chore: add cfn-nag to all yaml changes

.github/workflows/cfn-analysis.yml

@@ -0,0 +1,45 @@
+#
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+name: CloudFormation Scanning
+
+on:
+  pull_request:
+    branches:
+      - develop
+      - smart-develop
+
+jobs:
+  cfn-analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: 12
+      - name: Install npm dependencies
+        run: yarn install
+      - name: Install serverless
+        run: npm install -g serverless
+      - name: Package main sls into cfn for analysis
+        run: |
+          serverless package --stage dev --region us-west-2 --useHapiValidator true --conceal
+      - name: cfn_nag on main serverless
+        uses: stelligent/cfn_nag@master
+        with:
+          input_path: .serverless/cloudformation-template-update-stack.json
+          extra_args: -o json  
+      - name: Package auditLogMover sls into cfn for analysis
+        run: |
+          cd auditLogMover
+          yarn install
+          serverless package --stage dev --region us-west-2 --conceal
+      - name: cfn_nag on auditLog serverless
+        uses: stelligent/cfn_nag@master
+        with:
+          input_path: auditLogMover/.serverless/cloudformation-template-update-stack.json
+          extra_args: -o json

.github/workflows/codeql-analysis.yml

@@ -13,6 +13,10 @@ on:
     paths-ignore:
       - '**/*.md'
       - '**/*.txt'
+  push:
+    branches:
+      - develop
+      - smart-develop
   schedule:
     - cron: '0 0 * * *'
 

auditLogMover/serverless.yaml

@@ -17,6 +17,7 @@ provider:
   stage: dev
   region: us-west-2
   memorySize: 256
+  logRetentionInDays: 3653 # 10 years
   stackTags:
     FHIR_SERVICE: 'fhir-service-${self:custom.region}-${self:custom.stage}'
   environment:
@@ -28,7 +29,12 @@ provider:
 
   iamRoleStatements:
     - Action:
-        - 'logs:*'
+        - 'logs:CreateExportTask'
+        - 'logs:DeleteLogStream'
+        - 'logs:DescribeLogStreams'
+        - 'logs:CreateLogStream'
+        - 'logs:CreateLogGroup'
+        - 'logs:PutLogEvents'
       Effect: 'Allow'
       Resource:
         Fn::ImportValue: CloudwatchExecutionLogGroup-${opt:stage, self:provider.stage}-Arn
@@ -37,7 +43,8 @@ provider:
       Effect: 'Allow'
       Resource: '*'
     - Action:
-        - 's3:*'
+        - 's3:PutObject'
+        - 's3:ListBucket'
       Effect: Allow
       Resource:
         - !GetAtt AuditLogsBucket.Arn
@@ -106,6 +113,11 @@ resources:
 
     AuditLogMoverExportFailureAlarm:
       Type: AWS::CloudWatch::Alarm
+      Metadata:
+        cfn_nag:
+          rules_to_suppress:
+            - id: W28
+              reason: 'We want to explicitly create an alarm name'
       Properties:
         AlarmDescription: Alarm when there is a exportCloudwatchLogs-Failure'
         AlarmName: FhirSolution.${self:custom.stage}.AuditLogMover.ExportFailureAlarm
@@ -125,6 +137,11 @@ resources:
 
     AuditLogMoverDeleteFailureAlarm:
       Type: AWS::CloudWatch::Alarm
+      Metadata:
+        cfn_nag:
+          rules_to_suppress:
+            - id: W28
+              reason: 'We want to explicitly create an alarm name'
       Properties:
         AlarmDescription: Alarm when there is a deleteCloudwatchLogs-Failure'
         AlarmName: FhirSolution.${self:custom.stage}.AuditLogMover.DeleteFailureAlarm

cloudformation/alarms.yaml

@@ -6,6 +6,11 @@
 Resources:
   DDBToESErrorAlarm:
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reaon: 'We want to explicitly create an alarm name'
     Properties:
       AlarmDescription: Alarm when the Stream errors is more than 1 unit for 15 minutes out of the past 25 minutes. Streams do have retry logic
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, DDBToESLambdaErrorAlarm]]
@@ -25,6 +30,11 @@ Resources:
       Unit: Count  
   DDBToESIteratorAgeAlarm:
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmDescription: Alarm if the oldest record in the batch when processed was older than 1 minute.
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, DDBToESIteratorAgeAlarm]]
@@ -44,6 +54,11 @@ Resources:
       Unit: Seconds
   DdbToEsDLQDepthAlarm: 
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties: 
       AlarmDescription: Alarm if queue depth increases to >= 1 messages
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, DDBToESDLQDepthAlarm]]
@@ -61,6 +76,11 @@ Resources:
       Unit: Count
   FhirLambdaErrorAlarm:
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmDescription: Alarm when Fhir errors is more than 1
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, FhirLambdaErrorAlarm]]
@@ -79,6 +99,11 @@ Resources:
       Unit: Count
   FhirLambdaLatencyAlarm:
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmDescription: Alarm when Fhir average latency is more than 2.5s; 2 times
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirLambdaLatencyAlarm]]
@@ -99,6 +124,11 @@ Resources:
   ApiGateway5XXErrorAlarm:
     DependsOn: ApiGatewayRestApi
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmDescription: Alarm when Api GW has more than 1 5xx errors; 3 times
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, ApiGateway5XXErrorAlarm]]
@@ -119,6 +149,11 @@ Resources:
   ApiGateway4XXErrorAlarm:
     DependsOn: ApiGatewayRestApi
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmDescription: Alarm when Api GW has more than 1 4xx errors; 3 times
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, ApiGateway4XXErrorAlarm]]
@@ -139,6 +174,11 @@ Resources:
   ApiGatewayLatencyAlarm:
     DependsOn: ApiGatewayRestApi
     Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmDescription: Alarm when Api GW average latency is more than 3s; 2 times
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, ApiGatewayLatencyAlarm]]
@@ -157,7 +197,12 @@ Resources:
       TreatMissingData: notBreaching
       Unit: Milliseconds
   ClusterStatusRedAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, FhirESClusterStatusRedAlarm]]
       AlarmDescription: 'Primary and replica shards of at least one index are not allocated to nodes in a cluster.'
@@ -175,7 +220,12 @@ Resources:
       Statistic: Maximum
       Threshold: 0
   ClusterStatusYellowAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Condition: isNotDev
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterStatusYellowAlarm]]
@@ -194,7 +244,12 @@ Resources:
       Statistic: Maximum
       Threshold: 0
   ClusterCPUUtilizationTooHighAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, FhirESClusterCPUUtilAlarm]]
       AlarmDescription: 'Average CPU utilization over last 10 minutes too high.'
@@ -211,7 +266,12 @@ Resources:
       Statistic: Average
       Threshold: 80
   ClusterMasterCPUUtilizationTooHighAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Condition: isNotDev
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterMasterCPUUtilAlarm]]
@@ -229,7 +289,12 @@ Resources:
       Statistic: Average
       Threshold: 50
   ClusterFreeStorageSpaceTooLowAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterFreeStorageSpaceTooLowAlarm]]
       AlarmDescription: 'Cluster is running out of storage space.'
@@ -246,7 +311,12 @@ Resources:
       Statistic: Minimum
       Threshold: !If [isDev, 2500, 22500] # in MB; aiming for alarm at 25% remaining
   ClusterIndexWritesBlockedTooHighAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterIndexWritesBlockedTooHighAlarm]]
       AlarmDescription: 'Cluster is blocking incoming write requests.'
@@ -263,7 +333,12 @@ Resources:
       Statistic: Maximum
       Threshold: 0
   ClusterJVMMemoryPressureTooHighAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterJVMMemoryAlarm]]
       AlarmDescription: 'Average JVM memory pressure over last 10 minutes too high.'
@@ -280,7 +355,12 @@ Resources:
       Statistic: Average
       Threshold: 80
   ClusterMasterJVMMemoryPressureTooHighAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Condition: isNotDev
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterMasterJVMMemoryAlarm]]
@@ -298,7 +378,12 @@ Resources:
       Statistic: Average
       Threshold: 80
   ClusterMasterNotReachableFromNodeAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Condition: isNotDev
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterMasterNotReachableFromNodeAlarm]]
@@ -316,7 +401,12 @@ Resources:
       Statistic: Minimum
       Threshold: 1
   ClusterAutomatedSnapshotFailureTooHighAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Condition: isNotDev
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterSnapshotFailureAlarm]]
@@ -334,7 +424,12 @@ Resources:
       Statistic: Maximum
       Threshold: 0
   ClusterKibanaHealthyNodesTooLowAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Condition: isDev
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, Low, FhirESClusterKibanaAlarm]]
@@ -353,7 +448,12 @@ Resources:
       Statistic: Minimum
       Threshold: 1
   ClusterKMSKeyErrorAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, FhirESClusterKMSErrorAlarm]]
       AlarmDescription: 'KMS customer master key used to encrypt data at rest has been disabled.'
@@ -370,7 +470,12 @@ Resources:
       Statistic: Maximum
       Threshold: 0
   ClusterKMSKeyInaccessibleAlarm:
-    Type: 'AWS::CloudWatch::Alarm'
+    Type: AWS::CloudWatch::Alarm
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: 'We want to explicitly create an alarm name'
     Properties:
       AlarmName: !Join ['.', [FhirSolution, !Ref Stage, High, FhirESClusterKMSInaccessibleAlarm]]
       AlarmDescription: 'KMS customer master key used to encrypt data at rest has been deleted or revoked its grants to Amazon ES.'