Extract Secrets and SSM resources from stack and update NAG suppressions

kris-szlapa · kris-szlapa · commit c8bc7a82ba85 · 2025-07-25T01:21:49.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -262,7 +262,7 @@ export const nagSuppressions = (stack: Stack) => {
   // Suppress secrets without rotation
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/SlackBotTokenSecret/Resource",
+    "/EpsAssistMeStack/Secrets/SlackBotTokenSecret/Resource",
     [
       {
         id: "AwsSolutions-SMG4",
@@ -273,7 +273,7 @@ export const nagSuppressions = (stack: Stack) => {
 
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/SlackBotSigningSecret/Resource",
+    "/EpsAssistMeStack/Secrets/SlackBotSigningSecret/Resource",
     [
       {
         id: "AwsSolutions-SMG4",
diff --git a/packages/cdk/resources/Secrets.ts b/packages/cdk/resources/Secrets.ts
@@ -0,0 +1,52 @@
+import {Construct} from "constructs"
+import * as cdk from "aws-cdk-lib"
+import * as ssm from "aws-cdk-lib/aws-ssm"
+import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager"
+
+export interface SecretsProps {
+  slackBotToken: string
+  slackSigningSecret: string
+}
+
+export class Secrets extends Construct {
+  public readonly slackBotTokenSecret: secretsmanager.Secret
+  public readonly slackBotSigningSecret: secretsmanager.Secret
+  public readonly slackBotTokenParameter: ssm.StringParameter
+  public readonly slackSigningSecretParameter: ssm.StringParameter
+
+  constructor(scope: Construct, id: string, props: SecretsProps) {
+    super(scope, id)
+
+    // Create secrets in Secrets Manager
+    this.slackBotTokenSecret = new secretsmanager.Secret(this, "SlackBotTokenSecret", {
+      secretName: "/eps-assist/slack/bot-token",
+      description: "Slack Bot OAuth Token for EPS Assist",
+      secretStringValue: cdk.SecretValue.unsafePlainText(JSON.stringify({
+        token: props.slackBotToken
+      }))
+    })
+
+    this.slackBotSigningSecret = new secretsmanager.Secret(this, "SlackBotSigningSecret", {
+      secretName: "/eps-assist/slack/signing-secret",
+      description: "Slack Signing Secret",
+      secretStringValue: cdk.SecretValue.unsafePlainText(JSON.stringify({
+        secret: props.slackSigningSecret
+      }))
+    })
+
+    // Create SSM parameters that reference the secrets
+    this.slackBotTokenParameter = new ssm.StringParameter(this, "SlackBotTokenParameter", {
+      parameterName: "/eps-assist/slack/bot-token/parameter",
+      stringValue: `{{resolve:secretsmanager:${this.slackBotTokenSecret.secretName}}}`,
+      description: "Reference to Slack Bot Token in Secrets Manager",
+      tier: ssm.ParameterTier.STANDARD
+    })
+
+    this.slackSigningSecretParameter = new ssm.StringParameter(this, "SlackSigningSecretParameter", {
+      parameterName: "/eps-assist/slack/signing-secret/parameter",
+      stringValue: `{{resolve:secretsmanager:${this.slackBotSigningSecret.secretName}}}`,
+      description: "Reference to Slack Signing Secret in Secrets Manager",
+      tier: ssm.ParameterTier.STANDARD
+    })
+  }
+}
diff --git a/packages/cdk/stacks/EpsAssistMeStack.ts b/packages/cdk/stacks/EpsAssistMeStack.ts
@@ -15,12 +15,11 @@ import * as cdk from "aws-cdk-lib"
 import * as iam from "aws-cdk-lib/aws-iam"
 import * as ops from "aws-cdk-lib/aws-opensearchserverless"
 import * as cr from "aws-cdk-lib/custom-resources"
-import * as ssm from "aws-cdk-lib/aws-ssm"
-import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager"
 import {nagSuppressions} from "../nagSuppressions"
 import {Apis} from "../resources/Apis"
 import {Functions} from "../resources/Functions"
 import {Storage} from "../resources/Storage"
+import {Secrets} from "../resources/Secrets"
 
 const EMBEDDING_MODEL = "amazon.titan-embed-text-v2:0"
 const COLLECTION_NAME = "eps-assist-vector-db"
@@ -51,36 +50,10 @@ export class EpsAssistMeStack extends Stack {
       throw new Error("Missing required context variables. Please provide slackBotToken and slackSigningSecret")
     }
 
-    // Create secrets in Secrets Manager
-    const slackBotTokenSecret = new secretsmanager.Secret(this, "SlackBotTokenSecret", {
-      secretName: "/eps-assist/slack/bot-token",
-      description: "Slack Bot OAuth Token for EPS Assist",
-      secretStringValue: cdk.SecretValue.unsafePlainText(JSON.stringify({
-        token: slackBotToken
-      }))
-    })
-
-    const slackBotSigningSecret = new secretsmanager.Secret(this, "SlackBotSigningSecret", {
-      secretName: "/eps-assist/slack/signing-secret",
-      description: "Slack Signing Secret",
-      secretStringValue: cdk.SecretValue.unsafePlainText(JSON.stringify({
-        secret: slackSigningSecret
-      }))
-    })
-
-    // Create SSM parameters that reference the secrets
-    const slackBotTokenParameter = new ssm.StringParameter(this, "SlackBotTokenParameter", {
-      parameterName: "/eps-assist/slack/bot-token/parameter",
-      stringValue: `{{resolve:secretsmanager:${slackBotTokenSecret.secretName}}}`,
-      description: "Reference to Slack Bot Token in Secrets Manager",
-      tier: ssm.ParameterTier.STANDARD
-    })
-
-    const slackSigningSecretParameter = new ssm.StringParameter(this, "SlackSigningSecretParameter", {
-      parameterName: "/eps-assist/slack/signing-secret/parameter",
-      stringValue: `{{resolve:secretsmanager:${slackBotSigningSecret.secretName}}}`,
-      description: "Reference to Slack Signing Secret in Secrets Manager",
-      tier: ssm.ParameterTier.STANDARD
+    // Create Secrets construct
+    const secrets = new Secrets(this, "Secrets", {
+      slackBotToken,
+      slackSigningSecret
     })
 
     // Create an IAM policy to invoke Bedrock models and access titan v1 embedding model
@@ -272,16 +245,16 @@ export class EpsAssistMeStack extends Stack {
       logRetentionInDays,
       logLevel,
       createIndexFunctionRole,
-      slackBotTokenParameter,
-      slackSigningSecretParameter,
+      slackBotTokenParameter: secrets.slackBotTokenParameter,
+      slackSigningSecretParameter: secrets.slackSigningSecretParameter,
       guardrailId: GUARD_RAIL_ID,
       guardrailVersion: GUARD_RAIL_VERSION,
       collectionId: osCollection.attrId,
       knowledgeBaseId: bedrockkb.attrKnowledgeBaseId,
       region,
       account,
-      slackBotTokenSecret,
-      slackBotSigningSecret
+      slackBotTokenSecret: secrets.slackBotTokenSecret,
+      slackBotSigningSecret: secrets.slackBotSigningSecret
     })
 
     // Define OpenSearchServerless access policy to access the index and collection

Original file line number	Diff line number	Diff line change
`@@ -262,7 +262,7 @@ export const nagSuppressions = (stack: Stack) => {`
`262`	`262`	`// Suppress secrets without rotation`
`263`	`263`	`safeAddNagSuppression(`
`264`	`264`	`stack,`
`265`		`- "/EpsAssistMeStack/SlackBotTokenSecret/Resource",`
	`265`	`+ "/EpsAssistMeStack/Secrets/SlackBotTokenSecret/Resource",`
`266`	`266`	`[`
`267`	`267`	`{`
`268`	`268`	`id: "AwsSolutions-SMG4",`
`@@ -273,7 +273,7 @@ export const nagSuppressions = (stack: Stack) => {`
`273`	`273`
`274`	`274`	`safeAddNagSuppression(`
`275`	`275`	`stack,`
`276`		`- "/EpsAssistMeStack/SlackBotSigningSecret/Resource",`
	`276`	`+ "/EpsAssistMeStack/Secrets/SlackBotSigningSecret/Resource",`
`277`	`277`	`[`
`278`	`278`	`{`
`279`	`279`	`id: "AwsSolutions-SMG4",`