From 327b0b115cb4625e51228a033b95fd5c0c5b2842 Mon Sep 17 00:00:00 2001 From: Mike Shepherd Date: Tue, 14 May 2024 16:24:59 +0100 Subject: [PATCH] Disable state machine logging --- .projen/deps.json | 4 +- .projenrc.ts | 2 +- API.md | 2 +- package.json | 4 +- src/ecs-deployment-provider/index.ts | 1 + ...s-cdk-ecs-codedeploy-service-NagReport.csv | 2 + .../cdk-ecs-codedeploy-service.assets.json | 10 +- .../cdk-ecs-codedeploy-service.template.json | 102 +++++++++++++++++- ...nced-codedeployed-fargate-service.integ.ts | 2 + ...cs-codedeploy-ecs-deployment-NagReport.csv | 2 + ...-ecs-codedeploy-ecs-deployment.assets.json | 10 +- ...cs-codedeploy-ecs-deployment.template.json | 102 +++++++++++++++++- test/ecs-deployment-hooks.integ.ts | 2 + ...cs-codedeploy-ecs-deployment-NagReport.csv | 2 + ...-ecs-codedeploy-ecs-deployment.assets.json | 10 +- ...cs-codedeploy-ecs-deployment.template.json | 102 +++++++++++++++++- test/ecs-deployment.integ.ts | 2 + yarn.lock | 28 ++--- 18 files changed, 345 insertions(+), 44 deletions(-) diff --git a/.projen/deps.json b/.projen/deps.json index ed07bdf..e70a593 100644 --- a/.projen/deps.json +++ b/.projen/deps.json @@ -2,7 +2,7 @@ "dependencies": [ { "name": "@aws-cdk/integ-tests-alpha", - "version": "^2.131.0-alpha.0", + "version": "^2.139.0-alpha.0", "type": "build" }, { @@ -145,7 +145,7 @@ }, { "name": "aws-cdk-lib", - "version": "^2.131.0", + "version": "^2.139.0", "type": "peer" }, { diff --git a/.projenrc.ts b/.projenrc.ts index 533ecb4..d36b302 100644 --- a/.projenrc.ts +++ b/.projenrc.ts @@ -23,7 +23,7 @@ export class WorkflowDotNetVersionPatch { ); } } -const cdkVersion = '2.131.0'; +const cdkVersion = '2.139.0'; const project = new CdklabsConstructLibrary({ setNodeEngineVersion: false, private: false, diff --git a/API.md b/API.md index 7d17b9c..7e1b6a6 100644 --- a/API.md +++ b/API.md 
@@ -1516,7 +1516,7 @@ public readonly desiredCount: number; ``` - *Type:* number -- *Default:* If the feature flag, ECS_REMOVE_DEFAULT_DESIRED_COUNT is false, the default is 1; if true, the default is 1 for all new services and uses the existing services desired count when updating an existing service. +- *Default:* The default is 1 for all new services and uses the existing service's desired count when updating an existing service. The desired number of instantiations of the task definition to keep running on the service. diff --git a/package.json b/package.json index 26999b4..817e421 100644 --- a/package.json +++ b/package.json @@ -80,7 +80,7 @@ "@typescript-eslint/eslint-plugin": "^6", "@typescript-eslint/parser": "^6", "aws-cdk": "^2", - "aws-cdk-lib": "2.131.0", + "aws-cdk-lib": "2.139.0", "aws-sdk-client-mock": "^4.0.0", "aws-sdk-client-mock-jest": "^4.0.0", "cdk-nag": "^2.28.114", @@ -105,7 +105,7 @@ "typescript": "^4.9.5" }, "peerDependencies": { - "aws-cdk-lib": "^2.131.0", + "aws-cdk-lib": "^2.139.0", "constructs": "^10.0.5" }, "dependencies": { diff --git a/src/ecs-deployment-provider/index.ts b/src/ecs-deployment-provider/index.ts index 0ee9dfa..89cec42 100644 --- a/src/ecs-deployment-provider/index.ts +++ b/src/ecs-deployment-provider/index.ts @@ -81,6 +81,7 @@ export class EcsDeploymentProvider extends cr.Provider { isCompleteHandler: completeLambda, queryInterval: props.queryInterval || cdk.Duration.seconds(15), totalTimeout: props.timeout, + disableWaiterStateMachineLogging: true, }); } } diff --git a/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-service-NagReport.csv b/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-service-NagReport.csv index a45b82e..a150200 100644 --- a/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-service-NagReport.csv 
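Review bot: `disableWaiterStateMachineLogging: true` in the `EcsDeploymentProvider` constructor is hard-coded and has no comment, so every consumer of the construct loses the waiter state machine's execution logs and cannot opt back in. Those logs are likely the first place an operator would look when a deployment wait times out or fails, and the commit message gives no reason for dropping them. I would add a one-line comment stating why logging is disabled and make it overridable, e.g. `disableWaiterStateMachineLogging: props.disableWaiterStateMachineLogging ?? true,` with a matching optional, documented prop on the provider's props interface. The constructor and its props type start outside this hunk, so the exact interface to extend is not visible here.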
+++ b/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-service-NagReport.csv @@ -57,3 +57,5 @@ Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info "AwsSolutions-IAM5","cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider/waiter-state-machine/Role/Resource","Compliant","N/A","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." "AwsSolutions-IAM5","cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider/waiter-state-machine/Role/DefaultPolicy/Resource","Suppressed","Unrelated to construct under test","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." "AwsSolutions-IAM5","cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider/waiter-state-machine/Role/DefaultPolicy/Resource","Suppressed","Unrelated to construct under test","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." +"AwsSolutions-SF1","cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider/waiter-state-machine/Resource","Suppressed","Unrelated to construct under test","Error","The Step Function does not log ""ALL"" events to CloudWatch Logs." +"AwsSolutions-SF2","cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider/waiter-state-machine/Resource","Suppressed","Unrelated to construct under test","Error","The Step Function does not have X-Ray tracing enabled." diff --git a/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.assets.json b/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.assets.json index 76221a2..04342bd 100644 
--- a/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.assets.json +++ b/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.assets.json @@ -43,21 +43,21 @@ } } }, - "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7": { + "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc": { "source": { - "path": "asset.4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7", + "path": "asset.3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc", "packaging": "zip" }, "destinations": { "current_account-us-west-2": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2", - "objectKey": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip", + "objectKey": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip", "region": "us-west-2", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-us-west-2" } } }, - "a03066ba3f268acadfbbb3420dcd12c37e2be7581b6c2600ee81f0970bf95789": { + "836ca35039091e59abb6c2f08988abbbcee8fceaea74bd212f52105e1133a320": { "source": { "path": "cdk-ecs-codedeploy-service.template.json", "packaging": "file" @@ -65,7 +65,7 @@ "destinations": { "current_account-us-west-2": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2", - "objectKey": "a03066ba3f268acadfbbb3420dcd12c37e2be7581b6c2600ee81f0970bf95789.json", + "objectKey": "836ca35039091e59abb6c2f08988abbbcee8fceaea74bd212f52105e1133a320.json", "region": "us-west-2", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-us-west-2" } 
diff --git a/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.template.json b/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.template.json index 4973e84..2950166 100644 --- a/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.template.json +++ b/test/application-load-balanced-codedeployed-fargate-service.integ.snapshot/cdk-ecs-codedeploy-service.template.json @@ -2225,6 +2225,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2321,6 +2329,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2339,7 +2355,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - onEvent (cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider)", "Environment": { 
@@ -2386,6 +2402,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2438,6 +2462,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2527,6 +2559,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2545,7 +2585,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - isComplete (cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider)", "Environment": { @@ -2589,6 +2629,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", 
@@ -2641,6 +2689,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2730,6 +2786,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2748,7 +2812,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - onTimeout (cdk-ecs-codedeploy-service/Service/DeploymentGroup/Deployment/DeploymentProvider)", "Environment": { @@ -2792,6 +2856,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2830,6 +2902,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", 
@@ -2919,6 +2999,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2977,6 +3065,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", diff --git a/test/application-load-balanced-codedeployed-fargate-service.integ.ts b/test/application-load-balanced-codedeployed-fargate-service.integ.ts index c1ecb2c..3b1f755 100644 --- a/test/application-load-balanced-codedeployed-fargate-service.integ.ts +++ b/test/application-load-balanced-codedeployed-fargate-service.integ.ts @@ -46,6 +46,8 @@ NagSuppressions.addResourceSuppressionsByPath(stack, [ ], [ { id: 'AwsSolutions-IAM5', reason: 'Unrelated to construct under test' }, { id: 'AwsSolutions-L1', reason: 'Unrelated to construct under test' }, + { id: 'AwsSolutions-SF1', reason: 'Unrelated to construct under test' }, + { id: 'AwsSolutions-SF2', reason: 'Unrelated to construct under test' }, ], true); // Ignore findings from access log bucket diff --git a/test/ecs-deployment-hooks.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv b/test/ecs-deployment-hooks.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv index 71c3f73..1260eca 100644 --- a/test/ecs-deployment-hooks.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv +++ b/test/ecs-deployment-hooks.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv 
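Review bot: The reason on the new `AwsSolutions-SF1` suppression, 'Unrelated to construct under test', no longer matches the finding. This commit sets `disableWaiterStateMachineLogging: true` in `EcsDeploymentProvider`, so the missing logging on `waiter-state-machine` comes from the construct these tests exercise. The reason string is the only evidence that survives into the NagReport, so it should record the decision, e.g. `{ id: 'AwsSolutions-SF1', reason: 'Waiter state machine logging is disabled on purpose by EcsDeploymentProvider' },`. The call passes a trailing `true`, which appears to apply the suppressions to child resources, and the template snapshots show the SF1/SF2 entries on the provider framework's Lambda resources as well, so narrowing the path list to the state machine would avoid masking later findings. The path list starts outside the hunk, and the same two lines are added in `test/ecs-deployment-hooks.integ.ts` and `test/ecs-deployment.integ.ts`.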
@@ -40,6 +40,8 @@ Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info "AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Role/Resource","Compliant","N/A","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." "AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Role/DefaultPolicy/Resource","Suppressed","Unrelated to construct under test","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." "AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Role/DefaultPolicy/Resource","Suppressed","Unrelated to construct under test","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." +"AwsSolutions-SF1","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Resource","Suppressed","Unrelated to construct under test","Error","The Step Function does not log ""ALL"" events to CloudWatch Logs." +"AwsSolutions-SF2","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Resource","Suppressed","Unrelated to construct under test","Error","The Step Function does not have X-Ray tracing enabled." "AwsSolutions-IAM4","cdk-ecs-codedeploy-ecs-deployment/Function/ServiceRole/Resource","Suppressed","[Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole] Allow AWSLambdaBasicExecutionRole policy","Error","The IAM user, role, or group uses AWS managed policies." 
"AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/Function/ServiceRole/Resource","Compliant","N/A","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." "AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/Function/ServiceRole/DefaultPolicy/Resource","Suppressed","Allow wildcard resources","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." diff --git a/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json b/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json index 335d16c..a073c7e 100644 --- a/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json +++ b/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json @@ -27,20 +27,20 @@ } } }, - "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7": { + "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc": { "source": { - "path": "asset.4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7", + "path": "asset.3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc", "packaging": "zip" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip", + "objectKey": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "59e7fad9d5117a9ca658fc374060936e8616492e81388b71ed5cf79ee047eb84": { + "fbfd7c0b4dbc0f5d9f2a4144c6a67b88f1e1344592cf5a42357bc4e4ef2d144a": { "source": { "path": "cdk-ecs-codedeploy-ecs-deployment.template.json", "packaging": "file" 
@@ -48,7 +48,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "59e7fad9d5117a9ca658fc374060936e8616492e81388b71ed5cf79ee047eb84.json", + "objectKey": "fbfd7c0b4dbc0f5d9f2a4144c6a67b88f1e1344592cf5a42357bc4e4ef2d144a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json b/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json index 816f75f..1532375 100644 --- a/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json +++ b/test/ecs-deployment-hooks.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json @@ -1746,6 +1746,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -1849,6 +1857,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -1867,7 +1883,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - onEvent (cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider)", "Environment": { 
@@ -1919,6 +1935,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -1978,6 +2002,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2074,6 +2106,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2092,7 +2132,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - isComplete (cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider)", "Environment": { @@ -2141,6 +2181,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", 
@@ -2200,6 +2248,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2296,6 +2352,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2314,7 +2378,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - onTimeout (cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider)", "Environment": { @@ -2363,6 +2427,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2416,6 +2488,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", 
@@ -2512,6 +2592,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2575,6 +2663,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", diff --git a/test/ecs-deployment-hooks.integ.ts b/test/ecs-deployment-hooks.integ.ts index fa1feff..575514e 100644 --- a/test/ecs-deployment-hooks.integ.ts +++ b/test/ecs-deployment-hooks.integ.ts @@ -244,6 +244,8 @@ NagSuppressions.addResourceSuppressionsByPath(stack, [ { id: 'AwsSolutions-IAM4', reason: 'Unrelated to construct under test' }, { id: 'AwsSolutions-IAM5', reason: 'Unrelated to construct under test' }, { id: 'AwsSolutions-L1', reason: 'Unrelated to construct under test' }, + { id: 'AwsSolutions-SF1', reason: 'Unrelated to construct under test' }, + { id: 'AwsSolutions-SF2', reason: 'Unrelated to construct under test' }, ], true); NagSuppressions.addResourceSuppressions(deployment, [ { diff --git a/test/ecs-deployment.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv b/test/ecs-deployment.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv index 6bbdc1b..6500b82 100644 --- a/test/ecs-deployment.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv +++ b/test/ecs-deployment.integ.snapshot/AwsSolutions-cdk-ecs-codedeploy-ecs-deployment-NagReport.csv 
@@ -40,3 +40,5 @@ Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info "AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Role/Resource","Compliant","N/A","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." "AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Role/DefaultPolicy/Resource","Suppressed","Unrelated to construct under test","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." "AwsSolutions-IAM5","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Role/DefaultPolicy/Resource","Suppressed","Unrelated to construct under test","Error","The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission." +"AwsSolutions-SF1","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Resource","Suppressed","Unrelated to construct under test","Error","The Step Function does not log ""ALL"" events to CloudWatch Logs." +"AwsSolutions-SF2","cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider/waiter-state-machine/Resource","Suppressed","Unrelated to construct under test","Error","The Step Function does not have X-Ray tracing enabled." diff --git a/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json b/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json index 3e6f629..e03aa26 100644 --- a/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json +++ b/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.assets.json 
@@ -27,20 +27,20 @@ } } }, - "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7": { + "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc": { "source": { - "path": "asset.4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7", + "path": "asset.3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc", "packaging": "zip" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip", + "objectKey": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "133f7eb1a71680da68e635b301959d63f227a8ca3a9ac75ef412e21d930d6ad1": { + "f9927612a0cb36cdbb2b8a4e138e92a20c81328ece4eacc7fabd59982733d1e5": { "source": { "path": "cdk-ecs-codedeploy-ecs-deployment.template.json", "packaging": "file" @@ -48,7 +48,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "133f7eb1a71680da68e635b301959d63f227a8ca3a9ac75ef412e21d930d6ad1.json", + "objectKey": "f9927612a0cb36cdbb2b8a4e138e92a20c81328ece4eacc7fabd59982733d1e5.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json b/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json index ddb75d2..9d3a966 100644 --- a/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json +++ b/test/ecs-deployment.integ.snapshot/cdk-ecs-codedeploy-ecs-deployment.template.json 
@@ -1746,6 +1746,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -1849,6 +1857,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -1867,7 +1883,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - onEvent (cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider)", "Environment": { @@ -1919,6 +1935,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -1978,6 +2002,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", 
@@ -2074,6 +2106,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2092,7 +2132,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - isComplete (cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider)", "Environment": { @@ -2141,6 +2181,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2200,6 +2248,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2296,6 +2352,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", 
@@ -2314,7 +2378,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "4b8313cdc235017293aeaa9b32282f38142f7e6923fd0ac5322de1edf4b426d7.zip" + "S3Key": "3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip" }, "Description": "AWS CDK resource provider framework - onTimeout (cdk-ecs-codedeploy-ecs-deployment/DG/Deployment/DeploymentProvider)", "Environment": { @@ -2363,6 +2427,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2416,6 +2488,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2512,6 +2592,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", @@ -2575,6 +2663,14 @@ "reason": "Unrelated to construct under test", "id": "AwsSolutions-L1" }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF1" + }, + { + "reason": "Unrelated to construct under test", + "id": "AwsSolutions-SF2" + }, { "reason": "Allow AWSLambdaBasicExecutionRole policy", "id": "AwsSolutions-IAM4", diff --git a/test/ecs-deployment.integ.ts b/test/ecs-deployment.integ.ts index 88f02ae..bea2a91 100644 --- a/test/ecs-deployment.integ.ts +++ b/test/ecs-deployment.integ.ts 
@@ -209,6 +209,8 @@ NagSuppressions.addResourceSuppressionsByPath(stack, [ { id: 'AwsSolutions-IAM4', reason: 'Unrelated to construct under test' }, { id: 'AwsSolutions-IAM5', reason: 'Unrelated to construct under test' }, { id: 'AwsSolutions-L1', reason: 'Unrelated to construct under test' }, + { id: 'AwsSolutions-SF1', reason: 'Unrelated to construct under test' }, + { id: 'AwsSolutions-SF2', reason: 'Unrelated to construct under test' }, ], true); NagSuppressions.addResourceSuppressions(deployment, [ { diff --git a/yarn.lock b/yarn.lock index 1e15633..92c8a38 100644 --- a/yarn.lock +++ b/yarn.lock @@ -20,10 +20,10 @@ resolved "https://registry.yarnpkg.com/@aws-cdk/asset-kubectl-v20/-/asset-kubectl-v20-2.1.2.tgz#d8e20b5f5dc20128ea2000dc479ca3c7ddc27248" integrity sha512-3M2tELJOxQv0apCIiuKQ4pAbncz9GuLwnKFqxifWfe77wuMxyTRPmxssYHs42ePqzap1LT6GDcPygGs+hHstLg== -"@aws-cdk/asset-node-proxy-agent-v6@^2.0.1": - version "2.0.1" - resolved "https://registry.yarnpkg.com/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.0.1.tgz#6dc9b7cdb22ff622a7176141197962360c33e9ac" - integrity sha512-DDt4SLdLOwWCjGtltH4VCST7hpOI5DzieuhGZsBpZ+AgJdSI2GCjklCXm0GCTwJG/SolkL5dtQXyUKgg9luBDg== +"@aws-cdk/asset-node-proxy-agent-v6@^2.0.3": + version "2.0.3" + resolved "https://registry.yarnpkg.com/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.0.3.tgz#9b5d213b5ce5ad4461f6a4720195ff8de72e6523" + integrity sha512-twhuEG+JPOYCYPx/xy5uH2+VUsIEhPTzDY0F1KuB+ocjWWB/KEDiOVL19nHvbPCB6fhWnkykXEMJ4HHcKvjtvg== "@aws-cdk/aws-service-spec@0.1.1": version "0.1.1" 
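Review bot: The two added suppressions for `AwsSolutions-SF1` and `AwsSolutions-SF2` reuse the reason 'Unrelated to construct under test', but this same commit sets `disableWaiterStateMachineLogging: true` in `src/ecs-deployment-provider/index.ts`, so the missing state machine logging appears to be a deliberate choice of the construct rather than an unrelated finding. I would record that in the reason, e.g. `{ id: 'AwsSolutions-SF1', reason: 'Waiter state machine logging is disabled in EcsDeploymentProvider (disableWaiterStateMachineLogging)' },`, and give SF2 its own reason, since X-Ray tracing is a separate control from execution logging. Because the call ends with `], true);`, the suppressions also apply to child resources, so any state machine later added under the same path would be silenced too; the call starts above the hunk and its path argument is not visible here. The same reason text is repeated in the regenerated snapshot templates and would change with them once the integ snapshots are rebuilt.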
@@ -2291,14 +2291,14 @@ available-typed-arrays@^1.0.7: dependencies: possible-typed-array-names "^1.0.0" -aws-cdk-lib@2.131.0: - version "2.131.0" - resolved "https://registry.yarnpkg.com/aws-cdk-lib/-/aws-cdk-lib-2.131.0.tgz#6e336e9a3e77b07052d28c017ea020f5c9948341" - integrity sha512-9XLgiTgY+q0S3K93VPeJO0chIN8BZwZ3aSrILvF868Dz+0NTNrD2m5M0xGK5Rw0uoJS+N+DvGaz/2hLAiVqcBw== +aws-cdk-lib@2.139.0: + version "2.139.0" + resolved "https://registry.yarnpkg.com/aws-cdk-lib/-/aws-cdk-lib-2.139.0.tgz#bee393c979d74cf58c087850ce896df145b04776" + integrity sha512-G9yoc+VFwF10kpgf4omtrAVmUNPeAP708oF5fc7XlRTzoTXMmAdUJW9cRGOMtAkFY83SxiJP0wm8n5Z9tjAdUA== dependencies: "@aws-cdk/asset-awscli-v1" "^2.2.202" "@aws-cdk/asset-kubectl-v20" "^2.1.2" - "@aws-cdk/asset-node-proxy-agent-v6" "^2.0.1" + "@aws-cdk/asset-node-proxy-agent-v6" "^2.0.3" "@balena/dockerignore" "^1.0.2" case "1.6.3" fs-extra "^11.2.0" @@ -2308,7 +2308,7 @@ aws-cdk-lib@2.131.0: minimatch "^3.1.2" punycode "^2.3.1" semver "^7.6.0" - table "^6.8.1" + table "^6.8.2" yaml "1.10.2" aws-cdk@2.141.0, aws-cdk@^2: @@ -6413,10 +6413,10 @@ symbol-tree@^3.2.4: resolved "https://registry.yarnpkg.com/symbol-tree/-/symbol-tree-3.2.4.tgz#430637d248ba77e078883951fb9aa0eed7c63fa2" integrity sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw== -table@^6.8.1: - version "6.8.1" - resolved "https://registry.yarnpkg.com/table/-/table-6.8.1.tgz#ea2b71359fe03b017a5fbc296204471158080bdf" - integrity sha512-Y4X9zqrCftUhMeH2EptSSERdVKt/nEdijTOacGD/97EKjhQ/Qs8RTlEGABSJNNN8lac9kheH+af7yAkEWlgneA== +table@^6.8.2: + version "6.8.2" + resolved "https://registry.yarnpkg.com/table/-/table-6.8.2.tgz#c5504ccf201213fa227248bdc8c5569716ac6c58" + integrity sha512-w2sfv80nrAh2VCbqR5AK27wswXhqcck2AhfnNW76beQXskGZ1V12GwS//yYVa3d3fcvAip2OUnbDAjW2k3v9fA== dependencies: ajv "^8.0.1" lodash.truncate "^4.4.2"