Base. Added cdk-nag to app.ts and more run commends to package.json

Author: vlasonfa

lib/base/app.ts

@@ -2,6 +2,7 @@
 import 'dotenv/config'
 import 'source-map-support/register';
 import * as cdk from 'aws-cdk-lib';
+import * as nag from "cdk-nag";
 import * as config from "./lib/config/baseConfig";
 import {BaseCommonStack} from "./lib/common-stack";
 import {BaseSingleNodeStack} from "./lib/single-node-stack";
@@ -48,3 +49,12 @@ new BaseHANodesStack(app, "base-ha-nodes", {
   heartBeatDelayMin: config.haNodeConfig.heartBeatDelayMin,
   numberOfNodes: config.haNodeConfig.numberOfNodes
 });
+
+// Security Check
+cdk.Aspects.of(app).add(
+  new nag.AwsSolutionsChecks({
+      verbose: false,
+      reports: true,
+      logIgnores: false,
+  })
+);

lib/base/lib/constructs/base-node-security-group.ts

@@ -1,6 +1,7 @@
 import * as cdk from "aws-cdk-lib";
 import * as cdkConstructs from 'constructs';
 import * as ec2 from "aws-cdk-lib/aws-ec2";
+import * as nag from "cdk-nag";
 
 export interface BaseNodeSecurityGroupConstructProps {
     vpc: cdk.aws_ec2.IVpc;
@@ -35,5 +36,20 @@ export interface BaseNodeSecurityGroupConstructProps {
       sg.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.udpRange(13001, 65535), "All outbound connections except 13000");
 
       this.securityGroup = sg
+
+      /**
+      * cdk-nag suppressions
+      */
+
+      nag.NagSuppressions.addResourceSuppressions(
+        this,
+        [
+            {
+                id: "AwsSolutions-EC23",
+                reason: "Ethereum requires wildcard inbound for specific ports",
+            },
+        ],
+        true
+      );
     }
   }

lib/base/package.json

@@ -9,7 +9,10 @@
     "cdk_deploy_common": "cdk deploy base-common",
     "cdk_synth_single_node": "cdk synth base-single-node",
     "cdk_deploy_single_node": "cdk deploy base-single-node",
-    "cdk_destroy_single_node": "cdk destroy base-single-node"
+    "cdk_destroy_single_node": "cdk destroy base-single-node",
+    "cdk_synth_ha_nodes": "cdk synth base-ha-nodes",
+    "cdk_deploy_ha_nodes": "cdk deploy base-ha-nodes",
+    "cdk_destroy_ha_nodes": "cdk destroy base-ha-nodes"
   },
   "dependencies": {
     "@types/node": "^20.10.0"