aws-samples · shapirov103 · Aug 27, 2024 · Oct 24, 2024 · Oct 24, 2024 · Oct 25, 2024
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -12,9 +12,9 @@ module.exports = {
         "@typescript-eslint/no-explicit-any": "off",
         "@typescript-eslint/explicit-module-boundary-types": "off",
         "@typescript-eslint/no-non-null-assertion": "off",
-        "@typescript-eslint/no-unused-vars": [1, {"argsIgnorePattern": "^_"}],
+        "@typescript-eslint/no-unused-vars": [1, { "argsIgnorePattern": "^_" }],
         indent: ['error', 4],
         "prefer-const": "off",
-        "semi": ['error',"always"],
+        "semi": ['error', "always"],
     },
 };
diff --git a/bin/cdk-nag.ts b/bin/cdk-nag.ts
@@ -0,0 +1,10 @@
+import * as cdk from 'aws-cdk-lib';
+import { AwsSolutionsChecks } from 'cdk-nag';
+import { configureApp } from '../lib/common/construct-utils';
+import CdkNagConstruct from '../lib/cdk-nag-construct';
+
+
+const app = configureApp();
+cdk.Aspects.of(app).add(new AwsSolutionsChecks()); // run CDK-nag
+
+new CdkNagConstruct(app, "cdk-nag-validation", app.account!);
diff --git a/cdk.json b/cdk.json
@@ -1,5 +1,5 @@
 {
-    "app": "npx ts-node dist/lib/common/default-main.js",
+    "app": "npx ts-node dist/lib/common/default-main.js"
     "context": {
         "conformitron.amp.endpoint": "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-77b8828d-0985-49e0-9268-2e0e8f3ba758/",
         "conformitron.amp.arn":"arn:aws:aps:us-east-1:975050283200:workspace/ws-77b8828d-0985-49e0-9268-2e0e8f3ba758",
@@ -29,4 +29,4 @@
         ]
     }
   }
-}
+}
diff --git a/jest.config.js b/jest.config.js
@@ -1,7 +1,7 @@
 module.exports = {
-  roots: ['<rootDir>/test'],
-  testMatch: ['**/*.test.ts'],
-  transform: {
-    '^.+\\.tsx?$': 'ts-jest'
-  }
+    roots: ['<rootDir>/test'],
+    testMatch: ['**/*.test.ts'],
+    transform: {
+        '^.+\\.tsx?$': 'ts-jest'
+    }
 };
diff --git a/lib/amp-monitoring/index.ts b/lib/amp-monitoring/index.ts
@@ -11,20 +11,20 @@ import * as team from '../teams/multi-account-monitoring';
  * Demonstrates how to leverage more than one node group along with Fargate profiles.
  */
 export default class AmpMonitoringConstruct {
-    build(scope: Construct, id: string, account?: string, region?: string ) {
+    build(scope: Construct, id: string, account?: string, region?: string) {
         // Setup platform team
-        const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT! ;
-        const awsRegion =  region ?? process.env.CDK_DEFAULT_REGION! ;
- 
+        const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT!;
+        const awsRegion = region ?? process.env.CDK_DEFAULT_REGION!;
+
         const stackID = `${id}-blueprint`;
         this.create(scope, accountID, awsRegion)
             .build(scope, stackID);
     }
 
-    create(scope: Construct, account?: string, region?: string ) {
+    create(scope: Construct, account?: string, region?: string) {
         // Setup platform team
-        const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT! ;
-        const awsRegion =  region ?? process.env.CDK_DEFAULT_REGION! ;
+        const accountID = account ?? process.env.CDK_DEFAULT_ACCOUNT!;
+        const awsRegion = region ?? process.env.CDK_DEFAULT_REGION!;
         const ampWorkspaceName = "multi-account-monitoring";
         const ampPrometheusEndpoint = (blueprints.getNamedResource(ampWorkspaceName) as unknown as amp.CfnWorkspace).attrPrometheusEndpoint;
 

diff --git a/lib/aws-batch-on-eks-construct/index.ts b/lib/aws-batch-on-eks-construct/index.ts
@@ -5,7 +5,7 @@ import { PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam';
 
 export default class BatchOnEKSConstruct {
     build(scope: Construct, id: string, teams: BatchEksTeam[]) {
-        
+
         const batchIamPolicy = new PolicyStatement({
             effect: Effect.ALLOW,
             actions: [
@@ -25,9 +25,9 @@ export default class BatchOnEKSConstruct {
             .account(process.env.CDK_DEFAULT_ACCOUNT!)
             .region(process.env.CDK_DEFAULT_REGION!)
             .addOns(
-                new blueprints.AwsBatchAddOn(), 
+                new blueprints.AwsBatchAddOn(),
                 new blueprints.AwsForFluentBitAddOn({
-                    iamPolicies:[batchIamPolicy],
+                    iamPolicies: [batchIamPolicy],
                     values: {
                         cloudWatch: {
                             enabled: true,

diff --git a/lib/backstage-construct/backstage-secret-addon.ts b/lib/backstage-construct/backstage-secret-addon.ts
@@ -91,14 +91,14 @@ export class BackstageSecretAddOn implements blueprints.ClusterAddOn {
                                 secretKey: "POSTGRES_PASSWORD",
                                 remoteRef: {
                                     key: databaseInstanceCredentialsSecretName,
-                                    property:  "password"
+                                    property: "password"
                                 }
                             },
                             {
                                 secretKey: "POSTGRES_USER",
                                 remoteRef: {
                                     key: databaseInstanceCredentialsSecretName,
-                                    property:  "username"
+                                    property: "username"
                                 }
                             },
                         ],

diff --git a/lib/backstage-construct/database-credentials.ts b/lib/backstage-construct/database-credentials.ts
@@ -1,4 +1,4 @@
-import { Secret,ISecret } from 'aws-cdk-lib/aws-secretsmanager';
+import { Secret, ISecret } from 'aws-cdk-lib/aws-secretsmanager';
 import { ResourceContext, ResourceProvider } from '@aws-quickstart/eks-blueprints';
 
 export interface DatabaseInstanceCredentialsProviderProps {

diff --git a/lib/backstage-construct/index.ts b/lib/backstage-construct/index.ts
@@ -26,8 +26,8 @@ export class BackstageConstruct extends Construct {
             databaseSecretTargetName: blueprints.utils.valueFromContext(scope, "backstage.database.secret.target.name", "backstage-database-secret"),
         };
 
-        const subdomain = props.backstageLabel+"."+props.parentDomain;
-    
+        const subdomain = props.backstageLabel + "." + props.parentDomain;
+
         const databaseInstanceCredentialsProviderProps = {
             username: props.username
         } as DatabaseInstanceCredentialsProviderProps;
@@ -82,6 +82,6 @@ export class BackstageConstruct extends Construct {
             .addOns(...addOns)
             .version('auto')
             .teams()
-            .build(scope, props.backstageLabel+"-blueprint");
+            .build(scope, props.backstageLabel + "-blueprint");
     }
 }
diff --git a/lib/backstage-construct/rds-database-instance.ts b/lib/backstage-construct/rds-database-instance.ts
@@ -40,10 +40,10 @@ export class DatabaseInstanceProvider implements ResourceProvider<rds.IDatabaseI
             throw new Error("VPC not found in context");
         }
 
-        const dbSecurityGroup = new SecurityGroup(context.scope, id+"-security-group", {
+        const dbSecurityGroup = new SecurityGroup(context.scope, id + "-security-group", {
             vpc: vpc
         });
-        
+
         dbSecurityGroup.addIngressRule(Peer.ipv4(vpc.vpcCidrBlock), Port.tcp(this.props.databaseInstancePort), "Connect from within VPC");
 
         const rdsConfig: rds.DatabaseInstanceProps = {
@@ -55,7 +55,7 @@ export class DatabaseInstanceProvider implements ResourceProvider<rds.IDatabaseI
             securityGroups: [dbSecurityGroup],
             credentials: rds.Credentials.fromSecret(databaseCredentialsSecret),
         };
-      
-        return new rds.DatabaseInstance(context.scope, id+"-database-instance", rdsConfig);
+
+        return new rds.DatabaseInstance(context.scope, id + "-database-instance", rdsConfig);
     }
 }
diff --git a/lib/bottlerocket-construct/index.ts b/lib/bottlerocket-construct/index.ts
@@ -8,18 +8,18 @@ import * as team from '../teams';
  * and leverage container-optimized Bottlerocket OS: https://aws.amazon.com/bottlerocket/
  */
 export default class BottlerocketConstruct {
-    
+
     build(scope: Construct, id: string) {
- 
+
         const stackID = `${id}-blueprint`;
         const accountID = process.env.CDK_DEFAULT_ACCOUNT!;
         const platformTeam = new team.TeamPlatform(accountID);
- 
+
         const clusterProvider = new blueprints.MngClusterProvider({
             version: eks.KubernetesVersion.V1_25,
             amiType: eks.NodegroupAmiType.BOTTLEROCKET_X86_64
         });
-        
+
         blueprints.EksBlueprint.builder()
             .account(accountID)
             .region('us-east-1')

diff --git a/lib/cdk-nag-construct/index.ts b/lib/cdk-nag-construct/index.ts
@@ -0,0 +1,69 @@
+import { Construct } from 'constructs';
+import * as blueprints from '@aws-quickstart/eks-blueprints';
+import { ArnPrincipal } from 'aws-cdk-lib/aws-iam';
+import { NagSuppressionsConfig } from './nag-rules';
+import { KubernetesVersion } from 'aws-cdk-lib/aws-eks';
+
+
+export default class CdkNagConstruct {
+
+    constructor(scope: Construct, id: string, account: string) {
+        const stackId = `${id}-blueprint`;
+
+        const addOns: Array<blueprints.ClusterAddOn> = [
+            new blueprints.addons.SSMAgentAddOn(),
+            new blueprints.addons.CoreDnsAddOn('auto'),
+            new blueprints.addons.KubeProxyAddOn("v1.29.1-eksbuild.2"),
+            new blueprints.addons.EbsCsiDriverAddOn(),
+        ];
+
+        const applicationTeams: Array<EKSaaPApplicationTeam> = [
+            new EKSaaPApplicationTeam("one", [
+                new ArnPrincipal(`arn:aws:iam::${account}:role/its-user`)
+            ]),
+            new EKSaaPApplicationTeam("two", [
+                new ArnPrincipal(`arn:aws:iam::${account}:role/its-user`)
+            ])
+        ];
+
+        const platformTeam = new EKSaaPPlatformTeam([
+            new ArnPrincipal(`arn:aws:iam::${account}:role/its-admin`)
+        ]);
+
+        const promise = blueprints.EksBlueprint.builder()
+            .addOns(...addOns)
+            .version(KubernetesVersion.V1_29)
+            .teams(platformTeam, ...applicationTeams)
+            .useDefaultSecretEncryption(true)
+            .compatibilityMode(true)
+            .buildAsync(scope, stackId);
+
+        promise.then(stack => new NagSuppressionsConfig(stack));
+    }
+}
+
+export class EKSaaPPlatformTeam extends blueprints.PlatformTeam {
+    constructor(
+        allowedArnPrincipals: Array<ArnPrincipal>,
+        name?: string
+    ) {
+        super({
+            name: name ?? "infrastructure",
+            users: allowedArnPrincipals
+        });
+    }
+}
+
+export class EKSaaPApplicationTeam extends blueprints.ApplicationTeam {
+    constructor(
+        name: string,
+        allowedArnPrincipals: Array<ArnPrincipal>,
+        namespace?: string
+    ) {
+        super({
+            name,
+            namespace,
+            users: allowedArnPrincipals
+        });
+    }
+}