resource::arn:aws:bedrock:eu-west-2:123456789012:guardrail/*"
         ]
       }
     ]
@@ -219,11 +220,35 @@ export const nagSuppressions = (stack: Stack) => {
         id: "AwsSolutions-IAM5",
         reason: "Lambda needs to invoke itself for Slack Bolt lazy handlers.",
         appliesTo: [
-          "Resource::arn:aws:lambda:eu-west-2:591291862413:function:*"
+          "Resource::arn:aws:lambda:eu-west-2:591291862413:function:*",
+          "Resource::arn:aws:lambda:eu-west-2:123456789012:function:AmazonBedrock*"
         ]
       }
     ]
   )
+
+  // Suppress secrets without rotation
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/SlackBotTokenSecret/Resource",
+    [
+      {
+        id: "AwsSolutions-SMG4",
+        reason: "Slack bot token rotation is handled manually as part of the Slack app configuration process."
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/SlackBotSigningSecret/Resource",
+    [
+      {
+        id: "AwsSolutions-SMG4",
+        reason: "Slack signing secret rotation is handled manually as part of the Slack app configuration process."
+      }
+    ]
+  )
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {