From de300279daa076dde8c6fb65fe8df59753117a01 Mon Sep 17 00:00:00 2001 From: Santiago Garcia Arango Date: Sat, 16 Sep 2023 11:16:58 -0500 Subject: [PATCH 1/9] Add initial sample of checkov action --- .github/workflows/deploy.yml | 109 +++++++++++++++++++++++++++++++++-- pyproject.toml | 2 + 2 files changed, 106 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7b06ab2..fe46671 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -9,18 +9,36 @@ env: AWS_DEFAULT_OUTPUT: json jobs: - deploy-cdk: - name: Deploy CDK + code-quality: + name: Check coding standards runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout steps: - uses: actions/checkout@v3 - run: echo "Job triggered by ${{ github.event_name }} event." - run: echo "Job running on a ${{ runner.os }} server hosted by GitHub." - run: echo "Branch name is ${{ github.ref }} and repository is ${{ github.repository }}." + - uses: actions/setup-python@v4 + with: + python-version: 3.11 + - name: Install Poetry + uses: snok/install-poetry@v1 + with: + virtualenvs-create: true + virtualenvs-in-project: true + installer-parallel: true + - name: Install Poetry dependencies + run: poetry install --no-interaction + - name: Check code formatting + run: poetry run poe black-check + cdk-synth: + name: CDK Synth + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with: python-version: 3.11 
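Review bot: The new `code-quality` job declares no `permissions:` block, so its GITHUB_TOKEN carries the repository's default scopes while the job runs the third-party `snok/install-poetry@v1`, which is referenced only by a mutable tag; give the job `permissions:` / `  contents: read` as `cdk-synth` does later in the same hunk, and pin the action to a full commit SHA (`uses: snok/install-poetry@<full-commit-sha>  # v1`), ideally the `actions/*` references as well. `python-version: 3.11` is an unquoted float and a later value such as 3.10 would be read as 3.1; write `python-version: "3.11"` here and in the `cdk-synth` job below it. The `jobs:` mapping continues past the end of the hunk.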
@@ -69,6 +87,87 @@ jobs: source .venv/bin/activate cdk synth + - name: Archive CDK Synth results + uses: actions/upload-artifact@v3 + with: + name: cdk-synth-folder + path: ./cdk.out + + iac-checkov: + name: IaC Checkov Validations + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Dowload CDK Synth results + uses: actions/download-artifact@v3 + with: + name: cdk-synth-folder + path: ./cdk.out + + - name: Run Checkov action + id: checkov + uses: bridgecrewio/checkov-action@12 + with: + directory: .cdk.out/ + framework: cloudformation + soft_fail: true # optional: do not return an error code if there are failed checks + skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list + quiet: true # optional: display only failed checks + log_level: WARNING # optional: set log level. Default WARNING + + cdk-deploy: + name: Deploy CDK + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/main' + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + with: + python-version: 3.11 + + - name: Install Poetry + uses: snok/install-poetry@v1 + with: + virtualenvs-create: true + virtualenvs-in-project: true + installer-parallel: true + + - name: Install Poetry dependencies + run: poetry install --no-interaction + + - name: Set up NodeJs + uses: actions/setup-node@v3 + with: + node-version: "20" + + - name: Install CDK + run: | + npm install -g aws-cdk + + # # MY OLD AUTH CONFIG (NOW WITH GITHUB OIDC TOKEN) + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@master + # with: + # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} + # aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} + # aws-region: "us-east-1" + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ env.AWS_DEFAULT_REGION }} 
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: myGitHubActions + + # Sample STS get caller identity for tests + - name: sts get-caller-identity + run: | + aws sts get-caller-identity + # NOTE: for now no manual approvals are required - name: Deploy to AWS run: | diff --git a/pyproject.toml b/pyproject.toml index 44459a1..53d900d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -38,6 +38,8 @@ local-fastapi = "uvicorn src.lambdas.api.main:app --reload" test-unit = ["_make","_test_unit", "_coverage_html"] test-unit-lambdas = ["_test_unit_lambdas", "_coverage_html"] test-unit-cdk = ["_make","_test_unit_cdk", "_coverage_html"] +black-format = "black ." +black-check = "black . --check --diff -v" _make = "make all" _test_unit = "coverage run -m pytest tests/unit" _test_unit_lambdas = "coverage run -m pytest tests/unit/lambdas" From 9f55bf3b1ee74abb2d9e6a24ecac29a6b7eb5a4a Mon Sep 17 00:00:00 2001 From: Santiago Garcia Arango Date: Sat, 16 Sep 2023 11:21:14 -0500 Subject: [PATCH 2/9] Fix cicd refs, add black formater and updated job dependencies --- .github/workflows/deploy.yml | 5 +- poetry.lock | 173 +++++++++++++++++++++++++++++++++-- pyproject.toml | 1 + 3 files changed, 171 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index fe46671..6368193 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -34,6 +34,7 @@ jobs: cdk-synth: name: CDK Synth runs-on: ubuntu-latest + needs: code-quality permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout @@ -96,6 +97,7 @@ jobs: iac-checkov: name: IaC Checkov Validations runs-on: ubuntu-latest + needs: cdk-synth steps: - uses: actions/checkout@v3 
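Review bot: The new `iac-checkov` job downloads the artifact to `./cdk.out` but points Checkov at `directory: .cdk.out/`, a different (hidden) path, and with `soft_fail: true` the step would not fail on findings anyway, so the scan gates nothing; `cdk-deploy` also declares no `needs:` on it in this patch. Use `directory: ./cdk.out/` and decide explicitly whether findings should block (`soft_fail: false`). `skip_check: CKV_AWS_2` looks copied from the action's README sample; drop it or add a one-line comment stating which resource it waives and why. The `iac-checkov` job has no `permissions:` block either, so `permissions:` / `  contents: read` would keep its token as minimal as the deploy job's. The commented-out `configure-aws-credentials@master` block referencing `secrets.AWS_ACCESS_KEY` is dead code and should be deleted rather than kept as a reminder of the long-lived-key approach; the `cdk-deploy` job body continues outside the hunk.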
@@ -107,7 +109,7 @@ jobs: - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@12 + uses: bridgecrewio/checkov-action@v12 with: directory: .cdk.out/ framework: cloudformation @@ -119,6 +121,7 @@ jobs: cdk-deploy: name: Deploy CDK runs-on: ubuntu-latest + needs: iac-checkov if: github.ref == 'refs/heads/main' permissions: id-token: write # This is required for requesting the JWT diff --git a/poetry.lock b/poetry.lock index 1e02d1a..41db157 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,9 +1,10 @@ -# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand. [[package]] name = "anyio" version = "3.7.0" description = "High level compatibility layer for multiple asynchronous event loop implementations" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -25,6 +26,7 @@ trio = ["trio (<0.22)"] name = "attrs" version = "23.1.0" description = "Classes Without Boilerplate" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -43,6 +45,7 @@ tests-no-zope = ["cloudpickle", "hypothesis", "mypy (>=1.1.1)", "pympler", "pyte name = "aws-cdk-asset-awscli-v1" version = "2.2.198" description = "A library that contains the AWS CLI for use in Lambda Layers" +category = "main" optional = false python-versions = "~=3.7" files = [ @@ -59,6 +62,7 @@ typeguard = ">=2.13.3,<2.14.0" name = "aws-cdk-asset-kubectl-v20" version = "2.1.2" description = "A library that contains kubectl for use in Lambda Layers" +category = "main" optional = false python-versions = "~=3.7" files = [ @@ -75,6 +79,7 @@ typeguard = ">=2.13.3,<2.14.0" name = "aws-cdk-asset-node-proxy-agent-v5" version = "2.0.165" description = "@aws-cdk/asset-node-proxy-agent-v5" +category = "main" optional = false python-versions = "~=3.7" files = [ 
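Review bot: `needs: iac-checkov` added to `cdk-deploy` only orders the jobs; with `soft_fail: true` still set on the Checkov step (unchanged context in the `@@ -107` hunk above), the scan job succeeds whatever it finds, so the deploy is never blocked by an IaC finding. If the intent is a gate, set `soft_fail: false` and keep `continue-on-error` off that step; if the scan is meant to be advisory for now, say so in a comment next to `needs: iac-checkov` so nobody reads the edge as a control. The `cdk-deploy` job body continues outside the hunk.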
@@ -91,6 +96,7 @@ typeguard = ">=2.13.3,<2.14.0" name = "aws-cdk-lib" version = "2.83.1" description = "Version 2 of the AWS Cloud Development Kit library" +category = "main" optional = false python-versions = "~=3.7" files = [ @@ -111,6 +117,7 @@ typeguard = ">=2.13.3,<2.14.0" name = "aws-lambda-powertools" version = "2.18.0" description = "Powertools for AWS Lambda (Python) is a developer toolkit to implement Serverless best practices and increase developer velocity." +category = "dev" optional = false python-versions = ">=3.7.4,<4.0.0" files = [ @@ -135,6 +142,7 @@ validation = ["fastjsonschema (>=2.14.5,<3.0.0)"] name = "aws-xray-sdk" version = "2.12.0" description = "The AWS X-Ray SDK for Python (the SDK) enables Python developers to record and emit information from within their applications to the AWS X-Ray service." +category = "dev" optional = false python-versions = "*" files = [ 
@@ -146,10 +154,58 @@ files = [ botocore = ">=1.11.3" wrapt = "*" +[[package]] +name = "black" +version = "23.9.1" +description = "The uncompromising code formatter." +category = "main" +optional = false +python-versions = ">=3.8" +files = [ + {file = "black-23.9.1-cp310-cp310-macosx_10_16_arm64.whl", hash = "sha256:d6bc09188020c9ac2555a498949401ab35bb6bf76d4e0f8ee251694664df6301"}, + {file = "black-23.9.1-cp310-cp310-macosx_10_16_universal2.whl", hash = "sha256:13ef033794029b85dfea8032c9d3b92b42b526f1ff4bf13b2182ce4e917f5100"}, + {file = "black-23.9.1-cp310-cp310-macosx_10_16_x86_64.whl", hash = "sha256:75a2dc41b183d4872d3a500d2b9c9016e67ed95738a3624f4751a0cb4818fe71"}, + {file = "black-23.9.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:13a2e4a93bb8ca74a749b6974925c27219bb3df4d42fc45e948a5d9feb5122b7"}, + {file = "black-23.9.1-cp310-cp310-win_amd64.whl", hash = "sha256:adc3e4442eef57f99b5590b245a328aad19c99552e0bdc7f0b04db6656debd80"}, + {file = "black-23.9.1-cp311-cp311-macosx_10_16_arm64.whl", hash = "sha256:8431445bf62d2a914b541da7ab3e2b4f3bc052d2ccbf157ebad18ea126efb91f"}, + {file = "black-23.9.1-cp311-cp311-macosx_10_16_universal2.whl", hash = "sha256:8fc1ddcf83f996247505db6b715294eba56ea9372e107fd54963c7553f2b6dfe"}, + {file = "black-23.9.1-cp311-cp311-macosx_10_16_x86_64.whl", hash = "sha256:7d30ec46de88091e4316b17ae58bbbfc12b2de05e069030f6b747dfc649ad186"}, + {file = "black-23.9.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:031e8c69f3d3b09e1aa471a926a1eeb0b9071f80b17689a655f7885ac9325a6f"}, + {file = "black-23.9.1-cp311-cp311-win_amd64.whl", hash = "sha256:538efb451cd50f43aba394e9ec7ad55a37598faae3348d723b59ea8e91616300"}, + {file = "black-23.9.1-cp38-cp38-macosx_10_16_arm64.whl", hash = "sha256:638619a559280de0c2aa4d76f504891c9860bb8fa214267358f0a20f27c12948"}, + {file = "black-23.9.1-cp38-cp38-macosx_10_16_universal2.whl", hash = 
"sha256:a732b82747235e0542c03bf352c126052c0fbc458d8a239a94701175b17d4855"}, + {file = "black-23.9.1-cp38-cp38-macosx_10_16_x86_64.whl", hash = "sha256:cf3a4d00e4cdb6734b64bf23cd4341421e8953615cba6b3670453737a72ec204"}, + {file = "black-23.9.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cf99f3de8b3273a8317681d8194ea222f10e0133a24a7548c73ce44ea1679377"}, + {file = "black-23.9.1-cp38-cp38-win_amd64.whl", hash = "sha256:14f04c990259576acd093871e7e9b14918eb28f1866f91968ff5524293f9c573"}, + {file = "black-23.9.1-cp39-cp39-macosx_10_16_arm64.whl", hash = "sha256:c619f063c2d68f19b2d7270f4cf3192cb81c9ec5bc5ba02df91471d0b88c4c5c"}, + {file = "black-23.9.1-cp39-cp39-macosx_10_16_universal2.whl", hash = "sha256:6a3b50e4b93f43b34a9d3ef00d9b6728b4a722c997c99ab09102fd5efdb88325"}, + {file = "black-23.9.1-cp39-cp39-macosx_10_16_x86_64.whl", hash = "sha256:c46767e8df1b7beefb0899c4a95fb43058fa8500b6db144f4ff3ca38eb2f6393"}, + {file = "black-23.9.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:50254ebfa56aa46a9fdd5d651f9637485068a1adf42270148cd101cdf56e0ad9"}, + {file = "black-23.9.1-cp39-cp39-win_amd64.whl", hash = "sha256:403397c033adbc45c2bd41747da1f7fc7eaa44efbee256b53842470d4ac5a70f"}, + {file = "black-23.9.1-py3-none-any.whl", hash = "sha256:6ccd59584cc834b6d127628713e4b6b968e5f79572da66284532525a042549f9"}, + {file = "black-23.9.1.tar.gz", hash = "sha256:24b6b3ff5c6d9ea08a8888f6977eae858e1f340d7260cf56d70a49823236b62d"}, +] + +[package.dependencies] +click = ">=8.0.0" +mypy-extensions = ">=0.4.3" +packaging = ">=22.0" +pathspec = ">=0.9.0" +platformdirs = ">=2" +tomli = {version = ">=1.1.0", markers = "python_version < \"3.11\""} +typing-extensions = {version = ">=4.0.1", markers = "python_version < \"3.11\""} + +[package.extras] +colorama = ["colorama (>=0.4.3)"] +d = ["aiohttp (>=3.7.4)"] +jupyter = ["ipython (>=7.8.0)", "tokenize-rt (>=3.2.0)"] +uvloop = ["uvloop (>=0.15.2)"] + [[package]] name = "boto3" version = 
"1.26.160" description = "The AWS SDK for Python" +category = "dev" optional = false python-versions = ">= 3.7" files = [ @@ -169,6 +225,7 @@ crt = ["botocore[crt] (>=1.21.0,<2.0a0)"] name = "botocore" version = "1.29.160" description = "Low-level, data-driven core of boto 3." +category = "dev" optional = false python-versions = ">= 3.7" files = [ @@ -188,6 +245,7 @@ crt = ["awscrt (==0.16.9)"] name = "cattrs" version = "23.1.2" description = "Composable complex class support for attrs and dataclasses." +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -213,6 +271,7 @@ ujson = ["ujson (>=5.4.0,<6.0.0)"] name = "certifi" version = "2023.7.22" description = "Python package for providing Mozilla's CA Bundle." +category = "dev" optional = false python-versions = ">=3.6" files = [ @@ -224,6 +283,7 @@ files = [ name = "cffi" version = "1.15.1" description = "Foreign Function Interface for Python calling C code." +category = "dev" optional = false python-versions = "*" files = [ @@ -300,6 +360,7 @@ pycparser = "*" name = "charset-normalizer" version = "3.1.0" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." +category = "dev" optional = false python-versions = ">=3.7.0" files = [ @@ -384,6 +445,7 @@ files = [ name = "click" version = "8.1.3" description = "Composable command line interface toolkit" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -398,6 +460,7 @@ colorama = {version = "*", markers = "platform_system == \"Windows\""} name = "colorama" version = "0.4.6" description = "Cross-platform colored terminal text." +category = "main" optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" files = [ @@ -409,6 +472,7 @@ files = [ name = "constructs" version = "10.2.60" description = "A programming model for software-defined state" +category = "main" optional = false python-versions = "~=3.7" files = [ 
@@ -425,6 +489,7 @@ typeguard = ">=2.13.3,<2.14.0" name = "coverage" version = "7.2.7" description = "Code coverage measurement for Python" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -497,6 +562,7 @@ toml = ["tomli"] name = "cryptography" version = "41.0.3" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -542,6 +608,7 @@ test-randomorder = ["pytest-randomly"] name = "dnspython" version = "2.3.0" description = "DNS toolkit" +category = "dev" optional = false python-versions = ">=3.7,<4.0" files = [ @@ -562,6 +629,7 @@ wmi = ["wmi (>=1.5.1,<2.0.0)"] name = "email-validator" version = "2.0.0.post2" description = "A robust email address syntax and deliverability validation library." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -577,6 +645,7 @@ idna = ">=2.0.0" name = "exceptiongroup" version = "1.1.1" description = "Backport of PEP 654 (exception groups)" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -591,6 +660,7 @@ test = ["pytest (>=6)"] name = "fastapi" version = "0.98.0" description = "FastAPI framework, high performance, easy to learn, fast to code, ready for production" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -618,6 +688,7 @@ all = ["email-validator (>=1.1.1)", "httpx (>=0.23.0)", "itsdangerous (>=1.1.0)" name = "fastjsonschema" version = "2.17.1" description = "Fastest Python implementation of JSON schema" +category = "dev" optional = false python-versions = "*" files = [ @@ -632,6 +703,7 @@ devel = ["colorama", "json-spec", "jsonschema", "pylint", "pytest", "pytest-benc name = "h11" version = "0.14.0" description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1" +category = "dev" optional = false python-versions = ">=3.7" files = [ 
@@ -643,6 +715,7 @@ files = [ name = "httpcore" version = "0.17.2" description = "A minimal low-level HTTP client." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -654,16 +727,17 @@ files = [ anyio = ">=3.0,<5.0" certifi = "*" h11 = ">=0.13,<0.15" -sniffio = "==1.*" +sniffio = ">=1.0.0,<2.0.0" [package.extras] http2 = ["h2 (>=3,<5)"] -socks = ["socksio (==1.*)"] +socks = ["socksio (>=1.0.0,<2.0.0)"] [[package]] name = "httptools" version = "0.5.0" description = "A collection of framework independent HTTP protocol utils." +category = "dev" optional = false python-versions = ">=3.5.0" files = [ @@ -717,6 +791,7 @@ test = ["Cython (>=0.29.24,<0.30.0)"] name = "httpx" version = "0.24.1" description = "The next generation HTTP client." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -732,14 +807,15 @@ sniffio = "*" [package.extras] brotli = ["brotli", "brotlicffi"] -cli = ["click (==8.*)", "pygments (==2.*)", "rich (>=10,<14)"] +cli = ["click (>=8.0.0,<9.0.0)", "pygments (>=2.0.0,<3.0.0)", "rich (>=10,<14)"] http2 = ["h2 (>=3,<5)"] -socks = ["socksio (==1.*)"] +socks = ["socksio (>=1.0.0,<2.0.0)"] [[package]] name = "idna" version = "3.4" description = "Internationalized Domain Names in Applications (IDNA)" +category = "dev" optional = false python-versions = ">=3.5" files = [ @@ -751,6 +827,7 @@ files = [ name = "importlib-resources" version = "5.12.0" description = "Read resources from Python packages" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -769,6 +846,7 @@ testing = ["flake8 (<5)", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-chec name = "iniconfig" version = "2.0.0" description = "brain-dead simple config-ini parsing" +category = "dev" optional = false python-versions = ">=3.7" files = [ 
@@ -780,6 +858,7 @@ files = [ name = "itsdangerous" version = "2.1.2" description = "Safely pass data to untrusted environments and back." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -791,6 +870,7 @@ files = [ name = "jinja2" version = "3.1.2" description = "A very fast and expressive template engine." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -808,6 +888,7 @@ i18n = ["Babel (>=2.7)"] name = "jmespath" version = "1.0.1" description = "JSON Matching Expressions" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -819,6 +900,7 @@ files = [ name = "jsii" version = "1.84.0" description = "Python client for jsii runtime" +category = "main" optional = false python-versions = "~=3.7" files = [ @@ -839,6 +921,7 @@ typing-extensions = ">=3.7,<5.0" name = "mangum" version = "0.17.0" description = "AWS Lambda support for ASGI applications" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -853,6 +936,7 @@ typing-extensions = "*" name = "markupsafe" version = "2.1.3" description = "Safely add untrusted strings to HTML/XML markup." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -912,6 +996,7 @@ files = [ name = "moto" version = "4.1.12" description = "" +category = "dev" optional = false python-versions = ">=3.7" files = [ 
@@ -954,10 +1039,23 @@ server = ["PyYAML (>=5.1)", "aws-xray-sdk (>=0.93,!=0.96)", "cfn-lint (>=0.40.0) ssm = ["PyYAML (>=5.1)"] xray = ["aws-xray-sdk (>=0.93,!=0.96)", "setuptools"] +[[package]] +name = "mypy-extensions" +version = "1.0.0" +description = "Type system extensions for programs checked with the mypy type checker." +category = "main" +optional = false +python-versions = ">=3.5" +files = [ + {file = "mypy_extensions-1.0.0-py3-none-any.whl", hash = "sha256:4392f6c0eb8a5668a69e23d168ffa70f0be9ccfd32b5cc2d26a34ae5b844552d"}, + {file = "mypy_extensions-1.0.0.tar.gz", hash = "sha256:75dbf8955dc00442a438fc4d0666508a9a97b6bd41aa2f0ffe9d2f2725af0782"}, +] + [[package]] name = "orjson" version = "3.9.1" description = "Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1013,6 +1111,7 @@ files = [ name = "packaging" version = "23.1" description = "Core utilities for Python packages" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -1024,6 +1123,7 @@ files = [ name = "pastel" version = "0.2.1" description = "Bring colors to your terminal." +category = "dev" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" files = [ 
@@ -1031,10 +1131,39 @@ files = [ {file = "pastel-0.2.1.tar.gz", hash = "sha256:e6581ac04e973cac858828c6202c1e1e81fee1dc7de7683f3e1ffe0bfd8a573d"}, ] +[[package]] +name = "pathspec" +version = "0.11.2" +description = "Utility library for gitignore style pattern matching of file paths." +category = "main" +optional = false +python-versions = ">=3.7" +files = [ + {file = "pathspec-0.11.2-py3-none-any.whl", hash = "sha256:1d6ed233af05e679efb96b1851550ea95bbb64b7c490b0f5aa52996c11e92a20"}, + {file = "pathspec-0.11.2.tar.gz", hash = "sha256:e0d8d0ac2f12da61956eb2306b69f9469b42f4deb0f3cb6ed47b9cce9996ced3"}, +] + +[[package]] +name = "platformdirs" +version = "3.10.0" +description = "A small Python package for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." +category = "main" +optional = false +python-versions = ">=3.7" +files = [ + {file = "platformdirs-3.10.0-py3-none-any.whl", hash = "sha256:d7c24979f292f916dc9cbf8648319032f551ea8c49a4c9bf2fb556a02070ec1d"}, + {file = "platformdirs-3.10.0.tar.gz", hash = "sha256:b45696dab2d7cc691a3226759c0d3b00c47c8b6e293d96f6436f733303f77f6d"}, +] + +[package.extras] +docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.1)", "sphinx-autodoc-typehints (>=1.24)"] +test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest (>=7.4)", "pytest-cov (>=4.1)", "pytest-mock (>=3.11.1)"] + [[package]] name = "pluggy" version = "1.2.0" description = "plugin and hook calling mechanisms for python" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1050,6 +1179,7 @@ testing = ["pytest", "pytest-benchmark"] name = "poethepoet" version = "0.20.0" description = "A task runner that works well with poetry." +category = "dev" optional = false python-versions = ">=3.8" files = [ 
@@ -1068,6 +1198,7 @@ poetry-plugin = ["poetry (>=1.0,<2.0)"] name = "publication" version = "0.0.3" description = "Publication helps you maintain public-api-friendly modules by preventing unintentional access to private implementation details via introspection." +category = "main" optional = false python-versions = "*" files = [ @@ -1079,6 +1210,7 @@ files = [ name = "pycparser" version = "2.21" description = "C parser in Python" +category = "dev" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" files = [ @@ -1090,6 +1222,7 @@ files = [ name = "pydantic" version = "1.10.9" description = "Data validation and settings management using python type hints" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1142,6 +1275,7 @@ email = ["email-validator (>=1.0.3)"] name = "pytest" version = "7.4.0" description = "pytest: simple powerful testing with Python" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1164,6 +1298,7 @@ testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "no name = "pytest-mock" version = "3.11.1" description = "Thin-wrapper around the mock package for easier use with pytest" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1181,6 +1316,7 @@ dev = ["pre-commit", "pytest-asyncio", "tox"] name = "python-dateutil" version = "2.8.2" description = "Extensions to the standard Python datetime module" +category = "main" optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" files = [ @@ -1195,6 +1331,7 @@ six = ">=1.5" name = "python-dotenv" version = "1.0.0" description = "Read key-value pairs from a .env file and set them as environment variables" +category = "dev" optional = false python-versions = ">=3.8" files = [ 
@@ -1209,6 +1346,7 @@ cli = ["click (>=5.0)"] name = "python-multipart" version = "0.0.6" description = "A streaming multipart parser for Python" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1223,6 +1361,7 @@ dev = ["atomicwrites (==1.2.1)", "attrs (==19.2.0)", "coverage (==6.5.0)", "hatc name = "pyyaml" version = "6.0" description = "YAML parser and emitter for Python" +category = "dev" optional = false python-versions = ">=3.6" files = [ @@ -1272,6 +1411,7 @@ files = [ name = "requests" version = "2.31.0" description = "Python HTTP for Humans." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1293,6 +1433,7 @@ use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] name = "responses" version = "0.23.1" description = "A utility library for mocking out the `requests` Python library." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1313,6 +1454,7 @@ tests = ["coverage (>=6.0.0)", "flake8", "mypy", "pytest (>=7.0.0)", "pytest-asy name = "s3transfer" version = "0.6.1" description = "An Amazon S3 Transfer Manager" +category = "dev" optional = false python-versions = ">= 3.7" files = [ @@ -1330,6 +1472,7 @@ crt = ["botocore[crt] (>=1.20.29,<2.0a.0)"] name = "six" version = "1.16.0" description = "Python 2 and 3 compatibility utilities" +category = "main" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" files = [ @@ -1341,6 +1484,7 @@ files = [ name = "sniffio" version = "1.3.0" description = "Sniff out which async library your code is running under" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1352,6 +1496,7 @@ files = [ name = "starlette" version = "0.27.0" description = "The little ASGI library that shines." +category = "dev" optional = false python-versions = ">=3.7" files = [ 
@@ -1370,6 +1515,7 @@ full = ["httpx (>=0.22.0)", "itsdangerous", "jinja2", "python-multipart", "pyyam name = "tomli" version = "2.0.1" description = "A lil' TOML parser" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -1381,6 +1527,7 @@ files = [ name = "typeguard" version = "2.13.3" description = "Run-time type checker for Python" +category = "main" optional = false python-versions = ">=3.5.3" files = [ @@ -1396,6 +1543,7 @@ test = ["mypy", "pytest", "typing-extensions"] name = "types-pyyaml" version = "6.0.12.10" description = "Typing stubs for PyYAML" +category = "dev" optional = false python-versions = "*" files = [ @@ -1407,6 +1555,7 @@ files = [ name = "typing-extensions" version = "4.6.3" description = "Backported and Experimental Type Hints for Python 3.7+" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -1418,6 +1567,7 @@ files = [ name = "ujson" version = "5.8.0" description = "Ultra fast JSON encoder and decoder for Python" +category = "dev" optional = false python-versions = ">=3.8" files = [ @@ -1488,6 +1638,7 @@ files = [ name = "urllib3" version = "1.26.16" description = "HTTP library with thread-safe connection pooling, file post, and more." +category = "dev" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*" files = [ @@ -1504,6 +1655,7 @@ socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"] name = "uvicorn" version = "0.22.0" description = "The lightning-fast ASGI server." +category = "dev" optional = false python-versions = ">=3.7" files = [ 
@@ -1518,7 +1670,7 @@ h11 = ">=0.8" httptools = {version = ">=0.5.0", optional = true, markers = "extra == \"standard\""} python-dotenv = {version = ">=0.13", optional = true, markers = "extra == \"standard\""} pyyaml = {version = ">=5.1", optional = true, markers = "extra == \"standard\""} -uvloop = {version = ">=0.14.0,<0.15.0 || >0.15.0,<0.15.1 || >0.15.1", optional = true, markers = "(sys_platform != \"win32\" and sys_platform != \"cygwin\") and platform_python_implementation != \"PyPy\" and extra == \"standard\""} +uvloop = {version = ">=0.14.0,<0.15.0 || >0.15.0,<0.15.1 || >0.15.1", optional = true, markers = "sys_platform != \"win32\" and sys_platform != \"cygwin\" and platform_python_implementation != \"PyPy\" and extra == \"standard\""} watchfiles = {version = ">=0.13", optional = true, markers = "extra == \"standard\""} websockets = {version = ">=10.4", optional = true, markers = "extra == \"standard\""} @@ -1529,6 +1681,7 @@ standard = ["colorama (>=0.4)", "httptools (>=0.5.0)", "python-dotenv (>=0.13)", name = "uvloop" version = "0.17.0" description = "Fast implementation of asyncio event loop on top of libuv" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1573,6 +1726,7 @@ test = ["Cython (>=0.29.32,<0.30.0)", "aiohttp", "flake8 (>=3.9.2,<3.10.0)", "my name = "watchfiles" version = "0.19.0" description = "Simple, modern and high performance file watching and code reload in python." +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1607,6 +1761,7 @@ anyio = ">=3.0.0" name = "websockets" version = "11.0.3" description = "An implementation of the WebSocket Protocol (RFC 6455 & 7692)" +category = "dev" optional = false python-versions = ">=3.7" files = [ @@ -1686,6 +1841,7 @@ files = [ name = "werkzeug" version = "2.3.6" description = "The comprehensive WSGI web application library." +category = "dev" optional = false python-versions = ">=3.8" files = [ 
@@ -1703,6 +1859,7 @@ watchdog = ["watchdog (>=2.3)"] name = "wrapt" version = "1.15.0" description = "Module for decorators, wrappers and monkey patching." +category = "dev" optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" files = [ @@ -1787,6 +1944,7 @@ files = [ name = "xmltodict" version = "0.13.0" description = "Makes working with XML feel like you are working with JSON" +category = "dev" optional = false python-versions = ">=3.4" files = [ @@ -1798,6 +1956,7 @@ files = [ name = "zipp" version = "3.15.0" description = "Backport of pathlib-compatible object wrapper for zip files" +category = "main" optional = false python-versions = ">=3.7" files = [ @@ -1812,4 +1971,4 @@ testing = ["big-O", "flake8 (<5)", "jaraco.functools", "jaraco.itertools", "more [metadata] lock-version = "2.0" python-versions = "^3.9" -content-hash = "e28ed8d35aea045806738cffa70d15169aa89ab9f86086549ab4c150f5778ad3" +content-hash = "9cf0f7b4a9c4438283883bef15ae913ccff7a23377960e65a4431a2d5fa366fe" diff --git a/pyproject.toml b/pyproject.toml index 53d900d..547bd4f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,6 +10,7 @@ readme = "README.md" python = "^3.9" aws-cdk-lib = "2.83.1" constructs = ">=10.0.0,<11.0.0" +black = "^23.9.1" [tool.poetry.group.dev.dependencies] aws-lambda-powertools = {extras = ["all"], version = "^2.16.2"} From 19562a489bdf432958fbf9d2780b7473a594a767 Mon Sep 17 00:00:00 2001 From: Santiago Garcia Arango Date: Sat, 16 Sep 2023 11:45:27 -0500 Subject: [PATCH 3/9] Update output folder for checkov action --- .github/workflows/deploy.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 6368193..edc8489 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -93,6 +93,7 @@ jobs: with: name: cdk-synth-folder path: ./cdk.out + retention-days: 1 iac-checkov: name: IaC Checkov Validations 
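Review bot: `black = "^23.9.1"` is added to the main `[tool.poetry.dependencies]` table rather than to `[tool.poetry.group.dev.dependencies]` two lines below, so the formatter and its transitive packages (the lockfile in this commit marks `black`, `pathspec`, `platformdirs` and `mypy-extensions` as `category = "main"`) become part of the runtime/deploy dependency set instead of a dev-only tool. Move the line under `[tool.poetry.group.dev.dependencies]`: `black = "^23.9.1"`. The accompanying poetry.lock header also changes from "Poetry 1.6.1" to "Poetry 1.4.2" and reintroduces `category` fields, which suggests the lock was regenerated with an older Poetry than the previous commit used; regenerating with the version the project standardises on would avoid this churn between contributors.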
@@ -105,13 +106,13 @@ jobs: uses: actions/download-artifact@v3 with: name: cdk-synth-folder - path: ./cdk.out + path: ./cdk-synth-output-folder - name: Run Checkov action id: checkov uses: bridgecrewio/checkov-action@v12 with: - directory: .cdk.out/ + directory: cdk-synth-output-folder/.cdk.out/ framework: cloudformation soft_fail: true # optional: do not return an error code if there are failed checks skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list From ea1f1864fca274cd3649dd160d855e9bbbb5af53 Mon Sep 17 00:00:00 2001 From: Santiago Garcia Arango Date: Sat, 16 Sep 2023 12:01:38 -0500 Subject: [PATCH 4/9] Add debug logs --- .github/workflows/deploy.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index edc8489..d892ca3 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -108,6 +108,14 @@ jobs: name: cdk-synth-folder path: ./cdk-synth-output-folder + - name: Display structure of downloaded files + run: ls -R + working-directory: ./cdk-synth-output-folder + + - name: Tree Debug + run: | + tree . + - name: Run Checkov action id: checkov uses: bridgecrewio/checkov-action@v12 From 5b5c8e0d9a781f2ba407147b66936cea88d44209 Mon Sep 17 00:00:00 2001 From: Santiago Garcia Arango Date: Sat, 16 Sep 2023 12:20:16 -0500 Subject: [PATCH 5/9] Update CICD paths and archive assets --- .github/workflows/deploy.yml | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index d892ca3..2dd278d 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -88,11 +88,13 @@ jobs:
 source .venv/bin/activate
 cdk synth
 
- - name: Archive CDK Synth results
+ - name: Archive CDK Synth results (no assets)
 uses: actions/upload-artifact@v3
 with:
 name: cdk-synth-folder
- path: ./cdk.out
+ path: !
./cdk.out
!./cdk.out/asset.*
 retention-days: 1
 
 iac-checkov:
@@ -108,19 +110,15 @@ jobs:
 name: cdk-synth-folder
 path: ./cdk-synth-output-folder
 
- - name: Display structure of downloaded files
- run: ls -R
+ - name: Display files in the output folder
+ run: ls -lrta
 working-directory: ./cdk-synth-output-folder
 
- - name: Tree Debug
- run: |
- tree .
-
 - name: Run Checkov action
 id: checkov
 uses: bridgecrewio/checkov-action@v12
 with:
- directory: cdk-synth-output-folder/.cdk.out/
+ directory: cdk-synth-output-folder/
 framework: cloudformation
 soft_fail: true # optional: do not return an error code if there are failed checks
 skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
@@ -157,8 +155,7 @@ jobs:
 node-version: "20"
 
 - name: Install CDK
- run: |
- npm install -g aws-cdk
+ run: npm install -g aws-cdk
 
 # # MY OLD AUTH CONFIG (NOW WITH GITHUB OIDC TOKEN)
 # - name: Configure AWS credentials
@@ -175,11 +172,6 @@ jobs:
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
 role-session-name: myGitHubActions
 
- # Sample STS get caller identity for tests
- - name: sts get-caller-identity
- run: |
- aws sts get-caller-identity
-
 # NOTE: for now no manual approvals are required
 - name: Deploy to AWS
 run: |
From 6dd3aaae40cf0671c4b6f2bee20b917cd0450567 Mon Sep 17 00:00:00 2001
From: Santiago Garcia Arango
Date: Sat, 16 Sep 2023 12:21:51 -0500
Subject: [PATCH 6/9] Update typo

---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2dd278d..04caa1e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
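Review bot: `path: !` on the new side is not a block-scalar header: a bare `!` is a YAML non-specific tag, so the two indented pattern lines beneath it are either rejected by the parser or folded into one plain scalar, `./cdk.out !./cdk.out/asset.*`, which `actions/upload-artifact` would treat as a single pattern. A multi-line include/exclude list needs a literal block scalar, `path: |`, so that each pattern reaches the action on its own line. Excluding `asset.*` keeps the bundled assets out of the artifact, which is fine for a `framework: cloudformation` scan, but it means only the synthesized templates are ever scanned.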
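Review bot: `run: npm install -g aws-cdk` installs whatever CDK CLI version npm resolves at run time, while `pyproject.toml` in this series pins `aws-cdk-lib = "2.83.1"`, so the deploy job is neither reproducible nor shielded from a broken or compromised CLI release landing between runs. Pin the CLI to an explicit version compatible with the pinned library, `run: npm install -g aws-cdk@<PINNED_CDK_CLI_VERSION>`, and bump the two together. The enclosing job starts outside this hunk; if the synth job installs the CLI the same way, the same pin applies there.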
@@ -92,7 +92,7 @@ jobs:
 uses: actions/upload-artifact@v3
 with:
 name: cdk-synth-folder
- path: !
+ path: |
 ./cdk.out
 !./cdk.out/asset.*
 retention-days: 1
From 374d9f0e10dde9a0b5712d5f69c64784e7518e3c Mon Sep 17 00:00:00 2001
From: Santiago Garcia Arango
Date: Sat, 16 Sep 2023 12:47:10 -0500
Subject: [PATCH 7/9] Test check fail validation

---
 .github/workflows/deploy.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 04caa1e..12b80e7 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -117,10 +117,11 @@ jobs:
 - name: Run Checkov action
 id: checkov
 uses: bridgecrewio/checkov-action@v12
+ continue-on-error: true
 with:
 directory: cdk-synth-output-folder/
 framework: cloudformation
- soft_fail: true # optional: do not return an error code if there are failed checks
+ soft_fail: false # optional: do not return an error code if there are failed checks
 skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
 quiet: true # optional: display only failed checks
 log_level: WARNING # optional: set log level. Default WARNING
From 12c06e3e16ae3e06c53150349e71201f04158d22 Mon Sep 17 00:00:00 2001
From: Santiago Garcia Arango
Date: Sat, 16 Sep 2023 12:50:50 -0500
Subject: [PATCH 8/9] Test check fail validation

---
 .github/workflows/deploy.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 12b80e7..e85f30f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -117,7 +117,6 @@ jobs:
 - name: Run Checkov action
 id: checkov
 uses: bridgecrewio/checkov-action@v12
- continue-on-error: true
 with:
 directory: cdk-synth-output-folder/
 framework: cloudformation
From 2b7312f08f0fd516d9c43e84e2f9651be973c8c5 Mon Sep 17 00:00:00 2001
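Review bot: Adding `continue-on-error: true` to the step while flipping `soft_fail: false` cancels itself out at the job level: the step is marked failed but the job still succeeds, so the check failure this commit says it is validating cannot gate anything downstream. Use one mechanism only — `soft_fail: false` alone makes failed checks fail the job, `soft_fail: true` alone keeps the step green — and reserve `continue-on-error` for the case where a later step reads `steps.checkov.outcome`. The trailing template comment `# optional: do not return an error code if there are failed checks` no longer describes the `false` next to it and should be rewritten or dropped.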
From: Santiago Garcia Arango
Date: Sat, 16 Sep 2023 12:55:42 -0500
Subject: [PATCH 9/9] Test check fail validation

---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e85f30f..04caa1e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -120,7 +120,7 @@ jobs:
 with:
 directory: cdk-synth-output-folder/
 framework: cloudformation
- soft_fail: false # optional: do not return an error code if there are failed checks
+ soft_fail: true # optional: do not return an error code if there are failed checks
 skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
 quiet: true # optional: display only failed checks
 log_level: WARNING # optional: set log level. Default WARNING
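Review bot: With this revert the Checkov step is back to `soft_fail: true`, so findings are reported but never fail the `iac-checkov` job, and even a `needs:` dependency from the deploy job (its header is outside this hunk) would not stop a deploy on a failed check. If advisory-only scanning is the intent for now, record that in a comment of your own rather than the action's template text, e.g. `soft_fail: true  # findings are advisory until the baseline is clean; set to false to gate deploys`. The `skip_check: CKV_AWS_2` suppression likewise carries no reason; a skipped check should say why it is skipped so the exception can be revisited. Patches 7, 8 and 9 net out to no change (the `index` line returns to `04caa1e`), so they are better squashed out of the series before merging.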