in packages/utilities/iam-role-helper/lib/rolehelper.ts [130:301]
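/**
 * Creates the custom-resource Provider that resolves IAM roles at deploy time.
 *
 * Builds, in order:
 *  1. an execution role for the handler plus a managed policy that grants only
 *     `iam:ListRoles` (that action has no resource-level permissions, hence `*`);
 *  2. the Python handler (`resolve_role.lambda_handler`) running under that role;
 *  3. a second execution role and the CDK `Provider` framework function that
 *     fronts the handler.
 *
 * cdk-nag suppressions for the DLQ, VPC and reserved-concurrency checks are
 * attached to both Lambda functions with the same justification; the
 * inline-policy check is suppressed on the provider role because the Provider
 * framework attaches that policy itself.
 *
 * @returns the Provider backing the role-resolution custom resource.
 */
private createResolveRoleProvider(): Provider {
  // Justifications shared by the handler and the framework function: both run
  // only while the stack deploys and touch nothing but IAM (the framework
  // function merely invokes the handler), so DLQ, VPC placement and reserved
  // concurrency do not apply. Kept in one place so the two suppression lists
  // cannot drift apart again (the provider's list previously cited S3, which
  // nothing in this method uses).
  const dlqReason = 'Function is for custom resource and error handling will be handled by CloudFormation.';
  const vpcReason = 'Function is for custom resource and will interact only with IAM.';
  const concurrencyReason =
    'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.';
  // One entry per compliance pack (NIST 800-53 R5, HIPAA, PCI DSS 3.2.1) and check.
  const customResourceFunctionSuppressions = [
    { id: 'NIST.800.53.R5-LambdaDLQ', reason: dlqReason },
    { id: 'NIST.800.53.R5-LambdaInsideVPC', reason: vpcReason },
    { id: 'NIST.800.53.R5-LambdaConcurrency', reason: concurrencyReason },
    { id: 'HIPAA.Security-LambdaDLQ', reason: dlqReason },
    { id: 'PCI.DSS.321-LambdaDLQ', reason: dlqReason },
    { id: 'HIPAA.Security-LambdaInsideVPC', reason: vpcReason },
    { id: 'PCI.DSS.321-LambdaInsideVPC', reason: vpcReason },
    { id: 'HIPAA.Security-LambdaConcurrency', reason: concurrencyReason },
    { id: 'PCI.DSS.321-LambdaConcurrency', reason: concurrencyReason },
  ];

  // Execution role for the handler. No params/outputs are published for it.
  const crLambdaRole = new MdaaLambdaRole(this.scope, 'role-res-cr', {
    description: 'CR Role',
    roleName: 'role-res-cr',
    naming: this.naming,
    logGroupNames: [this.naming.resourceName('role-res-cr')],
    createParams: false,
    createOutputs: false,
  });

  // Least privilege for the handler: it only needs to enumerate roles.
  // iam:ListRoles does not support resource-level permissions, so '*' is the
  // narrowest possible resource and the IAM5 finding is suppressed below.
  const listRolesPolicyDoc = new PolicyDocument({
    statements: [
      new PolicyStatement({
        resources: ['*'],
        actions: ['iam:ListRoles'],
      }),
    ],
  });
  const iamPolicy = new ManagedPolicy(crLambdaRole, `role-res-pol`, {
    managedPolicyName: this.naming.resourceName(`role-res-pol`),
    document: listRolesPolicyDoc,
    roles: [crLambdaRole],
  });
  MdaaNagSuppressions.addCodeResourceSuppressions(
    iamPolicy,
    [{ id: 'AwsSolutions-IAM5', reason: 'iam:ListRoles does not take a resource.' }],
    true,
  );

  // The custom-resource handler that performs the role lookup.
  const resolveRoleLambda = new MdaaLambdaFunction(this.scope, 'resolve-role-res-cr-function', {
    functionName: 'role-res-cr',
    code: Code.fromAsset(`${__dirname}/../src/python/resolve_role/`),
    handler: 'resolve_role.lambda_handler',
    runtime: Runtime.PYTHON_3_13,
    timeout: Duration.seconds(120),
    role: crLambdaRole,
    naming: this.naming,
    createParams: false,
    createOutputs: false,
    environment: {
      LOG_LEVEL: 'INFO',
    },
  });
  // Make CloudFormation attach the policy before the function exists, so the
  // first invocation already has iam:ListRoles.
  resolveRoleLambda.node.addDependency(iamPolicy);
  MdaaNagSuppressions.addCodeResourceSuppressions(resolveRoleLambda, customResourceFunctionSuppressions, true);

  // Provider framework function and its own execution role. The second argument
  // to resourceName caps the generated name (Lambda function names are limited
  // to 64 characters).
  const resolveRoleProviderFunctionName = this.naming.resourceName('role-res-cr-prov', 64);
  const resolveRoleCrProviderRole = new MdaaLambdaRole(this.scope, 'role-res-cr-prov', {
    description: 'CR Role Resolver Provider',
    roleName: 'role-res-cr-prov',
    naming: this.naming,
    logGroupNames: [resolveRoleProviderFunctionName],
    createParams: false,
    createOutputs: false,
  });
  const resolveRoleProvider = new Provider(this.scope, 'resolve-role-res-cr-provider', {
    providerFunctionName: resolveRoleProviderFunctionName,
    onEventHandler: resolveRoleLambda,
    role: resolveRoleCrProviderRole,
  });

  // The Provider framework adds an inline policy to its role on its own.
  const inlinePolicyReason = 'Role is for Custom Resource Provider. Inline policy automatically added.';
  MdaaNagSuppressions.addCodeResourceSuppressions(
    resolveRoleCrProviderRole,
    [
      { id: 'NIST.800.53.R5-IAMNoInlinePolicy', reason: inlinePolicyReason },
      { id: 'HIPAA.Security-IAMNoInlinePolicy', reason: inlinePolicyReason },
      { id: 'PCI.DSS.321-IAMNoInlinePolicy', reason: inlinePolicyReason },
    ],
    true,
  );
  // The framework function's runtime is chosen by CDK, not by this code, so
  // the latest-runtime check (L1) is suppressed in addition to the shared set.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    resolveRoleProvider,
    [
      { id: 'AwsSolutions-L1', reason: 'Lambda function Runtime set by CDK Provider Framework' },
      ...customResourceFunctionSuppressions,
    ],
    true,
  );
  return resolveRoleProvider;
}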