Merge branch 'feature/postgres-manager' into fix/postgres-manager

umccr · Feb 29, 2024 · 8548733 · 8548733
2 parents 4aa5716 + 9f8e04f
commit 8548733
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/lib/workload/stateless/postgres_manager/construct/postgresManager.ts b/lib/workload/stateless/postgres_manager/construct/postgresManager.ts
@@ -98,7 +98,9 @@ export class PostgresManager extends Construct {
         new iam.PolicyStatement({
           actions: ['secretsmanager:CreateSecret', 'secretsmanager:TagResource'],
           effect: iam.Effect.ALLOW,
-          resources: ['arn:aws:secretsmanager:ap-southeast-2:*:secret:*'],
+          resources: [
+            `arn:aws:secretsmanager:ap-southeast-2:${process.env.CDK_DEFAULT_ACCOUNT}:secret:*`,
+          ],
         }),
         new iam.PolicyStatement({
           actions: ['secretsmanager:GetRandomPassword'],

diff --git a/test/stateless/stateless-deployment.test.ts b/test/stateless/stateless-deployment.test.ts
@@ -1,7 +1,7 @@
 import { App, Aspects } from 'aws-cdk-lib';
 import { Annotations, Match } from 'aws-cdk-lib/assertions';
 import { SynthesisMessage } from 'aws-cdk-lib/cx-api';
-import { AwsSolutionsChecks } from 'cdk-nag';
+import { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag';
 import { OrcaBusStatelessStack } from '../../lib/workload/orcabus-stateless-stack';
 import { getEnvironmentConfig } from '../../config/constants';
 
@@ -26,8 +26,22 @@ describe('cdk-nag-stateless-stack', () => {
     });
     Aspects.of(stack).add(new AwsSolutionsChecks());
 
-    // Suppressions (if any)
-    //  ...
+    NagSuppressions.addStackSuppressions(stack, [
+      { id: 'AwsSolutions-IAM4', reason: 'allow to use AWS managed policy' },
+    ]);
+
+    // suppress by resource
+    NagSuppressions.addResourceSuppressionsByPath(
+      stack,
+      `/TestStack/PostgresManager/CreateUserPassPostgresLambda/ServiceRole/DefaultPolicy/Resource`,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            "'*' is required for secretsmanager:GetRandomPassword and new SM ARN will contain random character",
+        },
+      ]
+    );
   });
 
   test('cdk-nag AwsSolutions Pack errors', () => {

diff --git a/tsconfig.json b/tsconfig.json
@@ -30,6 +30,7 @@
   "exclude": [
     "node_modules",
     "cdk.out",
-    "lib/workload/stateless/metadata_manager"
+    "lib/workload/stateless/metadata_manager",
+    "lib/workload/stateless/postgres_manager"
   ]
 }