[AEA-4684] resolving cfn-guard issues

Author: Orkastrated

.github/workflows/cdk_release_code.yml

@@ -85,12 +85,10 @@ jobs:
           --arg VERSION_NUMBER "${{ inputs.VERSION_NUMBER }}" \
           --arg COMMIT_ID "${{ inputs.COMMIT_ID }}" \
           --arg logRetentionInDays "${{ inputs.LOG_RETENTION_IN_DAYS }}" \
-          --argjson allowAutoDeleteObjects "true" \
           '.context += {
             "VERSION_NUMBER": $VERSION_NUMBER,
             "COMMIT_ID": $COMMIT_ID,
-            "logRetentionInDays": $logRetentionInDays,
-            "allowAutoDeleteObjects": $allowAutoDeleteObjects}' \
+            "logRetentionInDays": $logRetentionInDays}' \
           .build/cdk.json > .build/cdk.new.json
           mv .build/cdk.new.json .build/cdk.json
 

Makefile

@@ -82,7 +82,6 @@ cdk-synth:
 		--app "npx ts-node --prefer-ts-exts packages/cdk/bin/VpcResourcesApp.ts" \
 		--context VERSION_NUMBER=undefined \
 		--context COMMIT_ID=undefined \
-		--context allowAutoDeleteObjects=true \
 		--context logRetentionInDays=30
 
 cdk-diff:

cdk.json

@@ -0,0 +1,75 @@
+{
+  "watch": {
+    "include": [
+      "packages/**"
+    ],
+    "exclude": [
+      "**/README.md",
+      "**/cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "**/tsconfig.json",
+      "**/package*.json",
+      "**/yarn.lock",
+      "**/node_modules",
+      "**/tests*",
+      "**/lib",
+      "**/coverage",
+      "**/jest.config.ts",
+      "**/jest.debug.config.ts"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false
+  }
+}

packages/cdk/bin/VpcResourcesApp.ts

@@ -2,6 +2,7 @@ import {App, Aspects, Tags} from "aws-cdk-lib"
 import {AwsSolutionsChecks} from "cdk-nag"
 
 import {VpcResourcesStack} from "../stacks/VpcResourcesStack"
+import {addCfnGuardMetadata} from "./utils/appUtils"
 
 const app = new App()
 /* Required Context:
@@ -18,10 +19,12 @@ Tags.of(app).add("version", version)
 Tags.of(app).add("commit", commit)
 Tags.of(app).add("cdkApp", "VpcResourcesApp")
 
-new VpcResourcesStack(app, "VpcResourcesStack", {
+const VpcResources = new VpcResourcesStack(app, "VpcResourcesStack", {
   env: {
     region: "eu-west-2"
   },
   stackName: "vpc-resources",
   version: version
 })
+
+addCfnGuardMetadata(VpcResources, "Custom::VpcRestrictDefaultSGCustomResourceProvider", "Handler")

packages/cdk/bin/utils/appUtils.ts

@@ -0,0 +1,37 @@
+import {Stack, CfnResource} from "aws-cdk-lib"
+
+// function which adds metadata to ignore things which fail cfn-guard
+export const addCfnGuardMetadata = (stack: Stack, path: string, childPath: string) => {
+  const provider = stack.node.tryFindChild(path)
+  if (provider === undefined) {
+    return
+  }
+  const lambda = provider.node.tryFindChild(childPath) as CfnResource
+  const role = provider.node.tryFindChild("Role") as CfnResource
+  if (lambda !== undefined) {
+    lambda.cfnOptions.metadata = (
+      {
+        ...lambda.cfnOptions.metadata,
+        guard: {
+          SuppressedRules: [
+            "LAMBDA_DLQ_CHECK",
+            "LAMBDA_INSIDE_VPC",
+            "LAMBDA_CONCURRENCY_CHECK"
+          ]
+        }
+      }
+    )
+  }
+  if (role !== undefined) {
+    role.cfnOptions.metadata = (
+      {
+        ...role.cfnOptions.metadata,
+        guard: {
+          SuppressedRules: [
+            "IAM_NO_INLINE_POLICY_CHECK"
+          ]
+        }
+      }
+    )
+  }
+}

packages/cdk/stacks/VpcResourcesStack.ts

@@ -1,12 +1,18 @@
 import {
   App,
   CfnOutput,
+  CfnResource,
   Fn,
   RemovalPolicy,
   Stack,
   StackProps
 } from "aws-cdk-lib"
-import {FlowLogDestination, IpAddresses, Vpc} from "aws-cdk-lib/aws-ec2"
+import {
+  CfnSubnet,
+  FlowLogDestination,
+  IpAddresses,
+  Vpc
+} from "aws-cdk-lib/aws-ec2"
 import {Role, ServicePrincipal} from "aws-cdk-lib/aws-iam"
 import {Key} from "aws-cdk-lib/aws-kms"
 import {LogGroup} from "aws-cdk-lib/aws-logs"
@@ -55,6 +61,30 @@ export class VpcResourcesStack extends Stack {
       }
     })
 
+    // Add cfn-guard suppressions
+    for (const subnet of vpc.publicSubnets) {
+      const cfnSubnet = subnet.node.defaultChild as CfnSubnet
+      cfnSubnet.cfnOptions.metadata = {
+        guard:
+        {
+          SuppressedRules:[
+            "SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED"
+          ]
+        }
+      }
+
+      const cfnSubnetAsChild = vpc.node.tryFindChild(subnet.node.id) as CfnResource
+      const cfnDefaultRoute = cfnSubnetAsChild.node.tryFindChild("DefaultRoute") as CfnResource
+      cfnDefaultRoute.cfnOptions.metadata = {
+        guard:
+        {
+          SuppressedRules:[
+            "NO_UNRESTRICTED_ROUTE_TO_IGW"
+          ]
+        }
+      }
+    }
+
     //Outputs
 
     //Exports