Fix: [AEA-0000] - add cfn guard (#420)

## Summary - Routine Change ### Details - add cfn-guard
NHSDigital · Aug 29, 2024 · d4f0c2d · d4f0c2d
1 parent d81602d
commit d4f0c2d
Show file tree

Hide file tree

Showing 8 changed files with 81 additions and 0 deletions.
diff --git a/.github/workflows/quality_checks.yml b/.github/workflows/quality_checks.yml
@@ -58,6 +58,20 @@ jobs:
       - name: run unit tests
         run: make test
 
+      - name: Run cfn-guard
+        run: make cfn-guard
+
+      - name: show cfn-guard output
+        if: failure()
+        run: find cfn_guard_output -type f -print0 | xargs -0 cat
+
+      - uses: actions/upload-artifact@v4
+        name: upload cfn_guard_output
+        if: failure()
+        with:
+          name: cfn_guard_output
+          path: cfn_guard_output
+
       - name: SonarCloud Scan
         uses: SonarSource/sonarcloud-github-action@master
         env:

diff --git a/.gitignore b/.gitignore
@@ -20,3 +20,4 @@ release_notes
 .aws-sam
 lib/
 *.tsbuildinfo
+cfn_guard_output/
diff --git a/Makefile b/Makefile
@@ -158,3 +158,6 @@ aws-configure:
 
 aws-login:
 	aws sso login --sso-session sso-session
+
+cfn-guard:
+	./scripts/run_cfn_guard.sh
diff --git a/README.md b/README.md
@@ -214,6 +214,7 @@ These are used to do common commands
 - `lint-cloudformation` Runs lint for cloudformation templates
 - `lint-samtemplates` Runs lint for SAM templates
 - `test` Runs unit tests for all code
+- `cfn-guard` runs cfn-guard for sam and cloudformation templates
 
 #### Compiling
 

diff --git a/SAMtemplates/lambda_resources.yaml b/SAMtemplates/lambda_resources.yaml
@@ -106,6 +106,10 @@ Resources:
       LogGroupName: !Sub "/aws/lambda/${LambdaName}"
       RetentionInDays: !Ref LogRetentionDays
       KmsKeyId: !Ref CloudWatchKMSKey
+    Metadata:
+      guard:
+        SuppressedRules:
+          - CW_LOGGROUP_RETENTION_PERIOD_CHECK
 
   LambdaSplunkSubscriptionFilter:
     Condition: ShouldUseSplunk

diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -130,6 +130,11 @@ Resources:
             Method: get
     Metadata: # Manage esbuild properties
       BuildMethod: esbuild
+      guard:
+        SuppressedRules:
+          - LAMBDA_DLQ_CHECK
+          - LAMBDA_INSIDE_VPC
+          - LAMBDA_CONCURRENCY_CHECK
       BuildProperties:
         Minify: true
         Target: "es2020"
@@ -240,6 +245,10 @@ Resources:
 
   ApiGwAccessLogs:
     Type: AWS::Logs::LogGroup
+    Metadata:
+      guard:
+        SuppressedRules:
+          - CW_LOGGROUP_RETENTION_PERIOD_CHECK
     Properties:
       LogGroupName:
         !Join [

diff --git a/SAMtemplates/sandbox_template.yaml b/SAMtemplates/sandbox_template.yaml
@@ -107,6 +107,11 @@ Resources:
             Method: get
     Metadata: # Manage esbuild properties
       BuildMethod: esbuild
+      guard:
+        SuppressedRules:
+          - LAMBDA_DLQ_CHECK
+          - LAMBDA_INSIDE_VPC
+          - LAMBDA_CONCURRENCY_CHECK
       BuildProperties:
         Minify: true
         Target: "es2020"
@@ -148,6 +153,11 @@ Resources:
             Method: get
     Metadata: # Manage esbuild properties
       BuildMethod: esbuild
+      guard:
+        SuppressedRules:
+          - LAMBDA_DLQ_CHECK
+          - LAMBDA_INSIDE_VPC
+          - LAMBDA_CONCURRENCY_CHECK
       BuildProperties:
         Minify: true
         Target: "es2020"
@@ -264,6 +274,10 @@ Resources:
         ]
       RetentionInDays: !Ref LogRetentionDays
       KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
+    Metadata:
+      guard:
+        SuppressedRules:
+          - CW_LOGGROUP_RETENTION_PERIOD_CHECK
 
   ApiGwAccessLogsSplunkSubscriptionFilter:
     Condition: ShouldUseSplunk

diff --git a/scripts/run_cfn_guard.sh b/scripts/run_cfn_guard.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+rm -rf /tmp/ruleset
+rm -rf cfn_guard_output
+
+wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip  >/dev/null 2>&1
+unzip /tmp/ruleset.zip -d /tmp/ruleset/  >/dev/null 2>&1 
+
+curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1
+
+mkdir -p cfn_guard_output
+
+declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
+for ruleset in "${rulesets[@]}"
+    do
+
+    while IFS= read -r -d '' file
+    do
+        echo "checking SAM template $file with ruleset $ruleset"
+        mkdir -p "$(dirname cfn_guard_output/"$file")"
+
+        # transform the SAM template to cloudformation and then run through cfn-guard
+        SAM_OUPUT=$(sam validate -t "$file" --region eu-west-2 --debug 2>&1 | \
+            grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0')
+        echo "${SAM_OUPUT::-1}" | ~/.guard/bin/cfn-guard validate \
+            --rules "/tmp/ruleset/output/$ruleset.guard" \
+            --show-summary fail \
+            > "cfn_guard_output/${file}_${ruleset}.txt"
+
+    done <   <(find ./SAMtemplates -name '*.y*ml' -print0)
+
+done
+
+rm -rf /tmp/ruleset