Chore: [AEA-0000] - fix adding cfn guard suppressions to not overwrite all of metadata (#492)

## Summary

- Routine Change

### Details

- fix adding cfn guard supressions to not overwrite all of metadata
- more trivy supressions

Author: anthony-nhs

.trivyignore.yaml

@@ -23,3 +23,12 @@ vulnerabilities:
   - id: CVE-2025-61729
     statement: downstream dependency for asdf/go - waiting for new asdf release
     expired_at: 2026-06-01
+  - id: CVE-2025-61726
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2025-61728
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2026-25128
+    statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release
+    expired_at: 2026-06-01

packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts

@@ -17,6 +17,7 @@ import {
 } from "aws-cdk-lib/aws-lambda"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface PythonLambdaFunctionProps {
   /**
@@ -207,15 +208,11 @@ export class PythonLambdaFunction extends Construct {
 
     // Suppress CFN guard rules for Lambda function
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     // Create policy for external services to invoke this Lambda
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {

packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts

@@ -15,6 +15,7 @@ import {NodejsFunction, NodejsFunctionProps} from "aws-cdk-lib/aws-lambda-nodejs
 import {Construct} from "constructs"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface TypescriptLambdaFunctionProps {
   /**
@@ -231,15 +232,11 @@ export class TypescriptLambdaFunction extends Construct {
     })
 
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
       description: `execute lambda ${functionName}`,

packages/cdkConstructs/src/constructs/lambdaSharedResources.ts

@@ -13,6 +13,7 @@ import {
 } from "aws-cdk-lib/aws-iam"
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+import {addSuppressions} from "../utils/helpers"
 
 export interface SharedLambdaResourceProps {
   readonly functionName: string
@@ -65,13 +66,7 @@ export const createSharedLambdaResources = (
   })
 
   const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-  cfnlogGroup.cfnOptions.metadata = {
-    guard: {
-      SuppressedRules: [
-        "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-      ]
-    }
-  }
+  addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
 
   new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
     destinationArn: splunkDeliveryStream.streamArn,