updates to release v1.0.3

- Library upgrades to address security vulnerabilities.
- Fix an issue with sample workflow configurations where textract workflow was missing before any entity based detection workflow.
- Upgrade AWS Lambda runtimes to Python 3.12, Nodejs 20, and Java 21.
 - Update AWS SDK and AWS CDK versions.

Author: tabdunabi

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.3] - 2023-12-07
+
+### Updated
+
+- Library upgrades to address security vulnerabilities.
+- Fix an issue with sample workflow configurations where `textract` workflow was missing before any `entity` based detection workflow.
+- Upgrade AWS Lambda runtimes to Python 3.12, Nodejs 20, and Java 21.
+- Update AWS SDK and AWS CDK versions.
+
 ## [1.0.2] - 2023-11-09
 
 ### Updated

README.md

@@ -62,9 +62,9 @@ There are two options for deployment into your AWS account:
 
 Following are pre-requisites to build and deploy locally:
 
-- [Nodejs 18.x](https://nodejs.org/en)
-- [CDK v2.36.0](https://github.com/aws/aws-cdk)
-- [Python 3.11](https://www.python.org/)
+- [Nodejs 20.x](https://nodejs.org/en)
+- [CDK v2.113.0](https://github.com/aws/aws-cdk)
+- [Python 3.12](https://www.python.org/)
   - _Note: normal python installations should include support for `ensurepip` and `pip`; however, if running in an environment without these packages you will need to manually install them (e.g. a minimal docker image). See [pip's installation guide](https://pip.pypa.io/en/stable/installation/) for details._
 - [Java 17](https://aws.amazon.com/corretto/)
 - [Maven](https://maven.apache.org/)

deployment/build-s3-dist.sh

@@ -188,4 +188,13 @@ echo "--------------------------------------------------------------------------
 
 echo "---------------------------------------"
 echo "Executing Build Complete"
-echo "---------------------------------------"
+echo "---------------------------------------"
+echo "---------------------------------------"
+echo "Printing cdk-nag reports"
+echo "---------------------------------------"
+cd $source_dir/infrastructure/cdk.out
+for csv in `find . -name "*.csv"`; do
+    echo -e "File: $csv"
+    echo "---------------------------------------"
+    cat $csv | perl -pe 's/((?<=,)|(?<=^)),/ ,/g;' | column -t -s, | less -S    
+done

source/infrastructure/cdk.json

@@ -1,7 +1,9 @@
 {
   "app": "../pre-build-jars.sh && npx ts-node --prefer-ts-exts bin/dus.ts",
   "watch": {
-    "include": ["**"],
+    "include": [
+      "**"
+    ],
     "exclude": [
       "README.md",
       "cdk*.json",
@@ -15,23 +17,55 @@
     ]
   },
   "context": {
-    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
-    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
-    "@aws-cdk/core:stackRelativeExports": true,
-    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
-    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
-    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
     "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
     "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
-    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
     "@aws-cdk/aws-iam:minimizePolicies": true,
-    "@aws-cdk/core:target-partitions": ["aws", "aws-cn", "aws-us-gov"],
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
     "solution_id": "SO0281",
     "solution_name": "enhanced-document-understanding-on-aws",
-    "solution_version": "v1.0.1",
+    "solution_version": "v1.0.3",
     "app_namespace": "app.idp",
     "app_registry_name": "enhanced-document-understanding",
     "application_type": "AWS-Solutions",
     "application_trademark_name": "Enhanced Document Understanding on AWS"
   }
-}
+}

source/infrastructure/lib/layers/node-user-agent.ts

@@ -17,14 +17,17 @@ import { Construct } from 'constructs';
 import * as path from 'path';
 import { getCommandsForNodejsDockerBuild } from '../utils/asset-bundling';
 import { getNodejsLayerLocalBundling, LayerProps } from '../utils/common-utils';
-import { COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME } from '../utils/constants';
+import { COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME, GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME } from '../utils/constants';
 
 /**
  * A class the defines the user-agent layer Construct for Node runtimes
  */
 export class NodeUserAgentLayer extends lambda.LayerVersion {
     constructor(scope: Construct, id: string, props: LayerProps) {
-        const compatibleRuntimes = props.compatibleRuntimes ?? [lambda.Runtime.NODEJS_18_X];
+        const compatibleRuntimes = props.compatibleRuntimes ?? [
+            GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME,
+            COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME
+        ];
 
         for (const runtime of compatibleRuntimes) {
             if (runtime && runtime.family !== lambda.RuntimeFamily.NODEJS) {

source/infrastructure/lib/s3web/static-site.ts

@@ -107,6 +107,7 @@ export class StaticWebsite extends Construct {
                 defaultRootObject: 'login.html'
             }
         });
+        cloudfrontToS3.cloudFrontLoggingBucket?.node.addDependency(bucketPolicyUpdateCustomResource);
 
         const cloudfrontFunction = cloudfrontToS3.node
             .tryFindChild('SetHttpSecurityHeaders')

source/infrastructure/lib/utils/constants.ts

@@ -110,12 +110,12 @@ export const DEFAULT_WORKFLOW_CONFIG_NAME = 'default';
 
 export const SFN_TASK_TIMEOUT_MINS = 120;
 export const LAMBDA_TIMEOUT_MINS = 15;
-export const COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME: lambda.Runtime = lambda.Runtime.NODEJS_18_X;
+export const COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME: lambda.Runtime = lambda.Runtime.NODEJS_20_X;
 export const GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME: lambda.Runtime = lambda.Runtime.NODEJS_18_X;
-export const COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME: lambda.Runtime = lambda.Runtime.PYTHON_3_11;
-export const GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME: lambda.Runtime = lambda.Runtime.PYTHON_3_9;
-export const COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME: lambda.Runtime = lambda.Runtime.JAVA_17;
-export const GOV_CLOUD_REGION_LAMBDA_JAVA_RUNTIME: lambda.Runtime = lambda.Runtime.JAVA_11;
+export const COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME: lambda.Runtime = lambda.Runtime.PYTHON_3_12;
+export const GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME: lambda.Runtime = lambda.Runtime.PYTHON_3_10;
+export const COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME: lambda.Runtime = lambda.Runtime.JAVA_21;
+export const GOV_CLOUD_REGION_LAMBDA_JAVA_RUNTIME: lambda.Runtime = lambda.Runtime.JAVA_17;
 
 export const S3_UPLOAD_PREFIX = 'initial';
 export const S3_REDACTED_PREFIX = 'redacted';

source/infrastructure/lib/utils/lambda-aspect.ts

@@ -22,7 +22,15 @@ import { NodeUserAgentLayer } from '../layers/node-user-agent';
 import { PythonUserAgentLayer } from '../layers/python-user-agent';
 import { AwsNodeSdkLibLayer, Boto3SdkLibLayer } from '../layers/runtime-libs';
 import { NodejsSharedLibLayer } from '../layers/shared-lib';
-import { CloudwatchNamespace } from '../utils/constants';
+import {
+    COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME,
+    COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME,
+    COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME,
+    CloudwatchNamespace,
+    GOV_CLOUD_REGION_LAMBDA_JAVA_RUNTIME,
+    GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME,
+    GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME
+} from '../utils/constants';
 
 export interface LambdaAspectProps {
     /**
@@ -147,7 +155,7 @@ export class LambdaAspects extends Construct implements cdk.IAspect {
             this.nodejsUserAgentLayer = new NodeUserAgentLayer(this, 'NodeUserAgentLayer', {
                 entry: '../lambda/layers/aws-node-user-agent-config',
                 description: 'This layer configures AWS Node SDK initialization to send user-agent information',
-                compatibleRuntimes: [lambda.Runtime.NODEJS_18_X]
+                compatibleRuntimes: [GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME, COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME]
             });
         }
 
@@ -164,12 +172,7 @@ export class LambdaAspects extends Construct implements cdk.IAspect {
             this.pythonUserAgentLayer = new PythonUserAgentLayer(this, 'PythonUserAgentLayer', {
                 entry: '../lambda/layers/custom_boto3_init',
                 description: 'This layer configures AWS Python SDK initialization to send user-agent information',
-                compatibleRuntimes: [
-                    lambda.Runtime.PYTHON_3_8,
-                    lambda.Runtime.PYTHON_3_9,
-                    lambda.Runtime.PYTHON_3_10,
-                    lambda.Runtime.PYTHON_3_11
-                ]
+                compatibleRuntimes: [GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME, COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME]
             });
         }
 
@@ -186,7 +189,7 @@ export class LambdaAspects extends Construct implements cdk.IAspect {
             this.javaUserAgentLayer = new JavaUserAgentLayer(this, 'JavaUserAgentLayer', {
                 entry: '../lambda/layers/custom-java-sdk-config',
                 description: 'This layer configures AWS Java SDK initialization to send user-agent information',
-                compatibleRuntimes: [lambda.Runtime.JAVA_11, lambda.Runtime.JAVA_17]
+                compatibleRuntimes: [GOV_CLOUD_REGION_LAMBDA_JAVA_RUNTIME, COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME]
             });
         }
 
@@ -204,7 +207,7 @@ export class LambdaAspects extends Construct implements cdk.IAspect {
                 entry: '../lambda/layers/common-node-lib',
                 description:
                     'This layer contains shared libraries and functions across all lambda functions to be bundled with the lambda function',
-                compatibleRuntimes: [lambda.Runtime.NODEJS_18_X]
+                compatibleRuntimes: [GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME, COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME]
             });
         }
 
@@ -221,7 +224,7 @@ export class LambdaAspects extends Construct implements cdk.IAspect {
             this.awsNodeSdkLibLayer = new AwsNodeSdkLibLayer(this, 'AwsNodeSdkLayer', {
                 entry: '../lambda/layers/aws-sdk-lib',
                 description: 'AWS Node SDK to be bundled with lambda functions',
-                compatibleRuntimes: [lambda.Runtime.NODEJS_18_X]
+                compatibleRuntimes: [GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME, COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME]
             });
         }
 
@@ -238,12 +241,7 @@ export class LambdaAspects extends Construct implements cdk.IAspect {
             this.boto3SdkLibLayer = new Boto3SdkLibLayer(this, 'Boto3Layer', {
                 entry: '../lambda/layers/aws_boto3',
                 description: 'Boto3 layer to be bundled with python lambda functions',
-                compatibleRuntimes: [
-                    lambda.Runtime.PYTHON_3_8,
-                    lambda.Runtime.PYTHON_3_9,
-                    lambda.Runtime.PYTHON_3_10,
-                    lambda.Runtime.PYTHON_3_11
-                ]
+                compatibleRuntimes: [GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME, COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME]
             });
         }
 

source/infrastructure/lib/utils/lambda-runtimes.ts

@@ -45,7 +45,7 @@ export abstract class LambdaRuntimeCommand {
 export class PythonRuntimeCommand extends LambdaRuntimeCommand {
     public getLambdaRuntime(): string {
         let runtime: string;
-        if (GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME === COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME) {
+        if (GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME.name === COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME.name) {
             runtime = COMMERCIAL_REGION_LAMBDA_PYTHON_RUNTIME.name;
         } else {
             runtime = cdk.Fn.conditionIf(
@@ -64,7 +64,7 @@ export class PythonRuntimeCommand extends LambdaRuntimeCommand {
 export class NodejsRuntimeCommand extends LambdaRuntimeCommand {
     public getLambdaRuntime(): string {
         let runtime: string;
-        if (GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME === COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME) {
+        if (GOV_CLOUD_REGION_LAMBDA_NODE_RUNTIME.name === COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME.name) {
             runtime = COMMERCIAL_REGION_LAMBDA_NODE_RUNTIME.name;
         } else {
             runtime = cdk.Fn.conditionIf(
@@ -84,7 +84,7 @@ export class NodejsRuntimeCommand extends LambdaRuntimeCommand {
 export class JavaRuntimeCommand extends LambdaRuntimeCommand {
     public getLambdaRuntime(): string {
         let runtime: string;
-        if (GOV_CLOUD_REGION_LAMBDA_JAVA_RUNTIME === COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME) {
+        if (GOV_CLOUD_REGION_LAMBDA_JAVA_RUNTIME.name === COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME.name) {
             runtime = COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME.name;
         } else {
             runtime = cdk.Fn.conditionIf(