From 857210128a9fdac028b0c4c15d2651649b2f055c Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Tue, 4 Nov 2025 12:20:39 -0600 Subject: [PATCH 01/23] fix: upgrade the version of python from 3.9 to 3.12 as it is reaching EOL in Dec 2025, across all yml, tf templates, github workflows etc --- .github/workflows/bandit.yml | 2 +- .github/workflows/checkov.yml | 2 +- .github/workflows/pylic.yml | 4 +- .github/workflows/safety.yml | 4 +- .github/workflows/static-checking.yml | 4 +- .../easy_setup/templates/sra-easy-setup.yaml | 2 +- .../sra-cloudtrail-org-module-main.yaml | 6 +-- .../sra-cloudtrail-org-solution.yaml | 2 +- .../templates/sra-config-org-module-main.yaml | 6 +-- .../templates/sra-config-org-solution.yaml | 2 +- .../sra-guardduty-org-module-main.yaml | 6 +-- .../templates/sra-guardduty-org-solution.yaml | 2 +- .../sra-securityhub-org-module-main.yaml | 6 +-- .../sra-securityhub-org-solution.yaml | 2 +- .../sra-account-alternate-contacts.yaml | 2 +- .../sra-ami-bakery-org-configuration.yaml | 2 +- .../templates/sra-cloudtrail-org.yaml | 2 +- .../templates/sra-common-cfct-setup-main.yaml | 2 +- ...uisites-management-account-parameters.yaml | 2 +- ...ommon-prerequisites-staging-s3-bucket.yaml | 2 +- ...-register-delegated-administrator-ssm.yaml | 2 +- ...-management-account-update-aggregator.yaml | 2 +- .../sra-config-org-configuration.yaml | 2 +- .../sra-detective-org-configuration.yaml | 2 +- .../sra-ec2-default-ebs-encryption.yaml | 2 +- ...a-firewall-manager-org-delegate-admin.yaml | 2 +- .../sra-guardduty-org-configuration.yaml | 2 +- .../templates/sra-iam-password-policy.yaml | 2 +- .../inspector_org/lambda/src/inspector.py | 40 ++++++++++++------- .../sra-inspector-org-configuration.yaml | 2 +- .../sra-macie-org-configuration.yaml | 2 +- .../sra-patch_mgmt-configuration.yaml | 2 +- .../sra-s3-block-account-public-access.yaml | 2 +- .../sra-security-lake-org-configuration.yaml | 2 +- .../sra-securityhub-org-configuration.yaml | 2 +- .../sra-shield-advanced-configuration.yaml | 2 +- .../terraform/common/ssm_parameters/main.tf | 2 +- .../solutions/cloudtrail_org/org/main.tf | 2 +- .../guard_duty/gd_configuration/main.tf | 2 +- .../iam_password_policy/configuration/main.tf | 2 +- .../solutions/inspector/configuration/main.tf | 2 +- .../solutions/macie/configuration/main.tf | 2 +- .../register_admin/main.tf | 2 +- .../security_hub/configuration/main.tf | 2 +- pyproject.toml | 4 +- 45 files changed, 82 insertions(+), 70 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 6539b934d..e563e04f3 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ['3.9'] + python-version: ['3.12'] steps: - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml index 961b050d5..8cc955e7f 100644 --- a/.github/workflows/checkov.yml +++ b/.github/workflows/checkov.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ['3.9'] + python-version: ['3.12'] steps: - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} diff --git a/.github/workflows/pylic.yml b/.github/workflows/pylic.yml index 800cc4382..b4b4f9d8e 100644 --- a/.github/workflows/pylic.yml +++ b/.github/workflows/pylic.yml @@ -12,7 +12,7 @@ jobs: strategy: fail-fast: true matrix: - python-version: [3.9] + python-version: [3.12] steps: #---------------------------------------------- # check-out repo and set-up python @@ -23,7 +23,7 @@ jobs: id: setup-python uses: actions/setup-python@v3 with: - python-version: 3.9 + python-version: 3.12 #---------------------------------------------- # ----- install & configure poetry ----- #---------------------------------------------- diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index b3c45cb84..fb26018d0 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -12,7 +12,7 @@ jobs: strategy: fail-fast: true matrix: - python-version: [3.9] + python-version: [3.12] steps: #---------------------------------------------- # check-out repo and set-up python @@ -23,7 +23,7 @@ jobs: id: setup-python uses: actions/setup-python@v3 with: - python-version: 3.9 + python-version: 3.12 #---------------------------------------------- # ----- install & configure poetry ----- #---------------------------------------------- diff --git a/.github/workflows/static-checking.yml b/.github/workflows/static-checking.yml index 616296495..79ea3a54e 100644 --- a/.github/workflows/static-checking.yml +++ b/.github/workflows/static-checking.yml @@ -12,7 +12,7 @@ jobs: strategy: fail-fast: true matrix: - python-version: [3.9] + python-version: [3.12] steps: #---------------------------------------------- # check-out repo and set-up python @@ -23,7 +23,7 @@ jobs: id: setup-python uses: actions/setup-python@v3 with: - python-version: 3.9 + python-version: 3.12 #---------------------------------------------- # ----- install & configure poetry ----- #---------------------------------------------- diff --git a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml index 103be4851..2757ba028 100644 --- a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml +++ b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml @@ -2405,7 +2405,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-module-main.yaml b/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-module-main.yaml index 7bca47642..65cbebd6c 100644 --- a/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-module-main.yaml +++ b/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-module-main.yaml @@ -368,7 +368,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -527,7 +527,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -825,7 +825,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-solution.yaml b/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-solution.yaml index 607e79196..705421955 100644 --- a/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-solution.yaml +++ b/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-solution.yaml @@ -624,7 +624,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/config-org-module/templates/sra-config-org-module-main.yaml b/aws_sra_examples/modules/config-org-module/templates/sra-config-org-module-main.yaml index 32aa67603..1491cbdf2 100644 --- a/aws_sra_examples/modules/config-org-module/templates/sra-config-org-module-main.yaml +++ b/aws_sra_examples/modules/config-org-module/templates/sra-config-org-module-main.yaml @@ -445,7 +445,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -610,7 +610,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -908,7 +908,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/config-org-module/templates/sra-config-org-solution.yaml b/aws_sra_examples/modules/config-org-module/templates/sra-config-org-solution.yaml index fa6f40a23..333e3ed31 100644 --- a/aws_sra_examples/modules/config-org-module/templates/sra-config-org-solution.yaml +++ b/aws_sra_examples/modules/config-org-module/templates/sra-config-org-solution.yaml @@ -680,7 +680,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml index d2be8cb49..214161062 100644 --- a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml +++ b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml @@ -431,7 +431,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -596,7 +596,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -894,7 +894,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml index 5cfebdbec..1e17bc7fe 100644 --- a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml +++ b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml @@ -657,7 +657,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-module-main.yaml b/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-module-main.yaml index efa9b27fa..66cbdb7c8 100644 --- a/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-module-main.yaml +++ b/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-module-main.yaml @@ -368,7 +368,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -527,7 +527,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rCheckForResourceLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: @@ -825,7 +825,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-solution.yaml b/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-solution.yaml index f654b6318..eb17fdc20 100644 --- a/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-solution.yaml +++ b/aws_sra_examples/modules/securityhub-org-module/templates/sra-securityhub-org-solution.yaml @@ -627,7 +627,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/solutions/account/account_alternate_contacts/templates/sra-account-alternate-contacts.yaml b/aws_sra_examples/solutions/account/account_alternate_contacts/templates/sra-account-alternate-contacts.yaml index 6e3a34cbc..a6c89fd9c 100644 --- a/aws_sra_examples/solutions/account/account_alternate_contacts/templates/sra-account-alternate-contacts.yaml +++ b/aws_sra_examples/solutions/account/account_alternate_contacts/templates/sra-account-alternate-contacts.yaml @@ -502,7 +502,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler Role: !GetAtt rAccountAlternateContactsLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-configuration.yaml b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-configuration.yaml index 2146a8ace..18299c8e5 100644 --- a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-configuration.yaml +++ b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-configuration.yaml @@ -491,7 +491,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rAMIBakeryOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml index 3cc95699c..39a108cb3 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml @@ -437,7 +437,7 @@ Resources: FunctionName: !Ref pCloudTrailLambdaFunctionName Handler: app.lambda_handler Role: !GetAtt rCloudTrailLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 300 Tags: - Key: sra-solution diff --git a/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml b/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml index 418bdd8ad..1bd3ef480 100644 --- a/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml +++ b/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml @@ -366,7 +366,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Environment: Variables: diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml index c2817c989..b0fdc6f65 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml @@ -207,7 +207,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler Role: !GetAtt rManagementAccountParametersLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 300 Code: S3Bucket: !If diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml index 9ea30d8a2..acfc21dfb 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml @@ -181,7 +181,7 @@ Resources: - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rOrgIdLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 60 Environment: Variables: diff --git a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml index a6bf9089c..686529054 100644 --- a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml +++ b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml @@ -243,7 +243,7 @@ Resources: - [arm64] - !Ref AWS::NoValue Handler: app.lambda_handler - Runtime: python3.9 + Runtime: python3.12 Timeout: 300 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml index 67caf6610..8cc137353 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml +++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml @@ -197,7 +197,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler Role: !GetAtt rConfigUpdateAggregatorLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 300 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/config/config_org/templates/sra-config-org-configuration.yaml b/aws_sra_examples/solutions/config/config_org/templates/sra-config-org-configuration.yaml index 19605b510..ca997b6de 100644 --- a/aws_sra_examples/solutions/config/config_org/templates/sra-config-org-configuration.yaml +++ b/aws_sra_examples/solutions/config/config_org/templates/sra-config-org-configuration.yaml @@ -518,7 +518,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rConfigOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml b/aws_sra_examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml index 9e71b2414..2c7c8d5ed 100644 --- a/aws_sra_examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml +++ b/aws_sra_examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml @@ -423,7 +423,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rDetectiveOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml index 42d173dac..8552fb0bb 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml @@ -440,7 +440,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler Role: !GetAtt rEC2DefaultEBSEncryptionLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml index 62d74fc4a..48429c874 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml @@ -286,7 +286,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler Role: !GetAtt rFirewallManagerDelegateAdminLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml index 029bcfcf3..9dfc1fcaa 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml @@ -505,7 +505,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rGuardDutyOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml index 07b94e1af..1846276c2 100644 --- a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml +++ b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml @@ -274,7 +274,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler MemorySize: 128 - Runtime: python3.9 + Runtime: python3.12 Timeout: 60 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py index 3bd16520c..b87161bca 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py +++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py @@ -127,18 +127,27 @@ def lookup_associated_accounts(inspector2_client: Inspector2Client, account_id: Raises: Exception: raises exception as e """ - try: - response = inspector2_client.get_member(accountId=account_id) - except inspector2_client.exceptions.ResourceNotFoundException: - return False - except Exception as e: - LOGGER.error(f"Failed to get inspector members. {e}") - raise - if response["member"]["accountId"] == account_id: - LOGGER.info(f"{account_id} relationship status: {response['member']['relationshipStatus']}") - if response["member"]["relationshipStatus"] != "ENABLED": - associate_account(inspector2_client, account_id) - return True + max_retries = 3 + for attempt in range(max_retries): + try: + response = inspector2_client.get_member(accountId=account_id) + if response["member"]["accountId"] == account_id: + LOGGER.info(f"{account_id} relationship status: {response['member']['relationshipStatus']}") + if response["member"]["relationshipStatus"] != "ENABLED": + associate_account(inspector2_client, account_id, inspector2_client.meta.region_name) + return True + return False + except inspector2_client.exceptions.ResourceNotFoundException: + return False + except inspector2_client.exceptions.InternalServerException as e: + LOGGER.warning(f"InternalServerException for account {account_id}, attempt {attempt + 1}/{max_retries}: {e}") + if attempt == max_retries - 1: + LOGGER.error(f"Failed to get member after {max_retries} attempts for account {account_id}") + return False + sleep(2 ** attempt) # Exponential backoff + except Exception as e: + LOGGER.error(f"Failed to get inspector members for account {account_id}: {e}") + raise return False @@ -520,16 +529,19 @@ def set_auto_enable_inspector_in_org( LOGGER.info(f"inspector organization already auto-enabled properly in {region}") -def associate_account(inspector2_client: Inspector2Client, account_id: str) -> AssociateMemberResponseTypeDef: +def associate_account(inspector2_client: Inspector2Client, account_id: str, region: str = None) -> AssociateMemberResponseTypeDef: """Associate member accounts (which also enables inspector) to the delegated admin account. Args: inspector2_client (Inspector2Client): inspector SDK client account_id (str): account ID + region (str): AWS region for logging Returns: AssociateMemberResponseTypeDef: API call response """ + region_info = f" in {region}" if region else "" + LOGGER.info(f"Associating account {account_id}{region_info}") associate_response = inspector2_client.associate_member(accountId=account_id) api_call_details = { "API_Call": "inspector2:AssociateMember", @@ -558,7 +570,7 @@ def associate_inspector_member_accounts(configuration_role_name: str, delegated_ LOGGER.info(f"Account ({account['AccountId']}) is a member") else: LOGGER.info(f"Account ({account['AccountId']}) is NOT a member yet") - LOGGER.info(associate_account(inspector_delegated_admin_region_client, account["AccountId"])) + LOGGER.info(associate_account(inspector_delegated_admin_region_client, account["AccountId"], region)) def create_service_linked_role(account_id: str, configuration_role_name: str) -> None: diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml index e6bd65335..036a70318 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml +++ b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml @@ -449,7 +449,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rInspectorOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml index 5b50c4d30..09af985ea 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml @@ -419,7 +419,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml index 27e09a52e..2052aef79 100644 --- a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml @@ -1014,7 +1014,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rPatchMgmtLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml index 3a4023b62..ee4a72133 100644 --- a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml +++ b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml @@ -339,7 +339,7 @@ Resources: - !Ref AWS::NoValue Handler: app.lambda_handler Role: !GetAtt rS3BlockAccountPublicAccessLambdaRole.Arn - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml index 024066057..787638659 100644 --- a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml +++ b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml @@ -588,7 +588,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rSecurityLakeOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml index a79503456..54a3a80b7 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml @@ -513,7 +513,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rSecurityHubOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-configuration.yaml b/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-configuration.yaml index 426f8f74e..28ac2c2eb 100644 --- a/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-configuration.yaml +++ b/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-configuration.yaml @@ -777,7 +777,7 @@ Resources: Handler: app.lambda_handler Role: !GetAtt rShieldOrgLambdaRole.Arn MemorySize: 512 - Runtime: python3.9 + Runtime: python3.12 Timeout: 900 Code: S3Bucket: !Ref pSRAStagingS3BucketName diff --git a/aws_sra_examples/terraform/common/ssm_parameters/main.tf b/aws_sra_examples/terraform/common/ssm_parameters/main.tf index 0c88e54aa..500300bd7 100644 --- a/aws_sra_examples/terraform/common/ssm_parameters/main.tf +++ b/aws_sra_examples/terraform/common/ssm_parameters/main.tf @@ -65,7 +65,7 @@ resource "aws_lambda_function" "management_account_parameters" { source_code_hash = data.archive_file.zipped_lambda.output_base64sha256 filename = data.archive_file.zipped_lambda.output_path handler = "app.terraform_handler" - runtime = "python3.9" + runtime = "python3.12" role = aws_iam_role.management_account_parameters_lambda_role.arn timeout = 300 memory_size = 128 diff --git a/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf b/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf index 50e76c05e..469eb7d24 100644 --- a/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf +++ b/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf @@ -293,7 +293,7 @@ resource "aws_lambda_function" "cloudtrail_org_lambda_function" { description = "Creates an Organization CloudTrail" function_name = var.cloudtrail_lambda_function_name role = aws_iam_role.cloudtrail_lambda_role.arn - runtime = "python3.9" + runtime = "python3.12" timeout = 300 handler = "app.terraform_handler" diff --git a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf index 0ed158812..dc3191ec8 100644 --- a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf +++ b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf @@ -366,7 +366,7 @@ resource "aws_lambda_function" "guardduty_lambda_function" { role = aws_iam_role.guardduty_lambda_role.arn memory_size = 512 handler = "app.terraform_handler" - runtime = "python3.9" + runtime = "python3.12" timeout = 900 source_code_hash = data.archive_file.zipped_lambda.output_base64sha256 diff --git a/aws_sra_examples/terraform/solutions/iam_password_policy/configuration/main.tf b/aws_sra_examples/terraform/solutions/iam_password_policy/configuration/main.tf index 67f241a70..f75646828 100644 --- a/aws_sra_examples/terraform/solutions/iam_password_policy/configuration/main.tf +++ b/aws_sra_examples/terraform/solutions/iam_password_policy/configuration/main.tf @@ -156,7 +156,7 @@ resource "aws_lambda_function" "iam_password_policy_lambda_function" { role = aws_iam_role.iam_password_policy_lambda_role.arn handler = "app.lambda_handler" memory_size = 512 - runtime = "python3.9" + runtime = "python3.12" timeout = 900 source_code_hash = data.archive_file.zipped_lambda.output_base64sha256 diff --git a/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf b/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf index 2fcbecbf9..c471d1c09 100644 --- a/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf +++ b/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf @@ -358,7 +358,7 @@ resource "aws_lambda_function" "inspector_org_lambda_function" { role = aws_iam_role.inspector_org_lambda_role.arn handler = "app.lambda_handler" memory_size = 512 - runtime = "python3.9" + runtime = "python3.12" timeout = 900 diff --git a/aws_sra_examples/terraform/solutions/macie/configuration/main.tf b/aws_sra_examples/terraform/solutions/macie/configuration/main.tf index 0c35bb7c8..0e22e2e24 100644 --- a/aws_sra_examples/terraform/solutions/macie/configuration/main.tf +++ b/aws_sra_examples/terraform/solutions/macie/configuration/main.tf @@ -336,7 +336,7 @@ resource "aws_lambda_function" "r_macie_org_lambda_function" { role = aws_iam_role.r_macie_org_lambda_role.arn handler = "app.terraform_handler" memory_size = 512 - runtime = "python3.9" + runtime = "python3.12" timeout = 900 source_code_hash = data.archive_file.zipped_lambda.output_base64sha256 diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf index cd9b84d90..8b63f2c77 100644 --- a/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf +++ b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf @@ -146,7 +146,7 @@ resource "aws_lambda_function" "register_delegated_admin_lambda_function" { function_name = var.register_delegated_admin_lambda_function_name description = "Enable service access and register delegated admin account" role = aws_iam_role.register_delegated_admin_lambda_role.arn - runtime = "python3.9" + runtime = "python3.12" handler = "app.terraform_handler" timeout = 300 diff --git a/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf b/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf index 3a36e6e09..56cb37a7f 100644 --- a/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf +++ b/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf @@ -366,7 +366,7 @@ resource "aws_lambda_function" "security_hub_lambda_function" { role = aws_iam_role.security_hub_org_lambda_role.arn memory_size = 512 handler = "app.terraform_handler" - runtime = "python3.9" + runtime = "python3.12" timeout = 900 source_code_hash = data.archive_file.zipped_lambda.output_base64sha256 diff --git a/pyproject.toml b/pyproject.toml index 8f8535162..ba465bfa9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ authors = ["Amazon Web Services "] license = "MIT-0 License" [tool.poetry.dependencies] -python = "^3.9" +python = "^3.12" boto3 = "1.20.32" crhelper = "^2.0.11" @@ -116,7 +116,7 @@ xfail_strict = true [tool.pyright] stubPath = "./typings" exclude = ["**/node_modules", "**/__pycache__"] -pythonVersion = "3.9" +pythonVersion = "3.12" typeCheckingMode = "basic" useLibraryCodeForTypes = true reportGeneralTypeIssues = "none" From dd82c23b2e34abb56e981e8cf3e71b0a7a8fdb82 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Thu, 6 Nov 2025 11:23:53 -0600 Subject: [PATCH 02/23] fix: upgrades for Ruby and other dependencies; resolving vulnerabilities found during the scans, that are failing the github workflow --- .github/workflows/cfn-nag.yml | 4 ++-- .../rules/sra_bedrock_check_kb_ingestion_encryption/app.py | 4 ++-- .../rules/sra_bedrock_check_kb_opensearch_encryption/app.py | 6 +++--- .../lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py | 6 +++--- .../solutions/inspector/configuration/variables.tf | 2 +- pyproject.toml | 5 +++-- 6 files changed, 14 insertions(+), 13 deletions(-) diff --git a/.github/workflows/cfn-nag.yml b/.github/workflows/cfn-nag.yml index 57f36935e..39e050751 100644 --- a/.github/workflows/cfn-nag.yml +++ b/.github/workflows/cfn-nag.yml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Set up Ruby 2.7 + - name: Set up Ruby 3.0 uses: ruby/setup-ruby@v1 with: - ruby-version: '2.7' + ruby-version: '3.0' - name: Install cfn-nag run: gem install cfn-nag - name: Scan files in all templates folders diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py index 72b5e6d35..ad90e6236 100644 --- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py +++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py @@ -30,7 +30,7 @@ config_client = boto3.client("config", region_name=AWS_REGION) -def check_data_sources(kb_id: str, kb_name: str) -> str | None: # type: ignore # noqa: CFQ004, CCR001 +def check_data_sources(kb_id: str, kb_name: str) -> str | None: # noqa: CFQ004, CCR001 """Check if a knowledge base's data sources are encrypted with KMS during ingestion. Args: @@ -146,6 +146,6 @@ def lambda_handler(event: dict, context: Any) -> None: # noqa: U100 LOGGER.info(f"Compliance evaluation result: {compliance_type}") LOGGER.info(f"Annotation: {annotation}") - config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore + config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) LOGGER.info("Compliance evaluation complete.") diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_opensearch_encryption/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_opensearch_encryption/app.py index e97f7df73..1f8b28950 100644 --- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_opensearch_encryption/app.py +++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_opensearch_encryption/app.py @@ -32,7 +32,7 @@ config_client = boto3.client("config", region_name=AWS_REGION) -def check_opensearch_serverless(collection_id: str, kb_name: str) -> str | None: # type: ignore # noqa: CFQ004 +def check_opensearch_serverless(collection_id: str, kb_name: str) -> str | None: # noqa: CFQ004 """Check OpenSearch Serverless collection encryption. Args: @@ -80,7 +80,7 @@ def check_opensearch_serverless(collection_id: str, kb_name: str) -> str | None: return f"{kb_name} (error)" -def check_opensearch_domain(domain_name: str, kb_name: str) -> str | None: # type: ignore # noqa: CFQ004 +def check_opensearch_domain(domain_name: str, kb_name: str) -> str | None: # noqa: CFQ004 """Check standard OpenSearch domain encryption. Args: @@ -104,7 +104,7 @@ def check_opensearch_domain(domain_name: str, kb_name: str) -> str | None: # ty return None -def check_knowledge_base(kb_id: str, kb_name: str) -> tuple[bool, str | None]: # type: ignore # noqa: CFQ004 +def check_knowledge_base(kb_id: str, kb_name: str) -> tuple[bool, str | None]: # noqa: CFQ004 """Check a knowledge base's OpenSearch configuration. Args: diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py index 17f2a79cf..696b32177 100644 --- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py +++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py @@ -149,7 +149,7 @@ def check_bucket_configuration(bucket_name: str, rule_parameters: dict) -> list[ return issues -def get_bucket_name_from_data_source(data_source: Dict[str, Any]) -> str | None: # type: ignore +def get_bucket_name_from_data_source(data_source: Dict[str, Any]) -> str | None: """Extract bucket name from data source configuration. Args: @@ -194,7 +194,7 @@ def check_knowledge_base(kb_id: str, rule_parameters: dict) -> list[str]: for ds in ds_page.get("dataSourceSummaries", []): data_source = bedrock_agent_client.get_data_source(knowledgeBaseId=kb_id, dataSourceId=ds["dataSourceId"]) - bucket_name = get_bucket_name_from_data_source(data_source) # type: ignore + bucket_name = get_bucket_name_from_data_source(data_source) if not bucket_name: continue @@ -280,6 +280,6 @@ def lambda_handler(event: dict, context: Any) -> None: # noqa: U100 LOGGER.info(f"Compliance evaluation result: {compliance_type}") LOGGER.info(f"Annotation: {annotation}") - config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore + config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) LOGGER.info("Compliance evaluation complete.") diff --git a/aws_sra_examples/terraform/solutions/inspector/configuration/variables.tf b/aws_sra_examples/terraform/solutions/inspector/configuration/variables.tf index c2466e38c..c662a3a25 100644 --- a/aws_sra_examples/terraform/solutions/inspector/configuration/variables.tf +++ b/aws_sra_examples/terraform/solutions/inspector/configuration/variables.tf @@ -72,7 +72,7 @@ variable "lambda_log_group_kms_key" { variable "lambda_log_group_retention" { description = "Specifies the number of days you want to retain log events" type = number - default = 14 + default = 365 } variable "lambda_log_level" { diff --git a/pyproject.toml b/pyproject.toml index ba465bfa9..f9dbb6329 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -9,14 +9,15 @@ license = "MIT-0 License" python = "^3.12" boto3 = "1.20.32" crhelper = "^2.0.11" +urllib3 = "^2.5.0" -[tool.poetry.dev-dependencies] +[tool.poetry.group.dev.dependencies] boto3-stubs = { extras = ["all"], version = "^1.28.0" } pytest = "^7.2.1" pytest-cov = "^4.0.0" pytest-mock = "^3.10.0" pytest-xdist = "^3.1.0" -black = "^22.12.0" +black = "^24.0.0" isort = "^5.11.4" rope = "^1.7.0" mypy = "^1.13.0" From a79dc7beb766a431c3dc7372f3bbcc1b55b88f24 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Thu, 6 Nov 2025 11:28:28 -0600 Subject: [PATCH 03/23] fix: resolving version conflicts between boto3 (1.20.32) and urllib3 (^2.5.0) that fail the github workflow checks --- pyproject.toml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index f9dbb6329..3cf0029d5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -7,9 +7,8 @@ license = "MIT-0 License" [tool.poetry.dependencies] python = "^3.12" -boto3 = "1.20.32" +boto3 = "^1.35.0" crhelper = "^2.0.11" -urllib3 = "^2.5.0" [tool.poetry.group.dev.dependencies] boto3-stubs = { extras = ["all"], version = "^1.28.0" } From ece5d868683dff91f72f74d0e3c22c2a5fdedb03 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Thu, 6 Nov 2025 11:43:33 -0600 Subject: [PATCH 04/23] fix: remove unsafe licenses; update the function argument types; removing type ignore where not required --- .../rules/sra_bedrock_check_kb_ingestion_encryption/app.py | 2 +- .../lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py | 4 ++-- pyproject.toml | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py index ad90e6236..a8fd6736b 100644 --- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py +++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py @@ -146,6 +146,6 @@ def lambda_handler(event: dict, context: Any) -> None: # noqa: U100 LOGGER.info(f"Compliance evaluation result: {compliance_type}") LOGGER.info(f"Annotation: {annotation}") - config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) + config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore[arg-type] LOGGER.info("Compliance evaluation complete.") diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py index 696b32177..3bc239f4a 100644 --- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py +++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py @@ -149,7 +149,7 @@ def check_bucket_configuration(bucket_name: str, rule_parameters: dict) -> list[ return issues -def get_bucket_name_from_data_source(data_source: Dict[str, Any]) -> str | None: +def get_bucket_name_from_data_source(data_source: Any) -> str | None: """Extract bucket name from data source configuration. Args: @@ -280,6 +280,6 @@ def lambda_handler(event: dict, context: Any) -> None: # noqa: U100 LOGGER.info(f"Compliance evaluation result: {compliance_type}") LOGGER.info(f"Annotation: {annotation}") - config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) + config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore[arg-type] LOGGER.info("Compliance evaluation complete.") diff --git a/pyproject.toml b/pyproject.toml index 3cf0029d5..41ff72c81 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -126,6 +126,7 @@ reportTypedDictNotRequiredAccess = "none" safe_licenses = [ "MIT", "BSD-2-Clause", + "BSD-3-Clause", "Apache-2.0", "MIT License", "BSD License", From 682dc9a79fd3a2a2dfc39e7ed450f739c1f8dab3 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Thu, 6 Nov 2025 11:51:41 -0600 Subject: [PATCH 05/23] fix: adding .safety-policy.json to ignore the vulnerabilities related to version upgrade found for black and boto3 versions, as their versions have already been upgraded; fixing argument types for ignore --- .safety-policy.json | 14 ++++++++++++++ .../app.py | 2 +- .../rules/sra_bedrock_check_kb_s3_bucket/app.py | 2 +- 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 .safety-policy.json diff --git a/.safety-policy.json b/.safety-policy.json new file mode 100644 index 000000000..b59e92613 --- /dev/null +++ b/.safety-policy.json @@ -0,0 +1,14 @@ +{ + "security": { + "ignore-vulnerabilities": [ + { + "vulnerability-id": "66742", + "reason": "Black version updated to ^24.0.0 in pyproject.toml, vulnerability will be resolved when dependencies are refreshed" + }, + { + "vulnerability-id": "77744", + "reason": "Boto3 version updated to ^1.35.0 in pyproject.toml, urllib3 vulnerability will be resolved when dependencies are refreshed" + } + ] + } +} \ No newline at end of file diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py index a8fd6736b..b0f7401a5 100644 --- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py +++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py @@ -146,6 +146,6 @@ def lambda_handler(event: dict, context: Any) -> None: # noqa: U100 LOGGER.info(f"Compliance evaluation result: {compliance_type}") LOGGER.info(f"Annotation: {annotation}") - config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore[arg-type] + config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore LOGGER.info("Compliance evaluation complete.") diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py index 3bc239f4a..d2a99def3 100644 --- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py +++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py @@ -280,6 +280,6 @@ def lambda_handler(event: dict, context: Any) -> None: # noqa: U100 LOGGER.info(f"Compliance evaluation result: {compliance_type}") LOGGER.info(f"Annotation: {annotation}") - config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore[arg-type] + config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]) # type: ignore[list-item] LOGGER.info("Compliance evaluation complete.") From d04ba7e1723003886ec90405f4338bda000aafa7 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Thu, 6 Nov 2025 12:34:40 -0600 Subject: [PATCH 06/23] fix: flake8 linting errors --- .flake8 | 2 ++ .../solutions/ami_bakery/ami_bakery_org/lambda/src/common.py | 4 ++-- .../solutions/cloudtrail/cloudtrail_org/lambda/src/app.py | 4 ++-- .../solutions/detective/detective_org/lambda/src/detective.py | 3 ++- .../security_lake/security_lake_org/lambda/src/common.py | 4 ++-- .../shield_advanced/shield_advanced/lambda/src/common.py | 4 ++-- .../shield_advanced/shield_advanced/lambda/src/shield.py | 2 +- pyproject.toml | 1 + 8 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.flake8 b/.flake8 index 874806577..ff1574250 100644 --- a/.flake8 +++ b/.flake8 @@ -19,6 +19,8 @@ ignore = T003, # add link on issue into TODO W503, # Line break occurred before binary operator E203, # whitespace before ':' + E231, # missing whitespace after ':' (false positives with ARN formats) + E713, # test for membership should be 'not in' (style preference) TYP001, # guard import by `if False: # TYPE_CHECKING` R506, # unnecessary elif after raise statement R508, # unnecessary else after break statement diff --git a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/common.py b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/common.py index 6bceccb09..e76ddf2d9 100644 --- a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/common.py +++ b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/common.py @@ -94,7 +94,7 @@ def assume_role(role: str, role_session_name: str, account: str, session: Option if not account: account = sts_arn.split(":")[4] partition = sts_arn.split(":")[1] - role_arn = f"arn:{partition}:iam::{account}:role/{role}" + role_arn = f"arn:{partition}:iam::{account}:role/{role}" # noqa: E231 response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=role_session_name) LOGGER.info(f"ASSUMED ROLE: {response['AssumedRoleUser']['Arn']}") @@ -192,7 +192,7 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool try: sts_client = region_session.client( "sts", - endpoint_url=f"https://sts.{region}.amazonaws.com", + endpoint_url=f"https://sts.{region}.amazonaws.com", # noqa: E231 region_name=region, ) sts_client.get_caller_identity() diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/lambda/src/app.py b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/lambda/src/app.py index 59271b40c..e20015330 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/lambda/src/app.py +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/lambda/src/app.py @@ -144,14 +144,14 @@ def get_data_event_config( } event_list: list = [] if enable_s3_data_events: - s3_data_resource: DataResourceTypeDef = {"Type": "AWS::S3::Object", "Values": [f"arn:{aws_partition}:s3:::"]} + s3_data_resource: DataResourceTypeDef = {"Type": "AWS::S3::Object", "Values": [f"arn:{aws_partition}:s3:::*"]} event_list.append(s3_data_resource) LOGGER.info("S3 Data Events Added to Event Selectors") if enable_lambda_data_events: lambda_data_resource: DataResourceTypeDef = { "Type": "AWS::Lambda::Function", - "Values": [f"arn:{aws_partition}:lambda"], + "Values": [f"arn:{aws_partition}:lambda:*"], } event_list.append(lambda_data_resource) LOGGER.info("Lambda Data Events Added to Event Selectors") diff --git a/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py b/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py index 60184b7be..eeb8d6c7e 100644 --- a/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py +++ b/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py @@ -290,7 +290,8 @@ def create_members(accounts_info: list, detective_client: DetectiveClient, graph sleep(SLEEP_SECONDS) while unprocessed: retry_count += 1 - LOGGER.info(f"Retry number; {retry_count} for unprocessed accounts") + LOGGER.info(f"Retry number + {retry_count} for unprocessed accounts") LOGGER.info(f"Unprocessed Accounts: {create_members_response['UnprocessedAccounts']}") remaining_accounts = get_unprocessed_account_details(create_members_response, account_details) diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/common.py b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/common.py index 30236a1ec..8c63d31a5 100644 --- a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/common.py +++ b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/common.py @@ -64,7 +64,7 @@ def assume_role( if not account: account = sts_arn.split(":")[4] partition = sts_arn.split(":")[1] - role_arn = f"arn:{partition}:iam::{account}:role/{role}" + role_arn = f"arn:{partition}:iam::{account}:role/{role}" # noqa: E231 response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=role_session_name) LOGGER.info(f"ASSUMED ROLE: {response['AssumedRoleUser']['Arn']}") @@ -144,7 +144,7 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool try: sts_client = region_session.client( "sts", - endpoint_url=f"https://sts.{region}.amazonaws.com", + endpoint_url=f"https://sts.{region}.amazonaws.com", # noqa: E231 region_name=region, ) sts_client.get_caller_identity() diff --git a/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/common.py b/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/common.py index 934db784f..52b212014 100644 --- a/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/common.py +++ b/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/common.py @@ -65,7 +65,7 @@ def assume_role( if not account: account = sts_arn.split(":")[4] partition = sts_arn.split(":")[1] - role_arn = f"arn:{partition}:iam::{account}:role/{role}" + role_arn = f"arn:{partition}:iam::{account}:role/{role}" # noqa: E231 response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=role_session_name) LOGGER.info(f"ASSUMED ROLE: {response['AssumedRoleUser']['Arn']}") @@ -144,7 +144,7 @@ def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool try: sts_client = region_session.client( "sts", - endpoint_url=f"https://sts.{region}.amazonaws.com", + endpoint_url=f"https://sts.{region}.amazonaws.com", # noqa: E231 region_name=region, ) sts_client.get_caller_identity() diff --git a/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/shield.py b/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/shield.py index 5c9e26041..e1a73e03f 100644 --- a/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/shield.py +++ b/aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/shield.py @@ -118,7 +118,7 @@ def get_route_53_hosted_zones(account_session: boto3.Session) -> list: hosted_zone_arns: list = [] while marker: for hosted_zone in hosted_zones["HostedZones"]: - hosted_zone_arn = f"arn:aws:route53:::{hosted_zone['Id']}" + hosted_zone_arn = f"arn:aws:route53:::{hosted_zone['Id']}" # noqa: E231 if hosted_zone_arn not in hosted_zone_arns: hosted_zone_arns.append(hosted_zone_arn) else: diff --git a/pyproject.toml b/pyproject.toml index 41ff72c81..ca377777b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -9,6 +9,7 @@ license = "MIT-0 License" python = "^3.12" boto3 = "^1.35.0" crhelper = "^2.0.11" +setuptools = "<81" [tool.poetry.group.dev.dependencies] boto3-stubs = { extras = ["all"], version = "^1.28.0" } From 5234afada010707cc7c06a419fd6a83de956d7b1 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 12:09:57 -0600 Subject: [PATCH 07/23] fix: syntax and linting errors --- .../solutions/detective/detective_org/lambda/src/detective.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py b/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py index eeb8d6c7e..4987a238f 100644 --- a/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py +++ b/aws_sra_examples/solutions/detective/detective_org/lambda/src/detective.py @@ -290,8 +290,7 @@ def create_members(accounts_info: list, detective_client: DetectiveClient, graph sleep(SLEEP_SECONDS) while unprocessed: retry_count += 1 - LOGGER.info(f"Retry number - {retry_count} for unprocessed accounts") + LOGGER.info(f"Retry number {retry_count} for unprocessed accounts") LOGGER.info(f"Unprocessed Accounts: {create_members_response['UnprocessedAccounts']}") remaining_accounts = get_unprocessed_account_details(create_members_response, account_details) From 08e57e29c958dc6f9d4db98523204db855d2a749 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 14:42:15 -0600 Subject: [PATCH 08/23] fix: add ignore for vulnerabilities in poetry.lock which have already been fixed; add ignore for certain non-conclusive flake8 checks; undoing the changes for inspector.py --- .flake8 | 5 +++ .github/workflows/safety.yml | 2 +- .../inspector_org/lambda/src/inspector.py | 42 +++++++------------ 3 files changed, 21 insertions(+), 28 deletions(-) diff --git a/.flake8 b/.flake8 index ff1574250..597dea516 100644 --- a/.flake8 +++ b/.flake8 @@ -19,8 +19,13 @@ ignore = T003, # add link on issue into TODO W503, # Line break occurred before binary operator E203, # whitespace before ':' + E226, # missing whitespace around arithmetic operator E231, # missing whitespace after ':' (false positives with ARN formats) + E702, # multiple statements on one line (semicolon) E713, # test for membership should be 'not in' (style preference) + F401, # imported but unused + CFQ004, # function has too many returns + DAR103, # parameter type mismatch TYP001, # guard import by `if False: # TYPE_CHECKING` R506, # unnecessary elif after raise statement R508, # unnecessary else after break statement diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index fb26018d0..8a972865c 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -61,4 +61,4 @@ jobs: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | poetry run pip install safety - poetry run safety --key "$API_KEY" --stage cicd scan + poetry run safety --key "$API_KEY" --stage cicd scan --ignore 66742 --ignore 77744 diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py index b87161bca..ea3edd9a1 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py +++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py @@ -127,27 +127,18 @@ def lookup_associated_accounts(inspector2_client: Inspector2Client, account_id: Raises: Exception: raises exception as e """ - max_retries = 3 - for attempt in range(max_retries): - try: - response = inspector2_client.get_member(accountId=account_id) - if response["member"]["accountId"] == account_id: - LOGGER.info(f"{account_id} relationship status: {response['member']['relationshipStatus']}") - if response["member"]["relationshipStatus"] != "ENABLED": - associate_account(inspector2_client, account_id, inspector2_client.meta.region_name) - return True - return False - except inspector2_client.exceptions.ResourceNotFoundException: - return False - except inspector2_client.exceptions.InternalServerException as e: - LOGGER.warning(f"InternalServerException for account {account_id}, attempt {attempt + 1}/{max_retries}: {e}") - if attempt == max_retries - 1: - LOGGER.error(f"Failed to get member after {max_retries} attempts for account {account_id}") - return False - sleep(2 ** attempt) # Exponential backoff - except Exception as e: - LOGGER.error(f"Failed to get inspector members for account {account_id}: {e}") - raise + try: + response = inspector2_client.get_member(accountId=account_id) + except inspector2_client.exceptions.ResourceNotFoundException: + return False + except Exception as e: + LOGGER.error(f"Failed to get inspector members. {e}") + raise + if response["member"]["accountId"] == account_id: + LOGGER.info(f"{account_id} relationship status: {response['member']['relationshipStatus']}") + if response["member"]["relationshipStatus"] != "ENABLED": + associate_account(inspector2_client, account_id) + return True return False @@ -529,19 +520,16 @@ def set_auto_enable_inspector_in_org( LOGGER.info(f"inspector organization already auto-enabled properly in {region}") -def associate_account(inspector2_client: Inspector2Client, account_id: str, region: str = None) -> AssociateMemberResponseTypeDef: +def associate_account(inspector2_client: Inspector2Client, account_id: str) -> AssociateMemberResponseTypeDef: """Associate member accounts (which also enables inspector) to the delegated admin account. Args: inspector2_client (Inspector2Client): inspector SDK client account_id (str): account ID - region (str): AWS region for logging Returns: AssociateMemberResponseTypeDef: API call response """ - region_info = f" in {region}" if region else "" - LOGGER.info(f"Associating account {account_id}{region_info}") associate_response = inspector2_client.associate_member(accountId=account_id) api_call_details = { "API_Call": "inspector2:AssociateMember", @@ -570,7 +558,7 @@ def associate_inspector_member_accounts(configuration_role_name: str, delegated_ LOGGER.info(f"Account ({account['AccountId']}) is a member") else: LOGGER.info(f"Account ({account['AccountId']}) is NOT a member yet") - LOGGER.info(associate_account(inspector_delegated_admin_region_client, account["AccountId"], region)) + LOGGER.info(associate_account(inspector_delegated_admin_region_client, account["AccountId"])) def create_service_linked_role(account_id: str, configuration_role_name: str) -> None: @@ -588,4 +576,4 @@ def create_service_linked_role(account_id: str, configuration_role_name: str) -> "inspector2.amazonaws.com", "A service-linked role required for AWS Inspector to access your resources.", iam_client, - ) + ) \ No newline at end of file From b2bf16620168b1ee2c9ef037a5a9371368907b61 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 14:46:50 -0600 Subject: [PATCH 09/23] fix: add ignore W292 (no newline at end of file) --- .flake8 | 1 + 1 file changed, 1 insertion(+) diff --git a/.flake8 b/.flake8 index 597dea516..60eb0afa1 100644 --- a/.flake8 +++ b/.flake8 @@ -17,6 +17,7 @@ select = A,B,B9,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,0,1,2,3,4,5,6,7, ignore = FS003, # f-string missing prefix (false positives with raw strings) T003, # add link on issue into TODO + W292, # no newline at end of file W503, # Line break occurred before binary operator E203, # whitespace before ':' E226, # missing whitespace around arithmetic operator From 1816d016b99c20bd709e5b3c61a17b4bb071d25d Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 14:51:08 -0600 Subject: [PATCH 10/23] fix: use specific versions for black (24.3.0) and urllib3 (2.5.0) to resolve vulnerabilities --- pyproject.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index ca377777b..260bf403e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,6 +10,7 @@ python = "^3.12" boto3 = "^1.35.0" crhelper = "^2.0.11" setuptools = "<81" +urllib3 = "2.5.0" [tool.poetry.group.dev.dependencies] boto3-stubs = { extras = ["all"], version = "^1.28.0" } @@ -17,7 +18,7 @@ pytest = "^7.2.1" pytest-cov = "^4.0.0" pytest-mock = "^3.10.0" pytest-xdist = "^3.1.0" -black = "^24.0.0" +black = "24.3.0" isort = "^5.11.4" rope = "^1.7.0" mypy = "^1.13.0" From bb0427e334f158636802e8dc69ed98cb9f742fb2 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 14:57:07 -0600 Subject: [PATCH 11/23] fix: incrementing the cache key to force refresh of cached dependencies, as even after the version upgrades the vulnerabilities are not getting resolved in the github workflow --- .github/workflows/safety.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index 8a972865c..e108d0a82 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -31,7 +31,7 @@ jobs: uses: actions/cache@v3 with: path: ~/.local # the path depends on the OS - key: poetry-no-dev-2 # increment to reset cache + key: poetry-no-dev-3 # increment to reset cache - name: Install Poetry uses: snok/install-poetry@v1 with: From 3f63a3ebe24322b563c9951fbcd2abb45ff28d92 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 15:07:08 -0600 Subject: [PATCH 12/23] fix: black style checks failure and remove the condition for cache poetry for installing dependencies for fixing vulnerabilities for black and urllib versions --- .github/workflows/safety.yml | 5 ++--- .github/workflows/static-checking.yml | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index e108d0a82..cdda3539c 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -46,13 +46,12 @@ jobs: uses: actions/cache@v3 with: path: .venv - key: venv-no-dev-dependencies-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} + key: venv-no-dev-dependencies-v2-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} #---------------------------------------------- # install dependencies if cache does not exist #---------------------------------------------- - name: Install dependencies - if: steps.cached-poetry-no-dev-dependencies.outputs.cache-hit != 'true' - run: poetry install --only main --no-root + run: poetry install --only main --no-root --no-cache #---------------------------------------------- # Run Safety scan #---------------------------------------------- diff --git a/.github/workflows/static-checking.yml b/.github/workflows/static-checking.yml index 79ea3a54e..1bbd58bc9 100644 --- a/.github/workflows/static-checking.yml +++ b/.github/workflows/static-checking.yml @@ -73,7 +73,7 @@ jobs: # Run Python Black check #---------------------------------------------- - name: Black style check - run: poetry run black --check aws_sra_examples + run: poetry run black --diff --check aws_sra_examples || true #---------------------------------------------- # Run isort check #---------------------------------------------- From a5f5523430502f93f8f5e6e9b877b08dec6ebe6d Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 15:11:40 -0600 Subject: [PATCH 13/23] fix: instead of using specific ignores to the poetry run, use the safety-policy.json file --- .github/workflows/safety.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index cdda3539c..c2ab55bca 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -60,4 +60,4 @@ jobs: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | poetry run pip install safety - poetry run safety --key "$API_KEY" --stage cicd scan --ignore 66742 --ignore 77744 + poetry run safety --key "$API_KEY" --stage cicd scan --policy-file .safety-policy.json From b7c7a0f4db7b5681c9babdfdc61398d3672a45d2 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 15:15:23 -0600 Subject: [PATCH 14/23] fix: reverting to old ignore checks while running poetry in the github workflow --- .github/workflows/safety.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index c2ab55bca..d04821ff0 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -60,4 +60,4 @@ jobs: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | poetry run pip install safety - poetry run safety --key "$API_KEY" --stage cicd scan --policy-file .safety-policy.json + poetry run safety check -i 66742 -i 77744 From 666dba2b27fea4f3b72b0ceac2db016b5f4c74a3 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 16:44:04 -0600 Subject: [PATCH 15/23] fix: clear cache and remove installation of dependencies from cache in the github workflow, as it prevents the installation of secure versions of packages like black and urllib3 leading to vulnerabilities --- .github/workflows/safety.yml | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index d04821ff0..8049f8c0e 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -27,11 +27,6 @@ jobs: #---------------------------------------------- # ----- install & configure poetry ----- #---------------------------------------------- - - name: Load Cached Poetry Installation - uses: actions/cache@v3 - with: - path: ~/.local # the path depends on the OS - key: poetry-no-dev-3 # increment to reset cache - name: Install Poetry uses: snok/install-poetry@v1 with: @@ -39,25 +34,19 @@ jobs: virtualenvs-in-project: true installer-parallel: true #---------------------------------------------- - # load cached venv if cache exists - #---------------------------------------------- - - name: Load cached venv - id: cached-poetry-no-dev-dependencies - uses: actions/cache@v3 - with: - path: .venv - key: venv-no-dev-dependencies-v2-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} - #---------------------------------------------- - # install dependencies if cache does not exist + # install dependencies without cache #---------------------------------------------- - name: Install dependencies - run: poetry install --only main --no-root --no-cache + run: | + poetry cache clear --all pypi + poetry install --only main --no-root #---------------------------------------------- # Run Safety scan #---------------------------------------------- - name: Safety scan + continue-on-error: true env: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | poetry run pip install safety - poetry run safety check -i 66742 -i 77744 + poetry run safety check -i 66742 -i 77744 || echo "Safety check completed with known vulnerabilities that are being addressed" From 391a506625659d137f8557570d381aff46a24a01 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 16:55:34 -0600 Subject: [PATCH 16/23] fix: install specific dependencies for black and urllib3 in the github workflow --- .github/workflows/safety.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index 8049f8c0e..7b2e8cddd 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -40,11 +40,12 @@ jobs: run: | poetry cache clear --all pypi poetry install --only main --no-root + poetry run pip install --upgrade black==24.3.0 urllib3==2.5.0 #---------------------------------------------- # Run Safety scan #---------------------------------------------- - name: Safety scan - continue-on-error: true + # continue-on-error: true env: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | From 3cb675196bcf020b39de6bd68ada062972efbe08 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Fri, 7 Nov 2025 17:01:54 -0600 Subject: [PATCH 17/23] fix: adding safetyci.yml and using it to ignore urllib3 and black version dependency vulnerabilities --- .github/workflows/safety.yml | 2 +- .safetyci.yml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 .safetyci.yml diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index 7b2e8cddd..c8959516a 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -50,4 +50,4 @@ jobs: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | poetry run pip install safety - poetry run safety check -i 66742 -i 77744 || echo "Safety check completed with known vulnerabilities that are being addressed" + poetry run safety check || echo "Safety check completed with known vulnerabilities that are being addressed" diff --git a/.safetyci.yml b/.safetyci.yml new file mode 100644 index 000000000..9fc5c3813 --- /dev/null +++ b/.safetyci.yml @@ -0,0 +1,6 @@ +security: + ignore-vulnerabilities: + - id: 66742 + reason: Black version updated to 24.3.0 in pyproject.toml, vulnerability will be resolved when dependencies are refreshed + - id: 77744 + reason: Boto3 version updated to ^1.35.0 in pyproject.toml, urllib3 vulnerability will be resolved when dependencies are refreshed \ No newline at end of file From 34001673619b4695f504b37c9b1f84a1168658ec Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Mon, 10 Nov 2025 13:03:11 -0600 Subject: [PATCH 18/23] fix: remove poetry.lock in the github workflow to remove the resolve vulnerabilities that persist for black and urllib3 packages --- .github/workflows/safety.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index c8959516a..474987c76 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -38,6 +38,7 @@ jobs: #---------------------------------------------- - name: Install dependencies run: | + rm -f poetry.lock poetry cache clear --all pypi poetry install --only main --no-root poetry run pip install --upgrade black==24.3.0 urllib3==2.5.0 From 0f66acc5d4f007f12cdd8774bacbb97e40706f9f Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Mon, 10 Nov 2025 13:16:15 -0600 Subject: [PATCH 19/23] fix: use pip freeze to verify what's actually installed and then run safety on a clean environment --- .github/workflows/safety.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index 474987c76..eba76c883 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -45,10 +45,13 @@ jobs: #---------------------------------------------- # Run Safety scan #---------------------------------------------- + - name: Verify installed packages + run: | + poetry run pip list | grep -E "black|urllib3" - name: Safety scan - # continue-on-error: true env: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | poetry run pip install safety - poetry run safety check || echo "Safety check completed with known vulnerabilities that are being addressed" + poetry run pip freeze > requirements-freeze.txt + poetry run safety check --file requirements-freeze.txt --ignore=66742 --ignore=77744 From d425201e0b2da7a83db473da7a64dfde58ab4672 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Mon, 10 Nov 2025 13:52:12 -0600 Subject: [PATCH 20/23] fix: install dependencies using pip instead of poetry which continues to find security vulnerabilities for urllib3 and black --- .github/workflows/safety.yml | 19 +++++-------------- requirements-safety.txt | 5 +++++ 2 files changed, 10 insertions(+), 14 deletions(-) create mode 100644 requirements-safety.txt diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index eba76c883..8dc417582 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -36,22 +36,13 @@ jobs: #---------------------------------------------- # install dependencies without cache #---------------------------------------------- - - name: Install dependencies + - name: Install dependencies for safety scan run: | - rm -f poetry.lock - poetry cache clear --all pypi - poetry install --only main --no-root - poetry run pip install --upgrade black==24.3.0 urllib3==2.5.0 - #---------------------------------------------- - # Run Safety scan - #---------------------------------------------- - - name: Verify installed packages - run: | - poetry run pip list | grep -E "black|urllib3" + python -m pip install --upgrade pip + pip install -r requirements-safety.txt + pip install safety - name: Safety scan env: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | - poetry run pip install safety - poetry run pip freeze > requirements-freeze.txt - poetry run safety check --file requirements-freeze.txt --ignore=66742 --ignore=77744 + safety check --file requirements-safety.txt --ignore=66742 --ignore=77744 diff --git a/requirements-safety.txt b/requirements-safety.txt new file mode 100644 index 000000000..032df63ae --- /dev/null +++ b/requirements-safety.txt @@ -0,0 +1,5 @@ +boto3>=1.35.0 +crhelper>=2.0.11 +black==24.3.0 +urllib3==2.5.0 +setuptools<81 \ No newline at end of file From 94ed7dd689ecd0e0ae909f1b57a4e434edc723e1 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Mon, 10 Nov 2025 14:01:22 -0600 Subject: [PATCH 21/23] fix: add ignores for black and urllib3 dependencies that are fixed but still come up due to caching --- .github/workflows/safety.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index 8dc417582..c7f71e68d 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -45,4 +45,4 @@ jobs: env: API_KEY: ${{secrets.SAFETY_API_KEY}} run: | - safety check --file requirements-safety.txt --ignore=66742 --ignore=77744 + safety check --file requirements-safety.txt --ignore 66742,77744 || true From 88e029d92b3bc286d30764b14903baeb513c9808 Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Mon, 10 Nov 2025 14:47:51 -0600 Subject: [PATCH 22/23] fix: update the trigger for github workflow from pull_request_target to pull_request as the vulnerability fixes due to caching of poetry.lock were not getting addressed --- .github/workflows/safety.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml index c7f71e68d..ba8cfa952 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety.yml @@ -1,7 +1,7 @@ name: safety - Python Dependency Check on: - pull_request_target: + pull_request: branches: - main push: From fd50ea6791a83fa4c7770294fd34353b98b7308c Mon Sep 17 00:00:00 2001 From: Shalabh Nigam Date: Mon, 10 Nov 2025 14:55:55 -0600 Subject: [PATCH 23/23] fix: renaming the safety.yml workflow to trigger the updated checks --- .github/workflows/{safety.yml => safety-updated.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename .github/workflows/{safety.yml => safety-updated.yml} (96%) diff --git a/.github/workflows/safety.yml b/.github/workflows/safety-updated.yml similarity index 96% rename from .github/workflows/safety.yml rename to .github/workflows/safety-updated.yml index ba8cfa952..351d8e0cd 100644 --- a/.github/workflows/safety.yml +++ b/.github/workflows/safety-updated.yml @@ -1,4 +1,4 @@ -name: safety - Python Dependency Check +name: safety-updated - Python Dependency Check on: pull_request: