From 79d54a410e3c5ed08515d85c966ae211ccdb7bc7 Mon Sep 17 00:00:00 2001
From: Alexis Lucattini <Alexis.Lucattini@umccr.org>
Date: Sat, 2 Nov 2024 11:27:50 +1100
Subject: [PATCH] Nag suppression add resource suppressions after creation of
 Ora Container Image

---
 .../index.ts                                  | 34 +++++++++----------
 .../ora-decompression-manager/deploy/index.ts |  1 -
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/lib/workload/components/ora-file-decompression-fq-pair-sfn/index.ts b/lib/workload/components/ora-file-decompression-fq-pair-sfn/index.ts
index ef3e47f4b..1898abd61 100644
--- a/lib/workload/components/ora-file-decompression-fq-pair-sfn/index.ts
+++ b/lib/workload/components/ora-file-decompression-fq-pair-sfn/index.ts
@@ -59,23 +59,6 @@ export class OraDecompressionConstruct extends Construct {
       },
     });
 
-    // FIXME - cdk nag error on fargate task definition role
-    // {
-    //   "Action": "ecr:GetAuthorizationToken",
-    //   "Effect": "Allow",
-    //   "Resource": "*"
-    // },
-    NagSuppressions.addResourceSuppressions(
-      taskDefinition,
-      [
-        {
-          id: 'AwsSolutions-IAM5',
-          reason: 'Fargate has GetAuthorizationToken permission on all resources by default',
-        },
-      ],
-      true
-    );
-
     // Add permission to task role
     const icav2SecretObj = secretsManager.Secret.fromSecretNameV2(
       this,
@@ -119,6 +102,23 @@ export class OraDecompressionConstruct extends Construct {
     // Allow step function to run the ECS task
     taskDefinition.grantRun(this.sfnObject);
 
+    // FIXME - cdk nag error on fargate task definition role
+    // {
+    //   "Action": "ecr:GetAuthorizationToken",
+    //   "Effect": "Allow",
+    //   "Resource": "*"
+    // },
+    NagSuppressions.addResourceSuppressions(
+      taskDefinition,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason: 'Fargate has GetAuthorizationToken permission on all resources by default',
+        },
+      ],
+      true
+    );
+
     /* Grant the state machine access to monitor the tasks */
     this.sfnObject.addToRolePolicy(
       new iam.PolicyStatement({
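Review bot: The relocated `NagSuppressions.addResourceSuppressions(taskDefinition, [...], true)` call silences every `AwsSolutions-IAM5` finding on the task definition and its children, not only the `ecr:GetAuthorizationToken` statement quoted in the comment above it. cdk-nag appears to apply child suppressions to the constructs that exist when the call runs, so placing it after the secret and `grantRun` wiring (partly outside this hunk) likely widens what is covered. Any wildcard action or resource added to the task or execution role in that stretch would then pass unflagged. Narrow the entry with `appliesTo: ['Resource::*']`, and replace the `FIXME` with a reason stating that `ecr:GetAuthorizationToken` does not support resource-level permissions. The constructor body starts and ends outside the hunk, so the exact finding ids should be confirmed against the synthesized nag report.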
diff --git a/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts b/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts
index a208b693b..637ae52c5 100644
--- a/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts
+++ b/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts
@@ -1,6 +1,5 @@
 import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
-import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as events from 'aws-cdk-lib/aws-events';
 import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager';
 import { OraDecompressionConstruct } from '../../../../components/ora-file-decompression-fq-pair-sfn';