[IT-3326] Update python version for PyPlate (#405)

AWS no longer supports python 3.6 so we need to Update the python version for the pyplate lambda * update linters * fix linter error E3045 A bucket with AccessControl set should also have OwnershipControl configured
Sage-Bionetworks · Feb 29, 2024 · db28ab8 · db28ab8
1 parent 97d320a
commit db28ab8
Show file tree

Hide file tree

Showing 10 changed files with 31 additions and 17 deletions.
diff --git a/.cfnlintrc.yaml b/.cfnlintrc.yaml
@@ -2,5 +2,7 @@ ignore_checks:
   - E1001
   - E2531
   - E3001
+  - W2001
+  - W3045
 ignore_templates:
   - templates/tags/*.json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,20 +1,20 @@
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.5.0
     hooks:
     -   id: end-of-file-fixer
     -   id: trailing-whitespace
     -   id: check-ast
 -   repo: https://github.com/adrienverge/yamllint
-    rev: v1.28.0
+    rev: v1.34.0
     hooks:
     -   id: yamllint
 -   repo: https://github.com/awslabs/cfn-python-lint
-    rev: v0.68.0
+    rev: v0.85.1
     hooks:
     -   id: cfn-python-lint
         files: templates/.*\.(json|yml|yaml)$
 -   repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.3.1
+    rev: v1.5.4
     hooks:
     -   id: remove-tabs
diff --git a/templates/Config/config.yaml b/templates/Config/config.yaml
@@ -1,13 +1,6 @@
 # From https://github.com/org-formation/org-formation-reference/blob/master/src/templates/080-aws-config-inventory/config.yml
 AWSTemplateFormatVersion: '2010-09-09'
 
-# This is an org-formation file, not a cloudformation file therefore some cfn-lint rules do not apply
-# rules reference: https://github.com/aws-cloudformation/cfn-python-lint/blob/master/docs/rules.md#rules-1
-Metadata:
-  cfn-lint:
-    config:
-      ignore_checks: [W2001]
-
 Parameters:
   resourcePrefix:
     Type: String
@@ -34,6 +27,9 @@ Resources:
         BlockPublicPolicy: true
         IgnorePublicAcls: true
         RestrictPublicBuckets: true
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       BucketEncryption:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:

diff --git a/templates/GuardDuty/guard-duty.yaml b/templates/GuardDuty/guard-duty.yaml
@@ -24,6 +24,9 @@ Resources:
     Properties:
       BucketName: !Sub '${resourcePrefix}-guardduty-finding'
       AccessControl: Private
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true

diff --git a/templates/GuardDuty/trusted-ips-bucket.yaml b/templates/GuardDuty/trusted-ips-bucket.yaml
@@ -1,11 +1,6 @@
 # From https://github.com/org-formation/org-formation-reference/tree/master/src/templates/070-guard-duty
 AWSTemplateFormatVersion: '2010-09-09'
 
-Metadata:
-  cfn-lint:
-    config:
-      ignore_checks: [W2001]
-
 Parameters:
   resourcePrefix:
     Type: String

diff --git a/templates/PyPlate/python.yaml b/templates/PyPlate/python.yaml
@@ -69,7 +69,7 @@ Resources:
               return macro_response
 
       Handler: index.handler
-      Runtime: python3.6
+      Runtime: python3.9
       Role: !GetAtt TransformExecutionRole.Arn
   TransformFunctionPermissions:
     Type: AWS::Lambda::Permission

diff --git a/templates/S3/public-bucket.yaml b/templates/S3/public-bucket.yaml
@@ -5,6 +5,9 @@ Resources:
     DeletionPolicy: Delete
     Properties:
       AccessControl: PublicRead
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
   BucketPolicy:
     Type: "AWS::S3::BucketPolicy"
     Properties:

diff --git a/templates/managed-s3Web.yaml b/templates/managed-s3Web.yaml
@@ -18,13 +18,19 @@ Resources:
     Type: 'AWS::S3::Bucket'
     Properties:
       AccessControl: LogDeliveryWrite
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       BucketName: !Join
         - '.'
         - [!Ref SubDomainName, !Ref DomainName, 'logs']
   WebsiteBucket:
     Type: AWS::S3::Bucket
     Properties:
       AccessControl: PublicRead
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       BucketName: !Join
         - '.'
         - [!Ref SubDomainName, !Ref DomainName]

diff --git a/templates/managed-s3WebCloudfront.yaml b/templates/managed-s3WebCloudfront.yaml
@@ -23,13 +23,19 @@ Resources:
     Type: 'AWS::S3::Bucket'
     Properties:
       AccessControl: LogDeliveryWrite
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       BucketName: !Join
         - '.'
         - [!Ref SubDomainName, !Ref DomainName, 'logs']
   WebsiteBucket:
     Type: AWS::S3::Bucket
     Properties:
       AccessControl: PublicRead
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       BucketName: !Join
         - '.'
         - [!Ref SubDomainName, !Ref DomainName]

diff --git a/templates/s3-redirector.yaml b/templates/s3-redirector.yaml
@@ -38,6 +38,9 @@ Resources:
     Type: AWS::S3::Bucket
     Properties:
       AccessControl: PublicRead
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
       BucketName: !Ref SourceHostName
       WebsiteConfiguration:
         IndexDocument: index.html