cdk-nag 2.31.3__py3-none-any.whl → 2.32.0__py3-none-any.whl

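--- a/cdk_nag/__init__.py
+++ b/cdk_nag/__init__.py
@@ -282,6 +282,67 @@ You would see the following error on synth/deploy
 
 </details>
 
+## Suppressing Rule Validation Failures
+
+When a rule validation fails it is handled similarly to a rule violation, and can be suppressed in the same manner. The `ID` for a rule failure is `CdkNagValidationFailure`.
+
+If a rule is suppressed in a non-granular manner (i.e. `appliesTo` is not set, see example 1 above) then validation failures on that rule are also suppressed.
+
+Validation failure suppression respects any applied [Suppression Ignore Conditions](#conditionally-ignoring-suppressions)
+
+<details>
+<summary>Example 1) Suppress all Validation Failures on a Resource</summary>
+
+```python
+import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { NagSuppressions } from 'cdk-nag';
+
+export class CdkTestStack extends Stack {
+constructor(scope: Construct, id: string, props?: StackProps) {
+super(scope, id, props);
+const test = new SecurityGroup(this, 'test', {
+vpc: new Vpc(this, 'vpc'),
+});
+test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
+NagSuppressions.addResourceSuppressions(test, [
+{ id: 'CdkNagValidationFailure', reason: 'lorem ipsum' },
+]);
+}
+}
+```
+
+</details><details>
+<summary>Example 2) Granular Suppression of Validation Failures</summary>
+Validation failures can be suppressed for individual rules by using `appliesTo` to list the desired rules
+
+```python
+import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { NagSuppressions } from 'cdk-nag';
+
+export class CdkTestStack extends Stack {
+constructor(scope: Construct, id: string, props?: StackProps) {
+super(scope, id, props);
+const test = new SecurityGroup(this, 'test', {
+vpc: new Vpc(this, 'vpc'),
+});
+test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
+NagSuppressions.addResourceSuppressions(test, [
+{
+id: 'CdkNagValidationFailure',
+reason: 'lorem ipsum',
+appliesTo: ['AwsSolutions-L1'],
+},
+]);
+}
+}
+```
+
+</details>
+
 ## Suppressing `aws-cdk-lib/pipelines` Violations
 
 The [aws-cdk-lib/pipelines.CodePipeline](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.pipelines.CodePipeline.html) construct and its child constructs are not guaranteed to be "Visited" by `Aspects`, as they are not added during the "Construction" phase of the [cdk lifecycle](https://docs.aws.amazon.com/cdk/v2/guide/apps.html#lifecycle). Because of this behavior, you may experience problems such as rule violations not appearing or the inability to suppress violations on these constructs.
@@ -2231,6 +2292,7 @@ class NagPack(metaclass=jsii.JSIIAbstractClass, jsii_type="cdk-nag.NagPack"):
 resource: _aws_cdk_ceddda9d.CfnResource,
 level: NagMessageLevel,
 ignore_suppression_condition: typing.Optional[INagSuppressionIgnore] = None,
+validation_failure: typing.Optional[builtins.bool] = None,
 ) -> builtins.str:
 '''Check whether a specific rule should be ignored.
 
@@ -2240,6 +2302,7 @@ class NagPack(metaclass=jsii.JSIIAbstractClass, jsii_type="cdk-nag.NagPack"):
 :param resource: The resource being evaluated.
 :param level: -
 :param ignore_suppression_condition: -
+:param validation_failure: Whether the rule is being checked due to a validation failure.
 
 :return: The reason the rule was ignored, or an empty string.
 '''
@@ -2251,7 +2314,8 @@ class NagPack(metaclass=jsii.JSIIAbstractClass, jsii_type="cdk-nag.NagPack"):
 check_type(argname="argument resource", value=resource, expected_type=type_hints["resource"])
 check_type(argname="argument level", value=level, expected_type=type_hints["level"])
 check_type(argname="argument ignore_suppression_condition", value=ignore_suppression_condition, expected_type=type_hints["ignore_suppression_condition"])
-return typing.cast(builtins.str, jsii.invoke(self, "ignoreRule", [suppressions, rule_id, finding_id, resource, level, ignore_suppression_condition]))
+check_type(argname="argument validation_failure", value=validation_failure, expected_type=type_hints["validation_failure"])
+return typing.cast(builtins.str, jsii.invoke(self, "ignoreRule", [suppressions, rule_id, finding_id, resource, level, ignore_suppression_condition, validation_failure]))
 
 @jsii.member(jsii_name="visit")
 @abc.abstractmethod
@@ -4193,6 +4257,7 @@ def _typecheckingstub__ba5c64d28918f6c81ac27ddb1b8fd172dcc8d60b93422df8be15366fb
 resource: _aws_cdk_ceddda9d.CfnResource,
 level: NagMessageLevel,
 ignore_suppression_condition: typing.Optional[INagSuppressionIgnore] = None,
+validation_failure: typing.Optional[builtins.bool] = None,
 ) -> None:
 """Type checking stubs"""
 pass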
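Review bot: The two example blocks added to the module docstring in the first hunk (new lines 296–314 and 320–342) are fenced as ```python but hold TypeScript (`import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';`, `export class CdkTestStack extends Stack {`), so readers of this Python distribution get examples that cannot be run as shown and a fence tag that mis-highlights them. Either retag the fences as ```typescript or provide the Python rendering of the same `NagSuppressions` call with `{"id": "CdkNagValidationFailure", "reason": ...}`; the identical text reappears in the METADATA long description further down the diff and should be fixed in step. The `reason: 'lorem ipsum'` placeholder also weakens the guidance: Example 1 suppresses every validation failure on the resource (no `appliesTo`), and the reason string is what ends up in the report as the justification, so a realistic reason would model the intended use better. The module docstring this hunk edits starts and ends outside the hunk.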
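--- a/cdk_nag/_jsii/__init__.py
+++ b/cdk_nag/_jsii/__init__.py
@@ -32,7 +32,7 @@ import aws_cdk._jsii
 import constructs._jsii
 
 __jsii_assembly__ = jsii.JSIIAssembly.load(
-"cdk-nag", "2.31.3", __name__[0:-6], "cdk-nag@2.31.3.jsii.tgz"
+"cdk-nag", "2.32.0", __name__[0:-6], "cdk-nag@2.32.0.jsii.tgz"
 )
 
 __all__ = [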
Binary file
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: cdk-nag
3
- Version: 2.31.3
3
+ Version: 2.32.0
4
4
  Summary: Check CDK v2 applications for best practices using a combination on available rule packs.
5
5
  Home-page: https://github.com/cdklabs/cdk-nag.git
6
6
  Author: Arun Donti<donti@amazon.com>
@@ -310,6 +310,67 @@ You would see the following error on synth/deploy
310
310
 
311
311
  </details>
312
312
 
313
+ ## Suppressing Rule Validation Failures
314
+
315
+ When a rule validation fails it is handled similarly to a rule violation, and can be suppressed in the same manner. The `ID` for a rule failure is `CdkNagValidationFailure`.
316
+
317
+ If a rule is suppressed in a non-granular manner (i.e. `appliesTo` is not set, see example 1 above) then validation failures on that rule are also suppressed.
318
+
319
+ Validation failure suppression respects any applied [Suppression Ignore Conditions](#conditionally-ignoring-suppressions)
320
+
321
+ <details>
322
+ <summary>Example 1) Suppress all Validation Failures on a Resource</summary>
323
+
324
+ ```python
325
+ import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
326
+ import { Stack, StackProps } from 'aws-cdk-lib';
327
+ import { Construct } from 'constructs';
328
+ import { NagSuppressions } from 'cdk-nag';
329
+
330
+ export class CdkTestStack extends Stack {
331
+ constructor(scope: Construct, id: string, props?: StackProps) {
332
+ super(scope, id, props);
333
+ const test = new SecurityGroup(this, 'test', {
334
+ vpc: new Vpc(this, 'vpc'),
335
+ });
336
+ test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
337
+ NagSuppressions.addResourceSuppressions(test, [
338
+ { id: 'CdkNagValidationFailure', reason: 'lorem ipsum' },
339
+ ]);
340
+ }
341
+ }
342
+ ```
343
+
344
+ </details><details>
345
+ <summary>Example 2) Granular Suppression of Validation Failures</summary>
346
+ Validation failures can be suppressed for individual rules by using `appliesTo` to list the desired rules
347
+
348
+ ```python
349
+ import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
350
+ import { Stack, StackProps } from 'aws-cdk-lib';
351
+ import { Construct } from 'constructs';
352
+ import { NagSuppressions } from 'cdk-nag';
353
+
354
+ export class CdkTestStack extends Stack {
355
+ constructor(scope: Construct, id: string, props?: StackProps) {
356
+ super(scope, id, props);
357
+ const test = new SecurityGroup(this, 'test', {
358
+ vpc: new Vpc(this, 'vpc'),
359
+ });
360
+ test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
361
+ NagSuppressions.addResourceSuppressions(test, [
362
+ {
363
+ id: 'CdkNagValidationFailure',
364
+ reason: 'lorem ipsum',
365
+ appliesTo: ['AwsSolutions-L1'],
366
+ },
367
+ ]);
368
+ }
369
+ }
370
+ ```
371
+
372
+ </details>
373
+
313
374
  ## Suppressing `aws-cdk-lib/pipelines` Violations
314
375
 
315
376
  The [aws-cdk-lib/pipelines.CodePipeline](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.pipelines.CodePipeline.html) construct and its child constructs are not guaranteed to be "Visited" by `Aspects`, as they are not added during the "Construction" phase of the [cdk lifecycle](https://docs.aws.amazon.com/cdk/v2/guide/apps.html#lifecycle). Because of this behavior, you may experience problems such as rule violations not appearing or the inability to suppress violations on these constructs.
@@ -0,0 +1,10 @@
1
+ cdk_nag/__init__.py,sha256=gFC-zoqJD8upXEQ8U9NYkkC8FyENY2SE5J7Xio58h8Q,171218
2
+ cdk_nag/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
3
+ cdk_nag/_jsii/__init__.py,sha256=VpcQ--_P7VXRZHHK_AXbjwcBxIAP8dHQbTIpXKsqYyk,1427
4
+ cdk_nag/_jsii/cdk-nag@2.32.0.jsii.tgz,sha256=V0piSvpls1wXuBscZTnOOF8hvclJhCJ5i9XZv_7bvgo,692613
5
+ cdk_nag-2.32.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358
6
+ cdk_nag-2.32.0.dist-info/METADATA,sha256=-9KadpwWlYssUAKr5w6436Zm6QLYa4_RvFTZtOqUuSU,23256
7
+ cdk_nag-2.32.0.dist-info/NOTICE,sha256=iY5F0xzQe4KtUQk3HOYeKSkIN2Xty0Y_tmkXNX4mzdw,105
8
+ cdk_nag-2.32.0.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
9
+ cdk_nag-2.32.0.dist-info/top_level.txt,sha256=uA4ZNR24n8x6ieIX39y6e7sTFkC--8tF78mNKV88Ce0,8
10
+ cdk_nag-2.32.0.dist-info/RECORD,,
Binary file
@@ -1,10 +0,0 @@
1
- cdk_nag/__init__.py,sha256=gRIpacfeNRkTcFqno_YfKlmM3CZ4upgCMeHKBtMK1yc,168693
2
- cdk_nag/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
3
- cdk_nag/_jsii/__init__.py,sha256=s93Mos_juG5zwLw1CgzmKcPG_k2_XnENm537rY62Sb0,1427
4
- cdk_nag/_jsii/cdk-nag@2.31.3.jsii.tgz,sha256=p288I_vO2Bw6XdGAuGOuAAoHsPlZNhjJSjtgwQ3NwG4,691677
5
- cdk_nag-2.31.3.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358
6
- cdk_nag-2.31.3.dist-info/METADATA,sha256=iciUW9ePD5OJQPg9wQtyGcufEcIMXdRqm2DXsQmVhqY,21115
7
- cdk_nag-2.31.3.dist-info/NOTICE,sha256=iY5F0xzQe4KtUQk3HOYeKSkIN2Xty0Y_tmkXNX4mzdw,105
8
- cdk_nag-2.31.3.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
9
- cdk_nag-2.31.3.dist-info/top_level.txt,sha256=uA4ZNR24n8x6ieIX39y6e7sTFkC--8tF78mNKV88Ce0,8
10
- cdk_nag-2.31.3.dist-info/RECORD,,