release v1.2.0 (#25)

Co-authored-by: Verinder Singh <verind@amazon.com>

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## [1.2.0] - 2023-08-08
+
+### Added
+
+- Integrated CfnGuard and Checkov as additional IaC scanning tools for pattern validation.
+- Added user role based access to the solution UI
+
+### Fixed
+
+- Pull request comments max size issue.
+
 ## [1.1.0] - 2023-05-03
 
 ### Added

README.md

@@ -178,7 +178,15 @@ By default, all solution data (S3 buckets, DynamoDB tables) will be removed when
 
 **Identity Provider configuration (optional)**
 
-Users can sign into the solution web UI either directly through the user pool, or federate through a third-party identity provider (IdP) that supports OpenID Connect authentication. To federate through a third-party identity provider via OpenID Connect, add the following parameters to `source/cdk.json`:
+Users can sign into the solution web UI either directly through the user pool, or federate through a third-party identity provider (IdP) that supports OpenID Connect authentication. 
+
+The solution by default creates two user groups in Amazon Cognito user pool:
+- SYSTEM_ADMIN: This user group has permissions to access all pages in the UI. The default user created by the solution is automatically added to this group when the solution is deployed. 
+- PATTERN_PUBLISHER: This group has permissions to create, update and view patterns. This group also allows you to view pattern attributes. To update or delete pattern attributes you would need to be in SYSTEM_ADMIN group.     
+
+If you are federating through a third-party identity provider via OpenID Connect, please add a claim type of `group` in your IdP and map the roles that should relate to `SYSTEM_ADMIN` and `PATTERN_PUBLISHER` roles in Amazon Cognito. In absence of this mapping the federated user would only have read only access to the solution UI.
+
+To federate through a third-party identity provider via OpenID Connect, add the following parameters to `source/cdk.json`:
 
 ```
 "identityProviderInfo": {
@@ -202,11 +210,14 @@ Example: Identity provider configuration to federate through Auth0.
     "oidcIssuer": "https://dev-abcdefgx.us.auth0.com",
     "attributeMapping": {
       "email": "EMAIL",
-      "username": "sub"
+      "username": "sub",
+      "custom:groups": "groups"
     }
   }
 ```
 
+It's important to note that if you want to use user groups from your IdP please make sure you add `attributeMapping` to map your groups claim name with `custom:groups` (as in the example above).
+
 **AWS WAF configuration (optional)**
 
 This solution provisions AWS WAF Web ACL for API Gateway resources, by default. For a CloudFront distribution WAF Web ACL, the solution allows users to associate their existing AWS WAF Web ACL for CloudFront with the CloudFront distribution created by the solution. Refer to the configuration options below for configuring your AWS WAF Web ACL. Note: The WAF configuration is optional. If you need to configure it, add this information to `source/cdk.json`.
@@ -231,6 +242,35 @@ Example WAF Configuration:
 }
 ```
 
+**Security scanning tool configuration (optional)**
+
+This solution uses [CfnNag](https://github.com/stelligent/cfn_nag) as the default IaC security scanning tool. In addition to CfnNag, this solution also supports below security scanning tools:
+
+- [AWS CloudFormation Guard](https://github.com/aws-cloudformation/cloudformation-guard):
+AWS CloudFormation Guard is a policy-as-code evaluation tool that is open source and can be used for checking the security posture of AWS CloudFormation templates. The solution also supports [AWS Rule Registry](https://github.com/aws-cloudformation/aws-guard-rules-registry) and allows users to configure [managed rule sets](https://github.com/aws-cloudformation/aws-guard-rules-registry#managed-rule-sets) against which the CloudFormation templates should be evaluated. 
+
+- [Checkov](https://www.checkov.io/): 
+Checkov is another policy-as-code security evaluation tool which has over 1000 built in policies that covers security and compliance best practices for AWS
+
+If you need to configure it, add this information to `source/cdk.json`.
+
+```
+"securityScanTool": {
+    "name": "<Security scan tool name. Valid values are CfnNag, CfnGuard, Checkov>",
+    "cfnGuardManagedRuleSets": [(This is optional and only applicable if the name property is 'CfnGuard'. If not specified it defaults to 'wa-Security-Pillar' and 'wa-Reliability-Pillar'). A list of AWS managed rule sets against which the security posture of CloudFormation template needs to be evaluated.]
+}
+```
+
+Example securityScanTool configuration:
+
+```
+"securityScanTool": {
+    "name": "CfnGuard",
+    "cfnGuardManagedRuleSets": [ "wa-Security-Pillar" ]
+}
+```
+
+
 ### Build and deploy
 
 1. Clone the solution source code from the GitHub repository.

source/.eslintrc.js

@@ -18,7 +18,7 @@ module.exports = {
         tsconfigRootDir: __dirname,
         project: ['./tsconfig.json'],
     },
-    plugins: ['@typescript-eslint', 'header'],
+    plugins: ['@typescript-eslint', 'header', 'import'],
     rules: {
         'header/header': [2, path.join(__dirname, 'LicenseHeader.txt')],
 
@@ -35,7 +35,7 @@ module.exports = {
             { selector: 'typeLike', format: ['PascalCase'] },
         ],
         '@typescript-eslint/no-confusing-void-expression': ['error'],
-        '@typescript-eslint/no-duplicate-imports': ['error'],
+        'import/no-duplicates': ['error'],
         '@typescript-eslint/no-empty-interface': ['warn'],
         '@typescript-eslint/no-inferrable-types': ['warn'],
         '@typescript-eslint/no-invalid-void-type': ['error'],

source/bin/blueprint-service-infra.ts

@@ -58,6 +58,15 @@ if (githubConfig && !githubConfig.githubOrganization) {
     throw new Error('githubConfig is missing GitHubOrganization');
 }
 
+// Validate securityScanTool config input, if not provided, use CfnNag as default
+const supportedScanningTools = ['CfnNag', 'CfnGuard', 'Checkov'];
+let securityScanTool = app.node.tryGetContext('securityScanTool');
+securityScanTool = securityScanTool ?? { name: 'CfnNag' };
+
+if (!supportedScanningTools.includes(securityScanTool.name)) {
+    throw new Error(`Unsupported security scanning tool: ${securityScanTool.name}`);
+}
+
 const stackName = 'ApoStack';
 
 const blueprintStack = new BlueprintStack(app, {
@@ -77,6 +86,7 @@ const blueprintStack = new BlueprintStack(app, {
     wafInfo,
     removalPolicy,
     logLevel,
+    securityScanTool,
 });
 
 Aspects.of(app).add(new AwsSolutionsChecks());
@@ -89,7 +99,7 @@ Aspects.of(app).add(
         solutionName,
         applicationType: 'AWS-Solutions',
         applicationName: 'Application-Pattern-Orchestrator-on-AWS',
-    })
+    }),
 );
 
 // CFk Nag suppression for UpdateBlueprintInfrastructureProjectRole default policy
@@ -102,7 +112,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'The IAM permission has wildcard attached as suffix to specific permission.',
         },
     ],
-    true
+    true,
 );
 
 // CFk Nag suppression for BlueprintArtifactsApiRole default policy
@@ -115,7 +125,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'The IAM permission has wildcard attached as suffix to specific permission.',
         },
     ],
-    true
+    true,
 );
 
 // CFk Nag suppression for CDKBucketDeployment service role
@@ -128,7 +138,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'Needs managed policy AWSLambdaBasicExecutionRole',
         },
     ],
-    true
+    true,
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -139,7 +149,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'The IAM permission has wildcard attached as suffix to specific permission.',
         },
     ],
-    true
+    true,
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -150,7 +160,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'Needs managed policy AWSLambdaBasicExecutionRole',
         },
     ],
-    true
+    true,
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -161,7 +171,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'The IAM permission has wildcard attached as suffix to specific permission.',
         },
     ],
-    true
+    true,
 );
 
 // CFk Nag suppression for LogRetention default policy
@@ -174,7 +184,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'Needs managed policy AWSLambdaBasicExecutionRole.',
         },
     ],
-    true
+    true,
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -185,7 +195,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'Autogenerated by CDK.',
         },
     ],
-    true
+    true,
 );
 
 // CFk Nag suppression for UpdateBlueprintInfraStatusLambda default policy
@@ -198,7 +208,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'The IAM permission has wildcard attached as suffix to specific permission.',
         },
     ],
-    true
+    true,
 );
 
 // CDK Nag CloudFront Distribution Suppression
@@ -219,7 +229,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             reason: 'This is subject to customer and it uses Cloudfront certificates',
         },
     ],
-    true
+    true,
 );
 
 // CDK Nag API Gateway suppressions
@@ -235,7 +245,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -249,7 +259,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -263,7 +273,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -277,7 +287,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -291,7 +301,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -305,7 +315,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -319,7 +329,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -333,7 +343,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -347,7 +357,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 NagSuppressions.addResourceSuppressionsByPath(
     blueprintStack,
@@ -361,7 +371,7 @@ NagSuppressions.addResourceSuppressionsByPath(
             id: 'AwsSolutions-COG4',
             reason: 'API Gateway OPTIONS method is created implicitly by CDK',
         },
-    ]
+    ],
 );
 
 // CfnNag suppressions

source/blueprint-infrastructure/.eslintrc.js

@@ -18,7 +18,7 @@ module.exports = {
         tsconfigRootDir: __dirname,
         project: ['./tsconfig.json'],
     },
-    plugins: ['@typescript-eslint', 'header'],
+    plugins: ['@typescript-eslint', 'header', 'import'],
     rules: {
         'header/header': [2, path.join(__dirname, 'LicenseHeader.txt')],
 
@@ -35,7 +35,7 @@ module.exports = {
             { selector: 'typeLike', format: ['PascalCase'] },
         ],
         '@typescript-eslint/no-confusing-void-expression': ['error'],
-        '@typescript-eslint/no-duplicate-imports': ['error'],
+        'import/no-duplicates': ['error'],
         '@typescript-eslint/no-empty-interface': ['warn'],
         '@typescript-eslint/no-inferrable-types': ['warn'],
         '@typescript-eslint/no-invalid-void-type': ['error'],

source/blueprint-infrastructure/bin/blueprint-infrastructure.ts

@@ -32,7 +32,7 @@ const blueprintId: string = app.node.tryGetContext('blueprintId');
 const blueprintType: BlueprintType = app.node.tryGetContext('blueprintType');
 
 const blueprintInfrastructureSharedConfigJson = app.node.tryGetContext(
-    'blueprintInfrastructureSharedConfigJson'
+    'blueprintInfrastructureSharedConfigJson',
 );
 
 const repositoryName = app.node.tryGetContext('repositoryName');
@@ -65,7 +65,7 @@ if (githubConnectionArn && githubRepositoryOwner) {
 const infraStack = new BlueprintInfrastructureStack(
     app,
     `BlueprintInfrastructureStack${blueprintId}`,
-    blueprintInfraStackProps
+    blueprintInfraStackProps,
 );
 Aspects.of(infraStack).add(new CfnNagCustomResourceSuppressionAspect());
 Aspects.of(infraStack).add(new CfnNagServiceRoleDefaultPolicyResourceSuppressionAspect());

source/blueprint-infrastructure/lambda/codepipeline/blueprint/common.ts

@@ -17,7 +17,7 @@ import { DynamoDBDocumentClient, GetCommand } from '@aws-sdk/lib-dynamodb';
 
 export async function getPatternById(
     ddbDocClient: DynamoDBDocumentClient,
-    patternId: string
+    patternId: string,
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
 ): Promise<Record<string, any> | undefined> {
     const params = {