fix it

Author: anthony-nhs

Makefile

@@ -102,15 +102,14 @@ cdk-synth:
 	npx cdk synth \
 		--quiet \
 		--app "npx ts-node --prefer-ts-exts packages/cdk/bin/EpsAssistMeApp.ts" \
-		--context accountId=undefined \
+		--context accountId=123456789012 \
 		--context stackName=epsam \
 		--context versionNumber=undefined \
 		--context commitId=undefined \
 		--context logRetentionInDays=30 \
 		--context slackBotToken=dummy \
 		--context slackSigningSecret=dummy \
 		--context cfnDriftDetectionGroup=dummy
-	./scripts/fix_cfn_guard.sh
 
 cdk-diff:
 	npx cdk diff \

packages/cdk/bin/utils/appUtils.ts

@@ -10,7 +10,7 @@ const findResourcesByPattern = (construct: IConstruct, patterns: Array<string>):
   const search = (node: IConstruct): void => {
     if (node instanceof CfnResource) {
       for (const pattern of patterns) {
-        if (node.logicalId.includes(pattern) && !seen.has(node.logicalId)) {
+        if (node.node.id.includes(pattern) && !seen.has(node.logicalId)) {
           matches.push(node)
           seen.add(node.logicalId)
           break
@@ -63,23 +63,9 @@ export const applyCfnGuardSuppressions = (stack: Stack): void => {
   // Suppress all cfn-guard checks for all Lambda functions (including implicit CDK-generated ones)
   const allLambdas = findResourcesByType(stack, "AWS::Lambda::Function")
   addSuppressions(allLambdas, ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK"])
-
-  // Suppress S3 bucket guard checks
-  const bucketResources = findResourcesByPattern(stack, ["Bucket", "Docs", "Storage"])
-  addSuppressions(
-    bucketResources,
-    [
-      "S3_BUCKET_REPLICATION_ENABLED",
-      "S3_BUCKET_LOGGING_ENABLED",
-      "S3_BUCKET_DEFAULT_LOCK_ENABLED"
-    ]
-  )
-
-  // Suppress S3 policy guard checks
-  const policyResources = findResourcesByPattern(stack, ["Policy", "BucketPolicy"])
-  addSuppressions(policyResources, ["S3_BUCKET_SSL_REQUESTS_ONLY"])
-
-  // Suppress API Gateway stage guard checks
-  const stageResources = findResourcesByPattern(stack, ["Stage", "DeploymentStage"])
-  addSuppressions(stageResources, ["API_GW_CACHE_ENABLED_AND_ENCRYPTED"])
+  const permissionResources = findResourcesByPattern(stack, [
+    "ApiPermission.Test.EpsAssistMeStackApisEpsAssistApiGateway1E1CF19C.POST..slack.events",
+    "AllowBucketNotificationsToEpsAssistMeStackFunctionsSyncKnowledgeBaseFunctionepsamSyncKnowledgeBaseFunction94D011F3"
+  ])
+  addSuppressions(permissionResources, ["LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED"])
 }

packages/cdk/constructs/S3Bucket.ts

@@ -4,7 +4,9 @@ import {
   Bucket,
   BucketEncryption,
   BlockPublicAccess,
-  ObjectOwnership
+  ObjectOwnership,
+  CfnBucket,
+  CfnBucketPolicy
 } from "aws-cdk-lib/aws-s3"
 import {Key} from "aws-cdk-lib/aws-kms"
 
@@ -38,6 +40,32 @@ export class S3Bucket extends Construct {
       objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
     })
 
+    const cfnBucket = bucket.node.defaultChild as CfnBucket
+    cfnBucket.cfnOptions.metadata = {
+      ...cfnBucket.cfnOptions.metadata,
+      guard: {
+        SuppressedRules: [
+          "S3_BUCKET_REPLICATION_ENABLED",
+          "S3_BUCKET_VERSIONING_ENABLED",
+          "S3_BUCKET_DEFAULT_LOCK_ENABLED",
+          "S3_BUCKET_LOGGING_ENABLED"
+        ]
+      }
+    }
+
+    const policy = bucket.policy!
+    const cfnBucketPolicy = policy.node.defaultChild as CfnBucketPolicy
+    cfnBucketPolicy.cfnOptions.metadata = (
+      {
+        ...cfnBucketPolicy.cfnOptions.metadata,
+        guard: {
+          SuppressedRules: [
+            "S3_BUCKET_SSL_REQUESTS_ONLY"
+          ]
+        }
+      }
+    )
+
     this.kmsKey = kmsKey
     this.bucket = bucket
   }