updating for flake8 and mypy errors

Author: cyphronix

aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_ingestion_encryption/app.py

@@ -28,7 +28,43 @@
 bedrock_agent_client = boto3.client("bedrock-agent", region_name=AWS_REGION)
 config_client = boto3.client("config", region_name=AWS_REGION)
 
-def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
+
+def check_data_sources(kb_id: str, kb_name: str) -> str | None:  # noqa: CFQ004
+    """Check if a knowledge base's data sources are encrypted.
+
+    Args:
+        kb_id (str): Knowledge base ID
+        kb_name (str): Knowledge base name
+
+    Raises:
+        ClientError: If there is an error checking the knowledge base
+
+    Returns:
+        str | None: Error message if non-compliant, None if compliant
+    """
+    try:
+        data_sources = bedrock_agent_client.list_data_sources(knowledgeBaseId=kb_id)
+        if not isinstance(data_sources, dict):
+            return f"{kb_name} (invalid data sources response)"
+        unencrypted_sources = []
+        for source in data_sources.get("dataSourceSummaries", []):
+            if not isinstance(source, dict):
+                continue
+            encryption_config = source.get("serverSideEncryptionConfiguration", {})
+            if not isinstance(encryption_config, dict) or not encryption_config.get("kmsKeyArn"):
+                unencrypted_sources.append(source.get("name", source["dataSourceId"]))
+
+        if unencrypted_sources:
+            return f"{kb_name} (unencrypted sources: {', '.join(unencrypted_sources)})"
+        return None
+    except ClientError as e:
+        LOGGER.error(f"Error checking data sources for knowledge base {kb_name}: {str(e)}")
+        if e.response["Error"]["Code"] == "AccessDeniedException":
+            return f"{kb_name} (access denied)"
+        raise
+
+
+def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:  # noqa: U100
     """Evaluate if Bedrock Knowledge Base data sources are encrypted with KMS.
 
     Args:
@@ -38,36 +74,16 @@ def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
         tuple[str, str]: Compliance type and annotation message.
     """
     try:
-        # List all knowledge bases
         non_compliant_kbs = []
         paginator = bedrock_agent_client.get_paginator("list_knowledge_bases")
-        
+
         for page in paginator.paginate():
             for kb in page["knowledgeBaseSummaries"]:
                 kb_id = kb["knowledgeBaseId"]
                 kb_name = kb.get("name", kb_id)
-                
-                # Get data sources for each knowledge base
-                try:
-                    data_sources = bedrock_agent_client.list_data_sources(
-                        knowledgeBaseId=kb_id
-                    )
-                    
-                    # Check if any data source is not encrypted
-                    unencrypted_sources = []
-                    for source in data_sources.get("dataSourceSummaries", []):
-                        if not source.get("serverSideEncryptionConfiguration", {}).get("kmsKeyArn"):
-                            unencrypted_sources.append(source.get("name", source["dataSourceId"]))
-                    
-                    if unencrypted_sources:
-                        non_compliant_kbs.append(f"{kb_name} (unencrypted sources: {', '.join(unencrypted_sources)})")
-                
-                except ClientError as e:
-                    LOGGER.error(f"Error checking data sources for knowledge base {kb_name}: {str(e)}")
-                    if e.response["Error"]["Code"] == "AccessDeniedException":
-                        non_compliant_kbs.append(f"{kb_name} (access denied)")
-                    else:
-                        raise
+                error = check_data_sources(kb_id, kb_name)
+                if error:
+                    non_compliant_kbs.append(error)
 
         if non_compliant_kbs:
             return "NON_COMPLIANT", f"The following knowledge bases have unencrypted data sources: {'; '.join(non_compliant_kbs)}"
@@ -77,6 +93,7 @@ def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
         LOGGER.error(f"Error evaluating Bedrock Knowledge Base encryption: {str(e)}")
         return "ERROR", f"Error evaluating compliance: {str(e)}"
 
+
 def lambda_handler(event: dict, context: Any) -> None:  # noqa: U100
     """Lambda handler.
 
@@ -105,4 +122,4 @@ def lambda_handler(event: dict, context: Any) -> None:  # noqa: U100
 
     config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])  # type: ignore
 
-    LOGGER.info("Compliance evaluation complete.") 
+    LOGGER.info("Compliance evaluation complete.")

aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_logging/app.py

@@ -29,12 +29,15 @@
 config_client = boto3.client("config", region_name=AWS_REGION)
 
 
-def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
+def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:  # noqa: CFQ004, U100
     """Evaluate if Bedrock Knowledge Base logging is properly configured.
 
     Args:
         rule_parameters (dict): Rule parameters from AWS Config rule.
 
+    Raises:
+        ClientError: If there is an error checking the knowledge base
+
     Returns:
         tuple[str, str]: Compliance type and annotation message.
     """
@@ -49,20 +52,20 @@ def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
             return "COMPLIANT", "No knowledge bases found in the account"
 
         non_compliant_kbs = []
-        
+
         # Check each knowledge base for logging configuration
         for kb in kb_list:
             kb_id = kb['knowledgeBaseId']
             try:
                 kb_details = bedrock_agent_client.get_knowledge_base(
                     knowledgeBaseId=kb_id
                 )
-                
+
                 # Check if logging is enabled
                 logging_config = kb_details.get('loggingConfiguration', {})
-                if not logging_config or not logging_config.get('enabled', False):
+                if not isinstance(logging_config, dict) or not logging_config.get('enabled', False):
                     non_compliant_kbs.append(f"{kb_id} ({kb.get('name', 'unnamed')})")
-                    
+
             except ClientError as e:
                 LOGGER.error(f"Error checking knowledge base {kb_id}: {str(e)}")
                 if e.response['Error']['Code'] == 'AccessDeniedException':
@@ -107,4 +110,4 @@ def lambda_handler(event: dict, context: Any) -> None:  # noqa: U100
 
     config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])  # type: ignore
 
-    LOGGER.info("Compliance evaluation complete.") 
+    LOGGER.info("Compliance evaluation complete.")

aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_opensearch_encryption/app.py

@@ -27,9 +27,107 @@
 # Initialize AWS clients
 bedrock_agent_client = boto3.client("bedrock-agent", region_name=AWS_REGION)
 opensearch_client = boto3.client("opensearch", region_name=AWS_REGION)
+opensearch_serverless_client = boto3.client("opensearchserverless", region_name=AWS_REGION)
 config_client = boto3.client("config", region_name=AWS_REGION)
 
-def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
+
+def check_opensearch_serverless(collection_id: str, kb_name: str) -> str | None:
+    """Check OpenSearch Serverless collection encryption.
+
+    Args:
+        collection_id (str): Collection ID
+        kb_name (str): Knowledge base name
+
+    Returns:
+        str | None: Error message if non-compliant, None if compliant
+    """
+    try:
+        collection = opensearch_serverless_client.get_security_policy(
+            name=collection_id,
+            type="encryption"
+        )
+        security_policy = collection.get("securityPolicyDetail", {})
+        if security_policy.get("Type") == "encryption":
+            security_policies = security_policy.get("SecurityPolicies", [])
+            if isinstance(security_policies, list) and security_policies:
+                encryption_policy = security_policies[0]
+                kms_key_arn = encryption_policy.get("KmsARN", "")
+                if not kms_key_arn or "aws/opensearchserverless" in kms_key_arn:
+                    return f"{kb_name} (OpenSearch Serverless not using CMK)"
+    except ClientError as e:
+        LOGGER.error(f"Error checking OpenSearch Serverless collection: {str(e)}")
+        return f"{kb_name} (error checking OpenSearch Serverless)"
+    return None
+
+
+def check_opensearch_domain(domain_name: str, kb_name: str) -> str | None:  # noqa: CFQ004
+    """Check standard OpenSearch domain encryption.
+
+    Args:
+        domain_name (str): Domain name
+        kb_name (str): Knowledge base name
+
+    Returns:
+        str | None: Error message if non-compliant, None if compliant
+    """
+    try:
+        domain = opensearch_client.describe_domain(DomainName=domain_name)
+        encryption_config = domain.get("DomainStatus", {}).get("EncryptionAtRestOptions", {})
+        if not encryption_config.get("Enabled", False):
+            return f"{kb_name} (OpenSearch domain encryption not enabled)"
+        if not encryption_config.get("KmsKeyId"):
+            return f"{kb_name} (OpenSearch domain not using CMK)"
+    except ClientError as e:
+        LOGGER.error(f"Error checking OpenSearch domain: {str(e)}")
+        return f"{kb_name} (error checking OpenSearch domain)"
+    return None
+
+
+def check_knowledge_base(kb_id: str, kb_name: str) -> str | None:  # noqa: CFQ004
+    """Check a knowledge base's OpenSearch configuration.
+
+    Args:
+        kb_id (str): Knowledge base ID
+        kb_name (str): Knowledge base name
+
+    Raises:
+        ClientError: If there is an error checking the knowledge base
+
+    Returns:
+        str | None: Error message if non-compliant, None if compliant
+    """
+    try:
+        kb_details = bedrock_agent_client.get_knowledge_base(knowledgeBaseId=kb_id)
+        vector_store = kb_details.get("vectorStoreConfiguration")
+
+        if not vector_store or not isinstance(vector_store, dict):
+            return None
+
+        if vector_store.get("vectorStoreType") != "OPENSEARCH":
+            return None
+
+        opensearch_config = vector_store.get("opensearchServerlessConfiguration") or vector_store.get("opensearchConfiguration")
+        if not opensearch_config:
+            return f"{kb_name} (missing OpenSearch configuration)"
+
+        if "collectionArn" in opensearch_config:
+            collection_id = opensearch_config["collectionArn"].split("/")[-1]
+            return check_opensearch_serverless(collection_id, kb_name)
+
+        domain_endpoint = opensearch_config.get("endpoint", "")
+        if not domain_endpoint:
+            return f"{kb_name} (missing OpenSearch domain endpoint)"
+        domain_name = domain_endpoint.split(".")[0]
+        return check_opensearch_domain(domain_name, kb_name)
+
+    except ClientError as e:
+        LOGGER.error(f"Error checking knowledge base {kb_id}: {str(e)}")
+        if e.response["Error"]["Code"] == "AccessDeniedException":
+            return f"{kb_name} (access denied)"
+        raise
+
+
+def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:  # noqa: U100
     """Evaluate if Bedrock Knowledge Base OpenSearch vector stores are encrypted with KMS CMK.
 
     Args:
@@ -41,85 +139,28 @@ def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
     try:
         non_compliant_kbs = []
         paginator = bedrock_agent_client.get_paginator("list_knowledge_bases")
-        
+
         for page in paginator.paginate():
             for kb in page["knowledgeBaseSummaries"]:
                 kb_id = kb["knowledgeBaseId"]
                 kb_name = kb.get("name", kb_id)
-                
-                try:
-                    # Get knowledge base details
-                    kb_details = bedrock_agent_client.get_knowledge_base(knowledgeBaseId=kb_id)
-                    vector_store = kb_details.get("vectorStoreConfiguration")
-                    
-                    if vector_store and vector_store.get("vectorStoreType") == "OPENSEARCH":
-                        # Extract OpenSearch domain information
-                        opensearch_config = vector_store.get("opensearchServerlessConfiguration") or vector_store.get("opensearchConfiguration")
-                        
-                        if not opensearch_config:
-                            non_compliant_kbs.append(f"{kb_name} (missing OpenSearch configuration)")
-                            continue
-                            
-                        # Check if it's OpenSearch Serverless or standard OpenSearch
-                        if "collectionArn" in opensearch_config:
-                            # OpenSearch Serverless - always encrypted with AWS owned key at minimum
-                            collection_id = opensearch_config["collectionArn"].split("/")[-1]
-                            try:
-                                collection = opensearch_client.get_security_policy(
-                                    Name=collection_id,
-                                    Type="encryption"
-                                )
-                                # Check if using customer managed key
-                                security_policy = collection.get("securityPolicyDetail", {})
-                                if security_policy.get("Type") == "encryption":
-                                    encryption_policy = security_policy.get("SecurityPolicies", [])[0]
-                                    kms_key_arn = encryption_policy.get("KmsARN", "")
-                                    
-                                    # If not using customer managed key
-                                    if not kms_key_arn or "aws/opensearchserverless" in kms_key_arn:
-                                        non_compliant_kbs.append(f"{kb_name} (OpenSearch Serverless not using CMK)")
-                            except ClientError as e:
-                                LOGGER.error(f"Error checking OpenSearch Serverless collection: {str(e)}")
-                                non_compliant_kbs.append(f"{kb_name} (error checking OpenSearch Serverless)")
-                        else:
-                            # Standard OpenSearch
-                            domain_endpoint = opensearch_config.get("endpoint", "")
-                            if not domain_endpoint:
-                                non_compliant_kbs.append(f"{kb_name} (missing OpenSearch domain endpoint)")
-                                continue
-                                
-                            # Extract domain name from endpoint
-                            domain_name = domain_endpoint.split(".")[0]
-                            
-                            try:
-                                domain = opensearch_client.describe_domain(DomainName=domain_name)
-                                encryption_config = domain.get("DomainStatus", {}).get("EncryptionAtRestOptions", {})
-                                
-                                # Check if encryption is enabled and using CMK
-                                if not encryption_config.get("Enabled", False):
-                                    non_compliant_kbs.append(f"{kb_name} (OpenSearch domain encryption not enabled)")
-                                elif not encryption_config.get("KmsKeyId"):
-                                    non_compliant_kbs.append(f"{kb_name} (OpenSearch domain not using CMK)")
-                            except ClientError as e:
-                                LOGGER.error(f"Error checking OpenSearch domain: {str(e)}")
-                                non_compliant_kbs.append(f"{kb_name} (error checking OpenSearch domain)")
-                
-                except ClientError as e:
-                    LOGGER.error(f"Error checking knowledge base {kb_id}: {str(e)}")
-                    if e.response["Error"]["Code"] == "AccessDeniedException":
-                        non_compliant_kbs.append(f"{kb_name} (access denied)")
-                    else:
-                        raise
+                error = check_knowledge_base(kb_id, kb_name)
+                if error:
+                    non_compliant_kbs.append(error)
 
         if non_compliant_kbs:
-            return "NON_COMPLIANT", f"The following knowledge bases have OpenSearch vector stores not encrypted with CMK: {'; '.join(non_compliant_kbs)}"
+            return "NON_COMPLIANT", (
+                "The following knowledge bases have OpenSearch vector stores not encrypted with CMK: "
+                + f"{'; '.join(non_compliant_kbs)}"
+            )
         return "COMPLIANT", "All knowledge base OpenSearch vector stores are encrypted with KMS CMK"
 
     except Exception as e:
         LOGGER.error(f"Error evaluating Bedrock Knowledge Base OpenSearch encryption: {str(e)}")
         return "ERROR", f"Error evaluating compliance: {str(e)}"
 
-def lambda_handler(event: dict, context: Any) -> None:
+
+def lambda_handler(event: dict, context: Any) -> None:  # noqa: U100
     """Lambda handler.
 
     Args:
@@ -145,6 +186,6 @@ def lambda_handler(event: dict, context: Any) -> None:
     LOGGER.info(f"Compliance evaluation result: {compliance_type}")
     LOGGER.info(f"Annotation: {annotation}")
 
-    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
+    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])  # type: ignore
 
-    LOGGER.info("Compliance evaluation complete.") 
+    LOGGER.info("Compliance evaluation complete.")