From 50e7d85303e77fffbba1e7d4e25b27052d8252f7 Mon Sep 17 00:00:00 2001
From: Marko Malenic
Date: Fri, 22 Mar 2024 13:24:14 +1100
Subject: [PATCH] fix(filemanager): cdk nag warnings

---
 .../components/cdk_resource_invoke.ts | 10 +++----
 .../stateful/event_source/component.ts | 3 +-
 lib/workload/stateless/filemanager/Cargo.lock | 30 +++++++++----------
 .../deploy/constructs/functions/ingest.ts | 4 +--
 test/stateless/cdkResourceInvoke.test.ts | 2 +-
 test/stateless/stateless-deployment.test.ts | 25 ++++++++++++++++
 6 files changed, 49 insertions(+), 25 deletions(-)

diff --git a/lib/workload/components/cdk_resource_invoke.ts b/lib/workload/components/cdk_resource_invoke.ts
index aba018533..ab127dab7 100644
--- a/lib/workload/components/cdk_resource_invoke.ts
+++ b/lib/workload/components/cdk_resource_invoke.ts
@@ -111,13 +111,10 @@ export class CdkResourceInvoke extends Construct {
 const role = new Role(this, 'AwsCustomResourceRole', {
 assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
 });
+ const lambdaResource = `arn:aws:lambda:${stack.region}:${stack.account}:function:${stackHash}-ResourceInvokeFunction-${props.id}`;
 role.addToPolicy(
 new PolicyStatement({
- resources: [
- // This needs to have permissions to run any `ResourceInvokeFunction` because it is deployed as a
- // singleton Lambda function.
- `arn:aws:lambda:${stack.region}:${stack.account}:function:${stackHash}-ResourceInvokeFunction-*`,
- ],
+ resources: [lambdaResource],
 actions: ['lambda:InvokeFunction'],
 })
 );
@@ -128,11 +125,12 @@ export class CdkResourceInvoke extends Construct {
 
 this._customResource = new AwsCustomResource(this, 'AwsCustomResource', {
 policy: AwsCustomResourcePolicy.fromSdkCalls({
- resources: AwsCustomResourcePolicy.ANY_RESOURCE,
+ resources: [lambdaResource],
 }),
 onUpdate: sdkCall,
 role: role,
 vpc: props.vpc,
+ installLatestAwsSdk: true,
 vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_EGRESS },
 });
 
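Review bot: The comment deleted together with the wildcard ARN was the only text explaining how this ARN relates to the singleton `ResourceInvokeFunction`, and the new `lambdaResource` line carries no replacement, so the coupling between this string and the function's actual name is now implicit. A one-line comment above it, `// Must match the function name given to the ResourceInvokeFunction singleton (see the function definition); the unit test asserts on this suffix.`, keeps the two from drifting apart. I assume the function is named from the same `stackHash`/`props.id` pair elsewhere in this file; that code is outside the hunk, as is the rest of the constructor.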
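Review bot: `installLatestAwsSdk: true` makes the custom-resource handler fetch the current AWS SDK at run time (via npm, in the CDK implementation) instead of using the SDK bundled with the Lambda runtime, which adds an unpinned, network-fetched dependency to every deployment and relies on the egress that the PRIVATE_WITH_EGRESS subnets provide. Nothing in the hunk says why the bundled SDK is insufficient for `sdkCall`; if it is, record it, e.g. `// installLatestAwsSdk: the runtime's bundled SDK lacks <what is missing>, so the handler downloads the latest at run time (needs egress).`, otherwise leave the option off. Narrowing `fromSdkCalls` from `ANY_RESOURCE` to `[lambdaResource]` is the right direction. The constructor continues before and after the hunk.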
diff --git a/lib/workload/stateful/event_source/component.ts b/lib/workload/stateful/event_source/component.ts
index 3df7e30c5..e264954e1 100644
--- a/lib/workload/stateful/event_source/component.ts
+++ b/lib/workload/stateful/event_source/component.ts
@@ -55,9 +55,10 @@ export class EventSource extends Construct {
 constructor(scope: Construct, id: string, props: EventSourceProps) {
 super(scope, id);
 
- this.deadLetterQueue = new Queue(this, 'DeadLetterQueue');
+ this.deadLetterQueue = new Queue(this, 'DeadLetterQueue', { enforceSSL: true });
 this.queue = new Queue(this, 'Queue', {
 queueName: props.queueName,
+ enforceSSL: true,
 deadLetterQueue: {
 maxReceiveCount: props.maxReceiveCount,
 queue: this.deadLetterQueue,
diff --git a/lib/workload/stateless/filemanager/Cargo.lock b/lib/workload/stateless/filemanager/Cargo.lock
index 90fb65303..2a9cff897 100644
--- a/lib/workload/stateless/filemanager/Cargo.lock
+++ b/lib/workload/stateless/filemanager/Cargo.lock
@@ -188,9 +188,9 @@ dependencies = [
 
 [[package]]
 name = "aws-sdk-s3"
-version = "1.19.1"
+version = "1.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54dd36a773ad90e8ae6b8464e51af0312b5422418ae1fd80c7a647975e1846b6"
+checksum = "c2090d4e1455988a3a09a3a695c66de0feef49ebbc3f87bf49a7344308bc5656"
 dependencies = [
 "ahash",
 "aws-credential-types",
@@ -533,9 +533,9 @@ dependencies = [
 
 [[package]]
 name = "backtrace"
-version = "0.3.69"
+version = "0.3.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837"
+checksum = "95d8e92cac0961e91dbd517496b00f7e9b92363dbe6d42c3198268323798860c"
 dependencies = [
 "addr2line",
 "cc",
@@ -582,9 +582,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
 [[package]]
 name = "bitflags"
-version = "2.4.2"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf"
+checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1"
 dependencies = [
 "serde",
 ]
@@ -2216,11 +2216,11 @@ dependencies = [
 
 [[package]]
 name = "rustix"
-version = "0.38.31"
+version = "0.38.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ea3e1a662af26cd7a3ba09c0297a31af215563ecf42817c98df621387f4e949"
+checksum = "65e04861e65f21776e67888bfbea442b3642beaa0138fdb1dd7a84a52dffdb89"
 dependencies = [
- "bitflags 2.4.2",
+ "bitflags 2.5.0",
 "errno",
 "libc",
 "linux-raw-sys",
@@ -2508,9 +2508,9 @@ dependencies = [
 
 [[package]]
 name = "smallvec"
-version = "1.13.1"
+version = "1.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7"
+checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
 
 [[package]]
 name = "socket2"
@@ -2672,7 +2672,7 @@ checksum = "1ed31390216d20e538e447a7a9b959e06ed9fc51c37b514b46eb758016ecd418"
 dependencies = [
 "atoi",
 "base64",
- "bitflags 2.4.2",
+ "bitflags 2.5.0",
 "byteorder",
 "bytes",
 "chrono",
@@ -2716,7 +2716,7 @@ checksum = "7c824eb80b894f926f89a0b9da0c7f435d27cdd35b8c655b114e58223918577e"
 dependencies = [
 "atoi",
 "base64",
- "bitflags 2.4.2",
+ "bitflags 2.5.0",
 "byteorder",
 "chrono",
 "crc",
@@ -3135,9 +3135,9 @@ checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
 
 [[package]]
 name = "uuid"
-version = "1.7.0"
+version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f00cc9702ca12d3c81455259621e676d0f7251cec66a21e98fe2e9a37db93b2a"
+checksum = "a183cf7feeba97b4dd1c0d46788634f6221d87fa961b305bed08c851829efcc0"
 dependencies = [
 "atomic",
 "getrandom",
diff --git a/lib/workload/stateless/filemanager/deploy/constructs/functions/ingest.ts b/lib/workload/stateless/filemanager/deploy/constructs/functions/ingest.ts
index 9af453e2f..9e2ba4417 100644
--- a/lib/workload/stateless/filemanager/deploy/constructs/functions/ingest.ts
+++ b/lib/workload/stateless/filemanager/deploy/constructs/functions/ingest.ts
@@ -34,8 +34,8 @@ export class IngestFunction extends fn.Function {
 });
 props.buckets.map((bucket) => {
 this.addToPolicy(new PolicyStatement({
- actions: ['s3:List*', 's3:Get*'],
- resources: [`arn:aws:s3:::${bucket}/*`],
+ actions: ['s3:ListBucket', 's3:GetObject'],
+ resources: [`arn:aws:s3:::${bucket}`, `arn:aws:s3:::${bucket}/*`],
 }));
 })
 }
diff --git a/test/stateless/cdkResourceInvoke.test.ts b/test/stateless/cdkResourceInvoke.test.ts
index 862c94c32..05a97721b 100644
--- a/test/stateless/cdkResourceInvoke.test.ts
+++ b/test/stateless/cdkResourceInvoke.test.ts
@@ -62,7 +62,7 @@ test('Test CdkResourceInvoke', () => {
 Resource: {
 'Fn::Join': [
 '',
- Match.arrayWith([`:function:${expectedHash}-ResourceInvokeFunction-*`]),
+ Match.arrayWith([`:function:${expectedHash}-ResourceInvokeFunction-TestFunction`]),
 ],
 },
 },
diff --git a/test/stateless/stateless-deployment.test.ts b/test/stateless/stateless-deployment.test.ts
index 3bb03111d..e63e45c6b 100644
--- a/test/stateless/stateless-deployment.test.ts
+++ b/test/stateless/stateless-deployment.test.ts
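Review bot: The rewritten statement in ingest.ts still pairs both actions with both resources, so `s3:ListBucket` is granted on `${bucket}/*` and `s3:GetObject` on the bucket ARN; neither combination is meaningful, and the object-level `/*` wildcard is what the new IAM5 suppression in the test file has to excuse. Splitting it into one statement per action scopes each to the resource it applies to and keeps the wildcard to the single statement that needs it. The loop also uses `props.buckets.map` purely for its side effect; `forEach` states the intent. I assume bucket contents are not SSE-KMS encrypted, since no `kms:Decrypt` is granted — worth confirming. The constructor starts before the hunk.
```typescript
    props.buckets.forEach((bucket) => {
      // Listing is a bucket-level action; reading objects is object-level,
      // so each action is scoped to the ARN it actually applies to.
      this.addToPolicy(new PolicyStatement({
        actions: ['s3:ListBucket'],
        resources: [`arn:aws:s3:::${bucket}`],
      }));
      this.addToPolicy(new PolicyStatement({
        actions: ['s3:GetObject'],
        resources: [`arn:aws:s3:::${bucket}/*`],
      }));
    });
```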
@@ -99,6 +99,17 @@ function applyNagSuppression(stackId: string, stack: Stack) {
 true
 );
 
+ NagSuppressions.addStackSuppressions(
+ stack,
+ [
+ {
+ id: 'AwsSolutions-L1',
+ reason: "'AwsCustomResource' is out of date",
+ },
+ ],
+ true
+ );
+
 
 // for each stack specific
 switch (stackId) {
@@ -117,6 +128,20 @@ function applyNagSuppression(stackId: string, stack: Stack) {
 );
 break;
 
+ case 'Filemanager':
+ NagSuppressions.addResourceSuppressions(
+ stack,
+ [
+ {
+ id: 'AwsSolutions-IAM5',
+ reason: "'*' is required to access objects in the indexed bucket by filemanager",
+ appliesTo: ['Resource::arn:aws:s3:::org.umccr.data.oncoanalyser/*'],
+ },
+ ],
+ true
+ );
+ break;
+
 default:
 break;
 }
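Review bot: The new `addStackSuppressions(stack, [{ id: 'AwsSolutions-L1', ... }], true)` call silences the L1 rule for every Lambda function in the stack, while the reason only concerns the `AwsCustomResource` provider; a filemanager function left on an outdated runtime would no longer be reported. Scope it to the provider instead, e.g. `NagSuppressions.addResourceSuppressionsByPath(stack, '<construct path of the AwsCustomResource provider function>', [{ id: 'AwsSolutions-L1', reason: "'AwsCustomResource' is out of date" }], true)`, so the rest of the stack stays covered by the rule. `applyNagSuppression` starts before the hunk and continues after it.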
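Review bot: The `appliesTo` entry in the new `case 'Filemanager':` branch hard-codes one bucket, `org.umccr.data.oncoanalyser`, while the IngestFunction grants access to every entry of `props.buckets`; if that list changes, the suppression silently stops matching and the IAM5 finding fails the test, or a second bucket's wildcard goes unexplained. Derive the list from the same bucket configuration the stack is built from, e.g. `appliesTo: <bucketNames>.map((b) => 'Resource::arn:aws:s3:::' + b + '/*')`, so the suppression cannot drift from the policy it excuses. The function continues outside the hunk.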