add nag supression

anthony-nhs · anthony-nhs · commit 559d66661693 · 2024-12-03T21:08:43.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -0,0 +1,115 @@
+
+import {Stack} from "aws-cdk-lib"
+import {NagPackSuppression, NagSuppressions} from "cdk-nag"
+
+export const nagSuppressions = (stack: Stack) => {
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/ECRDockerEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM4",
+        reason: "Suppress error for using AWS managed policy. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/AWS679f53fac002430cb0da5b7982bd2287/Resource",
+    [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Suppress error for using not using latest runtime. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/ECREndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/SecretManagerEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/CloudWatchEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/CloudWatchLogsEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/CloudWatchEventsEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/SSMEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+}
+
+const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {
+  try {
+    NagSuppressions.addResourceSuppressionsByPath(stack, path, suppressions)
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  } catch(err){
+    console.log(`Could not find path ${path}`)
+  }
+}
diff --git a/packages/cdk/stacks/VpcResourcesStack.ts b/packages/cdk/stacks/VpcResourcesStack.ts
@@ -22,6 +22,8 @@ import {Key} from "aws-cdk-lib/aws-kms"
 import {LogGroup} from "aws-cdk-lib/aws-logs"
 import {AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId} from "aws-cdk-lib/custom-resources"
 
+import {nagSuppressions} from "../nagSuppressions"
+
 export interface VpcResourcesStackProps extends StackProps{
   readonly version: string
   readonly availabilityZones: [string]
@@ -147,6 +149,8 @@ export class VpcResourcesStack extends Stack {
       exportName: `${props.stackName}:PrivateSubnets`
     })
 
+    nagSuppressions(this)
+
   }
 
   private addInterfaceEndpoint(name: string, awsService: InterfaceVpcEndpointAwsService): void {
