From 8081dc332e5366039b368d687347b2c2229ff0a1 Mon Sep 17 00:00:00 2001
From: louiseli1
Date: Fri, 20 Sep 2024 11:33:35 +0100
Subject: [PATCH 1/2] BAU: Add lint to sam validate

---
 .github/workflows/post-merge-deploy-to-dev.yml | 2 +-
 .github/workflows/secure-post-merge.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/post-merge-deploy-to-dev.yml b/.github/workflows/post-merge-deploy-to-dev.yml
index 91ba940..9ea6579 100644
--- a/.github/workflows/post-merge-deploy-to-dev.yml
+++ b/.github/workflows/post-merge-deploy-to-dev.yml
@@ -26,7 +26,7 @@ jobs:
           aws-region: eu-west-2
       - name: SAM Validate
-        run: sam validate --region ${{ env.AWS_REGION }} -t deploy/template.yaml
+        run: sam validate --region ${{ env.AWS_REGION }} -t deploy/template.yaml --lint
       - name: Login to Amazon ECR
         id: login-ecr
diff --git a/.github/workflows/secure-post-merge.yml b/.github/workflows/secure-post-merge.yml
index f90a763..66db4ac 100644
--- a/.github/workflows/secure-post-merge.yml
+++ b/.github/workflows/secure-post-merge.yml
@@ -26,7 +26,7 @@ jobs:
           aws-region: eu-west-2
       - name: SAM Validate
-        run: sam validate --region ${{ env.AWS_REGION }} -t deploy/template.yaml
+        run: sam validate --region ${{ env.AWS_REGION }} -t deploy/template.yaml --lint
       # Likely source of node warning
       # https://github.com/aws-actions/amazon-ecr-login/issues/586

From 9c0ba2e50e8623974ce226ade5b0fff9071ddb82 Mon Sep 17 00:00:00 2001
From: louiseli1
Date: Fri, 20 Sep 2024 11:48:01 +0100
Subject: [PATCH 2/2] Add step to pre-merge

---
 .github/workflows/pre-merge-checks.yml | 5 +++++
 .pre-commit-config.yaml | 4 ++--
 .secrets.baseline | 8 ++++----
 deploy/template.yaml | 10 +++++++++-
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/pre-merge-checks.yml b/.github/workflows/pre-merge-checks.yml
index 00ecb99..ccca007 100644
--- a/.github/workflows/pre-merge-checks.yml
+++ b/.github/workflows/pre-merge-checks.yml
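Review bot: `--lint` hands validation to the cfn-lint bundled with whichever SAM CLI the runner image happens to ship, so the rule set enforced by this SAM Validate step can drift from the `cfn-python-lint` version pinned for local pre-commit hooks (v1.15.2 in the second commit) and can change silently whenever `ubuntu-latest` is refreshed; the same applies to the secure-post-merge.yml and pre-merge-checks.yml hunks. Nothing in the visible context installs or pins SAM CLI, though the steps before this one are outside the hunk and that is inferred. Consider pinning the CLI in a dedicated setup step with a fixed version, or at least recording the dependency above the step: `# --lint runs the cfn-lint bundled with the runner's SAM CLI; keep its rule set in step with the pre-commit pin`. The enclosing job starts before the hunk.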
@@ -24,12 +24,17 @@ jobs:
   run-premerge-checks:
     runs-on: ubuntu-latest
+    env:
+      AWS_REGION: eu-west-2
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+      - name: SAM Validate
+        run: sam validate --region ${{ env.AWS_REGION }} -t deploy/template.yaml --lint
+
       - name: Use Node.js 20.x
         uses: actions/setup-node@v4
         with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index dd1adf3..54361d7 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,12 +9,12 @@ repos:
         args: [ --allow-missing-credentials ]
       - id: detect-private-key
   - repo: https://github.com/awslabs/cfn-python-lint
-    rev: v1.5.0 # The version of cfn-lint to use
+    rev: v1.15.2 # The version of cfn-lint to use
     hooks:
       - id: cfn-python-lint
         files: .template\.yaml$
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.174'
+    rev: '3.2.256'
     hooks:
       - id: checkov
         verbose: true
diff --git a/.secrets.baseline b/.secrets.baseline
index a64dce0..6625981 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -267,23 +267,23 @@
         "filename": "deploy/template.yaml",
         "hashed_secret": "b63bf00edb07af6ffba7f7ceb7ed573a913271f7",
         "is_verified": false,
-        "line_number": 620
+        "line_number": 628
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "42af5cf9fcf4f09147c032a0fb4877f5cf626bbc",
         "is_verified": false,
-        "line_number": 621
+        "line_number": 629
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "7584a31168b8e8f62d9b84b7b95d239b99fad815",
         "is_verified": false,
-        "line_number": 623
+        "line_number": 631
       }
     ]
   },
-  "generated_at": "2024-10-04T13:38:50Z"
+  "generated_at": "2024-10-18T08:56:25Z"
 }
diff --git a/deploy/template.yaml b/deploy/template.yaml
index c313642..db60faa 100644
--- a/deploy/template.yaml
+++ b/deploy/template.yaml
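Review bot: The new SAM Validate step in `run-premerge-checks` runs with no credentials-configuration step before it, unlike the post-merge workflows where an `aws-region` setup precedes the same command; that is presumably fine because `--lint` validates the template locally through cfn-lint instead of calling CloudFormation, but the intent should be written down so nobody later "fixes" it by granting AWS credentials to a job that runs on pull requests. Suggest a comment above the step: `# --lint validates locally via cfn-lint; this job deliberately has no AWS credentials`. The job-level `AWS_REGION` env then exists only to feed `--region`; if the lint path ignores it, both could be dropped, which should be verified against the SAM CLI version in use. The `run-premerge-checks` job continues past the hunk.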
@@ -173,6 +173,11 @@ Resources:
     Type: AWS::S3::Bucket
     #checkov:skip=CKV_AWS_18: This is the bucket where our access logs go and AWS advise not sending a bucket's access logs to itself.
+    Metadata:
+      cfn-lint:
+        config:
+          ignore_checks:
+            - W3045 # Using a legacy 'AccessControl: LogDeliveryWrite' setup for now
     Properties:
       BucketName: !Join
         - "-"
@@ -443,7 +448,10 @@ Resources:
           - !Ref "Environment"
           - desiredTaskCount
         EnableECSManagedTags: false
-        HealthCheckGracePeriodSeconds: 60
+        HealthCheckGracePeriodSeconds: !If
 - UseCanaryDeployment - !Ref AWS::NoValue - 60 LaunchType: FARGATE LoadBalancers: !If - UseCanaryDeployment
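Review bot: The `ignore_checks: - W3045` suppression is open-ended: the comment says "for now" but records no follow-up, so the legacy ACL-based `AccessControl: LogDeliveryWrite` grant on the log bucket, which already carries the `#checkov:skip=CKV_AWS_18` on the line above, will quietly persist once the warning is muted in both pre-commit and CI. Suggest making the comment actionable so the suppression has an exit condition, e.g. `- W3045 # Legacy 'AccessControl: LogDeliveryWrite'; replace with a bucket policy for the S3 log delivery principal and drop this suppression (tracking: <TICKET-ID placeholder>)`. The bucket's Properties continue past the hunk, so whether ACLs are otherwise restricted on this bucket cannot be seen here.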
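Review bot: Switching `HealthCheckGracePeriodSeconds` to `!Ref AWS::NoValue` when `UseCanaryDeployment` is true is a runtime behaviour change that neither the commit subject ("Add step to pre-merge") nor a comment explains. If the canary branch of the `LoadBalancers: !If` just below also resolves to `AWS::NoValue`, omitting the grace period is required, since the property is only accepted for services that attach a load balancer, and a comment should say so; if that branch still attaches one, new canary tasks lose their 60-second grace window and may be replaced before they pass health checks. Suggest `# No grace period under canary: LoadBalancers is omitted there and the property is rejected without one` (or the converse, whichever the condition actually does); the LoadBalancers branches are outside the hunk. The three `!If` branch lines appear here without `+` markers, which the hunk header counts (7 to 10 lines) indicate were lost in extraction rather than being removals.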