import os
from aws_cdk import Aspects, Stack, Tags
from cdk_nag import AwsSolutionsChecks, NagSuppressions
from constructs import Construct
from datadog_cdk_constructs_v2 import DatadogLambda
from cdk.activity_service.api_construct import ApiConstruct
from cdk.activity_service.constants import SERVICE_NAME, SERVICE_NAME_TAG
from cdk.activity_service.shared_props import SharedProps
from cdk.activity_service.utils import get_construct_name
class ServiceStack(Stack):
    """CDK stack for the activity service.

    Builds the Datadog Lambda instrumentation, the shared construct props
    and the CRUD ``ApiConstruct``, tags the stack, and attaches the cdk-nag
    ``AwsSolutionsChecks`` aspect together with the project's suppressions.
    """

    def __init__(self, scope: Construct, id: str, is_production_env: bool, **kwargs) -> None:
        """Create the stack and every child construct it owns.

        Args:
            scope: Parent construct (normally the CDK ``App``).
            id: Stack id; also used as the prefix for child construct names.
            is_production_env: Forwarded unchanged to ``ApiConstruct``.
            **kwargs: Passed straight through to ``Stack.__init__``.

        Deployment settings come from the process environment: ``ENV``
        (default ``dev``), ``VERSION`` (default ``latest``), ``DD_SITE``
        (default ``datadoghq.com``) and ``DD_API_KEY`` (default empty).
        """
        super().__init__(scope, id, **kwargs)
        self._add_stack_tags()

        env_name = os.environ.get("ENV", "dev")
        release = os.environ.get("VERSION", "latest")
        datadog_site = os.environ.get("DD_SITE", "datadoghq.com")
        # NOTE(review): the key is passed to the construct as a plain value, so
        # it is baked into the synthesized template rather than resolved from a
        # secret at deploy/run time, and an unset DD_API_KEY silently becomes
        # "" instead of failing synth. Confirm this is acceptable for the
        # accounts this blueprint is deployed to.
        datadog_api_key = os.environ.get("DD_API_KEY", "")

        # Datadog Lambda layer + extension configuration shared by all functions
        # in the stack (consumed through SharedProps below).
        datadog_settings = {
            "python_layer_version": 118,
            "extension_layer_version": 90,
            "service": SERVICE_NAME,
            "env": env_name,
            "version": release,
            "capture_lambda_payload": True,
            "site": datadog_site,
            "api_key": datadog_api_key,
            "enable_cold_start_tracing": True,
            "source_code_integration": True,
            "enable_datadog_tracing": True,
        }
        self.datadog_configuration = DatadogLambda(self, "DatadogLambda", **datadog_settings)

        self.shared_props = SharedProps(
            "activity",
            "activity",
            SERVICE_NAME,
            env_name,
            release,
            self.datadog_configuration,
        )

        crud_construct_name = get_construct_name(stack_prefix=id, construct_name='Crud')
        self.api = ApiConstruct(
            self,
            self.shared_props,
            crud_construct_name,
            is_production_env=is_production_env,
        )

        # cdk-nag checks run as an aspect at synth time, after all children exist.
        self._add_security_tests()

    def _add_stack_tags(self) -> None:
        """Tag every resource in the stack with the service name.

        Makes the service's resources easy to find and group in the console.
        """
        Tags.of(self).add(SERVICE_NAME_TAG, SERVICE_NAME)

    def _add_security_tests(self) -> None:
        """Attach the cdk-nag ``AwsSolutionsChecks`` aspect and its suppressions.

        The suppressions are added with ``add_stack_suppressions``, so each
        rule is silenced for every resource in the stack, not only for the
        resource the reason text describes (e.g. IAM4/IAM5 are suppressed
        beyond the CloudWatch Logs policy, and APIG4 disables the
        missing-authorization finding stack-wide). Review this list before
        reusing the blueprint outside a sample context.
        """
        Aspects.of(self).add(AwsSolutionsChecks(verbose=True))

        # (rule id, justification) pairs, kept in the order they are reported.
        suppressed_rules = (
            ('AwsSolutions-IAM4', 'policy for cloudwatch logs.'),
            ('AwsSolutions-IAM5', 'policy for cloudwatch logs.'),
            ('AwsSolutions-APIG2', 'lambda does input validation'),
            ('AwsSolutions-APIG1', 'not mandatory in a sample blueprint'),
            ('AwsSolutions-APIG3', 'not mandatory in a sample blueprint'),
            ('AwsSolutions-APIG6', 'not mandatory in a sample blueprint'),
            ('AwsSolutions-APIG4', 'authorization not mandatory in a sample blueprint'),
            ('AwsSolutions-COG4', 'not using cognito'),
            ('AwsSolutions-L1', 'False positive'),
            ('AwsSolutions-SQS4', 'DLQ configured correctly via CDK'),
        )
        NagSuppressions.add_stack_suppressions(
            self,
            [{'id': rule_id, 'reason': reason} for rule_id, reason in suppressed_rules],
        )