Enable AWS Solutions Checks from cdk-nag
mellevanderlinde committed Jan 25, 2025
1 parent 3c09932 commit aac8d41
Showing 5 changed files with 137 additions and 8 deletions.
3 changes: 3 additions & 0 deletions apps/infra/bin/portfolio.ts
Expand Up @@ -7,6 +7,7 @@ import {
type IAspect,
RemovalPolicy,
} from "aws-cdk-lib";
import { AwsSolutionsChecks } from "cdk-nag";
import type { IConstruct } from "constructs";
import { PortfolioStack } from "../lib/portfolio-stack";

Expand All @@ -25,4 +26,6 @@ new PortfolioStack(app, "PortfolioStack", {
region: "us-east-1", // Required, see https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
},
});

Aspects.of(app).add(new RemovalPolicyDestroyAspect());
Aspects.of(app).add(new AwsSolutionsChecks());
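Review bot: `new AwsSolutionsChecks()` on the last line runs with default options, so each failing rule surfaces as a one-line error annotation during synth without the rule's explanation. `new AwsSolutionsChecks({ verbose: true })` attaches the full rule text to every finding, which is what a reader of the CI log needs to decide between fixing the resource and adding a suppression in portfolio-stack.ts. Setting `logIgnores: true` as well keeps the suppressed findings visible as warnings, so the growing suppression list does not disappear from view.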
65 changes: 57 additions & 8 deletions apps/infra/lib/portfolio-stack.ts
Expand Up @@ -12,6 +12,7 @@ import {
aws_s3 as s3,
aws_s3_deployment as s3_deployment,
} from "aws-cdk-lib";
import { NagSuppressions } from "cdk-nag";
import type { Construct } from "constructs";

export class PortfolioStack extends Stack {
Expand All @@ -32,6 +33,13 @@ export class PortfolioStack extends Stack {
autoDeleteObjects: true,
});

NagSuppressions.addResourceSuppressions(bucket, [
{
id: "AwsSolutions-S1",
reason: "Server access logging is not required",
},
]);

const certificate = new certificatemanager.Certificate(
this,
"Certificate",
Expand Down Expand Up @@ -97,6 +105,17 @@ export class PortfolioStack extends Stack {
),
});

NagSuppressions.addResourceSuppressions(distribution, [
{
id: "AwsSolutions-CFR2",
reason: "AWS WAF is not required",
},
{
id: "AwsSolutions-CFR3",
reason: "Access logging is not required",
},
]);

const target = route53.RecordTarget.fromAlias(
new route53_targets.CloudFrontTarget(distribution),
);
Expand Down Expand Up @@ -137,13 +156,43 @@ export class PortfolioStack extends Stack {
retention: logs.RetentionDays.ONE_DAY,
});

new s3_deployment.BucketDeployment(this, "BucketDeployment", {
destinationBucket: bucket,
sources: [s3_deployment.Source.asset("../website/out")],
distribution,
distributionPaths: ["/*"],
logGroup,
memoryLimit: 2048,
});
const bucketDeployment = new s3_deployment.BucketDeployment(
this,
"BucketDeployment",
{
destinationBucket: bucket,
sources: [s3_deployment.Source.asset("../website/out")],
distribution,
distributionPaths: ["/*"],
logGroup,
memoryLimit: 2048,
},
);

NagSuppressions.addResourceSuppressionsByPath(
this,
"/PortfolioStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C2048MiB/Resource",
[
{
id: "AwsSolutions-L1",
reason: "This Lambda is managed by CDK",
},
],
);

NagSuppressions.addResourceSuppressions(
bucketDeployment.handlerRole,
[
{
id: "AwsSolutions-IAM5",
reason: "Full S3 access is required",
},
{
id: "AwsSolutions-IAM4",
reason: "Write access to CloudWatch is allowed",
},
],
true,
);
}
}
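Review bot: The `AwsSolutions-IAM5` suppression on `bucketDeployment.handlerRole` (propagated to the role's default policy by the positional `true`) is unscoped, so any wildcard action or resource that a later change adds to that role will be silenced together with the ones present today. cdk-nag's `appliesTo` field pins a suppression to named findings, e.g. `{ id: "AwsSolutions-IAM5", reason: "Full S3 access is required", appliesTo: ["Action::s3:GetObject*" /* constructed example: copy the exact entries from the synth findings */] }`, so a new wildcard still fails the check and the reason can say which bucket the access is for. The `addResourceSuppressionsByPath` call depends on a construct id that embeds a hash and the `2048MiB` memory limit, so changing `memoryLimit` or upgrading CDK changes the path and cdk-nag will report the suppression as matching no resource; a comment such as `// Path embeds the memoryLimit (2048MiB) and a CDK hash; update it if either changes` would save the next maintainer a search. The positional boolean would also read better as `/* applyToChildren */ true`.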
1 change: 1 addition & 0 deletions apps/infra/package.json
Expand Up @@ -13,6 +13,7 @@
"devDependencies": {
"@types/node": "^22.10.10",
"aws-cdk": "^2.177.0",
"cdk-nag": "^2.35.0",
"ts-node": "^10.9.2",
"typescript": "^5.7.3",
"vitest": "^3.0.4"
62 changes: 62 additions & 0 deletions apps/infra/test/__snapshots__/stack.test.ts.snap
Expand Up @@ -72,6 +72,16 @@ exports[`Match with snapshot 1`] = `
},
"Bucket83908E77": {
"DeletionPolicy": "Delete",
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-S1",
"reason": "Server access logging is not required",
},
],
},
},
"Properties": {
"BucketName": "mellevanderlinde.com",
"PublicAccessBlockConfiguration": {
Expand Down Expand Up @@ -314,6 +324,16 @@ exports[`Match with snapshot 1`] = `
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C2048MiBServiceRoleDefaultPolicy5D765796",
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C2048MiBServiceRoleB37F9ACF",
],
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-L1",
"reason": "This Lambda is managed by CDK",
},
],
},
},
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-012345678912-us-east-1",
Expand Down Expand Up @@ -348,6 +368,20 @@ exports[`Match with snapshot 1`] = `
"Type": "AWS::Lambda::Function",
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C2048MiBServiceRoleB37F9ACF": {
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-IAM5",
"reason": "Full S3 access is required",
},
{
"id": "AwsSolutions-IAM4",
"reason": "Write access to CloudWatch is allowed",
},
],
},
},
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
Expand Down Expand Up @@ -379,6 +413,20 @@ exports[`Match with snapshot 1`] = `
"Type": "AWS::IAM::Role",
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C2048MiBServiceRoleDefaultPolicy5D765796": {
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-IAM5",
"reason": "Full S3 access is required",
},
{
"id": "AwsSolutions-IAM4",
"reason": "Write access to CloudWatch is allowed",
},
],
},
},
"Properties": {
"PolicyDocument": {
"Statement": [
Expand Down Expand Up @@ -530,6 +578,20 @@ exports[`Match with snapshot 1`] = `
"Type": "AWS::IAM::Role",
},
"Distribution830FAC52": {
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-CFR2",
"reason": "AWS WAF is not required",
},
{
"id": "AwsSolutions-CFR3",
"reason": "Access logging is not required",
},
],
},
},
"Properties": {
"DistributionConfig": {
"Aliases": [
14 changes: 14 additions & 0 deletions pnpm-lock.yaml

