
Commit 18db8c4

authored
Chore: [AEA-0000] - fix adding cfn guard suppressions to not overwrite all of metadata (#492)
## Summary - Routine Change ### Details - fix adding cfn guard suppressions to not overwrite all of metadata - more trivy suppressions
1 parent c6b5b7e commit 18db8c4

4 files changed

Lines changed: 23 additions & 25 deletions


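--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -23,3 +23,12 @@ vulnerabilities:
 - id: CVE-2025-61729
 statement: downstream dependency for asdf/go - waiting for new asdf release
 expired_at: 2026-06-01
+- id: CVE-2025-61726
+statement: downstream dependency for asdf/go - waiting for new asdf release
+expired_at: 2026-06-01
+- id: CVE-2025-61728
+statement: downstream dependency for asdf/go - waiting for new asdf release
+expired_at: 2026-06-01
+- id: CVE-2026-25128
+statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release
+expired_at: 2026-06-01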
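Review bot: The three new entries at the end of the hunk carry the same free-text statement and the same expiry as the existing CVE-2025-61729 entry but no pointer to the upstream fix (the asdf or aws-sdk release, or a tracking issue), so when 2026-06-01 arrives the file alone does not show whether the dependency has actually moved on. Adding a reference to each statement, e.g. `statement: downstream dependency for asdf/go - waiting for new asdf release (tracking: <issue or release link>)`, keeps the ignore auditable. The fast-xml-parser entry depends on a different upstream than the asdf ones, so it may deserve its own expiry rather than sharing the same date; that is a judgement call, but worth making explicit.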

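--- a/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
+++ b/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
@@ -17,6 +17,7 @@ import {
 } from "aws-cdk-lib/aws-lambda"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface PythonLambdaFunctionProps {
 /**
@@ -207,15 +208,11 @@ export class PythonLambdaFunction extends Construct {
 
 // Suppress CFN guard rules for Lambda function
 const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-cfnLambda.cfnOptions.metadata = {
-guard: {
-SuppressedRules: [
-"LAMBDA_DLQ_CHECK",
-"LAMBDA_INSIDE_VPC",
-"LAMBDA_CONCURRENCY_CHECK"
-]
-}
-}
+addSuppressions([cfnLambda], [
+"LAMBDA_DLQ_CHECK",
+"LAMBDA_INSIDE_VPC",
+"LAMBDA_CONCURRENCY_CHECK"
+])
 
 // Create policy for external services to invoke this Lambda
 const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {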
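Review bot: The new `addSuppressions([cfnLambda], [...])` call replaces a direct assignment to `cfnOptions.metadata`, but `addSuppressions` comes from `../utils/helpers`, which is not among the four files in this commit, so the hunk alone does not show whether it merges into an already-present `guard.SuppressedRules` list or only preserves sibling keys of `metadata`; the "not overwrite all of metadata" fix in the title depends on which of those it does. Once confirmed against the helper, the contract is worth stating at the call site, e.g. `// addSuppressions merges guard.SuppressedRules into existing cfnOptions.metadata instead of replacing it`. The same applies to the equivalent calls in TypescriptLambdaFunction.ts and lambdaSharedResources.ts. The constructor body continues outside the hunk.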

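--- a/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
+++ b/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
@@ -15,6 +15,7 @@ import {NodejsFunction, NodejsFunctionProps} from "aws-cdk-lib/aws-lambda-nodejs
 import {Construct} from "constructs"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface TypescriptLambdaFunctionProps {
 /**
@@ -231,15 +232,11 @@ export class TypescriptLambdaFunction extends Construct {
 })
 
 const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-cfnLambda.cfnOptions.metadata = {
-guard: {
-SuppressedRules: [
-"LAMBDA_DLQ_CHECK",
-"LAMBDA_INSIDE_VPC",
-"LAMBDA_CONCURRENCY_CHECK"
-]
-}
-}
+addSuppressions([cfnLambda], [
+"LAMBDA_DLQ_CHECK",
+"LAMBDA_INSIDE_VPC",
+"LAMBDA_CONCURRENCY_CHECK"
+])
 
 const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
 description: `execute lambda ${functionName}`,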
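Review bot: The three rule names passed to `addSuppressions` in the second hunk are the same literals as in PythonLambdaFunction.ts, so the two constructs can drift apart silently if one list is edited and the other is not; hoisting them into one exported constant, for example `export const LAMBDA_GUARD_SUPPRESSED_RULES = ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK"] as const` in lambdaSharedResources.ts, leaves a single place to review which guard checks are being waived for every Lambda. Unlike the Python construct, this call site has no comment saying these are CFN guard suppressions or why each is acceptable (presumably no DLQ, no VPC attachment and no reserved concurrency by design); a one-line comment recording that accepted risk would help the next reader. The constructor body continues outside the hunk.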

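--- a/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
+++ b/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
@@ -13,6 +13,7 @@ import {
 } from "aws-cdk-lib/aws-iam"
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+import {addSuppressions} from "../utils/helpers"
 
 export interface SharedLambdaResourceProps {
 readonly functionName: string
@@ -65,13 +66,7 @@ export const createSharedLambdaResources = (
 })
 
 const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-cfnlogGroup.cfnOptions.metadata = {
-guard: {
-SuppressedRules: [
-"CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-]
-}
-}
+addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
 
 new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
 destinationArn: splunkDeliveryStream.streamArn,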
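Review bot: The `CW_LOGGROUP_RETENTION_PERIOD_CHECK` suppression on the new `addSuppressions([cfnlogGroup], ...)` line carries no rationale at the call site, while the file's cdk-nag suppressions (it imports `NagSuppressions`) are the kind that record a reason; waiving a retention control without one makes the exception hard to audit later. A short comment such as `// guard: retention-period check suppressed because <reason — fill in>` placed above the call would close that gap; if the log group does set a retention and the rule fires for another reason, say so instead. `createSharedLambdaResources` starts before the hunk and continues after it.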
