Preserve existing guard metadata and merge with new rules

Author: kris-szlapa

packages/cdk/bin/EpsAssistMeApp.ts

@@ -42,27 +42,44 @@ const EpsAssistMe = new EpsAssistMeStack(app, "EpsAssistMeStack", {
 app.synth()
 
 // S3 Bucket: StorageAccessLogsBucketAccessLogs86FA3BBC
-addCfnGuardMetadata(EpsAssistMe, "Storage/AccessLogsBucket/AccessLogs", undefined,
+// CDK-Path: EpsAssistMeStack/Storage/AccessLogsBucket/AccessLogs/Resource
+addCfnGuardMetadata(EpsAssistMe, "Storage/AccessLogsBucket", "AccessLogs",
   ["S3_BUCKET_REPLICATION_ENABLED", "S3_BUCKET_VERSIONING_ENABLED", "S3_BUCKET_LOGGING_ENABLED"]
 )
 
-// S3 Bucket Policy: StorageAccessLogsBucketAccessLogsPolicy523966CD  
-addCfnGuardMetadata(EpsAssistMe, "Storage/AccessLogsBucket/AccessLogs/Policy", undefined,
+// S3 Bucket Policy: StorageAccessLogsBucketAccessLogsPolicy523966CD
+// CDK-Path: EpsAssistMeStack/Storage/AccessLogsBucket/AccessLogs/Policy/Resource
+addCfnGuardMetadata(EpsAssistMe, "Storage/AccessLogsBucket/AccessLogs", "Policy",
   ["S3_BUCKET_SSL_REQUESTS_ONLY"]
 )
 
 // S3 Bucket: StorageDocsBucketDocs0C9A9D9E
-addCfnGuardMetadata(EpsAssistMe, "Storage/DocsBucket/Docs", undefined,
+// CDK-Path: EpsAssistMeStack/Storage/DocsBucket/Docs/Resource
+addCfnGuardMetadata(EpsAssistMe, "Storage/DocsBucket", "Docs",
   ["S3_BUCKET_REPLICATION_ENABLED"]
 )
 
 // S3 Bucket Policy: StorageDocsBucketDocsPolicy8F1C9E94
-addCfnGuardMetadata(EpsAssistMe, "Storage/DocsBucket/Docs/Policy", undefined,
+// CDK-Path: EpsAssistMeStack/Storage/DocsBucket/Docs/Policy/Resource
+addCfnGuardMetadata(EpsAssistMe, "Storage/DocsBucket/Docs", "Policy",
+  ["S3_BUCKET_SSL_REQUESTS_ONLY"]
+)
+
+// S3 Bucket: StorageLoggingBucketLogging36F28A73
+// CDK-Path: EpsAssistMeStack/Storage/LoggingBucket/Logging/Resource
+addCfnGuardMetadata(EpsAssistMe, "Storage/LoggingBucket", "Logging",
+  ["S3_BUCKET_REPLICATION_ENABLED", "S3_BUCKET_LOGGING_ENABLED"]
+)
+
+// S3 Bucket Policy: StorageLoggingBucketLoggingPolicy06AD29F1
+// CDK-Path: EpsAssistMeStack/Storage/LoggingBucket/Logging/Policy/Resource
+addCfnGuardMetadata(EpsAssistMe, "Storage/LoggingBucket/Logging", "Policy",
   ["S3_BUCKET_SSL_REQUESTS_ONLY"]
 )
 
 // Lambda Function: CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F
-addCfnGuardMetadata(EpsAssistMe, "Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", undefined,
+// CDK-Path: EpsAssistMeStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler
+addCfnGuardMetadata(EpsAssistMe, "Custom::S3AutoDeleteObjectsCustomResourceProvider", "Handler",
   ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC"]
 )
 

packages/cdk/bin/utils/appUtils.ts

@@ -60,12 +60,17 @@ export const addCfnGuardMetadata = (
     cfnResource.cfnOptions.metadata = {}
   }
 
+  // Preserve existing guard metadata and merge with new rules
+  const existingGuard = cfnResource.cfnOptions.metadata.guard || {}
+  const existingSuppressed = existingGuard.SuppressedRules || []
+  const allSuppressedRules = [...new Set([...existingSuppressed, ...suppressedRules])]
+
   cfnResource.cfnOptions.metadata = {
     ...cfnResource.cfnOptions.metadata,
     guard: {
-      SuppressedRules: suppressedRules
+      SuppressedRules: allSuppressedRules
     }
   }
 
-  console.log(`✅ Suppressed rules for ${cfnResource.logicalId}: [${suppressedRules.join(", ")}]`)
+  console.log(`✅ Suppressed rules for ${cfnResource.logicalId}: [${allSuppressedRules.join(", ")}]`)
 }