Fix: [AEA-4348] - set up cfn guard (#162)

## Summary

- Routine Change

### Details

- set up cfn_guard

---------

Co-authored-by: Kris Szlapa <kris.szlapa1@nhs.net>
Co-authored-by: Adam Brown <adam.brown41@nhs.net>

Author: 3 people

.github/workflows/quality_checks.yml

@@ -52,6 +52,20 @@ jobs:
       - name: run lint
         run: make lint
 
+      - name: Run cfn-guard
+        run: make cfn-guard
+  
+      - name: show cfn-guard output
+        if: failure()
+        run: find cfn_guard_output -type f -print0 | xargs -0 cat
+  
+      - uses: actions/upload-artifact@v4
+        name: upload cfn_guard_output
+        if: failure()
+        with:
+          name: cfn_guard_output
+          path: cfn_guard_output
+
       - name: run tests and Sonar scan
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any

.gitignore

@@ -42,3 +42,4 @@ node_modules/
 .jekyll-cache
 .jekyll-metadata
 vendor
+cfn_guard_output/

Makefile

@@ -108,3 +108,6 @@ aws-configure:
 
 aws-login:
 	aws sso login --sso-session sso-session
+
+cfn-guard:
+	./scripts/run_cfn_guard.sh

README.md

@@ -185,6 +185,8 @@ These are used to do common commands
 - `lint-githubactions` runs lint for github actions
 - `lint-githubactions-scriptns` runs lint for github actions scripts
 - `test` runs unit tests for all code
+- `cfn-guard` runs cfn-guard for sam and cloudformation templates
+
 
 #### Compiling
 

SAMtemplates/lambda_resources.yaml

@@ -109,6 +109,10 @@ Resources:
 
   LambdaLogGroup:
     Type: "AWS::Logs::LogGroup"
+    Metadata:
+      guard:
+        SuppressedRules:
+          - CW_LOGGROUP_RETENTION_PERIOD_CHECK
     Properties:
       LogGroupName: !Sub "/aws/lambda/${LambdaName}"
       RetentionInDays: !Ref LogRetentionDays

SAMtemplates/main_template.yaml

@@ -75,6 +75,12 @@ Resources:
           AWS_LAMBDA_LOG_LEVEL: !Ref LogLevel
           POWERTOOLS_LOG_LEVEL: !Ref LogLevel
           PROFILE_MANIFEST_FILE: uk_core.manifest.json
+    Metadata:
+      guard:
+        SuppressedRules:
+          - LAMBDA_DLQ_CHECK
+          - LAMBDA_INSIDE_VPC
+          - LAMBDA_CONCURRENCY_CHECK
 
 Outputs:
   FHIRValidatorUKCoreLambdaName:

scripts/run_cfn_guard.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+rm -rf /tmp/ruleset
+rm -rf cfn_guard_output
+
+wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip  >/dev/null 2>&1
+unzip /tmp/ruleset.zip -d /tmp/ruleset/  >/dev/null 2>&1 
+
+curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1
+
+mkdir -p cfn_guard_output
+
+declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
+for ruleset in "${rulesets[@]}"
+    do
+
+    while IFS= read -r -d '' file
+    do
+        echo "checking SAM template $file with ruleset $ruleset"
+        mkdir -p "$(dirname cfn_guard_output/"$file")"
+
+        # transform the SAM template to cloudformation and then run through cfn-guard
+        SAM_OUPUT=$(sam validate -t "$file" --region eu-west-2 --debug 2>&1 | \
+            grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0')
+        echo "${SAM_OUPUT::-1}" | ~/.guard/bin/cfn-guard validate \
+            --rules "/tmp/ruleset/output/$ruleset.guard" \
+            --show-summary fail \
+            > "cfn_guard_output/${file}_${ruleset}.txt"
+
+    done <   <(find ./SAMtemplates -name '*.y*ml' -print0)
+
+done
+
+rm -rf /tmp/ruleset