From c92f945298b92e2cfc57227a3c8104cba55e20d3 Mon Sep 17 00:00:00 2001 From: shapirov Date: Tue, 27 Aug 2024 10:57:56 -0400 Subject: [PATCH 1/3] nag pattern updates --- bin/cdk-nag.ts | 10 ++ lib/cdk-nag-construct/index.ts | 69 ++++++++ lib/cdk-nag-construct/nag-rules.ts | 250 +++++++++++++++++++++++++++++ lib/starter-construct/index.ts | 18 +++ package.json | 15 +- 5 files changed, 356 insertions(+), 6 deletions(-) create mode 100644 bin/cdk-nag.ts create mode 100644 lib/cdk-nag-construct/index.ts create mode 100644 lib/cdk-nag-construct/nag-rules.ts diff --git a/bin/cdk-nag.ts b/bin/cdk-nag.ts new file mode 100644 index 00000000..da728487 --- /dev/null +++ b/bin/cdk-nag.ts @@ -0,0 +1,10 @@ +import * as cdk from 'aws-cdk-lib'; +import { AwsSolutionsChecks } from 'cdk-nag'; +import { configureApp } from '../lib/common/construct-utils'; +import CdkNagConstruct from '../lib/cdk-nag-construct'; + + +const app = configureApp(); +cdk.Aspects.of(app).add(new AwsSolutionsChecks()); // run CDK-nag + +new CdkNagConstruct(app, "cdk-nag-validation", app.account!); diff --git a/lib/cdk-nag-construct/index.ts b/lib/cdk-nag-construct/index.ts new file mode 100644 index 00000000..7a36c761 --- /dev/null +++ b/lib/cdk-nag-construct/index.ts @@ -0,0 +1,69 @@ +import { Construct } from 'constructs'; +import * as blueprints from '@aws-quickstart/eks-blueprints'; +import { ArnPrincipal } from 'aws-cdk-lib/aws-iam'; +import { NagSuppressionsConfig } from './nag-rules'; +import { KubernetesVersion } from 'aws-cdk-lib/aws-eks'; + + +export default class CdkNagConstruct { + + constructor(scope: Construct, id: string, account: string) { + const stackId = `${id}-blueprint`; + + const addOns: Array = [ + new blueprints.addons.SSMAgentAddOn(), + new blueprints.addons.CoreDnsAddOn('auto'), + new blueprints.addons.KubeProxyAddOn("v1.29.1-eksbuild.2"), + new blueprints.addons.EbsCsiDriverAddOn(), + ]; + + const applicationTeams: Array = [ + new EKSaaPApplicationTeam("one", [ + new ArnPrincipal(`arn:aws:iam::${account}:role/its-user`) + ]), + new EKSaaPApplicationTeam("two", [ + new ArnPrincipal(`arn:aws:iam::${account}:role/its-user`) + ]) + ]; + + const platformTeam = new EKSaaPPlatformTeam([ + new ArnPrincipal(`arn:aws:iam::${account}:role/its-admin`) + ]); + + const promise = blueprints.EksBlueprint.builder() + .addOns(...addOns) + .version(KubernetesVersion.V1_29) + .teams(platformTeam, ...applicationTeams) + .useDefaultSecretEncryption(true) + .compatibilityMode(true) + .buildAsync(scope, stackId); + + promise.then(stack => new NagSuppressionsConfig(stack)); + } +} + +export class EKSaaPPlatformTeam extends blueprints.PlatformTeam { + constructor( + allowedArnPrincipals: Array, + name?: string + ) { + super({ + name: name ?? "infrastructure", + users: allowedArnPrincipals + }); + } +} + +export class EKSaaPApplicationTeam extends blueprints.ApplicationTeam { + constructor( + name: string, + allowedArnPrincipals: Array, + namespace?: string + ) { + super({ + name, + namespace, + users: allowedArnPrincipals + }); + } +} \ No newline at end of file diff --git a/lib/cdk-nag-construct/nag-rules.ts b/lib/cdk-nag-construct/nag-rules.ts new file mode 100644 index 00000000..cfc702ee --- /dev/null +++ b/lib/cdk-nag-construct/nag-rules.ts @@ -0,0 +1,250 @@ +import { Stack } from "aws-cdk-lib"; +import { NagSuppressions } from "cdk-nag"; + + +export class NagSuppressionsConfig { + constructor(stack: Stack) { + + NagSuppressions.addResourceSuppressions(stack, [ + { + id: 'AwsSolutions-SF1', + reason: 'The Step Function does not log "ALL" events to CloudWatch Logs. - Step functions are native CDK functionality, not part of blueprints.', + }, + { + id: 'AwsSolutions-SF2', + reason: 'The Step Function does not have X-Ray tracing enabled. - Step functions are native CDK functionality, not part of blueprints.', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/KubectlHandlerRole/Resource`, [ + { + id: 'AwsSolutions-IAM4', + reason: 'Managed IAM policies make sense in the context of Lambda functions for basic execution', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/KubectlHandlerRole/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'Wildcards in IAM policy are recommended for read/write', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/Role/Resource`, [ + { + id: 'AwsSolutions-IAM4', + reason: 'EKS cluster default role should use AWS managed IAM policy', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/Resource/CreationRole/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'Remediation ticket raised https://app.gitlab.gss.gov.uk/north/t-p/cloud-hub/cloud-adoption-engineering-patterns/products/eksaap/eks-as-a-pattern/-/issues/129', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/Resource/Resource/Default`, [ + { + id: 'AwsSolutions-EKS2', + reason: 'Remediation ticket raised https://app.gitlab.gss.gov.uk/north/t-p/cloud-hub/cloud-adoption-engineering-patterns/products/eksaap/eks-as-a-pattern/-/issues/130', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/aws-ebs-csi-driver-managed-policy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'Remediation ticket raised https://app.gitlab.gss.gov.uk/north/t-p/cloud-hub/cloud-adoption-engineering-patterns/products/eksaap/eks-as-a-pattern/-/issues/132', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/OnEventHandler/ServiceRole/Resource`, [ + { + id: 'AwsSolutions-IAM4', + reason: 'This is the basic lambda execution role, that is ok', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/OnEventHandler/Resource`, [ + { + id: 'AwsSolutions-L1', + reason: 'This is packaged as a core part of Blueprints, will be updated as part of their release schedule. Currently on a supported NodeJS verison (18)', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/IsCompleteHandler/ServiceRole/Resource`, [ + { + id: 'AwsSolutions-IAM4', + reason: 'This is the basic lambda execution role, that is ok', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/IsCompleteHandler/Resource`, [ + { + id: 'AwsSolutions-L1', + reason: 'This is packaged as a core part of Blueprints, will be updated as part of their release schedule. Currently on a supported NodeJS verison (18)', + }, + ]); + + // loop over framework providers as they implement similar functions multiple times + let frameworkProviders: string[] = ['framework-onEvent', 'framework-isComplete', 'framework-onTimeout'] + + for (var provider of frameworkProviders) { + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/Provider/${provider}/ServiceRole/Resource`, [ + { + id: 'AwsSolutions-IAM4', + reason: 'This is the basic lambda execution role, that is ok', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/Provider/${provider}/ServiceRole/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'This is scoped to the invocation of the managed providers lambda functions only', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/Provider/${provider}/Resource`, [ + { + id: 'AwsSolutions-L1', + reason: 'This is packaged as a core part of Blueprints, will be updated as part of their release schedule. Currently on a supported NodeJS verison (18)', + }, + ]); + }; // end loop + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.ClusterResourceProvider/Provider/waiter-state-machine/Role/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'This is scoped to the invocation of the managed providers lambda functions only', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.KubectlProvider/Handler/Resource`, [ + { + id: 'AwsSolutions-L1', + reason: 'This is packaged as a core part of Blueprints, will be updated as part of their release schedule. Currently on a supported Python3 verison (3.10)', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.KubectlProvider/Provider/framework-onEvent/ServiceRole/Resource`, [ + { + id: 'AwsSolutions-IAM4', + reason: 'This is the basic lambda execution role and VPC execution role, that is ok', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.KubectlProvider/Provider/framework-onEvent/ServiceRole/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'This is scoped to the invocation of the managed providers lambda functions only', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/@aws-cdk--aws-eks.KubectlProvider/Provider/framework-onEvent/Resource`, [ + { + id: 'AwsSolutions-L1', + reason: 'This is packaged as a core part of Blueprints, will be updated as part of their release schedule. Currently on a supported NodeJS verison (18)', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}-vpc/Resource`, [ + { + id: 'AwsSolutions-VPC7', + reason: 'suppressed for demo purposes', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}-kms-key/Resource`, [ + { + id: 'AwsSolutions-KMS5', + reason: 'suppressed for demo purposes', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/Resource/Resource/Default`, [ + { + id: 'AwsSolutions-EKS1', + reason: 'suppressed for demo purposes', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/${stack.stackName}/Nodegroup${stack.stackName}-ng-ng/NodeGroupRole/Resource`, [ + { + id: 'AwsSolutions-IAM4', + reason: 'suppressed for demo purposes', + }, + ]); + + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/team-infrastructureAccessRole/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'This wildcard is just for eks:ListClusters so that is ok', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/team-oneAccessRole/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'This wildcard is just for eks:ListClusters so that is ok', + }, + ]); + + NagSuppressions.addResourceSuppressionsByPath( + stack, + `/${stack.stackName}/team-twoAccessRole/DefaultPolicy/Resource`, [ + { + id: 'AwsSolutions-IAM5', + reason: 'This wildcard is just for eks:ListClusters so that is ok', + }, + ]); + }; +}; \ No newline at end of file diff --git a/lib/starter-construct/index.ts b/lib/starter-construct/index.ts index 1240c4cd..8d9cdf83 100644 --- a/lib/starter-construct/index.ts +++ b/lib/starter-construct/index.ts @@ -2,6 +2,24 @@ import { Construct } from 'constructs'; import * as blueprints from '@aws-quickstart/eks-blueprints'; +import * as AWS from 'aws-sdk'; + +const s3 = new AWS.S3(); + +async function readSettingsFromS3(bucketName: string, key: string): Promise { + const params = { + Bucket: bucketName, + Key: key + }; + + try { + const data = await s3.getObject(params).promise(); + return data.Body?.toString() || ''; + } catch (err) { + console.error('Error reading settings file from S3:', err); + throw err; + } +} /** * Example starter with placeholders to add addOns and teams. diff --git a/package.json b/package.json index ced0b6f3..b7a93d8d 100644 --- a/package.json +++ b/package.json @@ -24,9 +24,11 @@ "typescript": "^5.3.3" }, "dependencies": { - "@aws-quickstart/eks-blueprints": "1.14.1", + "@aws-quickstart/eks-blueprints": "1.15.1", "@aws-sdk/client-config-service": "^3.576.0", "@aws-sdk/client-eks": "^3.478.0", + "@aws-sdk/client-s3": "3.624.0", + "@aws-sdk/credential-providers": "3.624.0", "@claranet-ch/konveyor-eks-blueprint-addon": "^1.0.2", "@datadog/datadog-eks-blueprints-addon": "^0.1.2", "@dynatrace/dynatrace-eks-blueprints-addon": "^0.0.4", @@ -40,15 +42,16 @@ "@paralus/paralus-eks-blueprints-addon": "^0.1.5", "@rafaysystems/rafay-eks-blueprints-addon": "^0.0.2", "@snyk-partners/snyk-monitor-eks-blueprints-addon": "^1.1.1", - "aws-cdk": "2.133.0", - "aws-cdk-lib": "2.133.0", + "aws-cdk": "2.147.3", + "aws-cdk-lib": "2.147.3", + "cdk-nag": "^2.28.151", "eks-blueprints-cdk-kubeflow-ext": "0.1.9", "source-map-support": "^0.5.21" }, "overrides": { - "@aws-quickstart/eks-blueprints": "1.14.1", - "aws-cdk": "2.133.0", - "aws-cdk-lib": "2.133.0", + "@aws-quickstart/eks-blueprints": "1.15.1", + "aws-cdk": "2.147.3", + "aws-cdk-lib": "2.147.3", "xml2js": "0.5.0", "@aws-cdk/core": "../_EXCLUDED_", "axios": "^1.6.2" From f058debf15708385881e41b43b50fa72186d167b Mon Sep 17 00:00:00 2001 From: shapirov Date: Thu, 24 Oct 2024 00:30:49 -0400 Subject: [PATCH 2/3] formatted code base --- .eslintrc.js | 4 +- cdk.json | 4 +- jest.config.js | 10 +- lib/amp-monitoring/index.ts | 14 +-- lib/aws-batch-on-eks-construct/index.ts | 6 +- .../backstage-secret-addon.ts | 4 +- .../database-credentials.ts | 2 +- lib/backstage-construct/index.ts | 6 +- .../rds-database-instance.ts | 8 +- lib/bottlerocket-construct/index.ts | 8 +- lib/cdk-nag-construct/index.ts | 2 +- lib/cloudwatch-monitoring/index.ts | 18 +-- lib/common/construct-utils.ts | 16 +-- lib/custom-networking-ipv4-construct/index.ts | 6 +- lib/datadog-construct/index.ts | 2 +- lib/emr-eks/index.ts | 26 ++-- lib/fargate-construct/index.ts | 2 +- lib/generative-ai-showcase/index.ts | 2 +- lib/generic-cluster-construct/index.ts | 8 +- lib/gmaestro-construct/index.ts | 2 +- lib/gpu-construct/index.ts | 2 +- lib/import-cluster/index.ts | 4 +- lib/instana-construct/index.ts | 2 +- lib/jupyterhub-construct/index.ts | 15 ++- lib/karpenter-construct/index.ts | 8 +- lib/kasten-k10-construct/index.ts | 5 +- lib/kubeflow-construct/index.ts | 4 +- lib/multi-account-monitoring/amg-iam-setup.ts | 8 +- lib/multi-account-monitoring/pipeline.ts | 4 +- lib/multi-region-construct/index.ts | 24 ++-- lib/multi-team-construct/index.ts | 4 +- lib/paralus-construct/index.ts | 2 +- lib/pipeline-stack/index.ts | 22 ++-- lib/secure-ingress-auth-cognito/index.ts | 28 ++--- lib/security/data-at-rest-encryption/index.ts | 4 +- lib/security/eks-config-rules/config-setup.ts | 10 +- lib/security/eks-config-rules/index.ts | 2 +- .../guardduty-construct/guardduty-setup.ts | 32 ++--- lib/security/guardduty-construct/index.ts | 6 +- .../image-scanning-setup.ts | 2 +- lib/starter-construct/index.ts | 28 ++--- lib/teams/team-batch/index.ts | 2 +- lib/teams/team-burnham/index.ts | 2 +- lib/teams/team-riker/index.ts | 4 +- lib/windows-construct/index.ts | 10 +- lib/windows-construct/vpc-cni/index.ts | 10 +- lib/workloads-codecommit-construct/index.ts | 2 +- .../lambda/index.js | 4 +- package.json | 116 +++++++++--------- 49 files changed, 258 insertions(+), 258 deletions(-) diff --git a/.eslintrc.js b/.eslintrc.js index 4b194fea..9d62319b 100644 --- a/.eslintrc.js +++ b/.eslintrc.js @@ -12,9 +12,9 @@ module.exports = { "@typescript-eslint/no-explicit-any": "off", "@typescript-eslint/explicit-module-boundary-types": "off", "@typescript-eslint/no-non-null-assertion": "off", - "@typescript-eslint/no-unused-vars": [1, {"argsIgnorePattern": "^_"}], + "@typescript-eslint/no-unused-vars": [1, { "argsIgnorePattern": "^_" }], indent: ['error', 4], "prefer-const": "off", - "semi": ['error',"always"], + "semi": ['error', "always"], }, }; \ No newline at end of file diff --git a/cdk.json b/cdk.json index 3d667b3e..c9b35f68 100644 --- a/cdk.json +++ b/cdk.json @@ -1,3 +1,3 @@ { - "app": "npx ts-node dist/lib/common/default-main.js" -} + "app": "npx ts-node dist/lib/common/default-main.js" +} \ No newline at end of file diff --git a/jest.config.js b/jest.config.js index 772f9749..4acd6a09 100644 --- a/jest.config.js +++ b/jest.config.js @@ -1,7 +1,7 @@ module.exports = { - roots: ['/test'], - testMatch: ['**/*.test.ts'], - transform: { - '^.+\\.tsx?$': 'ts-jest' - } + roots: ['/test'], + testMatch: ['**/*.test.ts'], + transform: { + '^.+\\.tsx?$': 'ts-jest' + } }; diff --git a/lib/amp-monitoring/index.ts b/lib/amp-monitoring/index.ts index a6af0d37..6cbce7f6 100644 --- a/lib/amp-monitoring/index.ts +++ b/lib/amp-monitoring/index.ts @@ -11,20 +11,20 @@ import * as team from '../teams/multi-account-monitoring'; * Demonstrates how to leverage more than one node group along with Fargate profiles. */ export default class AmpMonitoringConstruct { - build(scope: Construct, id: string, account?: string, region?: string ) { + build(scope: Construct, id: string, account?: string, region?: string) { // Setup platform team - const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT! ; - const awsRegion = region ?? process.env.CDK_DEFAULT_REGION! ; - + const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT!; + const awsRegion = region ?? process.env.CDK_DEFAULT_REGION!; + const stackID = `${id}-blueprint`; this.create(scope, accountID, awsRegion) .build(scope, stackID); } - create(scope: Construct, account?: string, region?: string ) { + create(scope: Construct, account?: string, region?: string) { // Setup platform team - const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT! ; - const awsRegion = region ?? process.env.CDK_DEFAULT_REGION! ; + const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT!; + const awsRegion = region ?? process.env.CDK_DEFAULT_REGION!; const ampWorkspaceName = "multi-account-monitoring"; const ampPrometheusEndpoint = (blueprints.getNamedResource(ampWorkspaceName) as unknown as amp.CfnWorkspace).attrPrometheusEndpoint; diff --git a/lib/aws-batch-on-eks-construct/index.ts b/lib/aws-batch-on-eks-construct/index.ts index 397fa33a..71ddacb8 100644 --- a/lib/aws-batch-on-eks-construct/index.ts +++ b/lib/aws-batch-on-eks-construct/index.ts @@ -5,7 +5,7 @@ import { PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam'; export default class BatchOnEKSConstruct { build(scope: Construct, id: string, teams: BatchEksTeam[]) { - + const batchIamPolicy = new PolicyStatement({ effect: Effect.ALLOW, actions: [ @@ -25,9 +25,9 @@ export default class BatchOnEKSConstruct { .account(process.env.CDK_DEFAULT_ACCOUNT!) .region(process.env.CDK_DEFAULT_REGION!) .addOns( - new blueprints.AwsBatchAddOn(), + new blueprints.AwsBatchAddOn(), new blueprints.AwsForFluentBitAddOn({ - iamPolicies:[batchIamPolicy], + iamPolicies: [batchIamPolicy], values: { cloudWatch: { enabled: true, diff --git a/lib/backstage-construct/backstage-secret-addon.ts b/lib/backstage-construct/backstage-secret-addon.ts index b0607ce3..63f3b70b 100644 --- a/lib/backstage-construct/backstage-secret-addon.ts +++ b/lib/backstage-construct/backstage-secret-addon.ts @@ -91,14 +91,14 @@ export class BackstageSecretAddOn implements blueprints.ClusterAddOn { secretKey: "POSTGRES_PASSWORD", remoteRef: { key: databaseInstanceCredentialsSecretName, - property: "password" + property: "password" } }, { secretKey: "POSTGRES_USER", remoteRef: { key: databaseInstanceCredentialsSecretName, - property: "username" + property: "username" } }, ], diff --git a/lib/backstage-construct/database-credentials.ts b/lib/backstage-construct/database-credentials.ts index 1e9d0ce7..13db3225 100644 --- a/lib/backstage-construct/database-credentials.ts +++ b/lib/backstage-construct/database-credentials.ts @@ -1,4 +1,4 @@ -import { Secret,ISecret } from 'aws-cdk-lib/aws-secretsmanager'; +import { Secret, ISecret } from 'aws-cdk-lib/aws-secretsmanager'; import { ResourceContext, ResourceProvider } from '@aws-quickstart/eks-blueprints'; export interface DatabaseInstanceCredentialsProviderProps { diff --git a/lib/backstage-construct/index.ts b/lib/backstage-construct/index.ts index 50d97990..5f0c95a5 100644 --- a/lib/backstage-construct/index.ts +++ b/lib/backstage-construct/index.ts @@ -26,8 +26,8 @@ export class BackstageConstruct extends Construct { databaseSecretTargetName: blueprints.utils.valueFromContext(scope, "backstage.database.secret.target.name", "backstage-database-secret"), }; - const subdomain = props.backstageLabel+"."+props.parentDomain; - + const subdomain = props.backstageLabel + "." + props.parentDomain; + const databaseInstanceCredentialsProviderProps = { username: props.username } as DatabaseInstanceCredentialsProviderProps; @@ -82,6 +82,6 @@ export class BackstageConstruct extends Construct { .addOns(...addOns) .version('auto') .teams() - .build(scope, props.backstageLabel+"-blueprint"); + .build(scope, props.backstageLabel + "-blueprint"); } } diff --git a/lib/backstage-construct/rds-database-instance.ts b/lib/backstage-construct/rds-database-instance.ts index b9eed157..f4798aa4 100644 --- a/lib/backstage-construct/rds-database-instance.ts +++ b/lib/backstage-construct/rds-database-instance.ts @@ -40,10 +40,10 @@ export class DatabaseInstanceProvider implements ResourceProvider logger.info(m)); } } diff --git a/lib/custom-networking-ipv4-construct/index.ts b/lib/custom-networking-ipv4-construct/index.ts index ad570f97..fe88e20e 100644 --- a/lib/custom-networking-ipv4-construct/index.ts +++ b/lib/custom-networking-ipv4-construct/index.ts @@ -36,9 +36,9 @@ export default class CustomNetworkingIPv4Construct { awsVpcK8sCniCustomNetworkCfg: true, eniConfigLabelDef: 'topology.kubernetes.io/zone' }), - new blueprints.AwsLoadBalancerControllerAddOn(), - new blueprints.CoreDnsAddOn(), - new blueprints.KubeProxyAddOn(), + new blueprints.AwsLoadBalancerControllerAddOn(), + new blueprints.CoreDnsAddOn(), + new blueprints.KubeProxyAddOn(), ) .resourceProvider(blueprints.GlobalResources.Vpc, new blueprints.VpcProvider(undefined, { primaryCidr: "10.2.0.0/16", diff --git a/lib/datadog-construct/index.ts b/lib/datadog-construct/index.ts index eb76fffe..d20a0f4a 100644 --- a/lib/datadog-construct/index.ts +++ b/lib/datadog-construct/index.ts @@ -6,7 +6,7 @@ import { prevalidateSecrets } from '../common/construct-utils'; const SECRET_API_KEY = 'datadog-api-key'; export default class DatadogConstruct { - + async buildAsync(scope: Construct, id: string) { await prevalidateSecrets(DatadogConstruct.name, process.env.CDK_DEFAULT_REGION!, SECRET_API_KEY); diff --git a/lib/emr-eks/index.ts b/lib/emr-eks/index.ts index 497c7ff0..2fe757f7 100644 --- a/lib/emr-eks/index.ts +++ b/lib/emr-eks/index.ts @@ -1,15 +1,15 @@ -import { - EksBlueprint, - AwsLoadBalancerControllerAddOn, - CertManagerAddOn, - ClusterAutoScalerAddOn, - CoreDnsAddOn, - EbsCsiDriverAddOn, - EmrEksAddOn, - EmrEksTeam, - KubeProxyAddOn, - MetricsServerAddOn, - VpcCniAddOn +import { + EksBlueprint, + AwsLoadBalancerControllerAddOn, + CertManagerAddOn, + ClusterAutoScalerAddOn, + CoreDnsAddOn, + EbsCsiDriverAddOn, + EmrEksAddOn, + EmrEksTeam, + KubeProxyAddOn, + MetricsServerAddOn, + VpcCniAddOn } from '@aws-quickstart/eks-blueprints'; import * as cdk from 'aws-cdk-lib'; @@ -17,7 +17,7 @@ import * as cdk from 'aws-cdk-lib'; export default class EmrEksConstruct { build(scope: cdk.App, id: string, teams: EmrEksTeam[]) { - + const stackId = `${id}-blueprint`; EksBlueprint.builder().addOns( diff --git a/lib/fargate-construct/index.ts b/lib/fargate-construct/index.ts index deeaae1f..2f65b7cc 100644 --- a/lib/fargate-construct/index.ts +++ b/lib/fargate-construct/index.ts @@ -13,7 +13,7 @@ export default class FargateConstruct { // Setup platform team const accountID = process.env.CDK_DEFAULT_ACCOUNT!; const platformTeam = new team.TeamPlatform(accountID); - + const fargateProfiles: Map = new Map([ ["team1", { selectors: [{ namespace: "team1" }] }] ]); diff --git a/lib/generative-ai-showcase/index.ts b/lib/generative-ai-showcase/index.ts index e883877f..febabd5a 100644 --- a/lib/generative-ai-showcase/index.ts +++ b/lib/generative-ai-showcase/index.ts @@ -17,7 +17,7 @@ export default class GenAIShowcase { createNamespace: true, serviceAccountName: 'bedrock-service-account', extensionFunction: extensionFunction - }; + }; BedrockBuilder.builder() .account(account) diff --git a/lib/generic-cluster-construct/index.ts b/lib/generic-cluster-construct/index.ts index f599540f..8292b6df 100644 --- a/lib/generic-cluster-construct/index.ts +++ b/lib/generic-cluster-construct/index.ts @@ -16,9 +16,9 @@ export default class GenericClusterConstruct { // Setup platform team const accountID = process.env.CDK_DEFAULT_ACCOUNT!; const platformTeam = new team.TeamPlatform(accountID); - + const stackID = `${id}-blueprint`; - + const clusterProvider = new blueprints.GenericClusterProvider({ version: eks.KubernetesVersion.V1_25, managedNodeGroups: [ @@ -36,11 +36,11 @@ export default class GenericClusterConstruct { fargateProfiles: { "fp1": { fargateProfileName: "fp1", - selectors: [{ namespace: "serverless1" }] + selectors: [{ namespace: "serverless1" }] }, "fp2": { fargateProfileName: "fp2", - selectors: [{ namespace: "serverless2" }] + selectors: [{ namespace: "serverless2" }] } } }); diff --git a/lib/gmaestro-construct/index.ts b/lib/gmaestro-construct/index.ts index 5d084864..7b7191a9 100644 --- a/lib/gmaestro-construct/index.ts +++ b/lib/gmaestro-construct/index.ts @@ -1,7 +1,7 @@ import * as blueprints from '@aws-quickstart/eks-blueprints'; import * as gmaestroAddOn from '@granulate/gmaestro-eks-blueprints-addon'; import * as cdk from 'aws-cdk-lib'; -import {prevalidateSecrets} from "../common/construct-utils"; +import { prevalidateSecrets } from "../common/construct-utils"; export default class GmaestroConstruct { diff --git a/lib/gpu-construct/index.ts b/lib/gpu-construct/index.ts index 5b13dffe..44bf6217 100644 --- a/lib/gpu-construct/index.ts +++ b/lib/gpu-construct/index.ts @@ -44,7 +44,7 @@ export default class GpuConstruct { GpuBuilder.builder(options) .account(account) .region(region) - .enableGpu({values}) + .enableGpu({ values }) .build(scope, stackID); } } \ No newline at end of file diff --git a/lib/import-cluster/index.ts b/lib/import-cluster/index.ts index 5b8b9715..2320927a 100644 --- a/lib/import-cluster/index.ts +++ b/lib/import-cluster/index.ts @@ -17,7 +17,7 @@ export class ImportClusterConstruct { *Modify these constants for your use case. */ const clusterName = "quickstart-cluster"; - const kubectlRoleName = "awsqs-kubernetes-helm"; + const kubectlRoleName = "awsqs-kubernetes-helm"; const region = process.env.CDK_DEFAULT_REGION!; const sdkCluster = await blueprints.describeCluster(clusterName, region); @@ -27,7 +27,7 @@ export class ImportClusterConstruct { */ const importClusterProvider = blueprints.ImportClusterProvider.fromClusterAttributes(sdkCluster, blueprints.getResource(context => new blueprints.LookupRoleProvider(kubectlRoleName).provide(context))); - + const vpcId = sdkCluster.resourcesVpcConfig?.vpcId; blueprints.EksBlueprint.builder() diff --git a/lib/instana-construct/index.ts b/lib/instana-construct/index.ts index 52330d9e..4b271bbb 100644 --- a/lib/instana-construct/index.ts +++ b/lib/instana-construct/index.ts @@ -13,7 +13,7 @@ export default class InstanaConstruct { const secretParamName: string = utils.valueFromContext(scope, "secretParamName", undefined); //console.log(`secretParamName is ${secretParamName}`); - if(secretParamName != undefined) { + if (secretParamName != undefined) { instanaProps.secretParamName = secretParamName; } const yamlObject = loadYaml(JSON.stringify(instanaProps)); diff --git a/lib/jupyterhub-construct/index.ts b/lib/jupyterhub-construct/index.ts index 72d0d24b..d4fc892b 100644 --- a/lib/jupyterhub-construct/index.ts +++ b/lib/jupyterhub-construct/index.ts @@ -5,19 +5,19 @@ import * as cdk from 'aws-cdk-lib'; export default class JupyterHubConstruct { constructor(scope: Construct, id: string, props: cdk.StackProps) { - const stackId = `${id}-blueprint`; + const stackId = `${id}-blueprint`; blueprints.EksBlueprint.builder() .account(props.env!.account!) .region(props.env!.region!) .version('auto') .addOns( - new blueprints.EfsCsiDriverAddOn({replicaCount: 1}), + new blueprints.EfsCsiDriverAddOn({ replicaCount: 1 }), new blueprints.VpcCniAddOn(), new blueprints.KubeProxyAddOn(), new blueprints.ClusterAutoScalerAddOn(), new blueprints.JupyterHubAddOn({ - efsConfig:{ + efsConfig: { removalPolicy: cdk.RemovalPolicy.DESTROY, pvcName: "efs-persist", capacity: "120Gi", @@ -29,18 +29,17 @@ export default class JupyterHubConstruct { userDataUrl: blueprints.utils.valueFromContext(scope, "userDataUrl", "https://yourid.oidcprovider.com/userinfo"), clientId: blueprints.utils.valueFromContext(scope, "clientId", "yourClientIdString"), clientSecret: blueprints.utils.valueFromContext(scope, "clientSecret", "yourClientSecretString"), - scope: blueprints.utils.valueFromContext(scope, "scope",["openid","name","profile","email"]), + scope: blueprints.utils.valueFromContext(scope, "scope", ["openid", "name", "profile", "email"]), usernameKey: blueprints.utils.valueFromContext(scope, "usernameKey", "name"), }, serviceType: blueprints.JupyterHubServiceType.CLUSTERIP, - values: { - prePuller: { + values: { + prePuller: { hook: { enabled: false }, } } }) ) - .build(scope, stackId); + .build(scope, stackId); } } - \ No newline at end of file diff --git a/lib/karpenter-construct/index.ts b/lib/karpenter-construct/index.ts index 6410685b..8449e3e1 100644 --- a/lib/karpenter-construct/index.ts +++ b/lib/karpenter-construct/index.ts @@ -12,9 +12,9 @@ export default class KarpenterConstruct { nodePoolSpec: { requirements: [ { key: 'node.kubernetes.io/instance-type', operator: 'In', values: ['m5.large'] }, - { key: 'topology.kubernetes.io/zone', operator: 'In', values: [`${region}a`,`${region}b`, `${region}c`]}, - { key: 'kubernetes.io/arch', operator: 'In', values: ['amd64','arm64']}, - { key: 'karpenter.sh/capacity-type', operator: 'In', values: ['on-demand']}, + { key: 'topology.kubernetes.io/zone', operator: 'In', values: [`${region}a`, `${region}b`, `${region}c`] }, + { key: 'kubernetes.io/arch', operator: 'In', values: ['amd64', 'arm64'] }, + { key: 'karpenter.sh/capacity-type', operator: 'In', values: ['on-demand'] }, ], disruption: { consolidationPolicy: "WhenUnderutilized", @@ -23,7 +23,7 @@ export default class KarpenterConstruct { weight: 20, }, - ec2NodeClassSpec:{ + ec2NodeClassSpec: { subnetSelectorTerms: [ { tags: { "Name": `${stackID}/${stackID}-vpc/*` } diff --git a/lib/kasten-k10-construct/index.ts b/lib/kasten-k10-construct/index.ts index d266cda3..cd3966b7 100644 --- a/lib/kasten-k10-construct/index.ts +++ b/lib/kasten-k10-construct/index.ts @@ -4,14 +4,13 @@ import { KastenK10AddOn } from '@kastenhq/kasten-eks-blueprints-addon'; export default class KastenK10Construct { constructor(scope: Construct, id: string) { - const stackId = `${id}-blueprint`; + const stackId = `${id}-blueprint`; blueprints.EksBlueprint.builder() .account(process.env.CDK_DEFAULT_ACCOUNT!) .region(process.env.CDK_DEFAULT_REGION) .version('auto') .addOns(new blueprints.ClusterAutoScalerAddOn, new KastenK10AddOn) - .build(scope, stackId); + .build(scope, stackId); } } - \ No newline at end of file diff --git a/lib/kubeflow-construct/index.ts b/lib/kubeflow-construct/index.ts index 4fda8fb0..be7800d1 100644 --- a/lib/kubeflow-construct/index.ts +++ b/lib/kubeflow-construct/index.ts @@ -16,14 +16,14 @@ export default class KubeflowConstruct { instanceTypes: [new ec2.InstanceType("m5.2xlarge")], amiType: eks.NodegroupAmiType.AL2_X86_64, desiredSize: 2, - maxSize: 3, + maxSize: 3, }; blueprints.EksBlueprint.builder() .account(process.env.CDK_DEFAULT_ACCOUNT!) .region(process.env.CDK_DEFAULT_REGION) .resourceProvider(ampWorkspaceName, new blueprints.CreateAmpProvider(ampWorkspaceName, ampWorkspaceName)) - .addOns( + .addOns( new blueprints.AwsLoadBalancerControllerAddOn(), new blueprints.ClusterAutoScalerAddOn(), new blueprints.VpcCniAddOn(), diff --git a/lib/multi-account-monitoring/amg-iam-setup.ts b/lib/multi-account-monitoring/amg-iam-setup.ts index 94efd403..38986084 100644 --- a/lib/multi-account-monitoring/amg-iam-setup.ts +++ b/lib/multi-account-monitoring/amg-iam-setup.ts @@ -16,13 +16,13 @@ export interface AmgIamSetupStackProps extends cdk.StackProps { * with trust relationship to the monitoring (AMG) account. */ accounts: string[] -} +} /** * Stack provisions IAM in the moniitoring account with turst relationship to the monitored account for metrics. */ export class AmgIamSetupStack extends cdk.Stack { - + constructor(scope: Construct, id: string, props: AmgIamSetupStackProps) { super(scope, id, props); @@ -31,14 +31,14 @@ export class AmgIamSetupStack extends cdk.Stack { assumedBy: new iam.ServicePrincipal('grafana.amazonaws.com'), description: 'Service Role for Amazon Managed Grafana', }); - + for (let i = 0; i < props.accounts.length; i++) { role.addToPolicy(new iam.PolicyStatement({ actions: [ "sts:AssumeRole" ], resources: [`arn:aws:iam::${props.accounts[i]}:role/ampPrometheusDataSourceRole`, - `arn:aws:iam::${props.accounts[i]}:role/cloudwatchDataSourceRole` + `arn:aws:iam::${props.accounts[i]}:role/cloudwatchDataSourceRole` ], })); } diff --git a/lib/multi-account-monitoring/pipeline.ts b/lib/multi-account-monitoring/pipeline.ts index 96a735d9..b141ff19 100644 --- a/lib/multi-account-monitoring/pipeline.ts +++ b/lib/multi-account-monitoring/pipeline.ts @@ -78,10 +78,10 @@ export class PipelineMultiEnvMonitoring { .application("npx ts-node bin/pipeline-multienv-monitoring.ts") .name("multi-account-central-pipeline") .owner(gitOwner) - .codeBuildPolicies([ + .codeBuildPolicies([ new iam.PolicyStatement({ resources: ["*"], - actions: [ + actions: [ "sts:AssumeRole", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", diff --git a/lib/multi-region-construct/index.ts b/lib/multi-region-construct/index.ts index 0dfc69a7..b3c64875 100644 --- a/lib/multi-region-construct/index.ts +++ b/lib/multi-region-construct/index.ts @@ -8,7 +8,7 @@ import { Construct } from 'constructs'; import * as team from '../teams'; const burnhamManifestDir = './lib/teams/team-burnham/'; const rikerManifestDir = './lib/teams/team-riker/'; -const teamManifestDirList = [burnhamManifestDir,rikerManifestDir]; +const teamManifestDirList = [burnhamManifestDir, rikerManifestDir]; export const SECRET_GIT_SSH_KEY = 'github-ssh-key'; export const SECRET_ARGO_ADMIN_PWD = 'argo-admin-secret'; @@ -23,14 +23,14 @@ export const SECRET_ARGO_ADMIN_PWD = 'argo-admin-secret'; */ export default class MultiRegionConstruct { - async buildAsync(scope: Construct, id: string) : Promise { + async buildAsync(scope: Construct, id: string): Promise { // Setup platform team const accountID = process.env.CDK_DEFAULT_ACCOUNT!; const gitUrl = 'https://github.com/aws-samples/eks-blueprints-workloads.git'; const gitSecureUrl = 'git@github.com:aws-samples/eks-blueprints-workloads.git'; await prevalidateSecrets(); // this checks if required secrets exist in the target regions - + const blueprint = blueprints.EksBlueprint.builder() .account(process.env.CDK_DEFAULT_ACCOUNT!) .version('auto') @@ -50,11 +50,11 @@ export default class MultiRegionConstruct { new blueprints.KarpenterAddOn, new blueprints.CloudWatchAdotAddOn, new blueprints.XrayAdotAddOn, - new blueprints.SecretsStoreAddOn ) - .teams( new team.TeamPlatform(accountID), + new blueprints.SecretsStoreAddOn) + .teams(new team.TeamPlatform(accountID), new team.TeamTroiSetup, new team.TeamRikerSetup(scope, teamManifestDirList[1]), - new team.TeamBurnhamSetup(scope,teamManifestDirList[0])); + new team.TeamBurnhamSetup(scope, teamManifestDirList[0])); const devBootstrapArgo = new blueprints.ArgoCDAddOn({ bootstrapRepo: { @@ -81,20 +81,20 @@ export default class MultiRegionConstruct { }, adminPasswordSecretName: SECRET_ARGO_ADMIN_PWD, }); - + const east1 = await blueprint.clone('us-east-1') .addOns(devBootstrapArgo) - .buildAsync(scope, `${id}-us-east-1`); - + .buildAsync(scope, `${id}-us-east-1`); + const east2 = await blueprint.clone('us-east-2') .addOns(testBootstrapArgo) .buildAsync(scope, `${id}-us-east-2`); - + const west2 = await blueprint.clone('us-west-2') .addOns(prodBootstrapArgo) .buildAsync(scope, `${id}-us-west-2`); - return [ east1, east2, west2 ]; + return [east1, east2, west2]; } } @@ -103,7 +103,7 @@ async function prevalidateSecrets() { await utils.validateSecret(SECRET_GIT_SSH_KEY, 'us-east-2'); await utils.validateSecret(SECRET_ARGO_ADMIN_PWD, 'us-west-2'); } - catch(error) { + catch (error) { throw new Error("Both github-ssh-key and argo-admin-secret secrets must be setup for the multi-region pattern to work."); } } diff --git a/lib/multi-team-construct/index.ts b/lib/multi-team-construct/index.ts index 4a7a9747..c4f216a4 100644 --- a/lib/multi-team-construct/index.ts +++ b/lib/multi-team-construct/index.ts @@ -6,11 +6,11 @@ import * as blueprints from '@aws-quickstart/eks-blueprints'; import * as team from '../teams'; const burnhamManifestDir = './lib/teams/team-burnham/'; const rikerManifestDir = './lib/teams/team-riker/'; -const teamManifestDirList = [burnhamManifestDir,rikerManifestDir]; +const teamManifestDirList = [burnhamManifestDir, rikerManifestDir]; export default class MultiTeamConstruct { constructor(scope: Construct, id: string) { - + // Setup platform team const accountID = process.env.CDK_DEFAULT_ACCOUNT!; const platformTeam = new team.TeamPlatform(accountID); diff --git a/lib/paralus-construct/index.ts b/lib/paralus-construct/index.ts index 76686bbf..3f9f1d0c 100644 --- a/lib/paralus-construct/index.ts +++ b/lib/paralus-construct/index.ts @@ -9,7 +9,7 @@ export default class ParalusConstruct { blueprints.EksBlueprint.builder() .account(process.env.CDK_DEFAULT_ACCOUNT!) .region(process.env.CDK_DEFAULT_REGION) - .addOns( + .addOns( new blueprints.AwsLoadBalancerControllerAddOn(), new blueprints.VpcCniAddOn(), new blueprints.KubeProxyAddOn(), diff --git a/lib/pipeline-stack/index.ts b/lib/pipeline-stack/index.ts index 8f71f808..6a9c8294 100644 --- a/lib/pipeline-stack/index.ts +++ b/lib/pipeline-stack/index.ts @@ -7,13 +7,13 @@ import * as team from '../teams'; const burnhamManifestDir = './lib/teams/team-burnham/'; const rikerManifestDir = './lib/teams/team-riker/'; -const teamManifestDirList = [burnhamManifestDir,rikerManifestDir]; +const teamManifestDirList = [burnhamManifestDir, rikerManifestDir]; export default class PipelineConstruct { async buildAsync(scope: Construct, props?: StackProps) { - + await this.prevalidateSecrets(); const account = process.env.CDK_DEFAULT_ACCOUNT!; @@ -22,12 +22,12 @@ export default class PipelineConstruct { .region('us-west-1') .version('auto') .addOns( - new blueprints.AwsLoadBalancerControllerAddOn, + new blueprints.AwsLoadBalancerControllerAddOn, new blueprints.CertManagerAddOn, new blueprints.AdotCollectorAddOn, new blueprints.NginxAddOn, new blueprints.ArgoCDAddOn, - new blueprints.AppMeshAddOn( { + new blueprints.AppMeshAddOn({ enableTracing: true }), new blueprints.SSMAgentAddOn, // this is added to deal with PVRE as it is adding correct role to the node group, otherwise stack destroy won't work @@ -56,11 +56,11 @@ export default class PipelineConstruct { id: 'us-west-1-sandbox', stackBuilder: blueprint.clone('us-west-1') }) - .wave( { + .wave({ id: "dev", stages: [ - { id: "dev-west-1", stackBuilder: blueprint.clone('us-west-1')}, - { id: "dev-east-2", stackBuilder: blueprint.clone('us-east-2')}, + { id: "dev-west-1", stackBuilder: blueprint.clone('us-west-1') }, + { id: "dev-east-2", stackBuilder: blueprint.clone('us-east-2') }, ] }) .stage({ @@ -70,11 +70,11 @@ export default class PipelineConstruct { pre: [new blueprints.pipelines.cdkpipelines.ManualApprovalStep('manual-approval')] } }) - .wave( { + .wave({ id: "prod", stages: [ - { id: "prod-west-1", stackBuilder: blueprint.clone('us-west-1')}, - { id: "prod-east-2", stackBuilder: blueprint.clone('us-east-2')}, + { id: "prod-west-1", stackBuilder: blueprint.clone('us-west-1') }, + { id: "prod-east-2", stackBuilder: blueprint.clone('us-east-2') }, ] }) .build(scope, "pipeline", props); @@ -85,7 +85,7 @@ export default class PipelineConstruct { await blueprints.utils.validateSecret('github-token', 'us-east-2'); await blueprints.utils.validateSecret('github-token', 'us-west-1'); } - catch(error) { + catch (error) { throw new Error(`github-token secret must be setup in AWS Secrets Manager for the GitHub pipeline. The GitHub Personal Access Token should have these scopes: * **repo** - to read the repository diff --git a/lib/secure-ingress-auth-cognito/index.ts b/lib/secure-ingress-auth-cognito/index.ts index 52b71f9c..e92b6a41 100644 --- a/lib/secure-ingress-auth-cognito/index.ts +++ b/lib/secure-ingress-auth-cognito/index.ts @@ -25,7 +25,7 @@ class CognitoIdpStack extends cdk.Stack { public readonly userPoolOut: cognito.UserPool; public readonly userPoolClientOut: cognito.UserPoolClient; public readonly userPoolDomainOut: cognito.UserPoolDomain; - + constructor(scope: Construct, id: string, subDomain: string, props?: cdk.StackProps) { super(scope, id, props); @@ -34,8 +34,8 @@ class CognitoIdpStack extends cdk.Stack { }); lambdaExecutionRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole")); - lambdaExecutionRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMReadOnlyAccess")); - + lambdaExecutionRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMReadOnlyAccess")); + const authChallengeFn = new lambda.Function(this, 'authChallengeFn', { runtime: lambda.Runtime.PYTHON_3_12, code: lambda.Code.fromAsset('./lib/secure-ingress-auth-cognito/lambda'), @@ -69,19 +69,19 @@ class CognitoIdpStack extends cdk.Stack { lambdaTriggers: { preSignUp: authChallengeFn, preAuthentication: authChallengeFn, - }, + }, }); - - + + // Output the User Pool ID this.userPoolOut = userPool; - + new cdk.CfnOutput(this, 'CognitoIDPUserPoolOut', { value: userPool.userPoolId, exportName: 'CognitoIDPUserPoolId' }); - + new cdk.CfnOutput(this, 'CognitoIDPUserPoolArnOut', { value: userPool.userPoolArn, exportName: 'CognitoIDPUserPoolArn' @@ -90,7 +90,7 @@ class CognitoIdpStack extends cdk.Stack { // We will ask the IDP to redirect back to our domain's index page const redirectUri = `https://${subDomain}/oauth2/idpresponse`; - + // Configure the user pool client application const userPoolClient = new cognito.UserPoolClient(this, 'CognitoAppClient', { userPool, @@ -131,12 +131,12 @@ class CognitoIdpStack extends cdk.Stack { // Output the User Pool App Client ID this.userPoolDomainOut = userPoolDomain; - + new cdk.CfnOutput(this, 'CognitoIDPUserPoolDomainOut', { value: userPoolDomain.domainName, exportName: 'CognitoIDPUserPoolDomain' }); - + } } @@ -144,7 +144,7 @@ class CognitoIdpStack extends cdk.Stack { /** * See docs/patterns/secure-ingress-cognito.md for mode details on the setup. */ -export class SecureIngressCognito extends cdk.Stack{ +export class SecureIngressCognito extends cdk.Stack { async buildAsync(scope: Construct, id: string) { @@ -154,7 +154,7 @@ export class SecureIngressCognito extends cdk.Stack{ const parentDomain = utils.valueFromContext(scope, "parent.hostedzone.name", "mycompany.a2z.com"); const certificate: ICertificate = blueprints.getNamedResource(GlobalResources.Certificate); - const cognitoIdpStackOut = new CognitoIdpStack (scope,'cognito-idp-stack', subdomain, + const cognitoIdpStackOut = new CognitoIdpStack(scope, 'cognito-idp-stack', subdomain, { env: { account: process.env.CDK_DEFAULT_ACCOUNT, @@ -204,7 +204,7 @@ export class SecureIngressCognito extends cdk.Stack{ ) .buildAsync(scope, `${id}-blueprint`); - blueprints.HelmAddOn.validateHelmVersions = false; + blueprints.HelmAddOn.validateHelmVersions = false; } } diff --git a/lib/security/data-at-rest-encryption/index.ts b/lib/security/data-at-rest-encryption/index.ts index 6c55c534..d1c46185 100644 --- a/lib/security/data-at-rest-encryption/index.ts +++ b/lib/security/data-at-rest-encryption/index.ts @@ -34,7 +34,7 @@ export default class DataAtRestEncryptionConstruct { await EksBlueprint.builder() .resourceProvider(GlobalResources.Vpc, new blueprints.VpcProvider()) - // create KMS keys + // create KMS keys .resourceProvider( GlobalResources.KmsKey, new blueprints.CreateKmsKeyProvider() @@ -47,7 +47,7 @@ export default class DataAtRestEncryptionConstruct { efsKmsKeyName, new blueprints.CreateKmsKeyProvider(efsKmsKeyName) ) - // create EFS file system + // create EFS file system .resourceProvider( efsFileSystemName, new blueprints.CreateEfsFileSystemProvider({ diff --git a/lib/security/eks-config-rules/config-setup.ts b/lib/security/eks-config-rules/config-setup.ts index c55867ef..4b75f788 100644 --- a/lib/security/eks-config-rules/config-setup.ts +++ b/lib/security/eks-config-rules/config-setup.ts @@ -8,10 +8,10 @@ import * as subs from "aws-cdk-lib/aws-sns-subscriptions"; import * as blueprints from '@aws-quickstart/eks-blueprints'; import { Construct } from "constructs"; import { Stack, StackProps } from "aws-cdk-lib"; -import { - ConfigServiceClient, - DescribeConfigurationRecordersCommand, - DescribeDeliveryChannelsCommand +import { + ConfigServiceClient, + DescribeConfigurationRecordersCommand, + DescribeDeliveryChannelsCommand } from "@aws-sdk/client-config-service"; @@ -58,7 +58,7 @@ export class EksConfigSetup extends Stack { } else { logger.info(`AWS Config delivery channel is not enabled in ${currentRegion} region.`); logger.info("Configuring AWS Config delivery channel..."); - + // Create an AWS Config delivery channel // Setup an s3 bucket for the config recorder delivery channel const awsConfigBucket = new s3.Bucket(this, "BucketAwsConfig", { diff --git a/lib/security/eks-config-rules/index.ts b/lib/security/eks-config-rules/index.ts index 166427dc..29c0ea1a 100644 --- a/lib/security/eks-config-rules/index.ts +++ b/lib/security/eks-config-rules/index.ts @@ -15,7 +15,7 @@ export class EksConfigRulesSetup extends Stack { // Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version. new config.ManagedRule(this, "EksOldestSupportedVersion", { identifier: - config.ManagedRuleIdentifiers.EKS_CLUSTER_OLDEST_SUPPORTED_VERSION, + config.ManagedRuleIdentifiers.EKS_CLUSTER_OLDEST_SUPPORTED_VERSION, inputParameters: { oldestVersionSupported: defaultKubeVerison, // Set to the default cluster version used by CDK EKS Blueprints. }, diff --git a/lib/security/guardduty-construct/guardduty-setup.ts b/lib/security/guardduty-construct/guardduty-setup.ts index ee6e4e25..0a0ef2d8 100644 --- a/lib/security/guardduty-construct/guardduty-setup.ts +++ b/lib/security/guardduty-construct/guardduty-setup.ts @@ -17,22 +17,22 @@ export class GuardDutySetupStack extends Stack { const environmentName = "main"; const email = "your-email@example.com"; const features: aws_guardduty.CfnDetector.CFNFeatureConfigurationProperty[] = - [ - { name: "S3_DATA_EVENTS", status: "ENABLED" }, - { name: "EKS_AUDIT_LOGS", status: "ENABLED" }, - { name: "EBS_MALWARE_PROTECTION", status: "ENABLED" }, - { name: "RDS_LOGIN_EVENTS", status: "ENABLED" }, - { name: "LAMBDA_NETWORK_LOGS", status: "ENABLED" }, - { - name: "RUNTIME_MONITORING", - status: "ENABLED", - additionalConfiguration: [ - { name: "EKS_ADDON_MANAGEMENT", status: "ENABLED" }, - { name: "ECS_FARGATE_AGENT_MANAGEMENT", status: "ENABLED" }, - { name: "EC2_AGENT_MANAGEMENT", status: "ENABLED" }, - ], - }, - ]; + [ + { name: "S3_DATA_EVENTS", status: "ENABLED" }, + { name: "EKS_AUDIT_LOGS", status: "ENABLED" }, + { name: "EBS_MALWARE_PROTECTION", status: "ENABLED" }, + { name: "RDS_LOGIN_EVENTS", status: "ENABLED" }, + { name: "LAMBDA_NETWORK_LOGS", status: "ENABLED" }, + { + name: "RUNTIME_MONITORING", + status: "ENABLED", + additionalConfiguration: [ + { name: "EKS_ADDON_MANAGEMENT", status: "ENABLED" }, + { name: "ECS_FARGATE_AGENT_MANAGEMENT", status: "ENABLED" }, + { name: "EC2_AGENT_MANAGEMENT", status: "ENABLED" }, + ], + }, + ]; // check if GuardDuty is already enabled in the region const guardDuty = new AWS.GuardDuty(); diff --git a/lib/security/guardduty-construct/index.ts b/lib/security/guardduty-construct/index.ts index 785ecdcc..434a232d 100644 --- a/lib/security/guardduty-construct/index.ts +++ b/lib/security/guardduty-construct/index.ts @@ -9,9 +9,9 @@ const targetRevision = "main"; export default class GuardDutyWorkloadConstruct { async buildAsync(scope: Construct, id: string) { await prevalidateSecrets( - GuardDutyWorkloadConstruct.name, - process.env.CDK_DEFAULT_REGION!, - SECRET_ARGO_ADMIN_PWD + GuardDutyWorkloadConstruct.name, + process.env.CDK_DEFAULT_REGION!, + SECRET_ARGO_ADMIN_PWD ); const stackID = `${id}-blueprint`; diff --git a/lib/security/image-vulnerability-scanning/image-scanning-setup.ts b/lib/security/image-vulnerability-scanning/image-scanning-setup.ts index 631b27e2..9edf0c28 100644 --- a/lib/security/image-vulnerability-scanning/image-scanning-setup.ts +++ b/lib/security/image-vulnerability-scanning/image-scanning-setup.ts @@ -16,7 +16,7 @@ export class ImageScanningSetupStack extends Stack { // ENHANCED scanning configuration const enhancedContinuousScanDuration: AWS.Inspector2.EcrRescanDuration = - "LIFETIME"; + "LIFETIME"; const enhancedScanRules: AWS.ECR.RegistryScanningRuleList = [ { scanFrequency: "CONTINUOUS_SCAN", diff --git a/lib/starter-construct/index.ts b/lib/starter-construct/index.ts index 8d9cdf83..264d73b2 100644 --- a/lib/starter-construct/index.ts +++ b/lib/starter-construct/index.ts @@ -7,18 +7,18 @@ import * as AWS from 'aws-sdk'; const s3 = new AWS.S3(); async function readSettingsFromS3(bucketName: string, key: string): Promise { - const params = { - Bucket: bucketName, - Key: key - }; - - try { - const data = await s3.getObject(params).promise(); - return data.Body?.toString() || ''; - } catch (err) { - console.error('Error reading settings file from S3:', err); - throw err; - } + const params = { + Bucket: bucketName, + Key: key + }; + + try { + const data = await s3.getObject(params).promise(); + return data.Body?.toString() || ''; + } catch (err) { + console.error('Error reading settings file from S3:', err); + throw err; + } } /** @@ -26,12 +26,12 @@ async function readSettingsFromS3(bucketName: string, key: string): Promise { const cluster = clusterInfo.cluster; - const configmap = new KubernetesManifest(cluster, 'amazon-vpc-cni', { cluster: cluster, - manifest : [{ + const configmap = new KubernetesManifest(cluster, 'amazon-vpc-cni', { + cluster: cluster, + manifest: [{ apiVersion: "v1", kind: "ConfigMap", metadata: { name: "amazon-vpc-cni", namespace: "kube-system", }, - data:{ + data: { "enable-windows-ipam": "true" }, - }], overwrite: true }); + }], overwrite: true + }); return Promise.resolve(configmap); } diff --git a/lib/workloads-codecommit-construct/index.ts b/lib/workloads-codecommit-construct/index.ts index 8b5c9752..3d405b81 100644 --- a/lib/workloads-codecommit-construct/index.ts +++ b/lib/workloads-codecommit-construct/index.ts @@ -19,7 +19,7 @@ export default class WorkloadsCodeCommitConstruct extends Construct { const stackId = `${id}-blueprint`; - const bootstrapRepo : blueprints.ApplicationRepository = { + const bootstrapRepo: blueprints.ApplicationRepository = { repoUrl, targetRevision: 'main', credentialsSecretName: repoName + '-codecommit-secret', diff --git a/lib/workloads-codecommit-construct/lambda/index.js b/lib/workloads-codecommit-construct/lambda/index.js index 7429be98..3ccec079 100644 --- a/lib/workloads-codecommit-construct/lambda/index.js +++ b/lib/workloads-codecommit-construct/lambda/index.js @@ -11,7 +11,7 @@ const https = require('https'); // eslint-disable-line } */ -exports.handler = async function(event) { +exports.handler = async function (event) { const eventSourceARNarray = event.Records[0].eventSourceARN.split(':'); const repoName = eventSourceARNarray[eventSourceARNarray.length - 1]; const ref = event.Records[0].codecommit.references[0].ref; @@ -38,7 +38,7 @@ exports.handler = async function(event) { }, }; - const promise = new Promise(function(resolve, reject) { + const promise = new Promise(function (resolve, reject) { process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0; const req = https.request(options, (res) => { resolve(res.statusCode); diff --git a/package.json b/package.json index b7a93d8d..9a4b6ec0 100644 --- a/package.json +++ b/package.json @@ -1,59 +1,59 @@ { - "name": "eks-blueprints-patterns", - "version": "1.2.0", - "main": "dist/lib/common/default-main.js", - "types": "dist/lib/common/default-main.d.ts", - "scripts": { - "build": "rm -rf dist && tsc --skipLibCheck", - "watch": "tsc -w", - "test": "jest", - "cdk": "cdk", - "nginx": "cdk --app \"npx ts-node bin/nginx.ts\"", - "lint": "npx eslint . --ext .js,.jsx,.ts,.tsx" - }, - "devDependencies": { - "@types/jest": "^29.5.11", - "@types/node": "^20.10.5", - "@typescript-eslint/eslint-plugin": "^6.15.0", - "@typescript-eslint/parser": "^6.15.0", - "copyfiles": "^2.4.1", - "eslint": "^8.56.0", - "jest": "^29.7.0", - "ts-jest": "^29.1.1", - "ts-node": "^10.9.2", - "typescript": "^5.3.3" - }, - "dependencies": { - "@aws-quickstart/eks-blueprints": "1.15.1", - "@aws-sdk/client-config-service": "^3.576.0", - "@aws-sdk/client-eks": "^3.478.0", - "@aws-sdk/client-s3": "3.624.0", - "@aws-sdk/credential-providers": "3.624.0", - "@claranet-ch/konveyor-eks-blueprint-addon": "^1.0.2", - "@datadog/datadog-eks-blueprints-addon": "^0.1.2", - "@dynatrace/dynatrace-eks-blueprints-addon": "^0.0.4", - "@granulate/gmaestro-eks-blueprints-addon": "^1.0.16", - "@instana/aws-eks-blueprint-addon": "^1.0.4", - "@kastenhq/kasten-eks-blueprints-addon": "^1.0.1", - "@keptn/keptn-controlplane-eks-blueprints-addon": "^0.5.0", - "@komodor/komodor-eks-blueprints-addon": "^1.2.0", - "@kubecost/kubecost-eks-blueprints-addon": "^0.1.8", - "@newrelic/newrelic-eks-blueprints-addon": "^1.0.9", - "@paralus/paralus-eks-blueprints-addon": "^0.1.5", - "@rafaysystems/rafay-eks-blueprints-addon": "^0.0.2", - "@snyk-partners/snyk-monitor-eks-blueprints-addon": "^1.1.1", - "aws-cdk": "2.147.3", - "aws-cdk-lib": "2.147.3", - "cdk-nag": "^2.28.151", - "eks-blueprints-cdk-kubeflow-ext": "0.1.9", - "source-map-support": "^0.5.21" - }, - "overrides": { - "@aws-quickstart/eks-blueprints": "1.15.1", - "aws-cdk": "2.147.3", - "aws-cdk-lib": "2.147.3", - "xml2js": "0.5.0", - "@aws-cdk/core": "../_EXCLUDED_", - "axios": "^1.6.2" - } -} + "name": "eks-blueprints-patterns", + "version": "1.2.0", + "main": "dist/lib/common/default-main.js", + "types": "dist/lib/common/default-main.d.ts", + "scripts": { + "build": "rm -rf dist && tsc --skipLibCheck", + "watch": "tsc -w", + "test": "jest", + "cdk": "cdk", + "nginx": "cdk --app \"npx ts-node bin/nginx.ts\"", + "lint": "npx eslint . --ext .js,.jsx,.ts,.tsx" + }, + "devDependencies": { + "@types/jest": "^29.5.11", + "@types/node": "^20.10.5", + "@typescript-eslint/eslint-plugin": "^6.15.0", + "@typescript-eslint/parser": "^6.15.0", + "copyfiles": "^2.4.1", + "eslint": "^8.56.0", + "jest": "^29.7.0", + "ts-jest": "^29.1.1", + "ts-node": "^10.9.2", + "typescript": "^5.3.3" + }, + "dependencies": { + "@aws-quickstart/eks-blueprints": "1.15.1", + "@aws-sdk/client-config-service": "^3.576.0", + "@aws-sdk/client-eks": "^3.478.0", + "@aws-sdk/client-s3": "3.624.0", + "@aws-sdk/credential-providers": "3.624.0", + "@claranet-ch/konveyor-eks-blueprint-addon": "^1.0.2", + "@datadog/datadog-eks-blueprints-addon": "^0.1.2", + "@dynatrace/dynatrace-eks-blueprints-addon": "^0.0.4", + "@granulate/gmaestro-eks-blueprints-addon": "^1.0.16", + "@instana/aws-eks-blueprint-addon": "^1.0.4", + "@kastenhq/kasten-eks-blueprints-addon": "^1.0.1", + "@keptn/keptn-controlplane-eks-blueprints-addon": "^0.5.0", + "@komodor/komodor-eks-blueprints-addon": "^1.2.0", + "@kubecost/kubecost-eks-blueprints-addon": "^0.1.8", + "@newrelic/newrelic-eks-blueprints-addon": "^1.0.9", + "@paralus/paralus-eks-blueprints-addon": "^0.1.5", + "@rafaysystems/rafay-eks-blueprints-addon": "^0.0.2", + "@snyk-partners/snyk-monitor-eks-blueprints-addon": "^1.1.1", + "aws-cdk": "2.147.3", + "aws-cdk-lib": "2.147.3", + "cdk-nag": "^2.28.151", + "eks-blueprints-cdk-kubeflow-ext": "0.1.9", + "source-map-support": "^0.5.21" + }, + "overrides": { + "@aws-quickstart/eks-blueprints": "1.15.1", + "aws-cdk": "2.147.3", + "aws-cdk-lib": "2.147.3", + "xml2js": "0.5.0", + "@aws-cdk/core": "../_EXCLUDED_", + "axios": "^1.6.2" + } +} \ No newline at end of file From da075154ca8b581beae13c81dec7e38caa12ae30 Mon Sep 17 00:00:00 2001 From: shapirov103 Date: Fri, 25 Oct 2024 14:36:58 -0400 Subject: [PATCH 3/3] formatting and removed redundant code --- lib/cdk-nag-construct/nag-rules.ts | 10 +++++----- lib/custom-networking-ipv4-construct/index.ts | 6 +++--- lib/starter-construct/index.ts | 19 ------------------- 3 files changed, 8 insertions(+), 27 deletions(-) diff --git a/lib/cdk-nag-construct/nag-rules.ts b/lib/cdk-nag-construct/nag-rules.ts index cfc702ee..252e6b95 100644 --- a/lib/cdk-nag-construct/nag-rules.ts +++ b/lib/cdk-nag-construct/nag-rules.ts @@ -241,10 +241,10 @@ export class NagSuppressionsConfig { NagSuppressions.addResourceSuppressionsByPath( stack, `/${stack.stackName}/team-twoAccessRole/DefaultPolicy/Resource`, [ - { - id: 'AwsSolutions-IAM5', - reason: 'This wildcard is just for eks:ListClusters so that is ok', - }, - ]); + { + id: 'AwsSolutions-IAM5', + reason: 'This wildcard is just for eks:ListClusters so that is ok', + }, + ]); }; }; \ No newline at end of file diff --git a/lib/custom-networking-ipv4-construct/index.ts b/lib/custom-networking-ipv4-construct/index.ts index fe88e20e..ad570f97 100644 --- a/lib/custom-networking-ipv4-construct/index.ts +++ b/lib/custom-networking-ipv4-construct/index.ts @@ -36,9 +36,9 @@ export default class CustomNetworkingIPv4Construct { awsVpcK8sCniCustomNetworkCfg: true, eniConfigLabelDef: 'topology.kubernetes.io/zone' }), - new blueprints.AwsLoadBalancerControllerAddOn(), - new blueprints.CoreDnsAddOn(), - new blueprints.KubeProxyAddOn(), + new blueprints.AwsLoadBalancerControllerAddOn(), + new blueprints.CoreDnsAddOn(), + new blueprints.KubeProxyAddOn(), ) .resourceProvider(blueprints.GlobalResources.Vpc, new blueprints.VpcProvider(undefined, { primaryCidr: "10.2.0.0/16", diff --git a/lib/starter-construct/index.ts b/lib/starter-construct/index.ts index 264d73b2..b22a477e 100644 --- a/lib/starter-construct/index.ts +++ b/lib/starter-construct/index.ts @@ -2,25 +2,6 @@ import { Construct } from 'constructs'; import * as blueprints from '@aws-quickstart/eks-blueprints'; -import * as AWS from 'aws-sdk'; - -const s3 = new AWS.S3(); - -async function readSettingsFromS3(bucketName: string, key: string): Promise { - const params = { - Bucket: bucketName, - Key: key - }; - - try { - const data = await s3.getObject(params).promise(); - return data.Body?.toString() || ''; - } catch (err) { - console.error('Error reading settings file from S3:', err); - throw err; - } -} - /** * Example starter with placeholders to add addOns and teams. */