/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
import { CfnResource, Stack } from 'aws-cdk-lib';
import { IConstruct } from 'constructs';
import { NagPackSuppression } from './models/nag-suppression';
import { NagSuppressionHelper } from './utils/nag-suppression-helper';
/**
* Helper class with methods to add cdk-nag suppressions to cdk resources
*/
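export class NagSuppressions {
  /**
   * Apply cdk-nag suppressions to a Stack and optionally nested stacks.
   *
   * Suppressions are written into each stack's template metadata under the
   * `cdk_nag` key, so they are carried in the synthesized template where a
   * reviewer can see what was suppressed and why. Validation is delegated to
   * `NagSuppressionHelper.assertSuppressionsAreValid` before any metadata is
   * written for a given stack.
   *
   * @param stack The Stack to apply the suppression to
   * @param suppressions A list of suppressions to apply to the stack
   * @param applyToNestedStacks Apply the suppressions to children stacks (default:false)
   */
  static addStackSuppressions(
    stack: Stack,
    suppressions: NagPackSuppression[],
    applyToNestedStacks: boolean = false
  ): void {
    // findAll() yields the root construct as well as its descendants, so the
    // parent stack is covered in both branches.
    const targets = applyToNestedStacks
      ? stack.node.findAll().filter((x): x is Stack => x instanceof Stack)
      : [stack];
    for (const target of targets) {
      NagSuppressionHelper.assertSuppressionsAreValid(
        target.node.id,
        suppressions
      );
      const existing = target.templateOptions.metadata?.cdk_nag ?? {};
      const merged = NagSuppressionHelper.addRulesToMetadata(
        existing,
        suppressions
      );
      // templateOptions.metadata may still be unset on a fresh stack.
      if (!target.templateOptions.metadata) {
        target.templateOptions.metadata = {};
      }
      target.templateOptions.metadata.cdk_nag = merged;
    }
  }
  /**
   * Add cdk-nag suppressions to a CfnResource and optionally its children.
   *
   * For each candidate construct the L1 `defaultChild` is preferred (the
   * CfnResource behind an L2 construct); the construct itself is used when it
   * has no default child. Constructs that do not resolve to a CfnResource are
   * skipped silently. Suppressions are merged into the resource's existing
   * `cdk_nag` metadata rather than replacing it.
   *
   * @param construct The IConstruct to apply the suppression to
   * @param suppressions A list of suppressions to apply to the resource
   * @param applyToChildren Apply the suppressions to children CfnResources (default:false)
   */
  static addResourceSuppressions(
    construct: IConstruct,
    suppressions: NagPackSuppression[],
    applyToChildren: boolean = false
  ): void {
    NagSuppressionHelper.assertSuppressionsAreValid(
      construct.node.id,
      suppressions
    );
    const candidates = applyToChildren
      ? construct.node.findAll()
      : [construct];
    for (const candidate of candidates) {
      // defaultChild is an object or undefined, so `??` is equivalent to the
      // truthiness check and reads as intended.
      const possibleL1 = candidate.node.defaultChild ?? candidate;
      // `instanceof` already narrows possibleL1; no cast is needed.
      if (possibleL1 instanceof CfnResource) {
        const merged = NagSuppressionHelper.addRulesToMetadata(
          possibleL1.getMetadata('cdk_nag'),
          suppressions
        );
        possibleL1.addMetadata('cdk_nag', merged);
      }
    }
  }
  /**
   * Add cdk-nag suppressions to a CfnResource and optionally its children via
   * its path.
   *
   * Every construct in the stack whose `node.path` equals the given path, or
   * whose `<node.path>/Resource` equals it, receives the suppressions through
   * `addResourceSuppressions`. A single leading `/` in `path` is ignored.
   *
   * @param stack The Stack the construct belongs to
   * @param path The path to the construct in the provided stack
   * @param suppressions A list of suppressions to apply to the resource
   * @param applyToChildren Apply the suppressions to children CfnResources (default:false)
   * @throws Error when no construct in the stack matches `path`
   */
  static addResourceSuppressionsByPath(
    stack: Stack,
    path: string,
    suppressions: NagPackSuppression[],
    applyToChildren: boolean = false
  ): void {
    // The normalization does not depend on the loop variable; do it once.
    const normalizedPath = path.replace(/^\//, '');
    let matched = false;
    for (const child of stack.node.findAll()) {
      // Accept both the construct's own path and its "<path>/Resource" L1 child.
      const isMatch =
        child.node.path === normalizedPath ||
        `${child.node.path}/Resource` === normalizedPath;
      if (isMatch) {
        NagSuppressions.addResourceSuppressions(
          child,
          suppressions,
          applyToChildren
        );
        matched = true;
      }
    }
    if (!matched) {
      throw new Error(
        `Suppression path "${path}" did not match any resource. This can occur when a resource does not exist or if a suppression is applied before a resource is created.`
      );
    }
  }
}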