fix(aws-s3-sqs): Added logic to suppress cfn_nag warnings for S3 buck…
…et notifications.
danielmatuki committed Nov 25, 2020
1 parent 1089629 commit bc37eed
Showing 7 changed files with 205 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,9 @@ import * as sqs from '@aws-cdk/aws-sqs';
import * as s3 from '@aws-cdk/aws-s3';
import * as defaults from '@aws-solutions-constructs/core';
import * as s3n from '@aws-cdk/aws-s3-notifications';
import { Construct } from '@aws-cdk/core';
import { Construct, Stack } from '@aws-cdk/core';
import * as lambda from '@aws-cdk/aws-lambda';
import * as iam from '@aws-cdk/aws-iam';

/**
* @summary The properties for the S3ToSqs class.
Expand Down Expand Up @@ -148,6 +150,40 @@ export class S3ToSqs extends Construct {

// Setup the S3 bucket event notifications
s3EventTypes.forEach(type => bucket.addEventNotification(type, new s3n.SqsDestination(this.sqsQueue), ...s3Eventfilters));

this.addCfnNagSuppress();
}

private addCfnNagSuppress() {
const root = Stack.of(this);
const logicalId = 'BucketNotificationsHandler050a0587b7544547bf325f094a3db834';
const notificationsResourceHandler = root.node.tryFindChild(logicalId) as lambda.Function;
const notificationsResourceHandlerRoleRole = notificationsResourceHandler.node.findChild('Role') as iam.Role;
const notificationsResourceHandlerRolePolicy = notificationsResourceHandlerRoleRole.node.findChild('DefaultPolicy') as iam.Policy;

// Extract the CfnFunction from the Function
const fnResource = notificationsResourceHandler.node.findChild('Resource') as lambda.CfnFunction;

fnResource.cfnOptions.metadata = {
cfn_nag: {
rules_to_suppress: [{
id: 'W58',
reason: `Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role`
}]
}
};

// Extract the CfnPolicy from the iam.Policy
const policyResource = notificationsResourceHandlerRolePolicy.node.findChild('Resource') as iam.CfnPolicy;

policyResource.cfnOptions.metadata = {
cfn_nag: {
rules_to_suppress: [{
id: 'W12',
reason: `Bucket resource is '*' due to circular dependency with bucket and role creation at the same time`
}]
}
};
}

private hasQueueEncryptionProperties(queueProps: sqs.QueueProps | undefined) {
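Review bot: In addCfnNagSuppress, `root.node.tryFindChild(logicalId) as lambda.Function` casts away the `undefined` that tryFindChild returns when no child has that id, so the next line's `.node.findChild('Role')` fails with a bare TypeError rather than a clear message whenever the handler is not under that exact id — and the id is a constant owned by the CDK library, not by this package, so a dependency upgrade can silently change it. Narrow instead of casting and make the suppression best-effort: `const notificationsResourceHandler = root.node.tryFindChild(logicalId) as lambda.Function | undefined;` followed by `if (notificationsResourceHandler === undefined) { return; }`. The two `cfnOptions.metadata = {...}` assignments also overwrite any metadata already present on these resources, which appear to be shared by every bucket in the stack since they are looked up from `Stack.of(this)`; `fnResource.addMetadata('cfn_nag', {...})` (and likewise for policyResource) would only set the cfn_nag key and leave other keys intact. The constructor that calls addCfnNagSuppress starts outside the hunk.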
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@
"@aws-cdk/aws-s3": "0.0.0",
"@aws-cdk/aws-s3-notifications": "0.0.0",
"@aws-cdk/aws-sqs": "0.0.0",
"@aws-cdk/aws-lambda": "0.0.0",
"@aws-cdk/aws-iam": "0.0.0",
"@aws-cdk/aws-kms": "0.0.0",
"@aws-cdk/core": "0.0.0",
"@aws-solutions-constructs/core": "0.0.0",
Expand All @@ -75,6 +77,8 @@
"@aws-cdk/aws-s3": "0.0.0",
"@aws-cdk/aws-s3-notifications": "0.0.0",
"@aws-cdk/aws-sqs": "0.0.0",
"@aws-cdk/aws-lambda": "0.0.0",
"@aws-cdk/aws-iam": "0.0.0",
"@aws-cdk/aws-kms": "0.0.0",
"@aws-cdk/core": "0.0.0",
"@aws-solutions-constructs/core": "0.0.0",
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,16 @@ Object {
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC",
],
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role",
},
],
},
},
"Properties": Object {
"Code": Object {
"ZipFile": "exports.handler = (event, context) => {
Expand Down Expand Up @@ -121,6 +131,16 @@ Object {
"Type": "AWS::IAM::Role",
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object {
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time",
},
],
},
},
"Properties": Object {
"PolicyDocument": Object {
"Statement": Array [
Expand Down Expand Up @@ -615,6 +635,16 @@ Object {
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC",
],
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role",
},
],
},
},
"Properties": Object {
"Code": Object {
"ZipFile": "exports.handler = (event, context) => {
Expand Down Expand Up @@ -728,6 +758,16 @@ Object {
"Type": "AWS::IAM::Role",
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object {
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time",
},
],
},
},
"Properties": Object {
"PolicyDocument": Object {
"Statement": Array [
Expand Down Expand Up @@ -1084,6 +1124,16 @@ Object {
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC",
],
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role",
},
],
},
},
"Properties": Object {
"Code": Object {
"ZipFile": "exports.handler = (event, context) => {
Expand Down Expand Up @@ -1197,6 +1247,16 @@ Object {
"Type": "AWS::IAM::Role",
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object {
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time",
},
],
},
},
"Properties": Object {
"PolicyDocument": Object {
"Statement": Array [
Expand Down Expand Up @@ -1705,6 +1765,16 @@ Object {
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC",
],
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role",
},
],
},
},
"Properties": Object {
"Code": Object {
"ZipFile": "exports.handler = (event, context) => {
Expand Down Expand Up @@ -1818,6 +1888,16 @@ Object {
"Type": "AWS::IAM::Role",
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object {
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time",
},
],
},
},
"Properties": Object {
"PolicyDocument": Object {
"Statement": Array [
Original file line number Diff line number Diff line change
Expand Up @@ -529,6 +529,16 @@
"Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
}
]
},
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time"
}
]
}
}
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": {
Expand All @@ -551,7 +561,17 @@
"DependsOn": [
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
]
],
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role"
}
]
}
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -428,6 +428,16 @@
"Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
}
]
},
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time"
}
]
}
}
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": {
Expand All @@ -450,7 +460,17 @@
"DependsOn": [
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
]
],
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role"
}
]
}
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -512,6 +512,16 @@
"Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
}
]
},
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time"
}
]
}
}
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": {
Expand All @@ -534,7 +544,17 @@
"DependsOn": [
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
]
],
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role"
}
]
}
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -512,6 +512,16 @@
"Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
}
]
},
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time"
}
]
}
}
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": {
Expand All @@ -534,7 +544,17 @@
"DependsOn": [
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
"BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC"
]
],
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W58",
"reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role"
}
]
}
}
}
}
}
