Do NagSuppressions have to be applied inside Stack constructor only? #1670

Open · anentropic opened this issue Apr 24, 2024 · 1 comment
Labels: documentation (Improvements or additions to documentation)

Comments

@anentropic

Describe your issue?

I had an ever-growing list of NagSuppressions rules that were at the bottom of the __init__ method of my Stacks

I also use a bunch of custom Constructs, for example I have one called RDSMySQLWithProxyAndBastion, used in several stacks

It seemed like my code would be tidier if I moved the suppressions into the Construct so I didn't have to repeat them in every Stack where they were used

But when I did this the suppressions stopped working

e.g. I had a suppression like:

```python
from aws_cdk import Stack
from cdk_nag import NagPackSuppression, NagSuppressions


class MyStack(Stack):
    def __init__(...):
        db_proxy_bastion = RDSMySQLWithProxyAndBastion(...)
        ...
        # Suppression applied from the Stack body, targeting the construct's RDS instance
        NagSuppressions.add_resource_suppressions(
            db_proxy_bastion.rds_instance,
            [
                NagPackSuppression(
                    id="AwsSolutions-RDS11",
                    reason="No point using non-default port for db when RDS Proxy re-exposes on default port.",
                ),
            ],
        )
```

then I moved it into the custom construct and amended the target like:

```python
from aws_cdk import aws_rds as rds
from cdk_nag import NagPackSuppression, NagSuppressions
from constructs import Construct


class RDSMySQLWithProxyAndBastion(Construct):
    def __init__(...):
        self.rds_instance = rds.DatabaseInstance(...)
        ...
        # Same suppression, now applied from inside the custom Construct
        NagSuppressions.add_resource_suppressions(
            self.rds_instance,
            [
                NagPackSuppression(
                    id="AwsSolutions-RDS11",
                    reason="No point using non-default port for db when RDS Proxy re-exposes on default port.",
                ),
            ],
        )
```

Now when I synth it's as if the suppressions aren't applied:

```
[Error at /mystack/Database/MySQL/Resource] AwsSolutions-RDS11: The RDS instance or Aurora DB cluster uses the default endpoint port. Port obfuscation (using a non default endpoint port) adds an additional layer of defense against non-targeted attacks (i.e. MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432, etc).
```

I can't see anything obviously wrong; I'm applying it to the same object, just from a different place in the code.

I didn't see anything in the docs which stated that it has to be applied from within the Stack body, but I know CDK does some weird things under the hood.

Am I missing something obvious? Or is this expected behaviour?

@anentropic anentropic added documentation Improvements or additions to documentation needs-triage This issue or PR still needs to be triaged. labels Apr 24, 2024
@dontirun dontirun removed the needs-triage This issue or PR still needs to be triaged. label Apr 25, 2024
@dontirun (Collaborator)

NagSuppressions work within a construct scope; I've done this in my own constructs. I can't see anything obvious in the snippet you've provided. Is there a larger sample you can share?
