From bc37eed0eb13c6a981da65c8424a52cb7b86a24b Mon Sep 17 00:00:00 2001
From: Daniel Matuki da Cunha
Date: Wed, 25 Nov 2020 09:57:32 -0800
Subject: [PATCH] fix(aws-s3-sqs): Added logic to suppress cfn_nag warnings for S3 bucket notifications.

---
 .../aws-s3-sqs/lib/index.ts | 38 ++++++++-
 .../aws-s3-sqs/package.json | 4 +
 .../__snapshots__/test.s3-sqs.test.js.snap | 80 +++++++++++++++++++
 .../test/integ.deployQueue.expected.json | 22 ++++-
 .../test/integ.existingQueue.expected.json | 22 ++++-
 .../test/integ.existingS3Bucket.expected.json | 22 ++++-
 .../test/integ.noArguments.expected.json | 22 ++++-
 7 files changed, 205 insertions(+), 5 deletions(-)

diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/lib/index.ts
index 531259ff1..e6a5b75ca 100644
--- a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/lib/index.ts
+++ b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/lib/index.ts
@@ -16,7 +16,9 @@ import * as sqs from '@aws-cdk/aws-sqs';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as defaults from '@aws-solutions-constructs/core';
 import * as s3n from '@aws-cdk/aws-s3-notifications';
-import { Construct } from '@aws-cdk/core';
+import { Construct, Stack } from '@aws-cdk/core';
+import * as lambda from '@aws-cdk/aws-lambda';
+import * as iam from '@aws-cdk/aws-iam';
 
 /**
  * @summary The properties for the S3ToSqs class.
@@ -148,6 +150,40 @@ export class S3ToSqs extends Construct {
 // Setup the S3 bucket event notifications
 s3EventTypes.forEach(type => bucket.addEventNotification(type, new s3n.SqsDestination(this.sqsQueue), ...s3Eventfilters));
+
+ this.addCfnNagSuppress();
+ }
+
+ private addCfnNagSuppress() {
+ const root = Stack.of(this);
+ const logicalId = 'BucketNotificationsHandler050a0587b7544547bf325f094a3db834';
+ const notificationsResourceHandler = root.node.tryFindChild(logicalId) as lambda.Function;
+ const notificationsResourceHandlerRoleRole = notificationsResourceHandler.node.findChild('Role') as iam.Role;
+ const notificationsResourceHandlerRolePolicy = notificationsResourceHandlerRoleRole.node.findChild('DefaultPolicy') as iam.Policy;
+
+ // Extract the CfnFunction from the Function
+ const fnResource = notificationsResourceHandler.node.findChild('Resource') as lambda.CfnFunction;
+
+ fnResource.cfnOptions.metadata = {
+ cfn_nag: {
+ rules_to_suppress: [{
+ id: 'W58',
+ reason: `Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role`
+ }]
+ }
+ };
+
+ // Extract the CfnPolicy from the iam.Policy
+ const policyResource = notificationsResourceHandlerRolePolicy.node.findChild('Resource') as iam.CfnPolicy;
+
+ policyResource.cfnOptions.metadata = {
+ cfn_nag: {
+ rules_to_suppress: [{
+ id: 'W12',
+ reason: `Bucket resource is '*' due to circular dependency with bucket and role creation at the same time`
+ }]
+ }
+ };
 }
 
 private hasQueueEncryptionProperties(queueProps: sqs.QueueProps | undefined) {
diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/package.json b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/package.json
index 4d06ff2e1..201e9671c 100644
--- a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/package.json
+++ b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/package.json
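Review bot: In `addCfnNagSuppress`, `root.node.tryFindChild(logicalId)` returns `undefined` when no child has that id, but the `as lambda.Function` cast erases that and the next line dereferences `.node` unconditionally, so synthesis would fail with an opaque TypeError rather than a clear message if the handler is absent or if the hard-coded id `BucketNotificationsHandler050a0587b7544547bf325f094a3db834` ever changes (that hash is an internal detail of aws-s3-notifications, not a public contract). Add a guard after the lookup, e.g. `if (!notificationsResourceHandler) { throw new Error('S3 bucket notifications handler not found; cannot add cfn_nag suppressions'); }`, and consider a comment on the `logicalId` line recording where the id comes from so the coupling is visible to the next maintainer. The two `cfnOptions.metadata = { ... }` assignments also replace any metadata already present on the shared, stack-level handler resources; merging with `{ ...fnResource.cfnOptions.metadata, cfn_nag: { ... } }` (and likewise for `policyResource`) would keep suppressions or metadata another construct in the same stack has already set. The enclosing constructor begins outside the hunk.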
@@ -56,6 +56,8 @@ "@aws-cdk/aws-s3": "0.0.0", "@aws-cdk/aws-s3-notifications": "0.0.0", "@aws-cdk/aws-sqs": "0.0.0", + "@aws-cdk/aws-lambda": "0.0.0", + "@aws-cdk/aws-iam": "0.0.0", "@aws-cdk/aws-kms": "0.0.0", "@aws-cdk/core": "0.0.0", "@aws-solutions-constructs/core": "0.0.0", @@ -75,6 +77,8 @@ "@aws-cdk/aws-s3": "0.0.0", "@aws-cdk/aws-s3-notifications": "0.0.0", "@aws-cdk/aws-sqs": "0.0.0", + "@aws-cdk/aws-lambda": "0.0.0", + "@aws-cdk/aws-iam": "0.0.0", "@aws-cdk/aws-kms": "0.0.0", "@aws-cdk/core": "0.0.0", "@aws-solutions-constructs/core": "0.0.0", diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/__snapshots__/test.s3-sqs.test.js.snap b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/__snapshots__/test.s3-sqs.test.js.snap index 7e0f3e47d..04e5f0771 100644 --- a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/__snapshots__/test.s3-sqs.test.js.snap +++ b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/__snapshots__/test.s3-sqs.test.js.snap @@ -8,6 +8,16 @@ Object { "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC", ], + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role", + }, + ], + }, + }, "Properties": Object { "Code": Object { "ZipFile": "exports.handler = (event, context) => { 
@@ -121,6 +131,16 @@ Object { "Type": "AWS::IAM::Role", }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object { + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time", + }, + ], + }, + }, "Properties": Object { "PolicyDocument": Object { "Statement": Array [ @@ -615,6 +635,16 @@ Object { "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC", ], + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role", + }, + ], + }, + }, "Properties": Object { "Code": Object { "ZipFile": "exports.handler = (event, context) => { @@ -728,6 +758,16 @@ Object { "Type": "AWS::IAM::Role", }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object { + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time", + }, + ], + }, + }, "Properties": Object { "PolicyDocument": Object { "Statement": Array [ 
@@ -1084,6 +1124,16 @@ Object { "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC", ], + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role", + }, + ], + }, + }, "Properties": Object { "Code": Object { "ZipFile": "exports.handler = (event, context) => { @@ -1197,6 +1247,16 @@ Object { "Type": "AWS::IAM::Role", }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object { + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time", + }, + ], + }, + }, "Properties": Object { "PolicyDocument": Object { "Statement": Array [ @@ -1705,6 +1765,16 @@ Object { "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC", ], + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role", + }, + ], + }, + }, "Properties": Object { "Code": Object { "ZipFile": "exports.handler = (event, context) => { 
@@ -1818,6 +1888,16 @@ Object { "Type": "AWS::IAM::Role", }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": Object { + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time", + }, + ], + }, + }, "Properties": Object { "PolicyDocument": Object { "Statement": Array [ diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.deployQueue.expected.json b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.deployQueue.expected.json index 2900ec197..fa28ffa16 100644 --- a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.deployQueue.expected.json +++ b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.deployQueue.expected.json @@ -529,6 +529,16 @@ "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time" + } + ] + } } }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": { @@ -551,7 +561,17 @@ "DependsOn": [ "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" - ] + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role" + } + ] + } + } } } } \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingQueue.expected.json b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingQueue.expected.json index b21ab06da..802aa2878 100644 
--- a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingQueue.expected.json +++ b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingQueue.expected.json @@ -428,6 +428,16 @@ "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time" + } + ] + } } }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": { @@ -450,7 +460,17 @@ "DependsOn": [ "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" - ] + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role" + } + ] + } + } } } } \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingS3Bucket.expected.json b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingS3Bucket.expected.json index 893a9efda..2d3e56bd8 100644 --- a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingS3Bucket.expected.json +++ b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.existingS3Bucket.expected.json @@ -512,6 +512,16 @@ "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time" + } + ] + } } }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": { 
@@ -534,7 +544,17 @@ "DependsOn": [ "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" - ] + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role" + } + ] + } + } } } } \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.noArguments.expected.json b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.noArguments.expected.json index 85e75fbba..aa2b66d2e 100644 --- a/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.noArguments.expected.json +++ b/source/patterns/@aws-solutions-constructs/aws-s3-sqs/test/integ.noArguments.expected.json @@ -512,6 +512,16 @@ "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Bucket resource is '*' due to circular dependency with bucket and role creation at the same time" + } + ] + } } }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": { @@ -534,7 +544,17 @@ "DependsOn": [ "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" - ] + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "Lambda function has permission to write CloudWatch Logs via AWSLambdaBasicExecutionRole policy attached to the lambda role" + } + ] + } + } } } } \ No newline at end of file