Fix more cfn_nag issues

awslabs · Oct 6, 2021 · 82783b8 · 82783b8
1 parent 31472a6
commit 82783b8
Show file tree

Hide file tree

Showing 8 changed files with 111 additions and 54 deletions.
diff --git a/...terns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.expected.json b/...terns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.expected.json
@@ -1,7 +1,7 @@
 {
   "Description": "Integration Test for aws-route53-alb",
   "Resources": {
-    "testroute53albtestroute53albzone04BEDFE6": {
+    "privateapistackprivateapistackzone3E5194E7": {
       "Type": "AWS::Route53::HostedZone",
       "Properties": {
         "Name": "www.example.com.",
@@ -15,7 +15,7 @@
         ]
       }
     },
-    "testroute53albtestroute53albalb7C171F50": {
+    "privateapistackprivateapistackalb7242E759": {
       "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
       "Properties": {
         "LoadBalancerAttributes": [
@@ -30,7 +30,7 @@
           {
             "Key": "access_logs.s3.bucket",
             "Value": {
-              "Ref": "testroute53albAC463A50"
+              "Ref": "privateapistack09C932BB"
             }
           },
           {
@@ -42,7 +42,7 @@
         "SecurityGroups": [
           {
             "Fn::GetAtt": [
-              "testroute53albtestroute53albalbSecurityGroupC3716E02",
+              "privateapistackprivateapistackalbSecurityGroup5A8A9725",
               "GroupId"
             ]
           }
@@ -61,14 +61,14 @@
         "Type": "application"
       },
       "DependsOn": [
-        "testroute53albPolicy478FC0AF",
-        "testroute53albAC463A50"
+        "privateapistackPolicy98558170",
+        "privateapistack09C932BB"
       ]
     },
-    "testroute53albtestroute53albalbSecurityGroupC3716E02": {
+    "privateapistackprivateapistackalbSecurityGroup5A8A9725": {
       "Type": "AWS::EC2::SecurityGroup",
       "Properties": {
-        "GroupDescription": "Automatically created Security Group for ELB deployPrivateApitestroute53albtestroute53albalb1145D1AD",
+        "GroupDescription": "Automatically created Security Group for ELB deployPrivateApiprivateapistackprivateapistackalb5DF93E18",
         "SecurityGroupEgress": [
           {
             "CidrIp": "255.255.255.255/32",
@@ -83,11 +83,21 @@
         }
       },
       "DependsOn": [
-        "testroute53albPolicy478FC0AF",
-        "testroute53albAC463A50"
-      ]
+        "privateapistackPolicy98558170",
+        "privateapistack09C932BB"
+      ],
+      "Metadata": {
+        "cfn_nag": {
+          "rules_to_suppress": [
+            {
+              "id": "W29",
+              "reason": "CDK created rule that blocks all traffic."
+            }
+          ]
+        }
+      }
     },
-    "testroute53albAC463A50": {
+    "privateapistack09C932BB": {
       "Type": "AWS::S3::Bucket",
       "Properties": {
         "BucketEncryption": {
@@ -122,11 +132,11 @@
         }
       }
     },
-    "testroute53albPolicy478FC0AF": {
+    "privateapistackPolicy98558170": {
       "Type": "AWS::S3::BucketPolicy",
       "Properties": {
         "Bucket": {
-          "Ref": "testroute53albAC463A50"
+          "Ref": "privateapistack09C932BB"
         },
         "PolicyDocument": {
           "Statement": [
@@ -148,7 +158,7 @@
                     [
                       {
                         "Fn::GetAtt": [
-                          "testroute53albAC463A50",
+                          "privateapistack09C932BB",
                           "Arn"
                         ]
                       },
@@ -158,7 +168,7 @@
                 },
                 {
                   "Fn::GetAtt": [
-                    "testroute53albAC463A50",
+                    "privateapistack09C932BB",
                     "Arn"
                   ]
                 }
@@ -191,7 +201,7 @@
                   [
                     {
                       "Fn::GetAtt": [
-                        "testroute53albAC463A50",
+                        "privateapistack09C932BB",
                         "Arn"
                       ]
                     },
@@ -209,7 +219,7 @@
         }
       }
     },
-    "testroute53albtestroute53albaliasCCC6DDF3": {
+    "privateapistackprivateapistackalias54E3713F": {
       "Type": "AWS::Route53::RecordSet",
       "Properties": {
         "Name": "www.example.com.",
@@ -222,7 +232,7 @@
                 "dualstack.",
                 {
                   "Fn::GetAtt": [
-                    "testroute53albtestroute53albalb7C171F50",
+                    "privateapistackprivateapistackalb7242E759",
                     "DNSName"
                   ]
                 }
@@ -231,13 +241,13 @@
           },
           "HostedZoneId": {
             "Fn::GetAtt": [
-              "testroute53albtestroute53albalb7C171F50",
+              "privateapistackprivateapistackalb7242E759",
               "CanonicalHostedZoneID"
             ]
           }
         },
         "HostedZoneId": {
-          "Ref": "testroute53albtestroute53albzone04BEDFE6"
+          "Ref": "privateapistackprivateapistackzone3E5194E7"
         }
       }
     },

diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.ts
@@ -15,6 +15,8 @@
 import { App, Stack, Aws } from "@aws-cdk/core";
 import { Route53ToAlb, Route53ToAlbProps } from "../lib";
 import { generateIntegStackName } from '@aws-solutions-constructs/core';
+import * as defaults from '@aws-solutions-constructs/core';
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
 
 // Setup
 const app = new App();
@@ -31,7 +33,10 @@ const props: Route53ToAlbProps = {
   }
 };
 
-new Route53ToAlb(stack, 'test-route53-alb', props);
+const testConstruct = new Route53ToAlb(stack, 'private-api-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
 
 // Synth
 app.synth();
diff --git a/...-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.expected.json b/...-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.expected.json
@@ -716,9 +716,19 @@
         "VpcId": {
           "Ref": "Vpc8378EB38"
         }
+      },
+      "Metadata": {
+        "cfn_nag": {
+          "rules_to_suppress": [
+            {
+              "id": "W29",
+              "reason": "CDK created rule that blocks all traffic."
+            }
+          ]
+        }
       }
     },
-    "testroute53albtestroute53albaliasCCC6DDF3": {
+    "publicapistackpublicapistackalias4096038C": {
       "Type": "AWS::Route53::RecordSet",
       "Properties": {
         "Name": "www.test-example.com.",

diff --git a/...tterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.ts b/...tterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.ts
@@ -18,6 +18,7 @@ import { ApplicationLoadBalancer } from "@aws-cdk/aws-elasticloadbalancingv2";
 import { PublicHostedZone } from "@aws-cdk/aws-route53";
 import { Route53ToAlb, Route53ToAlbProps } from "../lib";
 import { generateIntegStackName } from '@aws-solutions-constructs/core';
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
 
 // Setup
 const app = new App();
@@ -53,7 +54,10 @@ const props: Route53ToAlbProps = {
   existingLoadBalancerObj: existingAlb,
 };
 
-new Route53ToAlb(stack, 'test-route53-alb', props);
+const testConstruct = new Route53ToAlb(stack, 'public-api-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
 
 // Synth
 app.synth();
diff --git a/.../@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.expected.json b/.../@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.expected.json
@@ -658,7 +658,7 @@
         "Name": "www.test-example.com."
       }
     },
-    "testroute53albtestroute53albalb7C171F50": {
+    "newalbstacknewalbstackalb50B67E3E": {
       "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
       "Properties": {
         "LoadBalancerAttributes": [
@@ -673,7 +673,7 @@
           {
             "Key": "access_logs.s3.bucket",
             "Value": {
-              "Ref": "testroute53albAC463A50"
+              "Ref": "newalbstackADB02838"
             }
           },
           {
@@ -686,7 +686,7 @@
         "SecurityGroups": [
           {
             "Fn::GetAtt": [
-              "testroute53albtestroute53albalbSecurityGroupC3716E02",
+              "newalbstacknewalbstackalbSecurityGroup7BBB827C",
               "GroupId"
             ]
           }
@@ -705,17 +705,17 @@
         "Type": "application"
       },
       "DependsOn": [
-        "testroute53albPolicy478FC0AF",
-        "testroute53albAC463A50",
+        "newalbstackPolicyB7C2D898",
+        "newalbstackADB02838",
         "VpcPublicSubnet1DefaultRoute3DA9E72A",
         "VpcPublicSubnet2DefaultRoute97F91067",
         "VpcPublicSubnet3DefaultRoute4697774F"
       ]
     },
-    "testroute53albtestroute53albalbSecurityGroupC3716E02": {
+    "newalbstacknewalbstackalbSecurityGroup7BBB827C": {
       "Type": "AWS::EC2::SecurityGroup",
       "Properties": {
-        "GroupDescription": "Automatically created Security Group for ELB deployPublicApiNewAlbtestroute53albtestroute53albalbC4C12C26",
+        "GroupDescription": "Automatically created Security Group for ELB deployPublicApiNewAlbnewalbstacknewalbstackalbC987D9E9",
         "SecurityGroupEgress": [
           {
             "CidrIp": "255.255.255.255/32",
@@ -730,11 +730,21 @@
         }
       },
       "DependsOn": [
-        "testroute53albPolicy478FC0AF",
-        "testroute53albAC463A50"
-      ]
+        "newalbstackPolicyB7C2D898",
+        "newalbstackADB02838"
+      ],
+      "Metadata": {
+        "cfn_nag": {
+          "rules_to_suppress": [
+            {
+              "id": "W29",
+              "reason": "CDK created rule that blocks all traffic."
+            }
+          ]
+        }
+      }
     },
-    "testroute53albAC463A50": {
+    "newalbstackADB02838": {
       "Type": "AWS::S3::Bucket",
       "Properties": {
         "BucketEncryption": {
@@ -769,11 +779,11 @@
         }
       }
     },
-    "testroute53albPolicy478FC0AF": {
+    "newalbstackPolicyB7C2D898": {
       "Type": "AWS::S3::BucketPolicy",
       "Properties": {
         "Bucket": {
-          "Ref": "testroute53albAC463A50"
+          "Ref": "newalbstackADB02838"
         },
         "PolicyDocument": {
           "Statement": [
@@ -795,7 +805,7 @@
                     [
                       {
                         "Fn::GetAtt": [
-                          "testroute53albAC463A50",
+                          "newalbstackADB02838",
                           "Arn"
                         ]
                       },
@@ -805,7 +815,7 @@
                 },
                 {
                   "Fn::GetAtt": [
-                    "testroute53albAC463A50",
+                    "newalbstackADB02838",
                     "Arn"
                   ]
                 }
@@ -838,7 +848,7 @@
                   [
                     {
                       "Fn::GetAtt": [
-                        "testroute53albAC463A50",
+                        "newalbstackADB02838",
                         "Arn"
                       ]
                     },
@@ -856,7 +866,7 @@
         }
       }
     },
-    "testroute53albtestroute53albaliasCCC6DDF3": {
+    "newalbstacknewalbstackalias05E0DF53": {
       "Type": "AWS::Route53::RecordSet",
       "Properties": {
         "Name": "www.test-example.com.",
@@ -869,7 +879,7 @@
                 "dualstack.",
                 {
                   "Fn::GetAtt": [
-                    "testroute53albtestroute53albalb7C171F50",
+                    "newalbstacknewalbstackalb50B67E3E",
                     "DNSName"
                   ]
                 }
@@ -878,7 +888,7 @@
           },
           "HostedZoneId": {
             "Fn::GetAtt": [
-              "testroute53albtestroute53albalb7C171F50",
+              "newalbstacknewalbstackalb50B67E3E",
               "CanonicalHostedZoneID"
             ]
           }

diff --git a/...ce/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.ts b/...ce/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.ts
@@ -16,6 +16,7 @@ import { App, Stack, Aws } from "@aws-cdk/core";
 import * as defaults from '@aws-solutions-constructs/core';
 import { PublicHostedZone } from "@aws-cdk/aws-route53";
 import { Route53ToAlb, Route53ToAlbProps } from "../lib";
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
 
 // Setup
 const app = new App();
@@ -47,7 +48,10 @@ const props: Route53ToAlbProps = {
   }
 };
 
-new Route53ToAlb(stack, 'test-route53-alb', props);
+const testConstruct = new Route53ToAlb(stack, 'new-alb-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
 
 // Synth
 app.synth();