Replace hardcoded account ID with variable in NAG suppressions

kris-szlapa · kris-szlapa · commit b8e25d8b29c1 · 2025-08-14T16:50:01.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -4,6 +4,7 @@ import {NagPackSuppression, NagSuppressions} from "cdk-nag"
 
 export const nagSuppressions = (stack: Stack) => {
   const stackName = stack.node.tryGetContext("stackName") || "epsam"
+  const account = Stack.of(stack).account
   // Suppress granular wildcard on log stream for SlackBot Lambda
   safeAddNagSuppression(
     stack,
@@ -98,10 +99,8 @@ export const nagSuppressions = (stack: Stack) => {
           "Action::bedrock:Delete*",
           "Resource::<StorageDocsBucketepsamDocsF25F63F1.Arn>/*",
           "Resource::<StorageDocsBucketepsampr16Docs240CC945.Arn>/*",
-          "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
-          "Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*",
-          "Resource::arn:aws:aoss:eu-west-2:undefined:collection/*",
-          "Resource::arn:aws:aoss:eu-west-2:591291862413:collection/*",
+          `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
+          `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
           "Resource::*"
         ]
       }
@@ -117,10 +116,8 @@ export const nagSuppressions = (stack: Stack) => {
         id: "AwsSolutions-IAM5",
         reason: "Lambda needs access to all OpenSearch collections and indexes to create and manage indexes.",
         appliesTo: [
-          "Resource::arn:aws:aoss:eu-west-2:undefined:collection/*",
-          "Resource::arn:aws:aoss:eu-west-2:undefined:index/*",
-          "Resource::arn:aws:aoss:eu-west-2:591291862413:collection/*",
-          "Resource::arn:aws:aoss:eu-west-2:591291862413:index/*"
+          `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
+          `Resource::arn:aws:aoss:eu-west-2:${account}:index/*`
         ]
       }
     ]
@@ -135,12 +132,9 @@ export const nagSuppressions = (stack: Stack) => {
         id: "AwsSolutions-IAM5",
         reason: "SlackBot Lambda needs access to all guardrails, knowledge bases, and functions for content filtering and self-invocation.",
         appliesTo: [
-          "Resource::arn:aws:lambda:eu-west-2:undefined:function:*",
-          "Resource::arn:aws:lambda:eu-west-2:591291862413:function:*",
-          "Resource::arn:aws:bedrock:eu-west-2:undefined:guardrail/*",
-          "Resource::arn:aws:bedrock:eu-west-2:591291862413:guardrail/*",
-          "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
-          "Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*"
+          `Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
+          `Resource::arn:aws:bedrock:eu-west-2:${account}:guardrail/*`,
+          `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`
         ]
       }
     ]
