Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: SQSQueueDLQ triggering on DLQs for Lambda functions #1630

Merged
merged 1 commit into from
Mar 14, 2024
Merged

fix: SQSQueueDLQ triggering on DLQs for Lambda functions #1630

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions src/rules/sqs/SQSQueueDLQ.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/
import { parse } from 'path';
import { CfnResource, Stack } from 'aws-cdk-lib';
import { CfnFunction } from 'aws-cdk-lib/aws-lambda';
import { CfnQueue } from 'aws-cdk-lib/aws-sqs';
import { NagRuleCompliance, NagRules } from '../../nag-rules';
import { flattenCfnReference } from '../../utils/flatten-cfn-reference';
Expand All @@ -29,6 +30,11 @@ export default Object.defineProperty(
found = true;
break;
}
} else if (child instanceof CfnFunction) {
if (isMatchingLambdaFunction(child, queueLogicalId, queueName)) {
found = true;
break;
}
}
}
if (!found) {
Expand Down Expand Up @@ -69,3 +75,29 @@ function isMatchingQueue(
}
return false;
}

/**
* Helper function to check whether a given Lambda Function uses the target SQS queue as a DLQ
* @param node the CfnFunction to check
* @param queueLogicalId the Cfn Logical ID of the target queue
* @param queueName the name of the target queue
* returns whether the CfnFunction uses the target SQS queue as a DLQ
*/
function isMatchingLambdaFunction(
node: CfnFunction,
queueLogicalId: string,
queueName: string | undefined
): boolean {
const deadLetterConfig = Stack.of(node).resolve(node.deadLetterConfig);
const targetArn = flattenCfnReference(
Stack.of(node).resolve(deadLetterConfig?.targetArn) ?? ''
);
if (
new RegExp(`${queueLogicalId}(?![\\w])`).test(targetArn) ||
(queueName !== undefined &&
new RegExp(`:${queueName}(?![\\w\\-_\\.])`).test(targetArn))
) {
return true;
}
return false;
}
47 changes: 47 additions & 0 deletions test/rules/SQS.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import {
StarPrincipal,
} from 'aws-cdk-lib/aws-iam';
import { Key } from 'aws-cdk-lib/aws-kms';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { CfnQueuePolicy, Queue, QueueEncryption } from 'aws-cdk-lib/aws-sqs';
import { Aspects, Stack } from 'aws-cdk-lib/core';
import { TestPack, TestType, validateStack } from './utils';
Expand Down Expand Up @@ -56,6 +57,31 @@ describe('Amazon Simple Queue Service (SQS)', () => {
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});

test('Noncompliance 3', () => {
new Queue(stack, 'Queue');
new Function(stack, 'Function', {
runtime: Runtime.NODEJS_18_X,
code: Code.fromInline('hi'),
handler: 'index.handler',
});
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});

test('Noncompliance 4', () => {
new Queue(stack, 'Dlq', { queueName: 'foo' });
new Function(stack, 'Function', {
runtime: Runtime.NODEJS_18_X,
code: Code.fromInline('hi'),
handler: 'index.handler',
deadLetterQueue: Queue.fromQueueArn(
stack,
'Dlq2FromArn',
`arn:aws:sqs:${stack.region}:${stack.account}:foo2`
),
});
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});

test('Compliance', () => {
const dlq = new Queue(stack, 'Dlq');
new Queue(stack, 'Queue', {
Expand All @@ -77,6 +103,27 @@ describe('Amazon Simple Queue Service (SQS)', () => {
});
validateStack(stack, ruleId, TestType.COMPLIANCE);
});
test('Compliance2', () => {
const dlq = new Queue(stack, 'Dlq');
new Function(stack, 'Function', {
runtime: Runtime.NODEJS_18_X,
code: Code.fromInline('hi'),
handler: 'index.handler',
deadLetterQueue: dlq,
});
new Queue(stack, 'Dlq2', { queueName: 'foo' });
new Function(stack, 'Function2', {
runtime: Runtime.NODEJS_18_X,
code: Code.fromInline('hi'),
handler: 'index.handler',
deadLetterQueue: Queue.fromQueueArn(
stack,
'Dlq2FromArn',
`arn:aws:sqs:${stack.region}:${stack.account}:foo`
),
});
validateStack(stack, ruleId, TestType.COMPLIANCE);
});
});

describe('SQSQueueSSE: SQS queues have server-side encryption enabled', () => {
Expand Down
Loading