Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Serverless Nag Pack #1793

Open
wants to merge 43 commits into
base: main
Choose a base branch
from
Open

feat: Serverless Nag Pack #1793

wants to merge 43 commits into from

Conversation

Kevinwochan
Copy link

Fixes #

Kevinwochan and others added 30 commits April 29, 2024 12:20
@Kevinwochan
feat: implemented rules and 1 test
6b112a8
@Kevinwochan
feat: lambda logging rules
3cd5e1c
@Kevinwochan @dontirun
fix: typo in function id
a757e4b 
Co-authored-by: Arun Donti <dontirun@gmail.com>
@Kevinwochan @dontirun
fix: typo in function id
38c23bc 
Co-authored-by: Arun Donti <dontirun@gmail.com>
@Kevinwochan @dontirun
styling: rule description grammar
66181a6 
Co-authored-by: Arun Donti <dontirun@gmail.com>
@Kevinwochan
docs: added docs for lambda logging
71793d0
@Kevinwochan
feat: testing L2 constructs
bc1d61c
@Kevinwochan
implemeted all rules, untested and undocumented
515f898
@Kevinwochan
feat: LambdaLogLevels rules
9211f03
@Kevinwochan
Merge branch 'feat/serverless-nag-pack' into feat/serverless-nag-pack…
1e0d6ce 
…-complete
@Kevinwochan @dontirun
feat: lambda logging rules
4fb7e60 
Co-authored-by: Arun Donti <dontirun@gmail.com>
@Kevinwochan
Merge branch 'feat/serverless-nag-pack' into feat/serverless-nag-pack…
e61f13c 
…-complete
@Kevinwochan
docs(serverless): added example of warning and error
c9b8332
@Kevinwochan
docs(serverless): added example warning and error rules
21ab1a2
@Kevinwochan
feat(serverless): remove lambda logging rule
55144a9
@Kevinwochan
feat(serverless): remove lambda logging rule
f8a47b9
@Kevinwochan
feat(serverless): unit tests for lambda xray tracing
0ff3d12
@Kevinwochan
feat(serverless): updated LambdaTracing to use tracingConfig object
9b4cd49
@Kevinwochan
docs(serverless): updated docs for LambdaTracing rule
d783d82
@Kevinwochan
feat(serverless): LambdaEventSourceMappingDestination unit tested
872bdf7
@Kevinwochan
feat(serverless): added docs and checks to the serverless nag pack
9620a94
@Kevinwochan
feat(serverless): added iam wildcard checks
5d2cb8b
@Kevinwochan
feat(serverless): added cw logs retention checks
ce169fc
@Kevinwochan
feat(serverless): unit tested and documented LambdaDefaultMemorySize …
554fced 
…rule
@Kevinwochan
feat(serverless): unit tests for Lambda Default Timeout
73821c8
@Kevinwochan
feat(serverless): documented LambdaDefaultTimeout in the serverless n…
3fd72f7 
…ag pack
@Kevinwochan
feat(serverless): implemented LambdaAsyncFailureDestination rule
11eb99a
@Kevinwochan
feat(serverless): added latestlambdaversion check to serverless nag pack
901b423
@Kevinwochan
feat(serverless): added APIGW access logging check
47091d2
@Kevinwochan
feat(serverless): unit tests for apigw structured logging
eac6ce2
@Kevinwochan
Copy link
Author

Test Suites: 50 passed, 50 total
Tests: 761 passed, 761 total
Snapshots: 0 total
Time: 10.992 s, estimated 11 s

@Kevinwochan
Copy link
Author

Service Level Name cfn-lint tflint CDK Nag
AWS Lambda Warning Lambda Tracing WS1000 aws_lambda_function_tracing_rule LambdaTracing (new)
AWS Lambda Error EventSourceMapping Failure Destination ES1001 aws_lambda_event_source_mapping_failure_destination LambdaEventSourceMappingDestination (new)
AWS Lambda Warning Lambda Permission Multiple Principals WS1002 aws_lambda_permission_multiple_principals N/A
AWS Lambda Warning Lambda Star Permissions WS1003 aws_iam_role_lambda_no_star IAMNoWildcardPermissions
AWS Lambda Warning Lambda Log Retention WS1004 aws_cloudwatch_log_group_lambda_retention CloudWatchLogGroupSpecifiedRetentionPeriod
AWS Lambda Error Lambda Default Memory Size ES1005 aws_lambda_function_default_memory LambdaDefaultMemorySize (new)
AWS Lambda Error Lambda Default Timeout ES1006 aws_lambda_function_default_timeout LambdaDefaultTimeout (new)
AWS Lambda Error Async Lambda Failure Destination ES1007 aws_lambda_event_invoke_config_async_on_failure LambdaAsyncFailureDestination (new)
AWS Lambda Error Lambda EOL Runtime E2531 aws_lambda_function_eol_runtime LambdaLatestVersion (new)
Amazon API Gateway REST APIs Error API Gateway Logging ES2000 aws_apigateway_stage_logging_rule APIGWAccessLogging (new)
Amazon API Gateway REST APIs Warning API Gateway Structured Logging WS2001 aws_api_gateway_stage_structured_logging APIGWStructuredLogging (new)
Amazon API Gateway REST APIs Warning API Gateway Tracing WS2002 aws_apigateway_stage_tracing_rule APIGWXrayEnabled
Amazon API Gateway REST APIs Warning API Gateway Default Throttling ES2003 aws_apigateway_stage_throttling_rule APIGWDefaultThrottling (new)
Amazon API Gateway HTTP APIs Error API Gateway Logging ES2000 aws_apigatewayv2_stage_logging_rule APIGWAccessLogging
Amazon API Gateway HTTP APIs Warning API Gateway Structured Logging WS2001 aws_apigatewayv2_stage_structured_logging APIGWStructuredLogging (new)
Amazon API Gateway HTTP APIs Warning API Gateway Default Throttling ES2003 aws_apigatewayv2_stage_throttling_rule APIGWDefaultThrottling (new)
AWS AppSync Error AppSync Tracing WS3000 aws_appsync_graphql_api_tracing_rule AppSyncTracing (new)
Amazon EventBridge Error EventBridge Rule Without DLQ ES4000 aws_cloudwatch_event_target_no_dlq EventBusDLQ (new)
Amazon SNS Error SNS Redrive Policy ES7000 aws_sns_topic_subscription_redrive_policy SNSRedrivePolicy (new)
Amazon SQS Error SQS Redrive Policy ES6000 aws_sqs_queue_redrive_policy SQSRedrivePolicy (new)
Amazon Step Functions Warning Step Functions Tracing WS5000 aws_sfn_state_machine_tracing StepFunctionStateMachineXray

@Kevinwochan Kevinwochan changed the title Serverless nag pack complete feat:Serverless nag pack complete Sep 2, 2024
@Kevinwochan
Copy link
Author

100% code coverage on all the rules, all the rules have been unit tested on L1 and L2 constructs

@Kevinwochan Kevinwochan changed the title feat:Serverless nag pack complete feat: Serverless Nag Pack Sep 2, 2024
dontirun
dontirun requested changes Oct 3, 2024
View reviewed changes
Copy link
Collaborator

@dontirun dontirun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a large change thus I will go through multiple iterations of reviews.

In addition to the proposed changes to descriptions, please link this PR to the issue you created

src/rules/apigw/APIGWStructuredLogging.ts
};

/**
* Ensure that API Gateway REST and HTTP APIs are using JSON structured logs
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The explanations on all the rules need to be written in a declarative manner.

Suggested change
* Ensure that API Gateway REST and HTTP APIs are using JSON structured logs
* API Gateway REST and HTTP APIs use JSON structured logs

src/packs/serverless.ts
*/
private checkLambda(node: CfnResource) {
this.applyRule({
info: 'The Lambda function should have tracing set to Tracing.ACTIVE',
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These all need to be re-written to be both declarative and resource specific.

Example

Suggested change
info: 'The Lambda function should have tracing set to Tracing.ACTIVE',
info: 'The Lambda function does not have tracing set to Tracing.ACTIVE',

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dontirun dontirun dontirun requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Kevinwochan @dontirun