report nag errors

apps/tests/aws-runtime-cdk/eventual.json

@@ -0,0 +1,5 @@
+{
+  "projectType": "aws-cdk",
+  "synth": "npx cdk synth --app \"ts-node --esm ./src/app.mts\"",
+  "deploy": "../aws-runtime/scripts/deploy"
+}

apps/tests/aws-runtime-cdk/package.json

@@ -5,11 +5,13 @@
   "version": "0.0.0",
   "main": "lib/index.js",
   "scripts": {
-    "cdk": "cdk"
+    "cdk": "cdk",
+    "nag": "ts-node-esm ./scripts/report-violations.ts"
   },
   "dependencies": {
     "@aws-cdk/aws-apigatewayv2-alpha": "^2.80.0-alpha.0",
     "aws-cdk-lib": "2.80.0",
+    "cdk-nag": "^2.27.164",
     "constructs": "10.1.154"
   },
   "devDependencies": {

apps/tests/aws-runtime-cdk/scripts/report-violations.ts

@@ -0,0 +1,45 @@
+import hipaa from "../cdk.out/HIPAA.Security-eventual-tests-NagReport.json" assert { type: "json" };
+import awsSolutions from "../cdk.out/HIPAA.Security-eventual-tests-NagReport.json" assert { type: "json" };
+
+type Report = typeof hipaa | typeof awsSolutions;
+
+report(hipaa);
+report(awsSolutions);
+
+function report(report: Report) {
+  const nonCompliant = report.lines.filter(
+    (line) => line.compliance === "Non-Compliant"
+  );
+  type Violation = (typeof nonCompliant)[number];
+
+  const byResource = nonCompliant.reduce<{
+    [resourceID: string]: Violation[];
+  }>((resources, line) => {
+    resources[line.resourceId] = resources[line.resourceId] ?? [];
+    resources[line.resourceId]!.push(line);
+    return resources;
+  }, {});
+
+  const resourceIDs = Object.keys(byResource).sort();
+  for (const resourceID of resourceIDs) {
+    console.log(
+      `# ${resourceID
+        .replace("eventual-tests/testService", "")
+        .replace("eventual-tests/", "")}`
+    );
+    printErrors(byResource[resourceID]!);
+  }
+
+  // printErrors(nonCompliant);
+
+  function printErrors(error: Violation[]) {
+    const uniqueErrors = Array.from(
+      new Set(error.map((line) => format(line.ruleInfo)))
+    );
+    console.log(uniqueErrors.sort().join("\n"));
+  }
+
+  function format(line: string) {
+    return `- [ ] ${line.replace(/- \(Control.*/g, "")}`;
+  }
+}

apps/tests/aws-runtime-cdk/src/app.mts

@@ -13,10 +13,17 @@ import {
 } from "aws-cdk-lib/aws-iam";
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Queue } from "aws-cdk-lib/aws-sqs";
-import { Duration } from "aws-cdk-lib/core";
+import { Aspects, Duration } from "aws-cdk-lib/core";
 import { createRequire as topLevelCreateRequire } from "module";
 import path from "path";
 import { ChaosExtension } from "./chaos-extension.js";
+import {
+  AwsSolutionsChecks,
+  HIPAASecurityChecks,
+  NagReportFormat,
+  NagPack,
+  NagPackProps,
+} from "cdk-nag";
 
 import type * as testServiceRuntime from "tests-runtime";
 
@@ -33,6 +40,23 @@ if (!assumeRoleArn) {
 
 const app = new App();
 
+// these run linting rules on the CDK code and should all pass to enforce compliance
+enableNagPack(AwsSolutionsChecks);
+enableNagPack(HIPAASecurityChecks);
+function enableNagPack<P extends NagPackProps>(
+  Pack: new (props: P) => NagPack,
+  props?: P
+) {
+  Aspects.of(app).add(
+    new Pack({
+      reports: true,
+      reportFormats: [NagReportFormat.CSV, NagReportFormat.JSON],
+      verbose: true,
+      ...props,
+    } as P)
+  );
+}
+
 const stack = new Stack(app, "eventual-tests");
 
 const role = new Role(stack, "testRole", {

package.json

@@ -25,6 +25,7 @@
     "test:local": "pnpm -r --filter tests-runtime run test:local-start",
     "typecheck": "tsc -b",
     "watch": "tsc -b -w",
+    "nag": "pnpm --filter tests-cdk run nag",
     "export": "turbo run export"
   },
   "devDependencies": {

packages/@eventual/aws-cdk/src/command-service.ts

@@ -162,19 +162,13 @@ export class CommandService<Service = any> {
       "Commands"
     );
 
+    this.integrationRole = new Role(commandsSystemScope, "IntegrationRole", {
+      assumedBy: new ServicePrincipal("apigateway.amazonaws.com"),
+    });
+
     // Service => Commands
     const commandsScope = new Construct(props.serviceScope, "Commands");
 
-    const policies = new ManagedPolicies(
-      commandsSystemScope,
-      "Policies",
-      props
-    );
-    this.invokeHttpServicePolicy = policies.createManagedPolicy(
-      "invoke-http-service-policy"
-    );
-    this.grantInvokeHttpServiceApiInline(this.invokeHttpServicePolicy);
-
     this.serviceCommands = synthesizeAPI(
       commandsScope,
       [...this.props.build.commands, this.props.build.commandDefault].map(
@@ -208,10 +202,26 @@ export class CommandService<Service = any> {
       this.configureSystemCommandHandler();
     });
 
-    this.integrationRole = new Role(commandsSystemScope, "IntegrationRole", {
-      assumedBy: new ServicePrincipal("apigateway.amazonaws.com"),
+    this.specification = createSpecification();
+
+    // Service => Gateway
+    this.gateway = new SpecHttpApi(props.serviceScope, "Gateway", {
+      apiDefinition: ApiDefinition.fromInline(this.specification),
+      ...props.apiOverrides,
     });
 
+    const policies = new ManagedPolicies(
+      commandsSystemScope,
+      "Policies",
+      props
+    );
+    this.invokeHttpServicePolicy = policies.createManagedPolicy(
+      "invoke-http-service-policy"
+    );
+    this.grantInvokeHttpServiceApiInline(
+      this.invokeHttpServicePolicy.grantPrincipal
+    );
+
     policies.createManagedPolicy("integration-policy", {
       description:
         "Allows API Gateway to invoke the service's Lambda Functions",
@@ -231,14 +241,6 @@ export class CommandService<Service = any> {
       ],
     });
 
-    this.specification = createSpecification();
-
-    // Service => Gateway
-    this.gateway = new SpecHttpApi(props.serviceScope, "Gateway", {
-      apiDefinition: ApiDefinition.fromInline(this.specification),
-      ...props.apiOverrides,
-    });
-
     this.gateway.node.addDependency(this.integrationRole);
 
     this.finalize();
@@ -447,9 +449,10 @@ export class CommandService<Service = any> {
 
   @grant()
   public grantInvokeHttpServiceApiInline(grantable: IGrantable) {
-    grantable.grantPrincipal.addToPrincipalPolicy(
+    const result = grantable.grantPrincipal.addToPrincipalPolicy(
       this.executeApiPolicyStatement()
     );
+    return result;
   }
 
   private executeApiPolicyStatement() {

packages/@eventual/aws-cdk/src/entity-service.ts

@@ -97,7 +97,7 @@ export class EntityService<Service> {
   public readonly transactions: ServiceTransactions<Service>;
   public readonly transactionWorker?: Function;
 
-  private readonly invokeTransactionsPolicy: ManagedPolicy;
+  private readonly invokeTransactionsPolicy: ManagedPolicy | undefined;
   private readonly readWritePolicy: ManagedPolicy;
 
   constructor(private props: EntityServiceProps<Service>) {
@@ -107,6 +107,26 @@ export class EntityService<Service> {
       "EntityService"
     );
 
+    const policies = new ManagedPolicies(
+      entityServiceConstruct,
+      "Policies",
+      props
+    );
+    if (this.transactionWorker) {
+      this.invokeTransactionsPolicy = policies.createManagedPolicy(
+        "invoke-transactions-policy",
+        {
+          description:
+            "Allows the service to invoke the Entity Transaction worker",
+        }
+      );
+      this.grantInvokeTransactionsInline(this.invokeTransactionsPolicy);
+    }
+    this.readWritePolicy = policies.createManagedPolicy("read-write-data", {
+      description: "Allows access to read/write entity data stored in DynamoDB",
+    });
+    this.grantReadWriteEntityTablesInline(this.readWritePolicy);
+
     this.entities = Object.fromEntries(
       props.build.entities.entities.map((d) => [
         d.name,
@@ -153,24 +173,6 @@ export class EntityService<Service> {
         this.transactionWorker
       );
     }
-
-    const policies = new ManagedPolicies(
-      entityServiceConstruct,
-      "Policies",
-      props
-    );
-    this.invokeTransactionsPolicy = policies.createManagedPolicy(
-      "invoke-http-service-policy",
-      {
-        description:
-          "Allows the service to invoke the Entity Transaction worker",
-      }
-    );
-    this.grantInvokeTransactionsInline(this.invokeTransactionsPolicy);
-    this.readWritePolicy = policies.createManagedPolicy("read-write-data", {
-      description: "Allows access to read/write entity data stored in DynamoDB",
-    });
-    this.grantReadWriteEntityTablesInline(this.readWritePolicy);
   }
 
   public configureReadWriteEntityTable(func: Function) {
@@ -221,7 +223,9 @@ export class EntityService<Service> {
   }
 
   public grantInvokeTransactions(grantee: IGrantable) {
-    attachPolicy(grantee, this.invokeTransactionsPolicy);
+    if (this.invokeTransactionsPolicy) {
+      attachPolicy(grantee, this.invokeTransactionsPolicy);
+    }
   }
 
   public grantInvokeTransactionsInline(grantee: IGrantable) {