Replace PythonFunction with a custom bundling strategy

Author: kris-szlapa

.tool-versions

@@ -1,5 +1,5 @@
 nodejs 22.12.0
-python 3.12.7
+python 3.13.3
 poetry 1.8.3
 shellcheck 0.10.0
 direnv 2.32.2

Makefile

@@ -83,14 +83,15 @@ cdk-deploy: guard-stack_name
 		--context commitId=$$COMMIT_ID \
 		--context logRetentionInDays=$$LOG_RETENTION_IN_DAYS
 
-cdk-synth:
+cdk-synth: download-get-secrets-layer
 	npx cdk synth \
+		--quiet \
 		--app "npx ts-node --prefer-ts-exts packages/cdk/bin/EpsAssistMeApp.ts" \
 		--context accountId=undefined \
 		--context stackName=epsam \
 		--context versionNumber=undefined \
 		--context commitId=undefined \
-		-context logRetentionInDays=30
+		--context logRetentionInDays=30
 
 cdk-diff:
 	npx cdk diff \

packages/cdk/bin/EpsAssistMeApp.ts

@@ -18,16 +18,13 @@ const accountId = app.node.tryGetContext("accountId")
 const stackName = app.node.tryGetContext("stackName")
 const version = app.node.tryGetContext("versionNumber")
 const commit = app.node.tryGetContext("commitId")
-// Retrieve new context values
-const logRetentionInDays = app.node.tryGetContext("logRetentionInDays")
-const logLevel = app.node.tryGetContext("logLevel")
 
 Aspects.of(app).add(new AwsSolutionsChecks({verbose: true}))
 
 Tags.of(app).add("cdkApp", "EpsAssistMe")
-Tags.of(app).add("stackName", stackName ?? "unknown")
-Tags.of(app).add("version", version ?? "dev")
-Tags.of(app).add("commit", commit ?? "none")
+Tags.of(app).add("stackName", stackName)
+Tags.of(app).add("version", version)
+Tags.of(app).add("commit", commit)
 
 new EpsAssistMeStack(app, "EpsAssistMeStack", {
   env: {
@@ -36,7 +33,5 @@ new EpsAssistMeStack(app, "EpsAssistMeStack", {
   },
   stackName: stackName,
   version: version,
-  commitId: commit,
-  logRetentionInDays: parseInt(logRetentionInDays),
-  logLevel: logLevel
+  commitId: commit
 })

packages/cdk/nagSuppressions.ts

@@ -1,12 +1,14 @@
+/* eslint-disable max-len */
 import {Stack} from "aws-cdk-lib"
 import {NagPackSuppression, NagSuppressions} from "cdk-nag"
 
 export const nagSuppressions = (stack: Stack) => {
+  // Suppress wildcard log permissions for SlackBot
   safeAddNagSuppressionGroup(
     stack,
     [
-      "/EpsAssistMeStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/DefaultPolicy/Resource",
-      "/EpsAssistMeStack/SlackBotLambda/SlackBotFunctionPutLogsPolicy/Resource"
+      "/EpsAssistMeStack/SlackBotLambda/SlackBotFunctionPutLogsPolicy/Resource",
+      "/EpsAssistMeStack/SlackBotLambda/LambdaPutLogsManagedPolicy/Resource"
     ],
     [
       {
@@ -16,9 +18,25 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
+  // Suppress wildcard log permissions for CreateIndex Lambda
+  safeAddNagSuppressionGroup(
+    stack,
+    [
+      "/EpsAssistMeStack/CreateIndexFunction/CreateIndexFunctionPutLogsPolicy/Resource",
+      "/EpsAssistMeStack/CreateIndexFunction/LambdaPutLogsManagedPolicy/Resource"
+    ],
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Wildcard permissions are required for log stream access under known paths."
+      }
+    ]
+  )
+
+  // Suppress API Gateway validation warning
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/EpsAssistApiGateway/RestApi/Resource",
+    "/EpsAssistMeStack/EpsAssistApiGateway/ApiGateway/Resource",
     [
       {
         id: "AwsSolutions-APIG2",
@@ -27,9 +45,10 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
+  // Suppress AWS managed policy warning for default CDK log retention resource
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/Resource",
+    "/EpsAssistMeStack/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource",
     [
       {
         id: "AwsSolutions-IAM4",
@@ -38,10 +57,11 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
+  // Suppress unauthenticated API Gateway route warnings
   safeAddNagSuppressionGroup(
     stack,
     [
-      "/EpsAssistMeStack/EpsAssistApiGateway/RestApi/Default/slack/ask-eps/POST/Resource"
+      "/EpsAssistMeStack/EpsAssistApiGateway/ApiGateway/Default/slack/ask-eps/POST/Resource"
     ],
     [
       {
@@ -55,7 +75,7 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // 🔒 Suppress missing S3 access logs (AwsSolutions-S1)
+  // Suppress missing S3 access logs (AwsSolutions-S1)
   safeAddNagSuppression(
     stack,
     "/EpsAssistMeStack/EpsAssistDocsBucket/Resource",
@@ -82,10 +102,10 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // 🛡️ Suppress lack of WAF on API Gateway stage
+  // Suppress lack of WAF on API Gateway stage
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/EpsAssistApiGateway/RestApi/DeploymentStage.prod/Resource",
+    "/EpsAssistMeStack/EpsAssistApiGateway/ApiGateway/DeploymentStage.prod/Resource",
     [
       {
         id: "AwsSolutions-APIG3",
@@ -94,7 +114,7 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // ⚠️ Suppress non-latest Lambda runtime
+  // Suppress non-latest Lambda runtime
   safeAddNagSuppression(
     stack,
     "/EpsAssistMeStack/SlackBotLambda/SlackBotFunction/Resource",
@@ -110,13 +130,15 @@ export const nagSuppressions = (stack: Stack) => {
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {
   try {
     NagSuppressions.addResourceSuppressionsByPath(stack, path, suppressions)
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
   } catch (err) {
     console.log(`Could not find path ${path}`)
   }
 }
 
-const safeAddNagSuppressionGroup = (stack: Stack, paths: string[], suppressions: Array<NagPackSuppression>) => {
-  for (const path of paths) {
-    safeAddNagSuppression(stack, path, suppressions)
+// Apply the same nag suppression to multiple resources
+const safeAddNagSuppressionGroup = (stack: Stack, path: Array<string>, suppressions: Array<NagPackSuppression>) => {
+  for (const p of path) {
+    safeAddNagSuppression(stack, p, suppressions)
   }
 }