Add Checkov metadata to CDK BucketDeployment
/**
 * One Checkov suppression. `silence_checkov` serializes these into the
 * resource's CloudFormation `Metadata.checkov.skip` list, so the text ends up
 * in the synthesized template.
 */
interface CheckovRule {
  /** Checkov check id, e.g. `CKV_AWS_116`. */
  id: string;
  /** Justification for skipping the check here — be specific, this is the audit trail. */
  comment: string;
}
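/**
 * Suppress Checkov findings on the L1 resource behind `construct`.
 *
 * Checkov reads suppressions from the resource's CloudFormation `Metadata`
 * under `checkov.skip`, so `rules` are written there. Existing metadata is
 * preserved: unrelated keys are left untouched and skips already present on
 * the resource are kept, with `rules` appended. A rule whose id is already
 * listed replaces the earlier entry, so the newer comment wins.
 *
 * The previous spread order (`{ checkov: ..., ...metadata }`) let a
 * pre-existing `checkov` key silently discard the new skips; this merges
 * instead, and fails loudly when there is no L1 resource to annotate rather
 * than dereferencing `undefined`.
 *
 * @param construct L2 construct whose `node.defaultChild` is the CfnResource to annotate.
 * @param rules Suppressions to add; each must carry a justification in `comment`.
 * @throws Error if `construct` has no `defaultChild` to attach metadata to.
 */
function silence_checkov(construct: Construct, rules: CheckovRule[]): void {
  const resource = construct.node.defaultChild as cdk.CfnResource | undefined;
  if (resource === undefined) {
    throw new Error(
      `silence_checkov: '${construct.node.path}' has no defaultChild to attach Checkov metadata to`,
    );
  }
  if (rules.length === 0) {
    return; // nothing to suppress; do not write an empty skip list
  }
  const metadata = resource.cfnOptions.metadata ?? {};
  const newIds = new Set(rules.map((r) => r.id));
  // Keep earlier skips unless the caller is re-declaring the same id.
  const priorSkips: CheckovRule[] = (metadata.checkov?.skip ?? []).filter(
    (r: CheckovRule) => !newIds.has(r.id),
  );
  resource.cfnOptions.metadata = {
    ...metadata,
    checkov: { ...metadata.checkov, skip: [...priorSkips, ...rules] },
  };
}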
/**
 * One cfn_nag suppression. `silence_cfn_nag` serializes these into the
 * resource's CloudFormation `Metadata.cfn_nag.rules_to_suppress` list, so the
 * text ends up in the synthesized template.
 */
interface CfnNagRule {
  /** cfn_nag rule id as reported by the scanner. */
  id: string;
  /** Justification for suppressing the rule here — be specific, this is the audit trail. */
  reason: string;
}
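/**
 * Suppress cfn_nag findings on the L1 resource behind `construct`.
 *
 * cfn_nag reads suppressions from the resource's CloudFormation `Metadata`
 * under `cfn_nag.rules_to_suppress`, so `rules` are written there. Existing
 * metadata is preserved: unrelated keys are left untouched and suppressions
 * already present on the resource are kept, with `rules` appended. A rule
 * whose id is already listed replaces the earlier entry, so the newer reason
 * wins.
 *
 * The previous spread order (`{ cfn_nag: ..., ...metadata }`) let a
 * pre-existing `cfn_nag` key silently discard the new suppressions; this
 * merges instead, and fails loudly when there is no L1 resource to annotate
 * rather than dereferencing `undefined`.
 *
 * @param construct L2 construct whose `node.defaultChild` is the CfnResource to annotate.
 * @param rules Suppressions to add; each must carry a justification in `reason`.
 * @throws Error if `construct` has no `defaultChild` to attach metadata to.
 */
function silence_cfn_nag(construct: Construct, rules: CfnNagRule[]): void {
  const resource = construct.node.defaultChild as cdk.CfnResource | undefined;
  if (resource === undefined) {
    throw new Error(
      `silence_cfn_nag: '${construct.node.path}' has no defaultChild to attach cfn_nag metadata to`,
    );
  }
  if (rules.length === 0) {
    return; // nothing to suppress; do not write an empty suppression list
  }
  const metadata = resource.cfnOptions.metadata ?? {};
  const newIds = new Set(rules.map((r) => r.id));
  // Keep earlier suppressions unless the caller is re-declaring the same id.
  const kept: CfnNagRule[] = (metadata.cfn_nag?.rules_to_suppress ?? []).filter(
    (r: CfnNagRule) => !newIds.has(r.id),
  );
  resource.cfnOptions.metadata = {
    ...metadata,
    cfn_nag: { ...metadata.cfn_nag, rules_to_suppress: [...kept, ...rules] },
  };
}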
/******************************************************************************
 * Example: suppress scanner findings on the Lambda that BucketDeployment
 * creates for its custom resource handler.
 ******************************************************************************/
// NOTE: lambda console shows 10 unreserved concurrency.
// Upload the local "path/to/scripts" directory into s3Bucket under "scripts/";
// with `vpc` set, the Lambda backing the custom resource is placed in that VPC.
const scriptsUploader = new s3deploy.BucketDeployment(this, 'DeployScripts', {
  sources: [s3deploy.Source.asset("path/to/scripts")],
  destinationBucket: s3Bucket, // Require an s3 bucket construct
  destinationKeyPrefix: "scripts",
  retainOnDelete: false, // uploaded objects are not retained when this deployment is removed
  vpc: vpc, // Require a vpc construct, to put the lambda to this vpc.
});

// The custom resource handler is a SingletonFunction; the Function construct we
// need to annotate sits on its private `lambdaFunction` member. Bracket access
// bypasses TypeScript's `private` check, so this is fragile across aws-cdk-lib
// versions — re-verify after every CDK upgrade.
const crh = scriptsUploader.node.findChild("CustomResourceHandler") as SingletonFunction;
const handlerFunction = crh['lambdaFunction']; // Access private member.

// Checkov: each skip carries the justification that ends up in the template.
const checkovSkips: CheckovRule[] = [
  { id: 'CKV_AWS_116', comment: 'DLQ not required' },
  { id: 'CKV_AWS_115', comment: 'Default concurrency limit is sufficient' },
];
silence_checkov(handlerFunction, checkovSkips);

// cfn_nag: 'ASDF' / 'Reason to suppress' are placeholders, not a real rule id
// or justification — replace them with the warning cfn_nag actually reports
// and a concrete reason before relying on this suppression.
const cfnNagSuppressions: CfnNagRule[] = [
  { id: 'ASDF', reason: 'Reason to suppress' },
];
silence_cfn_nag(handlerFunction, cfnNagSuppressions);