Bug: cdk-nag failing on non-existent resource #344

Closed
moserda opened this issue Feb 1, 2024 · 0 comments
moserda commented Feb 1, 2024

Hi,
#310 introduced a bug with the cdk-nag suppressions when the VPC/private subnets are configured with fewer than 3 AZs.

Error: Suppression path "/testestGenAIChatBotStack/UserInterface/PrivateWebsite/DescribeNetworkInterfaces-2/CustomResourcePolicy/Resource" did not match any resource. This can occur when a resource does not exist or if a suppression is applied before a resource is created.

The root cause seems to be the hard-coded suppression rules in https://github.com/aws-samples/aws-genai-llm-chatbot/blob/20828628f83fca299cf3775deb62014a4957dbac/lib/aws-genai-llm-chatbot-stack.ts#L420C1-L435C9. If there are != 3 private subnets containing the VPC Endpoints, the suppressions will fail.

      NagSuppressions.addResourceSuppressionsByPath(
          this,
          [
            `/${this.stackName}/UserInterface/PrivateWebsite/DescribeNetworkInterfaces-0/CustomResourcePolicy/Resource`,
            `/${this.stackName}/UserInterface/PrivateWebsite/DescribeNetworkInterfaces-1/CustomResourcePolicy/Resource`,
            `/${this.stackName}/UserInterface/PrivateWebsite/DescribeNetworkInterfaces-2/CustomResourcePolicy/Resource`,
            `/${this.stackName}/UserInterface/PrivateWebsite/describeVpcEndpoints/CustomResourcePolicy/Resource`,
          ],
          [
            {
              id: "AwsSolutions-IAM5",
              reason:
                "Custom Resource requires permissions to Describe VPC Endpoint Network Interfaces",
            },
          ]
      );

I suggest creating the suppressions dynamically, the same way the VPC Endpoints are created, e.g. something like

      // Build one suppression path per AZ, matching how the VPC Endpoint
      // custom resources are created, then add the single describeVpcEndpoints path.
      const paths: string[] = [];
      for (let index = 0; index < shared.vpc.availabilityZones.length; index++) {
        paths.push(`/${this.stackName}/UserInterface/PrivateWebsite/DescribeNetworkInterfaces-${index}/CustomResourcePolicy/Resource`);
      }
      paths.push(`/${this.stackName}/UserInterface/PrivateWebsite/describeVpcEndpoints/CustomResourcePolicy/Resource`);
      NagSuppressions.addResourceSuppressionsByPath(
        this,
        paths,
        [
          {
            id: "AwsSolutions-IAM5",
            reason:
              "Custom Resource requires permissions to Describe VPC Endpoint Network Interfaces",
          },
        ]
      );

Happy to submit a PR for this.
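The failure mode described in this issue, as an added example that is not part of the issue or the project's code: suppression paths are derived from the AZ count rather than hard-coded to three, and checked against the resource paths the stack actually contains (the stack name, AZ counts, resource tree and the `Bucket/Resource` entry are constructed stand-ins for what cdk-nag would walk).

```typescript
// Added example, not the project's code: derive cdk-nag suppression paths from
// the VPC's availability-zone count instead of hard-coding three, and check
// them against the resource paths that actually exist before synth fails.

const PRIVATE_WEBSITE = "UserInterface/PrivateWebsite";

// Suppression paths for the DescribeNetworkInterfaces custom resources, one per AZ,
// plus the single describeVpcEndpoints custom resource.
function buildSuppressionPaths(stackName: string, azCount: number): string[] {
  const base = `/${stackName}/${PRIVATE_WEBSITE}`;
  const paths: string[] = [];
  for (let index = 0; index < azCount; index++) {
    paths.push(`${base}/DescribeNetworkInterfaces-${index}/CustomResourcePolicy/Resource`);
  }
  paths.push(`${base}/describeVpcEndpoints/CustomResourcePolicy/Resource`);
  return paths;
}

// The hard-coded form reported in the issue: always assumes three AZs.
function hardcodedSuppressionPaths(stackName: string): string[] {
  return buildSuppressionPaths(stackName, 3);
}

// Constructed stand-in for the construct tree cdk-nag walks: the resource paths a
// stack deployed into `azCount` AZs would really contain (no DescribeNetworkInterfaces-N
// for N >= azCount), plus an unrelated constructed resource to show the matcher is selective.
function existingResourcePaths(stackName: string, azCount: number): Set<string> {
  const base = `/${stackName}/${PRIVATE_WEBSITE}`;
  const resources = new Set<string>([`${base}/Bucket/Resource`]);
  for (let index = 0; index < azCount; index++) {
    resources.add(`${base}/DescribeNetworkInterfaces-${index}/CustomResourcePolicy/Resource`);
  }
  resources.add(`${base}/describeVpcEndpoints/CustomResourcePolicy/Resource`);
  return resources;
}

// Mirrors the check behind cdk-nag's "did not match any resource" error: returns every
// suppression path that points at nothing, so a caller can fail fast with the full list.
function unmatchedSuppressionPaths(suppressions: string[], resources: Set<string>): string[] {
  return suppressions.filter((path) => !resources.has(path));
}

// Two-AZ stack: the hard-coded list dangles on DescribeNetworkInterfaces-2,
// the dynamic list matches every resource.
const twoAzResources = existingResourcePaths("GenAIChatBotStack", 2);
console.log(unmatchedSuppressionPaths(hardcodedSuppressionPaths("GenAIChatBotStack"), twoAzResources));
console.log(unmatchedSuppressionPaths(buildSuppressionPaths("GenAIChatBotStack", 2), twoAzResources));
```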

@bigadsoleiman bigadsoleiman added the bug Something isn't working label Feb 1, 2024
moserda pushed a commit to moserda/aws-genai-llm-chatbot that referenced this issue Feb 1, 2024