A lambda function to run cfn_nag as an action in CodePipeline.
To install, navigate to the AWS Serverless Repo and click deploy.
NOTE: due to a bug with SAM policy templates (#389) you will need to manually update the IAM role that the Lambda function assumes. The role should be named something like aws-serverless-repository-cfn-n-CfnNagFunctionRole-XXXXXXXX. Update the inline policy named CfnNagFunctionRolePolicy0 to set the Resource to *:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codepipeline:PutJobFailureResult",
"codepipeline:PutJobSuccessResult"
],
"Resource": "*"
}
]
}
- Add a source step for a repository with CloudFormation templates
- Add a downstream build step with provider
AWS Lambda - Select the function name
cfn-nag-pipeline - Select the glob for CloudFormation templates in the user parameters section for the step: e.g.
spec/test_templates/json/ec2_volume/*.json - Select the name of the Input Artifact from the repository
- Ensure maven is installed. For more information see: https://maven.apache.org/install.html
- Ensure awscli is installed. The credentials will need permission to create an S3 bucket, lambda functions, and an IAM role for the functions (at least)
- To run tests and build the lambda function, run:
make - To deploy the function, run:
make deploy - To deploy a new version to Serverless Application Repository, update the
VERSIONinMakefileand run:make sar