fix(filemanager): cdk nag warnings

lib/workload/components/cdk_resource_invoke.ts

@@ -111,13 +111,10 @@ export class CdkResourceInvoke<P, F extends InvokeFunction> extends Construct {
     const role = new Role(this, 'AwsCustomResourceRole', {
       assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
     });
+    const lambdaResource = `arn:aws:lambda:${stack.region}:${stack.account}:function:${stackHash}-ResourceInvokeFunction-${props.id}`;
     role.addToPolicy(
       new PolicyStatement({
-        resources: [
-          // This needs to have permissions to run any `ResourceInvokeFunction` because it is deployed as a
-          // singleton Lambda function.
-          `arn:aws:lambda:${stack.region}:${stack.account}:function:${stackHash}-ResourceInvokeFunction-*`,
-        ],
+        resources: [lambdaResource],
         actions: ['lambda:InvokeFunction'],
       })
     );
@@ -128,11 +125,12 @@ export class CdkResourceInvoke<P, F extends InvokeFunction> extends Construct {
 
     this._customResource = new AwsCustomResource(this, 'AwsCustomResource', {
       policy: AwsCustomResourcePolicy.fromSdkCalls({
-        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
+        resources: [lambdaResource],
       }),
       onUpdate: sdkCall,
       role: role,
       vpc: props.vpc,
+      installLatestAwsSdk: true,
       vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_EGRESS },
     });
 

lib/workload/stateful/event_source/component.ts

@@ -55,9 +55,10 @@ export class EventSource extends Construct {
   constructor(scope: Construct, id: string, props: EventSourceProps) {
     super(scope, id);
 
-    this.deadLetterQueue = new Queue(this, 'DeadLetterQueue');
+    this.deadLetterQueue = new Queue(this, 'DeadLetterQueue', { enforceSSL: true });
     this.queue = new Queue(this, 'Queue', {
       queueName: props.queueName,
+      enforceSSL: true,
       deadLetterQueue: {
         maxReceiveCount: props.maxReceiveCount,
         queue: this.deadLetterQueue,

lib/workload/stateless/filemanager/deploy/constructs/functions/ingest.ts

@@ -34,8 +34,8 @@ export class IngestFunction extends fn.Function {
     });
     props.buckets.map((bucket) => {
       this.addToPolicy(new PolicyStatement({
-        actions: ['s3:List*', 's3:Get*'],
-        resources: [`arn:aws:s3:::${bucket}/*`],
+        actions: ['s3:ListBucket', 's3:GetObject'],
+        resources: [`arn:aws:s3:::${bucket}`, `arn:aws:s3:::${bucket}/*`],
       }));
     })
   }

test/stateless/cdkResourceInvoke.test.ts

@@ -62,7 +62,7 @@ test('Test CdkResourceInvoke', () => {
           Resource: {
             'Fn::Join': [
               '',
-              Match.arrayWith([`:function:${expectedHash}-ResourceInvokeFunction-*`]),
+              Match.arrayWith([`:function:${expectedHash}-ResourceInvokeFunction-TestFunction`]),
             ],
           },
         },

test/stateless/stateless-deployment.test.ts

@@ -99,6 +99,17 @@ function applyNagSuppression(stackId: string, stack: Stack) {
     true
   );
 
+  NagSuppressions.addStackSuppressions(
+    stack,
+    [
+      {
+        id: 'AwsSolutions-L1',
+        reason: "'AwsCustomResource' is out of date",
+      },
+    ],
+    true
+  );
+
   // for each stack specific
 
   switch (stackId) {
@@ -117,6 +128,20 @@ function applyNagSuppression(stackId: string, stack: Stack) {
       );
       break;
 
+    case 'Filemanager':
+      NagSuppressions.addResourceSuppressions(
+        stack,
+        [
+          {
+            id: 'AwsSolutions-IAM5',
+            reason: "'*' is required to access objects in the indexed bucket by filemanager",
+            appliesTo: ['Resource::arn:aws:s3:::org.umccr.data.oncoanalyser/*'],
+          },
+        ],
+        true
+      );
+      break;
+
     default:
       break;
   }