From db28ab835b6dce76b0f6ee4f289a1422745cd579 Mon Sep 17 00:00:00 2001 From: Khai Do <3697686+zaro0508@users.noreply.github.com> Date: Thu, 29 Feb 2024 08:31:58 -0800 Subject: [PATCH] [IT-3326] Update python version for PyPlate (#405) AWS no longer supports python 3.6 so we need to Update the python version for the pyplate lambda * update linters * fix linter error E3045 A bucket with AccessControl set should also have OwnershipControl configured --- .cfnlintrc.yaml | 2 ++ .pre-commit-config.yaml | 8 ++++---- templates/Config/config.yaml | 10 +++------- templates/GuardDuty/guard-duty.yaml | 3 +++ templates/GuardDuty/trusted-ips-bucket.yaml | 5 ----- templates/PyPlate/python.yaml | 2 +- templates/S3/public-bucket.yaml | 3 +++ templates/managed-s3Web.yaml | 6 ++++++ templates/managed-s3WebCloudfront.yaml | 6 ++++++ templates/s3-redirector.yaml | 3 +++ 10 files changed, 31 insertions(+), 17 deletions(-) diff --git a/.cfnlintrc.yaml b/.cfnlintrc.yaml index 1cfa5278..a7bfbe68 100644 --- a/.cfnlintrc.yaml +++ b/.cfnlintrc.yaml @@ -2,5 +2,7 @@ ignore_checks: - E1001 - E2531 - E3001 + - W2001 + - W3045 ignore_templates: - templates/tags/*.json diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7f077cfb..99e61c8b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,20 +1,20 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.5.0 hooks: - id: end-of-file-fixer - id: trailing-whitespace - id: check-ast - repo: https://github.com/adrienverge/yamllint - rev: v1.28.0 + rev: v1.34.0 hooks: - id: yamllint - repo: https://github.com/awslabs/cfn-python-lint - rev: v0.68.0 + rev: v0.85.1 hooks: - id: cfn-python-lint files: templates/.*\.(json|yml|yaml)$ - repo: https://github.com/Lucas-C/pre-commit-hooks - rev: v1.3.1 + rev: v1.5.4 hooks: - id: remove-tabs diff --git a/templates/Config/config.yaml b/templates/Config/config.yaml index 7d7819e8..3c7c44da 100644 --- a/templates/Config/config.yaml 
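Review bot: Adding W3045 to the repo-wide `ignore_checks` silences cfn-lint's warning that the legacy `AccessControl` canned-ACL property should be replaced by a bucket policy, which is the same property this commit now pairs with `BucketOwnerEnforced` in several templates. Because `BucketOwnerEnforced` disables ACLs, the durable fix is to delete `AccessControl` from those bucket resources and express access in an `AWS::S3::BucketPolicy`, after which the suppression is unnecessary; a global ignore only hides the templates that still need that change. W2001 (unused parameter) was previously suppressed only in the two org-formation templates via their `Metadata` blocks, and making it global means an unused parameter in any ordinary CloudFormation template will no longer be reported, so I would keep that suppression per-template rather than in `.cfnlintrc.yaml`.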
+++ b/templates/Config/config.yaml @@ -1,13 +1,6 @@ # From https://github.com/org-formation/org-formation-reference/blob/master/src/templates/080-aws-config-inventory/config.yml AWSTemplateFormatVersion: '2010-09-09' -# This is an org-formation file, not a cloudformation file therefore some cfn-lint rules do not apply -# rules reference: https://github.com/aws-cloudformation/cfn-python-lint/blob/master/docs/rules.md#rules-1 -Metadata: - cfn-lint: - config: - ignore_checks: [W2001] - Parameters: resourcePrefix: Type: String @@ -34,6 +27,9 @@ Resources: BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: diff --git a/templates/GuardDuty/guard-duty.yaml b/templates/GuardDuty/guard-duty.yaml index a967e73e..6322985f 100644 --- a/templates/GuardDuty/guard-duty.yaml +++ b/templates/GuardDuty/guard-duty.yaml @@ -24,6 +24,9 @@ Resources: Properties: BucketName: !Sub '${resourcePrefix}-guardduty-finding' AccessControl: Private + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true diff --git a/templates/GuardDuty/trusted-ips-bucket.yaml b/templates/GuardDuty/trusted-ips-bucket.yaml index cee0b88a..8b3b08e6 100644 --- a/templates/GuardDuty/trusted-ips-bucket.yaml +++ b/templates/GuardDuty/trusted-ips-bucket.yaml @@ -1,11 +1,6 @@ # From https://github.com/org-formation/org-formation-reference/tree/master/src/templates/070-guard-duty AWSTemplateFormatVersion: '2010-09-09' -Metadata: - cfn-lint: - config: - ignore_checks: [W2001] - Parameters: resourcePrefix: Type: String diff --git a/templates/PyPlate/python.yaml b/templates/PyPlate/python.yaml index 60976c71..f5bc01be 100644 --- a/templates/PyPlate/python.yaml +++ b/templates/PyPlate/python.yaml 
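Review bot: `AccessControl: Private` on the GuardDuty findings bucket becomes a no-op once the added `ObjectOwnership: BucketOwnerEnforced` disables ACLs, and it is exactly the property W3045 warns about, so the cleaner change in this hunk is to delete the `AccessControl` line rather than keep both. The `PublicAccessBlockConfiguration` that follows is what actually keeps the bucket private; the bucket policy GuardDuty needs to deliver findings, if one exists, is outside this hunk so I can't check it. The bucket resource continues past the end of the hunk.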
@@ -69,7 +69,7 @@ Resources: return macro_response Handler: index.handler - Runtime: python3.6 + Runtime: python3.9 Role: !GetAtt TransformExecutionRole.Arn TransformFunctionPermissions: Type: AWS::Lambda::Permission diff --git a/templates/S3/public-bucket.yaml b/templates/S3/public-bucket.yaml index f8cbe711..79ce3530 100644 --- a/templates/S3/public-bucket.yaml +++ b/templates/S3/public-bucket.yaml @@ -5,6 +5,9 @@ Resources: DeletionPolicy: Delete Properties: AccessControl: PublicRead + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced BucketPolicy: Type: "AWS::S3::BucketPolicy" Properties: diff --git a/templates/managed-s3Web.yaml b/templates/managed-s3Web.yaml index aa0dcf38..a34bcad9 100644 --- a/templates/managed-s3Web.yaml +++ b/templates/managed-s3Web.yaml @@ -18,6 +18,9 @@ Resources: Type: 'AWS::S3::Bucket' Properties: AccessControl: LogDeliveryWrite + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced BucketName: !Join - '.' - [!Ref SubDomainName, !Ref DomainName, 'logs'] @@ -25,6 +28,9 @@ Resources: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced BucketName: !Join - '.' - [!Ref SubDomainName, !Ref DomainName] diff --git a/templates/managed-s3WebCloudfront.yaml b/templates/managed-s3WebCloudfront.yaml index 8040f7b2..98219f7b 100644 --- a/templates/managed-s3WebCloudfront.yaml +++ b/templates/managed-s3WebCloudfront.yaml @@ -23,6 +23,9 @@ Resources: Type: 'AWS::S3::Bucket' Properties: AccessControl: LogDeliveryWrite + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced BucketName: !Join - '.' - [!Ref SubDomainName, !Ref DomainName, 'logs'] @@ -30,6 +33,9 @@ Resources: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced BucketName: !Join - '.' - [!Ref SubDomainName, !Ref DomainName] 
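Review bot: In public-bucket.yaml, `AccessControl: PublicRead` is contradicted by the added `ObjectOwnership: BucketOwnerEnforced`: per the S3 Object Ownership documentation that setting disables bucket and object ACLs, and a CreateBucket asking for a non-private canned ACL on an ACL-disabled bucket is rejected, so this stack is likely to fail on create (and if it were accepted, the ACL would grant nothing). Public read for a website bucket has to come from the `BucketPolicy` resource that follows (an `Allow` of `s3:GetObject` on the bucket's objects to `Principal: '*'`), and since new buckets now have all four Block Public Access settings on by default, that policy is refused unless the bucket explicitly sets `BlockPublicPolicy: false` and `RestrictPublicBuckets: false`. The policy document itself is outside this hunk, so I can't confirm it grants the read; remove the `AccessControl` line and add the public-access block as below.
```yaml
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      # New buckets block public access by default; the public-read bucket
      # policy below is refused unless these two are explicitly off.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    # … unchanged: Properties with the s3:GetObject statement for Principal '*' …
```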
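Review bot: In managed-s3Web.yaml, `AccessControl: LogDeliveryWrite` on the logs bucket stops doing anything once `BucketOwnerEnforced` disables ACLs (S3 may also refuse to create the bucket with that canned ACL), so server access logs from the site bucket will have no grant allowing delivery. With ACLs disabled, S3 server access logging requires a bucket policy on the target bucket that allows `s3:PutObject` to the `logging.s3.amazonaws.com` service principal, conditioned on `aws:SourceAccount` (and preferably an `aws:SourceArn` naming the source bucket) so another account's bucket can't write logs into it. The second hunk's `PublicRead` site bucket has the same ACL conflict and needs a public-read bucket policy plus `BlockPublicPolicy`/`RestrictPublicBuckets` set to false instead. Drop both `AccessControl` lines and add a policy for the logs bucket such as the one below; the site bucket's `LoggingConfiguration` is outside these hunks, so I can't confirm it targets this bucket.
```yaml
  # … unchanged: logs bucket resource, minus the AccessControl: LogDeliveryWrite line …
  LogsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      # Prefer !Ref <logs bucket logical ID> here so CloudFormation orders creation.
      Bucket: !Join ['.', [!Ref SubDomainName, !Ref DomainName, 'logs']]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: S3ServerAccessLogDelivery
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Join ['', ['arn:aws:s3:::', !Ref SubDomainName, '.', !Ref DomainName, '.logs/*']]
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Join ['', ['arn:aws:s3:::', !Ref SubDomainName, '.', !Ref DomainName]]
```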
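Review bot: In managed-s3WebCloudfront.yaml both buckets have the same ACL conflict as in managed-s3Web.yaml (`LogDeliveryWrite` and `PublicRead` are disabled, and may be rejected at create time, once `BucketOwnerEnforced` is set), but for this template the site bucket should probably not be made public again via policy at all. Assuming a CloudFront distribution in this file fronts the bucket as an S3 origin (the distribution is outside these hunks, so I can't verify), the replacement for `PublicRead` is an origin access control plus a bucket policy that allows `s3:GetObject` only to `cloudfront.amazonaws.com` conditioned on the distribution's ARN, keeping all four Block Public Access settings on; if the distribution instead uses the S3 website endpoint as a custom origin, OAC isn't available and the public-read policy from the other template applies. Drop the two `AccessControl` lines, give the logs bucket the `logging.s3.amazonaws.com` policy, and for the OAC case add a statement like the one below.
```yaml
  # … unchanged: site bucket resource, minus the AccessControl: PublicRead line …
  SiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Join ['.', [!Ref SubDomainName, !Ref DomainName]]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudFrontServicePrincipalReadOnly
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Join ['', ['arn:aws:s3:::', !Ref SubDomainName, '.', !Ref DomainName, '/*']]
            Condition:
              StringEquals:
                # DistributionLogicalId: the AWS::CloudFront::Distribution in this template
                AWS:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${DistributionLogicalId}'
```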
diff --git a/templates/s3-redirector.yaml b/templates/s3-redirector.yaml index 4445678e..ca5741d4 100644 --- a/templates/s3-redirector.yaml +++ b/templates/s3-redirector.yaml @@ -38,6 +38,9 @@ Resources: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced BucketName: !Ref SourceHostName WebsiteConfiguration: IndexDocument: index.html
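Review bot: `AccessControl: PublicRead` conflicts with the added `ObjectOwnership: BucketOwnerEnforced` in the same way as in the other website templates: ACLs are disabled under that setting and S3 rejects a non-private canned ACL on an ACL-disabled bucket, so the redirector bucket is likely to fail to create. Because the bucket serves `index.html` through the website endpoint, it still needs public read, which now has to be a bucket policy granting `s3:GetObject` on the bucket's objects to `Principal: '*'`, together with `BlockPublicPolicy: false` and `RestrictPublicBuckets: false` in a `PublicAccessBlockConfiguration` (new buckets block public policies by default). Whether this template already carries such a policy is outside the hunk; remove the `AccessControl` line and add the block below if not.
```yaml
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      # Required so a public-read bucket policy is accepted on a new bucket.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
      BucketName: !Ref SourceHostName
      # … unchanged: WebsiteConfiguration …
```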