feat: CDK re-write --DO NOT MERGE-- #328
Conversation
Added pre-commit hooks and other validation tools for this process
ASH Security Scan Report
Scan Metadata
SummaryScanner ResultsThe table below shows findings by scanner, with status based on severity thresholds and dependencies:
Top 10 HotspotsFiles with the highest number of security findings:
Detailed FindingsShow 20 of 64 actionable findingsFinding 1: CKV_AWS_111
Description: Code Snippet: Finding 2: CKV_DOCKER_2
Description: Code Snippet: Finding 3: CKV_DOCKER_2
Description: Code Snippet: Finding 4: CKV_DOCKER_3
Description: Code Snippet: Finding 5: CKV_DOCKER_2
Description: Code Snippet: Finding 6: CKV_DOCKER_3
Description: Code Snippet: Finding 7: CKV_DOCKER_3
Description: Code Snippet: Finding 8: CKV_DOCKER_2
Description: Code Snippet: Finding 9: CKV_DOCKER_3
Description: Code Snippet: Finding 10: CKV_DOCKER_2
Description: Code Snippet: Finding 11: CKV_DOCKER_7
Description: Code Snippet: Finding 12: CKV_DOCKER_2
Description: Code Snippet: Finding 13: CKV_DOCKER_3
Description: Code Snippet: Finding 14: CKV2_GHA_1
Description: Finding 15: CKV2_GHA_1
Description: Finding 16: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Description: Code Snippet: Finding 17: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Description: Code Snippet: Finding 18: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Description: Code Snippet: Finding 19: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Description: Code Snippet: Finding 20: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Description: Code Snippet:
Report generated by Automated Security Helper (ASH) at 2025-10-30T20:51:46+00:00 |
added PipelineArn output so initial Codebuild can succeed
…to CodeBuildStep - Remove CONFIG_BUCKET_KEY environment variable and replace with dynamic S3 key path construction - Add WORKING_FOLDER environment variable for configurable working directory - Update CDKPipeline interface to use workingFolder instead of configBucketKey - Replace ShellStep with CodeBuildStep for synthesis with Node.js 22.x runtime - Add proper build environment configuration and CodeBuild defaults - Grant read permissions to config bucket for pipeline role
- Add Lambda execution role with S3 permissions for bucket cleanup - Add Lambda function to empty S3 bucket on stack deletion - Add custom resource to trigger bucket cleanup during CloudFormation deletion - Change S3 bucket versioning from Enabled to Suspended - Update .gitignore to exclude .ash/ash_output directory
Changed CDK pipeline stack name from 'CDKPipeline' to 'OneObservabilityWorkshopPipeline' in workshop.ts
…s character - Fixed S3 bucket policy resource reference in codebuild-deployment-template.yaml by correcting the order of bucket ARN references - Removed erroneous 'q' character from buildspec command in the same template file
- Rename bucket cleanup components to generic resource cleanup functionality - Extend cleanup to handle EventBridge rules and Lambda permissions - Migrate Lambda functions from Node.js 22.x to Python 3.13 runtime - Replace static EventBridge rule with dynamic rule creation during build - Update IAM policies for EventBridge and Lambda cleanup permissions - Fix S3 resource ARN reference format - Remove static resources in favor of dynamic creation approach
Reformatted CloudFormation template YAML syntax by converting quoted strings to unquoted format, changing description block style from folded to literal, expanding inline conditional statements to multi-line format, and adding explicit function name to Lambda resource to prevent circular dependency.
- Add docs/ folder with README, CHANGELOG, and detailed template documentation - Add architecture and deployment flow diagrams (PNG files) - Add template documentation with implementation details, retry handling, and troubleshooting - Add templates folder README with quick start guide - Add new simplified CodeBuild deployment template with intelligent retry handling - Enhance IAM permissions in original template with S3 bucket access policies and CFN-NAG suppressions
* fix: improve CloudFormation signaling in CDK deployment template - Add explicit SUCCESS signal when pipeline monitoring detects completion - Prevent duplicate signaling in final success handling - Enhance logging for better visibility of signaling events * fix: replace CloudFormation signal-resource with direct wait handle URL calls Modified CloudFormation wait condition signaling mechanism in CodeBuild deployment template. Replaced direct aws cloudformation signal-resource commands with curl-based HTTP PUT requests to wait condition handle URLs. Changes include: - Retrieving wait condition handle URL using describe-stack-resource command - Using curl to send SUCCESS/FAILURE signals with JSON payload containing status, reason, unique ID, and data fields - Applied to both success and failure signaling paths in the deployment process * feat: add core infrastructure stage with enhanced configuration - Enhanced environment configuration with comprehensive documentation and type definitions - Added core infrastructure stage with VPC creation and networking setup - Improved pipeline structure with stage sequencing and tagging support - Updated CDK-nag suppressions for better compliance handling - Added comprehensive JSDoc documentation across all modified files - Restructured application entry point with better configuration management * feat: add CloudTrail construct with CloudWatch integration - Added CloudTrail construct with CloudWatch logs integration and anomaly detection (92 lines) - Updated environment configuration with CloudTrail integration (8 lines) - Enhanced workshop configuration with CloudTrail support (2 lines) - Updated main index with CloudTrail exports (1 line) - Modified pipeline configuration for CloudTrail deployment (2 lines) - Extended core stage with CloudTrail trail setup (15 lines) --------- Co-authored-by: Rafael Pereyra <[email protected]>
- Add explicit SUCCESS signal when pipeline monitoring detects completion - Prevent duplicate signaling in final success handling - Enhance logging for better visibility of signaling events
* refactor: improve CloudTrail construct configuration - Remove unused imports (DataResourceType, ReadWriteType) - Add includeLambdaEvents property to interface - Remove unused cloudTrailRole variable assignment - Replace custom S3 event selector with logAllS3DataEvents() method - Add Lambda data events logging when includeLambdaEvents is enabled * fix: improve pipeline retry logic in codebuild template - Added RETRY_LOOP_COUNT and MAX_RETRY_LOOPS variables for better retry tracking - Enhanced retry mechanism to distinguish between execution retries and loop retries - Reset retry loop counter when new pipeline execution is detected - Updated error messages to reflect the new retry loop logic - Changed maximum retry logic to use retry loops instead of execution count * feat: enhance logging capabilities for CloudTrail and VPC networking - Add unique resource naming for CloudTrail log groups to prevent conflicts - Implement configurable VPC Flow Logs with comprehensive log format - Add DNS Query Resolver Logs functionality for VPC - Enable optional log retention configuration across constructs - Update Core stack to enable logging features by default * fix: correct core stage tags structure in CDK pipeline Modified the core stage properties handling to properly wrap tags in a tags property instead of spreading them directly into the properties object. This ensures proper tag structure for the CoreStage constructor. * feat: add local development setup and enhance contributing guidelines - Added Apache-2.0 license header to CONTRIBUTING.md - Enhanced CONTRIBUTING.md with comprehensive documentation for security scanning, pre-commit hooks, and local development setup - Added new local CDK application entry point (src/cdk/bin/local.ts) for faster development workflow --------- Co-authored-by: Rafael Pereyra <[email protected]>
…nt tooling - Updated CONTRIBUTING.md with additional content (22 lines added) - Added new environment sample file (.env.sample) with 9 lines - Enhanced environment.ts configuration with 45 new lines - Extended local.ts deployment script with additional functionality - Added CloudTrail construct enhancements (12 lines) - Minor updates to network construct (2 lines) - Updated pipeline configuration (5 lines modified) - Created new applications stage with comprehensive setup (150 lines) - Added deployment check script with validation logic (66 lines)
* feat: integrate applications pipeline stage with CDK pipeline - Add APPLICATION_LIST import and configuration to workshop.ts - Enhance CDKPipeline with applicationList property and ApplicationsPipelineStage - Extract bucket key configuration to variable for reusability - Add comprehensive documentation and type definitions to applications.ts - Integrate Applications stage into main pipeline with proper tagging and source configuration * refactor: organize pipeline stages into Core wave Modified pipeline.ts to organize deployment stages into a wave structure. Added a 'Core' wave and moved both the Core stage and Applications stage into this wave for better deployment organization and sequencing. * docs: standardize JSDoc parameter names and configure TypeDoc - Update constructor parameter documentation from 'props' to 'properties' in CloudTrail and Network constructs - Add dedicated TypeDoc configuration for CDK documentation generation - Update root TypeDoc configuration to reference CDK entry point and README * feat: add RemovalPolicy.DESTROY to CloudTrail LogGroup Modified CloudTrail construct to add RemovalPolicy.DESTROY to the CloudWatch Logs LogGroup and imported RemovalPolicy from aws-cdk-lib. --------- Co-authored-by: Rafael Pereyra <[email protected]>
* From Aurora serverless to Instance (#327) * Switch from serverless v2 to instances * Bump aurora version * Ignore editor settings * Add action for CDK tests * Export reader endpoint * Update tests * Remove unit, merge lint and synth * Skip docker builds on unrelated changes * Update petlist to use aurora reader endpoint * Bump versions * Bump CDK version * feat: add comprehensive infrastructure constructs and deployment stages - Modified environment configuration files (environment.ts, local.ts, workshop.ts) to add new deployment configurations - Added new construct files for assets, database, DynamoDB, and queue infrastructure components - Enhanced network construct with additional networking capabilities - Updated pipeline configuration with new stages and deployment logic - Added new compute stage for application deployment - Renamed applications.ts to containers.ts with updated container deployment logic - Added new storage stage for data persistence infrastructure - Total: 643 additions, 24 deletions across 12 files * feat: upgrade container images and database version - Update all Dockerfiles to use AWS ECR Public Gallery base images - Upgrade Aurora PostgreSQL from v13.20 to v16.8 - Update pre-commit hook versions (mypy v1.17.1, cfn-python-lint v1.38.2, ASH v3.0.0) - Enhance database construct with configurable instance types and CDK NAG suppressions - Add utility functions for CDK infrastructure - Improve deployment check script with enhanced validation * build: update Python base image to ECR public registry Modified PetAdoptions/petadoptionshistory-py/Dockerfile to update the base Python image from python:3.8 to public.ecr.aws/docker/library/python:3.8.20-bullseye. * feat: add compute infrastructure with ECS and EKS support - Add ECS cluster construct with auto scaling group and security group - Add EKS cluster construct with managed node groups and add-ons - Create microservice base class and ECS service implementation - Add pay-for-adoption microservice with database integration - Enhance network construct to disable public IP mapping - Update queue construct with CloudFormation exports for resource sharing - Add compute stage to pipeline with ECS and EKS deployment - Include kubectl v33 layer dependency for EKS operations - Add applications stage structure for microservices deployment * feat: add serverless microservices and enhance CDK infrastructure - Add new Lambda construct for serverless functions - Create serverless status-updater construct - Add new microservices: list-adoptions, pet-search, and traffic-generator - Enhance pay-for-adoption microservice with additional features - Update database and DynamoDB constructs with expanded functionality - Refactor ECS service construct with improved configuration - Enhance microservice construct with expanded capabilities - Significantly expand applications stage with new service integrations - Update environment and local configuration with enhanced setup - Add utility functions for improved helper capabilities * feat: add VPC endpoints and enhance API Gateway security - Add VPC endpoints construct for API Gateway, DynamoDB, and Lambda services - Configure status updater API Gateway as private endpoint with VPC endpoint policy - Add request authorizer and access logging to API Gateway - Include CDK NAG suppressions for security compliance - Export VPC endpoint IDs for cross-stack references - Integrate VPC endpoints into network construct and applications stack * feat: add EKS support and petsite microservice - Added new constants file and EKS deployment construct for better configuration management - Created new petsite microservice with Kubernetes deployment manifest - Enhanced EKS construct with additional deployment capabilities - Updated microservice construct to support both ECS and EKS deployments - Modified application stage to integrate new petsite service - Updated development configuration with new VS Code launch settings - Refined utility functions and updated project dependencies - Updated pre-commit configuration and prettier ignore rules * docs: add comprehensive architecture documentation and diagrams - Add detailed architecture.md covering system overview, deployment stages, microservices architecture, and observability components - Add 16 architectural diagrams illustrating complete system architecture, deployment stages, microservices structure, and observability setup - Update CDK constructs and microservices with minor code improvements and configuration adjustments * feat: enhance observability demo with service discovery and configuration management - Add CloudMap namespace support for ECS service discovery - Implement SSM parameter outputs for assets, database, and DynamoDB - Enhance ECS service construct to support load balancer-less services - Add VPC endpoints for ServiceDiscovery with improved networking - Update microservice configurations with service discovery integration - Improve database construct with separate reader/writer endpoint outputs - Add EKS kubectl lambda role export for enhanced cluster management - Update Kubernetes manifests and application stage configurations * feat: add microservices stage and standardize resource tagging - Add standardized tagging to all microservice classes with app:owner, app:project, app:name, app:computType, and app:hostType tags - Add MicroservicesStage to CDK pipeline with proper stage sequencing and tagging - Move QueueResources from StorageStack to CoreStack for better architectural organization - Update pipeline interface to include microservicesProperties parameter - Add missing Utilities import in traffic-generator.ts * feat: add microservices configuration to CDK pipeline Added microservices configuration to CDK pipeline by importing MICROSERVICES_PLACEMENT and LAMBDA_FUNCTIONS from environment and passing them as microservicesProperties to the CDKPipeline constructor. * feat: update CDK infrastructure and dependencies - Updated CDK TypeScript files across bin, lib/constructs, lib/stages, and lib/utils directories - Modified package.json and package-lock.json with dependency updates - Total: 8 files changed, 252 insertions, 272 deletions * refactor: simplify deployment template architecture - Remove EventBridge-based pipeline monitoring system - Replace Lambda functions with direct CodePipeline status polling - Eliminate complex event-driven architecture for simpler inline monitoring - Remove codebuild-deployment-template-simplified.yaml file - Update documentation and container configurations - Streamline deployment process with reduced complexity * fix: improve logging permissions and autoscaling group tagging - Update pipeline log ARN to use wildcard pattern for broader log group access - Simplify CloudWatch logs policy resources configuration - Add PropagateAtLaunch support for AutoScaling Group tags - Improve code formatting in utilities * docs: add comprehensive JSDoc documentation to CDK infrastructure - Added module-level documentation with package descriptions for all 6 files - Enhanced interface and class documentation with detailed parameter descriptions - Documented enums, constants, and configuration objects throughout - Added inline comments for improved code readability - Improved constructor and method documentation with parameter and return types * docs: restructure documentation and add automated generation - Added GitHub Actions workflow for documentation generation - Updated .gitignore to exclude documentation build artifacts - Updated pre-commit configuration - Moved CHANGELOG.md from docs/ to root directory - Removed diagram documentation and PNG files from docs/diagrams/ - Added new modules documentation file - Enhanced list-adoptions microservice with improved error handling - Updated containers stage with additional configuration - Enhanced TypeDoc configuration files with better documentation settings --------- Co-authored-by: Rodrigue Koffi <[email protected]> Co-authored-by: Rafael Pereyra <[email protected]>
Added instrumentation.opentelemetry.io/inject-dotnet annotation to enable automatic .NET instrumentation injection for the petsite deployment.
- Update all path references from PetAdoptions/cdk/pet_stack/ to src/cdk/ - Update cache paths and working directories to match new structure - Add environment file setup step to copy .env.example to .env before CDK synth - Maintain all existing workflow functionality with updated paths
- Extended build-test.yml and cdk-test.yml workflows to trigger on both main and staging branches - Refactored docs.yml workflow to separate build and deploy jobs, with deployment only occurring on main branch pushes - Added conditional logic to prevent staging branch changes from deploying to GitHub Pages
Move environment file copy operation from CDK synth step to separate earlier step for better workflow organization
| if traceID != "" { | ||
| fmt.Printf("[INFO] trace_id=%s %s %s %s %s %d\n", traceID, r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code) | ||
| } else { | ||
| fmt.Printf("[INFO] %s %s %s %s %d\n", r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code) |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html
| // Extract trace ID from context | ||
| traceID := extractTraceIDFromContext(ctx) | ||
| if traceID != "" { | ||
| fmt.Printf("[INFO] trace_id=%s %s %s %s %s %d\n", traceID, r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code) |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html
| } | ||
|
|
||
| // Build resource identifier for Aurora correlation | ||
| resourceIdentifier := fmt.Sprintf("postgres|%s|%d", dbConfig.Host, dbConfig.Port) |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html
* feat: enhance petfood agent microservice infrastructure - Enhanced petfood agent Python application - Updated CDK constants and environment configuration - Refactored petfood-agent microservice infrastructure - Modified application and container stage definitions * feat: bump dependencies
* feat: application improvements - Added parameter and secrets refresh to trigger more API connections - Added curl and aws-cli to all containers to enable validation from the containers * fix: build errors * fix: multiple fixes - Added parameter for traffic generator concurrent users - Added suppressions for support region stack * fix: several fixes on codebuild * fix: typo on buildspec * fix: path on pipeline status script * fix: Multiple fixes - increase assets bucket retention to 1 y - Removed lamnda log group name to avoid collision during re-deployments - Prevent deleting the step function if any of the stacks fails to delete * fix: Cleanup process fixes - Fail stack deletion if step function fails - Updated documentation * fix: improve cleanup and disable opensearch applications * fix: fixed describe execution permissions * fix: missing prefix for parameters on petsite * feat: enhance CDK deployment configuration and documentation - Enhanced CodeBuild CDK deployment documentation with 64 additions and 5 deletions - Updated local.ts configuration with minor changes - Refactored WAF construct with 23 additions and 12 deletions - Modified pipeline.ts with minimal changes - Updated application and core stage configurations - Improved bootstrap account script with 15 additions and 16 deletions * feat: improve build caching with local cache modes - Update cache paths to use dynamic working folder variable - Switch from S3 cache to local cache with Docker layer and source caching - Add partial build spec with LOCAL_DOCKER_LAYER_CACHE and LOCAL_SOURCE_CACHE modes - Fix cache key and paths to reference WORKING_FOLDER environment variable * feat: improve input validation and expand regional support - Add input validation loops in deploy-check.sh for bucket/object creation prompts - Expand AWS region support in validate-account.sh with 6 additional regions - Reorder region cases alphabetically for better maintainability * fix: correct GlobalWafStack constructor context reference Fixed incorrect context reference in GlobalWafStack constructor - changed 'this' to 'app' parameter. * enables cross-region reference. Fixed bootstrapping script * fix: removed build cache bucket * fix: removed local cache * fix: global acl reference * fix: removed build cache * fix: missing parameters in petsite * fix: parameter name for agentcore * fix: rollback change in parameter name for agentcore * fix: remove invalid output
#446) - Remove hardcoded CloudWatch log group names to prevent deployment conflicts - Add descriptive CloudFormation output descriptions for better resource identification - Remove unused Names import and logGroupName parameters - Add CDK-nag rule to enforce dynamic log group naming - Set default values for CloudFormation template parameters
| "FunctionName": "${rCDKStackListerFunction}", | ||
| "Payload": {} | ||
| }, | ||
| "ResultPath": "$.stackList", |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
It appears that you have a refernce path in value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.
Similar issue at line numbers 849, 858, 860, 871, 876, 892, 897, 918, 923, and 1044.
| "Succeeded") | ||
| echo "Pipeline execution completed successfully!" | ||
| WAIT_HANDLE_URL=$(aws cloudformation describe-stack-resource --stack-name "$STACK_NAME" --logical-resource-id rCDKDeploymentWaitConditionHandle --query 'StackResourceDetail.PhysicalResourceId' --output text --region "$REGION") | ||
| curl -X PUT -H 'Content-Type:' --data-binary '{"Status":"SUCCESS","Reason":"Pipeline completed successfully","UniqueId":"'$(uuidgen)'","Data":"Pipeline execution finished"}' "$WAIT_HANDLE_URL" |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Quote this to prevent word splitting.
* refactor: improve CDK infrastructure maintainability and documentation - Remove hardcoded CloudWatch log group names to prevent deployment conflicts - Add descriptive CloudFormation output descriptions for better resource identification - Remove unused Names import and logGroupName parameters - Add CDK-nag rule to enforce dynamic log group naming - Set default values for CloudFormation template parameters * feat: add exports management system and enhance CDK infrastructure - Modified CDK configuration constants and local deployment settings - Enhanced WAF construct and pipeline configuration - Improved status updater function and utility functions - Refined workshop nag pack rules - Added complete exports management system with Python script, dashboard template, and documentation - Updated CodeBuild deployment template * Feat/codeconnection (#448) * feat: add CodeConnection and Parameter Store integration - Add CodeConnection support for GitHub integration as alternative to S3 source - Implement Parameter Store configuration management for centralized config - Update CONTRIBUTING.md formatting (bullet points, spacing, emphasis) - Add comprehensive documentation for new integration features - Create reusable configuration retrieval script for pipeline steps - Update CloudFormation template with new parameters and IAM permissions - Modify CDK pipeline to support conditional source selection - Add fallback mechanisms for backward compatibility * feat: enhance configuration flexibility and add troubleshooting docs - Add troubleshooting section for CDK bootstrap stack deletion issues - Support environment variables for Parameter Store base path configuration - Add CodeConnection ARN support for GitHub integration - Update workshop template with consistent parameter defaults - Enable conditional source configuration (CodeConnection vs S3) in local deployment * refactor: simplify parameter store configuration management Modified parameter storage approach in AWS Systems Manager Parameter Store from individual key-value parameters to a single parameter containing the complete .env file content. Updated the retrieve-config.sh script to fetch a single parameter instead of using get-parameters-by-path, and modified the CodeBuild deployment template to store the entire .env file as one parameter rather than splitting it into multiple parameters. * feat: implement single parameter approach for Parameter Store integration Updated CodeConnection and Parameter Store integration with single parameter approach. Modified documentation to reflect new CloudFormation-managed parameter creation, updated CDK pipeline to use single parameter path with stack name, and enhanced CodeBuild template to create Parameter Store parameter as CloudFormation resource instead of manual creation. * fix: deployment issues * fix: added tags to initial stack * fix: pipeline error * fix: update environment validation and opensearch pipeline logging - Modified environment variable validation to accept either CONFIG_BUCKET or CODE_CONNECTION_ARN - Reordered CloudWatch log group creation before IAM role definition in OpenSearch pipeline - Fixed log group ARN references in IAM policies to use correct log group name * fix: rolled back log name for opensearch * fix: publish export error * fix: missing permissions for dashboard * fix: unterminated quoete * fix: missing permissions * fix: added shell for export dashboard * feat: enhance CDK infrastructure and deployment scripts - Updated constants configuration in bin/constants.ts - Enhanced asset constructs and petsite microservice - Modified pipeline configuration and status updater function - Significantly expanded manage-exports.py script with 654 additions - Enhanced retrieve-config.sh script with 318 additions - Total changes: 860 additions, 138 deletions across 7 files * feat: added debug flag for scripts * fix: script error handling logic * feat: improved dashboard * fix: missing permissions for dashboard * cicd: removed debug flag * fix: broad permissions for putobject * feat: improved console access links
| internal_prefixes = ["AWS::", "CDK::", "cdk-", "CdkBootstrap", "StagingBucket"] | ||
| return any(export_name.startswith(prefix) for prefix in internal_prefixes) | ||
|
|
||
| def _categorize_export(self, export_name: str) -> str: |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
The cyclomatic complexity of this function is 18. By comparison, 98% of the functions in the CodeGuru reference dataset have a lower cyclomatic complexity. This indicates the function has a high number of decisions and it can make the logic difficult to understand and test. We recommend that you simplify this function or break it into multiple functions.
| """Check if export value appears to be a URL.""" | ||
| return value.startswith(("http://", "https://")) | ||
|
|
||
| def _get_console_url( |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
The cyclomatic complexity of this function is 17. By comparison, 98% of the functions in the CodeGuru reference dataset have a lower cyclomatic complexity. This indicates the function has a high number of decisions and it can make the logic difficult to understand and test.
We recommend that you simplify this function or break it into multiple functions. For example, consider extracting the code block on lines 661-666 into a separate function.
| logger.info(f"Target regions for scanning: {regions}") | ||
| return regions | ||
|
|
||
| def extract_exports( |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
This function contains 128 lines of code, not including blank lines or lines with only comments, Python punctuation characters, identifiers, or literals. By comparison, 99% of the functions in the CodeGuru reference dataset contain fewer lines of code. Large functions might be difficult to read and have logic that is hard to understand and test.
We recommend that you simplify this function or break it into multiple functions. For example, consider extracting the code block on lines 521-529 into a separate function.
| "FunctionName": "${rCDKStackListerFunction}", | ||
| "Payload": {} | ||
| }, | ||
| "ResultPath": "$.stackList", |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
It appears that you have a refernce path in value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.
Similar issue at line numbers 968, 977, 979, 990, 995, 1011, 1016, 1037, 1042, and 1163.
| if cloudfront_domain: | ||
| dashboard_url = f"{cloudfront_domain}/workshop-exports/index.html" | ||
| elif assets_bucket: | ||
| dashboard_url = f"https://{assets_bucket}.s3.amazonaws.com/workshop-exports/index.html" |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential S3 bucket sniping vulnerability detected. This rule has identified S3 bucket references that could be vulnerable to bucket sniping attacks. Bucket sniping occurs when an attacker registers an S3 bucket name after finding it referenced in code but not yet created. This can lead to data exposure, malicious content hosting, or service disruption.
Recommendations:
- Create all referenced S3 buckets immediately
- Use organization-specific prefixes for bucket names
- Verify bucket ownership before use
- Consider using AWS Organizations S3 bucket naming rules
Discovered: workshop-exports
| **S3 upload fails**: Check bucket exists and permissions allow PutObject | ||
|
|
||
| ```bash | ||
| aws s3 ls s3://your-assets-bucket/ |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential S3 bucket sniping vulnerability detected. This rule has identified S3 bucket references that could be vulnerable to bucket sniping attacks. Bucket sniping occurs when an attacker registers an S3 bucket name after finding it referenced in code but not yet created. This can lead to data exposure, malicious content hosting, or service disruption.
Recommendations:
- Create all referenced S3 buckets immediately
- Use organization-specific prefixes for bucket names
- Verify bucket ownership before use
- Consider using AWS Organizations S3 bucket naming rules
Discovered: your-assets-bucket
| logger.info("CloudFront URL: %s", cloudfront_url) | ||
| return cloudfront_url | ||
|
|
||
| return s3_url |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Untrusted data must be properly encoded or sanitized before being
incorporated into web page content or used to generate dynamic output.
Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities,
enabling attackers to inject malicious scripts into the application. These
scripts, when executed in users' browsers, can lead to various security
breaches such as session hijacking, data theft, or unauthorized actions
performed within the victim's session context. To mitigate this risk,
use built-in template escaping mechanisms, HTML escape functions like
html.escape(), or dedicated security libraries such as Bleach.
Learn more: https://owasp.org/www-community/attacks/xss/
| log_debug "Attempting to retrieve parameter from SSM..." | ||
|
|
||
| local ssm_output | ||
| local ssm_error |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
ssm_error appears unused. Verify use (or export if used externally).
| if [[ "$LOG_LEVEL" == "DEBUG" ]]; then | ||
| log_debug "Existing .env contents:" | ||
| log_debug "----------------------------------------------" | ||
| cat ".env" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2 |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Unnecessary use of 'cat' in shell scripts, can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection 'command < file' or pass the filename directly command file when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
| if [[ "$LOG_LEVEL" == "DEBUG" ]]; then | ||
| log_debug "Configuration file contents:" | ||
| log_debug "----------------------------------------------" | ||
| cat "$TARGET_ENV_FILE" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2 |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Unnecessary use of 'cat' in shell scripts, can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection 'command < file' or pass the filename directly command file when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
…449) - Pass configuration parameter name to DDB seeding step in pipeline - Add comprehensive error validation in get-parameter.sh script - Improve error handling in seed-dynamodb.sh for invalid table names - Add better logging and error messages for debugging - Support configuration parameter retrieval in seeding process
* fix: enhance DynamoDB seeding with error handling and config support - Pass configuration parameter name to DDB seeding step in pipeline - Add comprehensive error validation in get-parameter.sh script - Improve error handling in seed-dynamodb.sh for invalid table names - Add better logging and error messages for debugging - Support configuration parameter retrieval in seeding process * refactor: simplify DynamoDB seeding configuration Simplified DynamoDB seeding configuration by removing configurationParameterName parameter and streamlining environment variable handling. Updated pipeline.ts to remove unused parameter passing, modified storage.ts to use direct environment variable export instead of configuration parameter retrieval, and refactored get-parameter.sh script to rely on environment variables rather than parsing TypeScript files. * fix: pipeline status parsing error * fix: dependency for delete step function * fix: pipeline status parsing error * fix: improve error handling and datetime serialization in CodeBuild deployment template - Replace generic States.ALL error catch with specific States.TaskFailed handling - Add CheckDescribeError choice state to differentiate ValidationError from other failures - Add DeletionFailed state for proper non-validation error handling - Import datetime module and serialize CloudFormation stack timestamps to ISO format - Fix datetime serialization issues for CreationTime, LastUpdatedTime, and DeletionTime fields * feat: added awsApplication Tag * fix: export lambda * feat: removed awsApplication tag * fix: export retriever function improvement
| "FunctionName": "${rCDKStackListerFunction}", | ||
| "Payload": {} | ||
| }, | ||
| "ResultPath": "$.stackList", |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
It appears that you have a refernce path in value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.
Similar issue at line numbers 959, 968, 970, 981, 986, 995, 1013, 1018, 1039, and 1165.
* Change some styling * Fix build warning * Add formatting, parameter ARN for Waggle * fix: pre-commit issues * fix: renamed parameter for petfood agent --------- Co-authored-by: Rafael Pereyra <[email protected]>
* fix: enabled multi-region trail * feat: added listsecret permission to task * feat: add CloudFront log group to assets construct - Added LogGroup import from aws-cdk-lib/aws-logs - Added optional logRetentionDays property to AssetsProperties interface - Created CloudFrontLogGroup with configurable retention (defaults to ONE_WEEK) - Added comment explaining manual console configuration requirement due to CDK limitation - Set RemovalPolicy.DESTROY for the log group
…oyment scripts (#455) - Enhanced CONTRIBUTING.md with additional guidelines - Expanded application redeployment documentation with more detailed instructions - Updated petfood agent Python implementation - Modified CDK configurations for pay-for-adoption and petfood-agent microservices - Improved redeploy application script with enhanced functionality
7 participants
Added pre-commit hooks and other validation tools for this process
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.