

@rafaelpereyra
Contributor

Added pre-commit hooks and other validation tools for this process

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Added pre-commit hooks and other validation tools for this process
@github-actions

github-actions bot commented Jul 30, 2025

ASH Security Scan Report

  • Report generated: 2025-10-25T16:59:46+00:00
  • Time since scan: 1 minute

Scan Metadata

  • Project: ASH
  • Scan executed: 2025-10-25T16:58:14+00:00
  • ASH version: 3.1.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels:
    • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
    • Critical (C): Highest severity findings that require immediate attention
    • High (H): Serious findings that should be addressed soon
    • Medium (M): Moderate risk findings
    • Low (L): Lower risk findings
    • Info (I): Informational findings with minimal risk
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level that require attention
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • MISSING = Required dependencies not available
    • SKIPPED = Scanner explicitly disabled
    • ERROR = Scanner execution error
  • Threshold: The minimum severity level that will cause a scanner to fail
    • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
    • Source: Values in parentheses indicate where the threshold is set:
      • global (global_settings section in the ASH_CONFIG used)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
  • Statistics calculation:
    • All statistics are calculated from the final aggregated SARIF report
    • Suppressed findings are counted separately and do not contribute to actionable findings
    • Scanner status is determined by comparing actionable findings to the threshold
Scanner         Suppressed  Critical  High  Medium  Low  Info  Actionable  Result   Threshold
bandit          0           0         0     0       20   0     0           PASSED   MEDIUM (global)
cdk-nag         0           0         0     0       0    0     0           SKIPPED  MEDIUM (global)
cfn-nag         0           0         0     0       0    0     0           MISSING  MEDIUM (global)
checkov         28          15        0     0       0    0     15          SKIPPED  MEDIUM (global)
detect-secrets  0           0         0     0       0    0     0           SKIPPED  MEDIUM (global)
grype           0           3         0     11      1    0     14          SKIPPED  MEDIUM (global)
npm-audit       0           0         0     0       0    0     0           PASSED   MEDIUM (global)
opengrep        0           0         0     0       0    0     0           MISSING  MEDIUM (global)
semgrep         0           35        0     0       0    0     35          FAILED   MEDIUM (global)
syft            0           0         0     0       0    0     0           PASSED   MEDIUM (global)
trivy-repo      0           0         0     0       0    0     0           MISSING  MEDIUM (global)

Top 10 Hotspots

Files with the highest number of security findings:

Finding Count  File Location
11             src/applications/microservices/payforadoption-go/app
7              src/applications/microservices/petsearch-java/docker-compose.yml
6              src/applications/lambda/petfood-cleanup-processor-node/index.js
4              src/applications/microservices/payforadoption-go/benchmark/Dockerfile
4              src/applications/lambda/traffic-generator-node/index.js
4              src/applications/microservices/petlistadoptions-py/docker-compose.yml
3              src/applications/microservices/payforadoption-go/Dockerfile
3              src/applications/microservices/petsite-net/petsite/Dockerfile
2              src/applications/microservices/petlistadoptions-py/Dockerfile
2              src/applications/microservices/petsearch-java/Dockerfile

Detailed Findings


Finding 1: CKV_AWS_111

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_111
  • Location: src/templates/codebuild-deployment-template.yaml:1447-1470

Description:
Ensure IAM policies does not allow write access without constraints

Code Snippet:

rCrossRegionStackOperationRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: CrossRegionStackOperationPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                  - cloudformation:DeleteStack
                Resource: "*"

Finding 2: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petlistadoptions-py/Dockerfile:1-50

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.11-slim as builder

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y \
    gcc \
    libpq-dev \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements and install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
RUN pip install awscli

# Copy application code
COPY . .

# Production stage
FROM public.ecr.aws/docker/library/python:3.11-slim

WORKDIR /app

# Install runtime dependencies
RUN apt-get update && apt-get install -y \
    libpq5 \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy Python packages from builder
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Copy application code
COPY --from=builder /app .

# Make start script executable
RUN chmod +x start.sh

# Create non-root user for future use (but run as root for port 80 access)
RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app

# Add health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:80/health/status || exit 1

EXPOSE 80

# Use startup script (running as root for port 80 access)
CMD ["./start.sh"]

Finding 3: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petsearch-java/Dockerfile:1-24

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

RUN yum install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    yum clean all

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

Finding 4: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petsearch-java/Dockerfile:1-24

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

RUN yum install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    yum clean all

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

Finding 5: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petfood-rs/Dockerfile:1-32

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

# Build stage
FROM public.ecr.aws/docker/library/rust:bookworm AS builder
COPY . .
RUN cargo build --release

# Runtime stage
FROM public.ecr.aws/docker/library/debian:bookworm-slim

# Install runtime dependencies and CA certificates
RUN apt-get update && apt-get install -y \
    ca-certificates \
    openssl \
    curl \
    unzip \
    && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
    && unzip awscliv2.zip \
    && ./aws/install \
    && rm -rf awscliv2.zip aws \
    && apt-get remove -y unzip \
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates

COPY --from=builder /target/release/petfood-rs /app/petfood-rs

# Create a non-root user for security
RUN useradd -r -s /bin/false petfood && \
    chown petfood:petfood /app/petfood-rs

USER petfood
EXPOSE 8080
CMD ["/app/petfood-rs"]

Finding 6: CKV_DOCKER_7

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_7
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1

Description:
Ensure the base image uses a non latest version tag

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder

Finding 7: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

Finding 8: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

Finding 9: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates curl aws-cli
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

Finding 10: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates curl aws-cli
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

Finding 11: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

Finding 12: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

Finding 13: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petfoodagent-strands-py/Dockerfile:1-40

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
WORKDIR /app

# Configure UV for container environment
ENV UV_SYSTEM_PYTHON=1 UV_COMPILE_BYTECODE=1



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1


# Set AWS region environment variable

ENV AWS_REGION=us-east-1
ENV AWS_DEFAULT_REGION=us-east-1


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 8080
EXPOSE 8000

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "agent"]

Finding 14: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/tests.yml:1

Description:
Ensure top-level permissions are not set to write-all


Finding 15: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/pre-commit.yml:1

Description:
Ensure top-level permissions are not set to write-all


Finding 16: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:61

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete S3 object s3://${bucket}/${key}:`, error.message);

Finding 17: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:82

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete DynamoDB record for food ${foodId}:`, error.message);

Finding 18: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:108

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Attempt ${attempt} failed, retrying in ${delay}ms:`, error.message);

Finding 19: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:133

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Processing cleanup event for food ${eventData.foodId}`, {

Finding 20: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:182

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

`Cleanup processing completed successfully for food ${eventData.foodId}`,

Note: Showing 20 of 64 total actionable findings. Configure max_detailed_findings to adjust this limit.


Report generated by Automated Security Helper (ASH) at 2025-10-25T16:59:46+00:00

rapgaws and others added 21 commits July 31, 2025 11:48
added PipelineArn output so initial Codebuild can succeed
…to CodeBuildStep

- Remove CONFIG_BUCKET_KEY environment variable and replace with dynamic S3 key path construction
- Add WORKING_FOLDER environment variable for configurable working directory
- Update CDKPipeline interface to use workingFolder instead of configBucketKey
- Replace ShellStep with CodeBuildStep for synthesis with Node.js 22.x runtime
- Add proper build environment configuration and CodeBuild defaults
- Grant read permissions to config bucket for pipeline role
- Add Lambda execution role with S3 permissions for bucket cleanup
- Add Lambda function to empty S3 bucket on stack deletion
- Add custom resource to trigger bucket cleanup during CloudFormation deletion
- Change S3 bucket versioning from Enabled to Suspended
- Update .gitignore to exclude .ash/ash_output directory
Changed CDK pipeline stack name from 'CDKPipeline' to 'OneObservabilityWorkshopPipeline' in workshop.ts
…s character

- Fixed S3 bucket policy resource reference in codebuild-deployment-template.yaml by correcting the order of bucket ARN references
- Removed erroneous 'q' character from buildspec command in the same template file
- Rename bucket cleanup components to generic resource cleanup functionality
- Extend cleanup to handle EventBridge rules and Lambda permissions
- Migrate Lambda functions from Node.js 22.x to Python 3.13 runtime
- Replace static EventBridge rule with dynamic rule creation during build
- Update IAM policies for EventBridge and Lambda cleanup permissions
- Fix S3 resource ARN reference format
- Remove static resources in favor of dynamic creation approach
Reformatted CloudFormation template YAML syntax by converting quoted strings to unquoted format, changing description block style from folded to literal, expanding inline conditional statements to multi-line format, and adding explicit function name to Lambda resource to prevent circular dependency.
- Add docs/ folder with README, CHANGELOG, and detailed template documentation
- Add architecture and deployment flow diagrams (PNG files)
- Add template documentation with implementation details, retry handling, and troubleshooting
- Add templates folder README with quick start guide
- Add new simplified CodeBuild deployment template with intelligent retry handling
- Enhance IAM permissions in original template with S3 bucket access policies and CFN-NAG suppressions
* fix: improve CloudFormation signaling in CDK deployment template

- Add explicit SUCCESS signal when pipeline monitoring detects completion
- Prevent duplicate signaling in final success handling
- Enhance logging for better visibility of signaling events

* fix: replace CloudFormation signal-resource with direct wait handle URL calls

Modified CloudFormation wait condition signaling mechanism in CodeBuild deployment template. Replaced direct aws cloudformation signal-resource commands with curl-based HTTP PUT requests to wait condition handle URLs. Changes include:

- Retrieving wait condition handle URL using describe-stack-resource command
- Using curl to send SUCCESS/FAILURE signals with JSON payload containing status, reason, unique ID, and data fields
- Applied to both success and failure signaling paths in the deployment process

* feat: add core infrastructure stage with enhanced configuration

- Enhanced environment configuration with comprehensive documentation and type definitions
- Added core infrastructure stage with VPC creation and networking setup
- Improved pipeline structure with stage sequencing and tagging support
- Updated CDK-nag suppressions for better compliance handling
- Added comprehensive JSDoc documentation across all modified files
- Restructured application entry point with better configuration management

* feat: add CloudTrail construct with CloudWatch integration

- Added CloudTrail construct with CloudWatch logs integration and anomaly detection (92 lines)
- Updated environment configuration with CloudTrail integration (8 lines)
- Enhanced workshop configuration with CloudTrail support (2 lines)
- Updated main index with CloudTrail exports (1 line)
- Modified pipeline configuration for CloudTrail deployment (2 lines)
- Extended core stage with CloudTrail trail setup (15 lines)

---------

Co-authored-by: Rafael Pereyra <[email protected]>
- Add explicit SUCCESS signal when pipeline monitoring detects completion
- Prevent duplicate signaling in final success handling
- Enhance logging for better visibility of signaling events
* refactor: improve CloudTrail construct configuration

- Remove unused imports (DataResourceType, ReadWriteType)
- Add includeLambdaEvents property to interface
- Remove unused cloudTrailRole variable assignment
- Replace custom S3 event selector with logAllS3DataEvents() method
- Add Lambda data events logging when includeLambdaEvents is enabled

* fix: improve pipeline retry logic in codebuild template

- Added RETRY_LOOP_COUNT and MAX_RETRY_LOOPS variables for better retry tracking
- Enhanced retry mechanism to distinguish between execution retries and loop retries
- Reset retry loop counter when new pipeline execution is detected
- Updated error messages to reflect the new retry loop logic
- Changed maximum retry logic to use retry loops instead of execution count

* feat: enhance logging capabilities for CloudTrail and VPC networking

- Add unique resource naming for CloudTrail log groups to prevent conflicts
- Implement configurable VPC Flow Logs with comprehensive log format
- Add DNS Query Resolver Logs functionality for VPC
- Enable optional log retention configuration across constructs
- Update Core stack to enable logging features by default

* fix: correct core stage tags structure in CDK pipeline

Modified the core stage properties handling to properly wrap tags in a tags property instead of spreading them directly into the properties object. This ensures proper tag structure for the CoreStage constructor.

* feat: add local development setup and enhance contributing guidelines

- Added Apache-2.0 license header to CONTRIBUTING.md
- Enhanced CONTRIBUTING.md with comprehensive documentation for security scanning, pre-commit hooks, and local development setup
- Added new local CDK application entry point (src/cdk/bin/local.ts) for faster development workflow

---------

Co-authored-by: Rafael Pereyra <[email protected]>
…nt tooling

- Updated CONTRIBUTING.md with additional content (22 lines added)
- Added new environment sample file (.env.sample) with 9 lines
- Enhanced environment.ts configuration with 45 new lines
- Extended local.ts deployment script with additional functionality
- Added CloudTrail construct enhancements (12 lines)
- Minor updates to network construct (2 lines)
- Updated pipeline configuration (5 lines modified)
- Created new applications stage with comprehensive setup (150 lines)
- Added deployment check script with validation logic (66 lines)
* feat: integrate applications pipeline stage with CDK pipeline

- Add APPLICATION_LIST import and configuration to workshop.ts
- Enhance CDKPipeline with applicationList property and ApplicationsPipelineStage
- Extract bucket key configuration to variable for reusability
- Add comprehensive documentation and type definitions to applications.ts
- Integrate Applications stage into main pipeline with proper tagging and source configuration

* refactor: organize pipeline stages into Core wave

Modified pipeline.ts to organize deployment stages into a wave structure. Added a 'Core' wave and moved both the Core stage and Applications stage into this wave for better deployment organization and sequencing.

* docs: standardize JSDoc parameter names and configure TypeDoc

- Update constructor parameter documentation from 'props' to 'properties' in CloudTrail and Network constructs
- Add dedicated TypeDoc configuration for CDK documentation generation
- Update root TypeDoc configuration to reference CDK entry point and README

* feat: add RemovalPolicy.DESTROY to CloudTrail LogGroup

Modified CloudTrail construct to add RemovalPolicy.DESTROY to the CloudWatch Logs LogGroup and imported RemovalPolicy from aws-cdk-lib.

---------

Co-authored-by: Rafael Pereyra <[email protected]>
* From Aurora serverless to Instance (#327)

* Switch from serverless v2 to instances

* Bump aurora version

* Ignore editor settings

* Add action for CDK tests

* Export reader endpoint

* Update tests

* Remove unit, merge lint and synth

* Skip docker builds on unrelated changes

* Update petlist to use aurora reader endpoint

* Bump versions

* Bump CDK version

* feat: add comprehensive infrastructure constructs and deployment stages

- Modified environment configuration files (environment.ts, local.ts, workshop.ts) to add new deployment configurations
- Added new construct files for assets, database, DynamoDB, and queue infrastructure components
- Enhanced network construct with additional networking capabilities
- Updated pipeline configuration with new stages and deployment logic
- Added new compute stage for application deployment
- Renamed applications.ts to containers.ts with updated container deployment logic
- Added new storage stage for data persistence infrastructure
- Total: 643 additions, 24 deletions across 12 files

* feat: upgrade container images and database version

- Update all Dockerfiles to use AWS ECR Public Gallery base images
- Upgrade Aurora PostgreSQL from v13.20 to v16.8
- Update pre-commit hook versions (mypy v1.17.1, cfn-python-lint v1.38.2, ASH v3.0.0)
- Enhance database construct with configurable instance types and CDK NAG suppressions
- Add utility functions for CDK infrastructure
- Improve deployment check script with enhanced validation

* build: update Python base image to ECR public registry

Modified PetAdoptions/petadoptionshistory-py/Dockerfile to update the base Python image from python:3.8 to public.ecr.aws/docker/library/python:3.8.20-bullseye.

* feat: add compute infrastructure with ECS and EKS support

- Add ECS cluster construct with auto scaling group and security group
- Add EKS cluster construct with managed node groups and add-ons
- Create microservice base class and ECS service implementation
- Add pay-for-adoption microservice with database integration
- Enhance network construct to disable public IP mapping
- Update queue construct with CloudFormation exports for resource sharing
- Add compute stage to pipeline with ECS and EKS deployment
- Include kubectl v33 layer dependency for EKS operations
- Add applications stage structure for microservices deployment

* feat: add serverless microservices and enhance CDK infrastructure

- Add new Lambda construct for serverless functions
- Create serverless status-updater construct
- Add new microservices: list-adoptions, pet-search, and traffic-generator
- Enhance pay-for-adoption microservice with additional features
- Update database and DynamoDB constructs with expanded functionality
- Refactor ECS service construct with improved configuration
- Enhance microservice construct with expanded capabilities
- Significantly expand applications stage with new service integrations
- Update environment and local configuration with enhanced setup
- Add utility functions for improved helper capabilities

* feat: add VPC endpoints and enhance API Gateway security

- Add VPC endpoints construct for API Gateway, DynamoDB, and Lambda services
- Configure status updater API Gateway as private endpoint with VPC endpoint policy
- Add request authorizer and access logging to API Gateway
- Include CDK NAG suppressions for security compliance
- Export VPC endpoint IDs for cross-stack references
- Integrate VPC endpoints into network construct and applications stack

* feat: add EKS support and petsite microservice

- Added new constants file and EKS deployment construct for better configuration management
- Created new petsite microservice with Kubernetes deployment manifest
- Enhanced EKS construct with additional deployment capabilities
- Updated microservice construct to support both ECS and EKS deployments
- Modified application stage to integrate new petsite service
- Updated development configuration with new VS Code launch settings
- Refined utility functions and updated project dependencies
- Updated pre-commit configuration and prettier ignore rules

* docs: add comprehensive architecture documentation and diagrams

- Add detailed architecture.md covering system overview, deployment stages, microservices architecture, and observability components
- Add 16 architectural diagrams illustrating complete system architecture, deployment stages, microservices structure, and observability setup
- Update CDK constructs and microservices with minor code improvements and configuration adjustments

* feat: enhance observability demo with service discovery and configuration management

- Add CloudMap namespace support for ECS service discovery
- Implement SSM parameter outputs for assets, database, and DynamoDB
- Enhance ECS service construct to support load balancer-less services
- Add VPC endpoints for ServiceDiscovery with improved networking
- Update microservice configurations with service discovery integration
- Improve database construct with separate reader/writer endpoint outputs
- Add EKS kubectl lambda role export for enhanced cluster management
- Update Kubernetes manifests and application stage configurations

* feat: add microservices stage and standardize resource tagging

- Add standardized tagging to all microservice classes with app:owner, app:project, app:name, app:computType, and app:hostType tags
- Add MicroservicesStage to CDK pipeline with proper stage sequencing and tagging
- Move QueueResources from StorageStack to CoreStack for better architectural organization
- Update pipeline interface to include microservicesProperties parameter
- Add missing Utilities import in traffic-generator.ts

* feat: add microservices configuration to CDK pipeline

Added microservices configuration to CDK pipeline by importing MICROSERVICES_PLACEMENT and LAMBDA_FUNCTIONS from environment and passing them as microservicesProperties to the CDKPipeline constructor.

* feat: update CDK infrastructure and dependencies

- Updated CDK TypeScript files across bin, lib/constructs, lib/stages, and lib/utils directories
- Modified package.json and package-lock.json with dependency updates
- Total: 8 files changed, 252 insertions, 272 deletions

* refactor: simplify deployment template architecture

- Remove EventBridge-based pipeline monitoring system
- Replace Lambda functions with direct CodePipeline status polling
- Eliminate complex event-driven architecture for simpler inline monitoring
- Remove codebuild-deployment-template-simplified.yaml file
- Update documentation and container configurations
- Streamline deployment process with reduced complexity

* fix: improve logging permissions and autoscaling group tagging

- Update pipeline log ARN to use wildcard pattern for broader log group access
- Simplify CloudWatch logs policy resources configuration
- Add PropagateAtLaunch support for AutoScaling Group tags
- Improve code formatting in utilities

* docs: add comprehensive JSDoc documentation to CDK infrastructure

- Added module-level documentation with package descriptions for all 6 files
- Enhanced interface and class documentation with detailed parameter descriptions
- Documented enums, constants, and configuration objects throughout
- Added inline comments for improved code readability
- Improved constructor and method documentation with parameter and return types

* docs: restructure documentation and add automated generation

- Added GitHub Actions workflow for documentation generation
- Updated .gitignore to exclude documentation build artifacts
- Updated pre-commit configuration
- Moved CHANGELOG.md from docs/ to root directory
- Removed diagram documentation and PNG files from docs/diagrams/
- Added new modules documentation file
- Enhanced list-adoptions microservice with improved error handling
- Updated containers stage with additional configuration
- Enhanced TypeDoc configuration files with better documentation settings

---------

Co-authored-by: Rodrigue Koffi <[email protected]>
Co-authored-by: Rafael Pereyra <[email protected]>
Added instrumentation.opentelemetry.io/inject-dotnet annotation to enable
automatic .NET instrumentation injection for the petsite deployment.
- Update all path references from PetAdoptions/cdk/pet_stack/ to src/cdk/
- Update cache paths and working directories to match new structure
- Add environment file setup step to copy .env.example to .env before CDK synth
- Maintain all existing workflow functionality with updated paths
@rafaelpereyra rafaelpereyra changed the base branch from main to staging August 9, 2025 00:53
rapgaws added 2 commits August 8, 2025 21:06
- Extended build-test.yml and cdk-test.yml workflows to trigger on both main and staging branches
- Refactored docs.yml workflow to separate build and deploy jobs, with deployment only occurring on main branch pushes
- Added conditional logic to prevent staging branch changes from deploying to GitHub Pages
Move environment file copy operation from CDK synth step to separate earlier step for better workflow organization
* feat: added petsite output variable

* feat: az selection for agentcore

* fix: moved template parameter in metadata

* fix: fixed AZ selection

* fix: added describeAz permissions for synth

* fix: added script to identify subnets for agentcore

* fix: used AWS_REGION from environment variables if available

* feat: added debug line for .env file

* feat: enabled petfood agent by default

* fix: added debug output to the script

* fix: added debug output to the script

* fix: handled last line without newline

* fix: removed debug entries

* Feat/cloudtrail network (#439)

* feat: implemented network events trail

* feat: implemented network events trail
"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a reference path in a value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 968, 977, 1024, 1037, 1042, 1098, 1111, and 1116.

sguruvar and others added 2 commits October 14, 2025 22:11
* capture trace info

* More logs and traces

* fix: added parameter names to all services

* More logs and traces

* More logs and traces

* More logs and traces

* More logs and traces

* fix: Remove manual OTel instrumentation to enable Application Signals for petlistadoptions-py

* fix: Remove OTel instrumentation packages to use Application Signals ADOT layer

* fix: Remove all OTel code to rely purely on Application Signals auto-instrumentation

* fix: Add back FastAPI instrumentation for Application Signals HTTP metrics

* fix: Use manual OTEL instrumentation for petlistadoptions (Application Signals Python auto-inst doesn't work for FastAPI)

* fix: Use correct OTLP endpoint for CloudWatch Agent (4316 not 4317)

* fix: Extract host:port from OTLP endpoint URL for gRPC exporter

* petlist adoption with app signals

* petlist adoption with app signals

* petlist adoption with app signals

* petlist adoption with app signals

* petlist adoption with app signals

---------

Co-authored-by: Siva Guruvareddiar <[email protected]>
Co-authored-by: Rafael Pereyra <[email protected]>
Co-authored-by: Rafael Pereyra <[email protected]>
* Skip agent-core

* Allow specifying vpc cidr

* Remove authorizer

* Revert "Skip agent-core"

This reverts commit 1a60128.

* Pre-commit
"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a reference path in a value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 981, 990, 1037, 1050, 1055, 1111, 1124, and 1129.

* upgrade to amazon-cloudwatch-observability addon version 4.4.0 (#392)

* upgrade to latest version amazon-cloudwatch-observability addon

* upgrade to latest version amazon-cloudwatch-observability addon

* upgrade to latest version amazon-cloudwatch-observability addon

---------

Co-authored-by: XXX <[email protected]>

* feat: initial waf deployment

* feat: added waf configuration

* feat: added waf configuration

* feat: added logs to waf

* fix: added outputs and minor deployment fixes
- Unique lambda log names to avoid conflict
- Disabled CloudFront log auto-delete function since it's broken
- Added retention policy to cloudfront logs

* fix: changed region environment variable

* cicd: fixed synth command and missing config

* cicd: cleanup fix for CDK Bootstrap

* fix: fixed unreachable state

* fix: renamed apigw log

* fix: set cloudfront buckets to retain

* fix: removed agent core deployment

* fix: removed s3 auto-cleanup

* fix: petagent deployment default

* fix: output name for CFN template

* fix: AgentCore fixes

---------

Co-authored-by: t_hibira <[email protected]>
Co-authored-by: XXX <[email protected]>
"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a reference path in a value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 981, 990, 1037, 1050, 1055, 1115, 1128, and 1133.

…#443)

* Add trace attributes to aurora calls

* Tone down attributes

* Move aurora correlation from root to span

* Fix content

* Cleanup

* Standardize logging
if traceID != "" {
fmt.Printf("[INFO] trace_id=%s %s %s %s %s %d\n", traceID, r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code)
} else {
fmt.Printf("[INFO] %s %s %s %s %d\n", r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code)

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html

// Extract trace ID from context
traceID := extractTraceIDFromContext(ctx)
if traceID != "" {
fmt.Printf("[INFO] trace_id=%s %s %s %s %s %d\n", traceID, r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code)

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html

}

// Build resource identifier for Aurora correlation
resourceIdentifier := fmt.Sprintf("postgres|%s|%d", dbConfig.Host, dbConfig.Port)

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html


// Build resource identifier for Aurora correlation
// Format: engine|host|port for CloudWatch Application Signals correlation
resourceIdentifier := fmt.Sprintf("postgres|%s|%d", dbConfig.Host, dbConfig.Port)

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html
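One way to address the log-injection findings raised above on the Go access-log line: an added example, not code from this PR, that escapes control characters in every request-derived field before it is formatted into the same `[INFO] trace_id=... METHOD URI PROTO REMOTE CODE` line the reviewed handler prints. The `sanitizeLogField` and `formatAccessLog` names and the sample request are mine; only the log format is taken from the reviewed snippet.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"unicode"
)

// sanitizeLogField neutralises control characters in a value that originates
// from the client (request URI, method, protocol string, remote address) so a
// crafted request cannot inject line breaks and forge extra log entries
// (CWE-117). CR, LF and TAB become visible escape sequences; any other control
// character becomes \xNN. Ordinary printable text passes through unchanged, so
// the log format stays space-separated and greppable.
func sanitizeLogField(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\r':
			b.WriteString(`\r`)
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\t':
			b.WriteString(`\t`)
		case unicode.IsControl(r):
			fmt.Fprintf(&b, `\x%02x`, r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// formatAccessLog produces the same access-log line the reviewed handler
// prints, but with every request-derived field sanitised first. traceID comes
// from the tracing SDK and code is an int, so neither needs escaping.
func formatAccessLog(traceID string, r *http.Request, code int) string {
	method := sanitizeLogField(r.Method)
	uri := sanitizeLogField(r.RequestURI)
	proto := sanitizeLogField(r.Proto)
	remote := sanitizeLogField(r.RemoteAddr)
	if traceID != "" {
		return fmt.Sprintf("[INFO] trace_id=%s %s %s %s %s %d", traceID, method, uri, proto, remote, code)
	}
	return fmt.Sprintf("[INFO] %s %s %s %s %d", method, uri, proto, remote, code)
}

func main() {
	// Constructed request whose URI carries a CRLF followed by a forged entry.
	// Go's HTTP server rejects a raw CRLF in the request line itself, but values
	// copied from headers, query parsing or upstream proxies can still reach the
	// logger, so the field is sanitised regardless of where it came from.
	req := &http.Request{
		Method:     "GET",
		RequestURI: "/api/pets?id=1\r\n[INFO] trace_id=deadbeef GET /admin HTTP/1.1 10.0.0.1 200",
		Proto:      "HTTP/1.1",
		RemoteAddr: "192.0.2.10:51234",
	}
	// The forged second line is rendered inline as literal \r\n, so the log
	// stays a single record that ends with the real status code, 404.
	fmt.Println(formatAccessLog("4bf92f3577b34da6a3ce929d0e0e4736", req, 404))
}
```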

* feat: enhance petfood agent microservice infrastructure

- Enhanced petfood agent Python application
- Updated CDK constants and environment configuration
- Refactored petfood-agent microservice infrastructure
- Modified application and container stage definitions

* feat: bump dependencies
* feat: application improvements
- Added parameter and secrets refresh to trigger more API connections
- Added curl and aws-cli to all containers to enable validation from the containers

* fix: build errors

* fix: multiple fixes
- Added parameter for traffic generator concurrent users
- Added suppressions for support region stack

* fix: several fixes on codebuild

* fix: typo on buildspec

* fix: path on pipeline status script

* fix: Multiple fixes
- increase assets bucket retention to 1 y
- Removed lambda log group name to avoid collision during re-deployments
- Prevent deleting the step function if any of the stacks fails to delete

* fix: Cleanup process fixes
- Fail stack deletion if step function fails
- Updated documentation

* fix: improve cleanup and disable opensearch applications

* fix: fixed describe execution permissions

* fix: missing prefix for parameters on petsite

* feat: enhance CDK deployment configuration and documentation

- Enhanced CodeBuild CDK deployment documentation with 64 additions and 5 deletions
- Updated local.ts configuration with minor changes
- Refactored WAF construct with 23 additions and 12 deletions
- Modified pipeline.ts with minimal changes
- Updated application and core stage configurations
- Improved bootstrap account script with 15 additions and 16 deletions

* feat: improve build caching with local cache modes

- Update cache paths to use dynamic working folder variable
- Switch from S3 cache to local cache with Docker layer and source caching
- Add partial build spec with LOCAL_DOCKER_LAYER_CACHE and LOCAL_SOURCE_CACHE modes
- Fix cache key and paths to reference WORKING_FOLDER environment variable

* feat: improve input validation and expand regional support

- Add input validation loops in deploy-check.sh for bucket/object creation prompts
- Expand AWS region support in validate-account.sh with 6 additional regions
- Reorder region cases alphabetically for better maintainability

* fix: correct GlobalWafStack constructor context reference

Fixed incorrect context reference in GlobalWafStack constructor - changed 'this' to 'app' parameter.

* enables cross-region reference. Fixed bootstrapping script

* fix: removed build cache bucket

* fix: removed local cache

* fix: global acl reference

* fix: removed build cache

* fix: missing parameters in petsite

* fix: parameter name for agentcore

* fix: rollback change in parameter name for agentcore

* fix: remove invalid output
#446)

- Remove hardcoded CloudWatch log group names to prevent deployment conflicts
- Add descriptive CloudFormation output descriptions for better resource identification
- Remove unused Names import and logGroupName parameters
- Add CDK-nag rule to enforce dynamic log group naming
- Set default values for CloudFormation template parameters
"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a reference path in a value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 849, 858, 860, 871, 876, 892, 897, 918, 923, and 1044.

"Succeeded")
echo "Pipeline execution completed successfully!"
WAIT_HANDLE_URL=$(aws cloudformation describe-stack-resource --stack-name "$STACK_NAME" --logical-resource-id rCDKDeploymentWaitConditionHandle --query 'StackResourceDetail.PhysicalResourceId' --output text --region "$REGION")
curl -X PUT -H 'Content-Type:' --data-binary '{"Status":"SUCCESS","Reason":"Pipeline completed successfully","UniqueId":"'$(uuidgen)'","Data":"Pipeline execution finished"}' "$WAIT_HANDLE_URL"

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Quote this to prevent word splitting.

* refactor: improve CDK infrastructure maintainability and documentation

- Remove hardcoded CloudWatch log group names to prevent deployment conflicts
- Add descriptive CloudFormation output descriptions for better resource identification
- Remove unused Names import and logGroupName parameters
- Add CDK-nag rule to enforce dynamic log group naming
- Set default values for CloudFormation template parameters

* feat: add exports management system and enhance CDK infrastructure

- Modified CDK configuration constants and local deployment settings
- Enhanced WAF construct and pipeline configuration
- Improved status updater function and utility functions
- Refined workshop nag pack rules
- Added complete exports management system with Python script, dashboard template, and documentation
- Updated CodeBuild deployment template

* Feat/codeconnection (#448)

* feat: add CodeConnection and Parameter Store integration

- Add CodeConnection support for GitHub integration as alternative to S3 source
- Implement Parameter Store configuration management for centralized config
- Update CONTRIBUTING.md formatting (bullet points, spacing, emphasis)
- Add comprehensive documentation for new integration features
- Create reusable configuration retrieval script for pipeline steps
- Update CloudFormation template with new parameters and IAM permissions
- Modify CDK pipeline to support conditional source selection
- Add fallback mechanisms for backward compatibility

* feat: enhance configuration flexibility and add troubleshooting docs

- Add troubleshooting section for CDK bootstrap stack deletion issues
- Support environment variables for Parameter Store base path configuration
- Add CodeConnection ARN support for GitHub integration
- Update workshop template with consistent parameter defaults
- Enable conditional source configuration (CodeConnection vs S3) in local deployment

* refactor: simplify parameter store configuration management

Modified parameter storage approach in AWS Systems Manager Parameter Store from individual key-value parameters to a single parameter containing the complete .env file content. Updated the retrieve-config.sh script to fetch a single parameter instead of using get-parameters-by-path, and modified the CodeBuild deployment template to store the entire .env file as one parameter rather than splitting it into multiple parameters.

* feat: implement single parameter approach for Parameter Store integration

Updated CodeConnection and Parameter Store integration with single parameter approach. Modified documentation to reflect new CloudFormation-managed parameter creation, updated CDK pipeline to use single parameter path with stack name, and enhanced CodeBuild template to create Parameter Store parameter as CloudFormation resource instead of manual creation.

* fix: deployment issues

* fix: added tags to initial stack

* fix: pipeline error

* fix: update environment validation and opensearch pipeline logging

- Modified environment variable validation to accept either CONFIG_BUCKET or CODE_CONNECTION_ARN
- Reordered CloudWatch log group creation before IAM role definition in OpenSearch pipeline
- Fixed log group ARN references in IAM policies to use correct log group name

* fix: rolled back log name for opensearch

* fix: publish export error

* fix: missing permissions for dashboard

* fix: unterminated quote

* fix: missing permissions

* fix: added shell for export dashboard

* feat: enhance CDK infrastructure and deployment scripts

- Updated constants configuration in bin/constants.ts
- Enhanced asset constructs and petsite microservice
- Modified pipeline configuration and status updater function
- Significantly expanded manage-exports.py script with 654 additions
- Enhanced retrieve-config.sh script with 318 additions
- Total changes: 860 additions, 138 deletions across 7 files

* feat: added debug flag for scripts

* fix: script error handling logic

* feat: improved dashboard

* fix: missing permissions for dashboard

* cicd: removed debug flag

* fix: broad permissions for putobject

* feat: improved console access links
internal_prefixes = ["AWS::", "CDK::", "cdk-", "CdkBootstrap", "StagingBucket"]
return any(export_name.startswith(prefix) for prefix in internal_prefixes)

def _categorize_export(self, export_name: str) -> str:

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The cyclomatic complexity of this function is 18. By comparison, 98% of the functions in the CodeGuru reference dataset have a lower cyclomatic complexity. This indicates the function has a high number of decisions and it can make the logic difficult to understand and test. We recommend that you simplify this function or break it into multiple functions.

"""Check if export value appears to be a URL."""
return value.startswith(("http://", "https://"))

def _get_console_url(

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The cyclomatic complexity of this function is 17. By comparison, 98% of the functions in the CodeGuru reference dataset have a lower cyclomatic complexity. This indicates the function has a high number of decisions and it can make the logic difficult to understand and test.

We recommend that you simplify this function or break it into multiple functions. For example, consider extracting the code block on lines 661-666 into a separate function.

logger.info(f"Target regions for scanning: {regions}")
return regions

def extract_exports(

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

This function contains 128 lines of code, not including blank lines or lines with only comments, Python punctuation characters, identifiers, or literals. By comparison, 99% of the functions in the CodeGuru reference dataset contain fewer lines of code. Large functions might be difficult to read and have logic that is hard to understand and test.

We recommend that you simplify this function or break it into multiple functions. For example, consider extracting the code block on lines 521-529 into a separate function.

"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a reference path in a value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 968, 977, 979, 990, 995, 1011, 1016, 1037, 1042, and 1163.

if cloudfront_domain:
dashboard_url = f"{cloudfront_domain}/workshop-exports/index.html"
elif assets_bucket:
dashboard_url = f"https://{assets_bucket}.s3.amazonaws.com/workshop-exports/index.html"

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential S3 bucket sniping vulnerability detected. This rule has identified S3 bucket references that could be vulnerable to bucket sniping attacks. Bucket sniping occurs when an attacker registers an S3 bucket name after finding it referenced in code but not yet created. This can lead to data exposure, malicious content hosting, or service disruption.

Recommendations:

  1. Create all referenced S3 buckets immediately
  2. Use organization-specific prefixes for bucket names
  3. Verify bucket ownership before use
  4. Consider using AWS Organizations S3 bucket naming rules

Discovered: workshop-exports

**S3 upload fails**: Check bucket exists and permissions allow PutObject

```bash
aws s3 ls s3://your-assets-bucket/
```

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential S3 bucket sniping vulnerability detected. This rule has identified S3 bucket references that could be vulnerable to bucket sniping attacks. Bucket sniping occurs when an attacker registers an S3 bucket name after finding it referenced in code but not yet created. This can lead to data exposure, malicious content hosting, or service disruption.

Recommendations:

  1. Create all referenced S3 buckets immediately
  2. Use organization-specific prefixes for bucket names
  3. Verify bucket ownership before use
  4. Consider using AWS Organizations S3 bucket naming rules

Discovered: your-assets-bucket

logger.info("CloudFront URL: %s", cloudfront_url)
return cloudfront_url

return s3_url

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Untrusted data must be properly encoded or sanitized before being incorporated into web page content or used to generate dynamic output. Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities, enabling attackers to inject malicious scripts into the application. These scripts, when executed in users' browsers, can lead to various security breaches such as session hijacking, data theft, or unauthorized actions performed within the victim's session context. To mitigate this risk, use built-in template escaping mechanisms, HTML escape functions like html.escape(), or dedicated security libraries such as Bleach. Learn more: https://owasp.org/www-community/attacks/xss/

log_debug "Attempting to retrieve parameter from SSM..."

local ssm_output
local ssm_error

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

ssm_error appears unused. Verify use (or export if used externally).

if [[ "$LOG_LEVEL" == "DEBUG" ]]; then
log_debug "Existing .env contents:"
log_debug "----------------------------------------------"
cat ".env" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Unnecessary use of 'cat' in shell scripts can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection 'command < file' or pass the filename directly ('command file') when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/

if [[ "$LOG_LEVEL" == "DEBUG" ]]; then
log_debug "Configuration file contents:"
log_debug "----------------------------------------------"
cat "$TARGET_ENV_FILE" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Unnecessary use of 'cat' in shell scripts can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection 'command < file' or pass the filename directly ('command file') when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
