merge

.github/workflows/security-scan.yml

@@ -25,15 +25,33 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -U bandit pip-audit setuptools .
-      - name: Install cid-cmd
-        run: |
-          pip install -U .
       - name: Bandit Scan
         run: |
           bandit -r .
+      - name: Install cid-cmd
+        run: |
+          pip install -U .
       - name: Pip Audit
         run: |
-          pip-audit
+          # GHSA-wfm5-v35h-vwf4  gitpython is a dependency of pip-audit not cid-cmd
+          # GHSA-cwvm-v4w8-q58c  gitpython is a dependency of pip-audit not cid-cmd
+          pip-audit --ignore-vuln GHSA-wfm5-v35h-vwf4 --ignore-vuln GHSA-cwvm-v4w8-q58c
+
+  python-pylint-cid:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git clone the repository
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+      - name: Install cfn-lint
+        run: |
+          pip install pylint
+      - name: PyLint
+        run: |
+          pylint ./cid/
 
   cfn-scan-cid:
     runs-on: ubuntu-latest

.pylintrc

@@ -0,0 +1,11 @@
+[MAIN]
+fail-under=7.50 # not the same in github actions and on your pc
+
+[FORMAT]
+max-line-length=240
+
+[MESSAGES CONTROL]
+# Disabling some:
+#   W1203:logging-fstring-interpolation - No performance cosern 
+#   W0511:fixme - widely used
+disable=W1203,W0511

cfn-templates/cid-cfn.yml

@@ -17,7 +17,7 @@ Metadata:
           - DeployCostIntelligenceDashboard
           - DeployKPIDashboard
       - Label:
-          default: Trusted Advisor and Compute Optimizer Dashboards. To deploy theese two dashboard, you must first deploy the Optimization Data Collection Lab (https://wellarchitectedlabs.com/cost/300_labs/300_optimization_data_collection/)
+          default: Trusted Advisor and Compute Optimizer Dashboards. To deploy these two dashboard, you must first deploy the Optimization Data Collection Lab (https://wellarchitectedlabs.com/cost/300_labs/300_optimization_data_collection/)
         Parameters:
           - OptimizationDataCollectionBucketPath
           - DeployTAODashboard
@@ -83,7 +83,7 @@ Metadata:
       GlueDataCatalog:
         default: "Existing Glue Data Catalog"
       DataBuketsKmsKeyArns:
-        default: "ARNs of KMS Keys for data bucket. Keep empty if data Buckets are not Encypted with KMS. Also you can set it to '*'."
+        default: "ARNs of KMS Keys for data bucket. Keep empty if data Buckets are not Encrypted with KMS. Also you can set it to '*'."
       PrimaryTagName:
         Default: "Choose a tag name. Currently used only in Compute Optimizer dashboard."
       SecondaryTagName:
@@ -166,7 +166,7 @@ Parameters:
     AllowedValues: ["yes", "no"]
   DeployTAODashboard:
     Type: String
-    Description: Deploy Trusted Advisor Organisational Dashboard (TAO) - WARNING! Before deploying this dashboard, you need Optimization Data Collection Lab to be installed first https://wellarchitectedlabs.com/cost/300_labs/300_optimization_data_collection/
+    Description: Deploy Trusted Advisor Organizational Dashboard (TAO) - WARNING! Before deploying this dashboard, you need Optimization Data Collection Lab to be installed first https://wellarchitectedlabs.com/cost/300_labs/300_optimization_data_collection/
     Default: "no"
     AllowedValues: ["yes", "no"]
   DeployComputeOptimizerDashboard:
@@ -178,6 +178,7 @@ Parameters:
     Type: String
     Description: The S3 path to the bucket created by the Cost Optimization Data Collection Lab. The path will need point to a folder containing /trusted-advisor and/or /compute-optimizer folders. You can leave the variable {account_id} in place, it will be replaced by current account ID automatically.
     Default: "s3://costoptimizationdata{account_id}"
+    AllowedPattern: '^s3://[a-zA-Z0-9-_{}/]*$'
   LambdaLayerBucketPrefix:
     Type: String
     Description: An S3 bucket with a Lambda layer
@@ -188,7 +189,7 @@ Parameters:
     Default: "AwsDataCatalog"
   DataBuketsKmsKeyArns:
     Type: String
-    Description: "ARNs of KMS Keys for data bucket. Keep empty if data Buckets are not Encypted with KMS. Also you can set it to '*'."
+    Description: "ARNs of KMS Keys for data bucket. Keep empty if data Buckets are not Encrypted with KMS. Also you can set it to '*'."
     Default: "*"
   LakeFormationEnabled:
     Type: String
@@ -249,7 +250,7 @@ Conditions:
         - !Equals [ !Ref DeployCUDOSDashboard, "yes" ]
         - !Equals [ !Ref DeployCostIntelligenceDashboard, "yes" ]
         - !Equals [ !Ref DeployKPIDashboard, "yes" ]
-  NeedLakeFormationCrawlerPermision:
+  NeedLakeFormationCrawlerPermissions:
     Fn::And:
       - !Equals [ !Ref LakeFormationEnabled, "yes" ]
       - !Condition NeedCURTable
@@ -445,7 +446,7 @@ Resources:
             EncryptionOption: SSE_S3
           OutputLocation: !If [ NeedAthenaQueryResultsBucket, !Sub 's3://${MyAthenaQueryResultsBucket}/', !Sub 's3://${AthenaQueryResultsBucket}/' ]
 
-  CustomRessourceFunctionInit:
+  CustomResourceFunctionInit:
     Type: AWS::Lambda::Function
     Properties:
       FunctionName: !Sub "CidInitialSetup-DoNotRun${Suffix}"
@@ -652,8 +653,8 @@ Resources:
   InitialSetup:
     Type: Custom::CustomResource
     Properties:
-      ServiceToken: !GetAtt CustomRessourceFunctionInit.Arn
-      Tags: # Hacky way to manage conditional dependancies
+      ServiceToken: !GetAtt CustomResourceFunctionInit.Arn
+      Tags: # Hacky way to manage conditional dependencies
         - Key: IgnoreConditionalDependsOnAthenaQueryResultsBucket
           Value: !If [NeedAthenaQueryResultsBucket, !Ref MyAthenaQueryResultsBucket, '']
         - Key: IgnoreConditionalDependsOnAthenaWorkgroup
@@ -682,7 +683,7 @@ Resources:
       Path: /
       ManagedPolicyArns:
         - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSLambdaExecute
-  CustomRessourceProcessPath:
+  CustomResourceProcessPath:
     Type: AWS::Lambda::Function
     Properties:
       Role: !GetAtt 'ProcessPathLambdaExecutionRole.Arn'
@@ -772,18 +773,18 @@ Resources:
               return True
 
   ProcessedCURPath:
-    Type: Custom::CustomRessourceProcessPath
+    Type: Custom::CustomResourceProcessPath
     Condition: NeedCUR
     Properties:
-      ServiceToken: !GetAtt CustomRessourceProcessPath.Arn
+      ServiceToken: !GetAtt CustomResourceProcessPath.Arn
       s3path: !Ref CURBucketPath
       type: 'CUR'
 
   ProcessedODCPath:
-    Type: Custom::CustomRessourceProcessPath
+    Type: Custom::CustomResourceProcessPath
     Condition: NeedDataCollectionLab
     Properties:
-      ServiceToken: !GetAtt CustomRessourceProcessPath.Arn
+      ServiceToken: !GetAtt CustomResourceProcessPath.Arn
       s3path: !Ref OptimizationDataCollectionBucketPath
 
   CidDatabase:
@@ -1251,7 +1252,7 @@ Resources:
                 - quicksight:DescribeRefreshSchedule
                 - quicksight:ListRefreshSchedules
                 Resource:
-                - !Sub arn:aws:quicksight:${AWS::Region}:${AWS::AccountId}:dataset/* # DataSetIDs are dynamic as well as shcedule ids
+                - !Sub arn:aws:quicksight:${AWS::Region}:${AWS::AccountId}:dataset/* # DataSetIDs are dynamic as well as schedule ids
               - Effect: Allow
                 Action:
                   - athena:StartQueryExecution
@@ -1279,7 +1280,7 @@ Resources:
         DatabaseResource:
           CatalogId: !Ref "AWS::AccountId"
           Name: !If [NeedDatabase, !Ref CidDatabase, !Ref DatabaseName ]
-        
+
   DataLakeSettingsCidExecRolePermTable:
     Type: AWS::LakeFormation::Permissions
     Condition: NeedLakeFormationEnabled
@@ -1296,7 +1297,7 @@ Resources:
 
   DataLakeSettingsCidCrawlerRolePerm:
     Type: AWS::LakeFormation::Permissions
-    Condition: NeedLakeFormationCrawlerPermision
+    Condition: NeedLakeFormationCrawlerPermissions
     Properties:
       DataLakePrincipal:
         DataLakePrincipalIdentifier: !GetAtt CidCURCrawlerRole.Arn
@@ -1309,7 +1310,7 @@ Resources:
 
   DataLakeSettingsCidCrawlerRolePermTable:
     Type: AWS::LakeFormation::Permissions
-    Condition: NeedLakeFormationCrawlerPermision
+    Condition: NeedLakeFormationCrawlerPermissions
     Properties:
       DataLakePrincipal:
         DataLakePrincipalIdentifier: !GetAtt CidCURCrawlerRole.Arn
@@ -1517,7 +1518,7 @@ Resources:
         quicksight-user: !Ref QuickSightUser
         account-map-source: 'dummy' #initial
         share-with-account: 'yes'
-      Tags: # Hacky way to manage conditional dependancies
+      Tags: # Hacky way to manage conditional dependencies
         - Key: IgnoreNeedCostIntelligenceDashboard
           Value: !If [NeedCostIntelligenceDashboard, !Ref CostIntelligenceDashboard, '']
 
@@ -1540,7 +1541,7 @@ Resources:
         quicksight-user: !Ref QuickSightUser
         account-map-source: 'dummy' #initial
         share-with-account: 'yes'
-      Tags: # Hacky way to manage conditional dependancies
+      Tags: # Hacky way to manage conditional dependencies
         - Key: IgnoreNeedCostIntelligenceDashboard
           Value: !If [NeedCostIntelligenceDashboard, !Ref CostIntelligenceDashboard, '']
         - Key: IgnoreNeedCUDOSDashboard