Merge pull request #91 from andywick-aws/actions

GitHub actions and fixes for flake8 findings

Author: andywick-aws

.flake8

@@ -1,8 +1,8 @@
 [flake8]
 max-line-length = 150
-max-complexity = 10
-max-cognitive-complexity = 10
-max-parameters-amount = 7
+max-complexity = 15
+max-cognitive-complexity = 15
+max-parameters-amount = 8
 min_python_version = 3.9.0
 copyright-regexp = Copyright Amazon.com, Inc\..*
 exclude =

.github/workflows/bandit.yml

@@ -0,0 +1,22 @@
+name: bandit - Python Scan
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.9']
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install bandit
+      - name: Bandit Check
+        run: bandit -r -lll -ii .

.github/workflows/cfn-nag.yml

@@ -0,0 +1,29 @@
+name: cfn-nag - CloudFormation Scan
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Ruby 2.6
+        uses: actions/setup-ruby@v1
+        with:
+          ruby-version: '2.6'
+      - name: Install cfn-nag
+        run: gem install cfn-nag
+      - name: Scan files in all templates folders
+        run: |
+          export deployment_dir=`pwd`
+          echo "$deployment_dir"
+          for i in $(find . -type f | grep -E '.template$|.yaml$|.yml$|.json$' | sed 's/^.\///') ; do
+            echo $i
+            if [[ "$i" == *"templates"* ]]; then
+              cfn_nag_scan --input-path "$deployment_dir/$i"
+              if [ $? -ne 0 ]; then
+                echo "cfn-nag failed validation - $i"
+                exit 1
+              fi
+            fi
+          done

.github/workflows/checkov.yml

@@ -0,0 +1,22 @@
+name: checkov - CloudFormation Scan
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.9']
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install checkov
+      - name: checkov scan
+        run: checkov --quiet -d  aws_sra_examples

.github/workflows/markdown-links.yml

@@ -0,0 +1,13 @@
+name: Markdown Link Check
+
+on: push
+
+jobs:
+  markdown-link-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: gaurav-nelson/github-action-markdown-link-check@v1
+        with:
+          use-quiet-mode: 'yes'
+          use-verbose-mode: 'no'

.github/workflows/pylic.yml

@@ -0,0 +1,58 @@
+name: pylic - Python License Check
+
+on: push
+
+jobs:
+  Linting:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        python-version: [3.9]
+    steps:
+      #----------------------------------------------
+      #       check-out repo and set-up python
+      #----------------------------------------------
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Set up python
+        id: setup-python
+        uses: actions/setup-python@v3
+        with:
+          python-version: 3.9
+      #----------------------------------------------
+      #  -----  install & configure poetry  -----
+      #----------------------------------------------
+      - name: Load Cached Poetry Installation
+        uses: actions/cache@v3
+        with:
+          path: ~/.local # the path depends on the OS
+          key: poetry-no-dev-2 # increment to reset cache
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+      #----------------------------------------------
+      #       load cached venv if cache exists
+      #----------------------------------------------
+      - name: Load cached venv
+        id: cached-poetry-no-dev-dependencies
+        uses: actions/cache@v3
+        with:
+          path: .venv
+          key: venv-no-dev-dependencies-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
+      #----------------------------------------------
+      # install dependencies if cache does not exist
+      #----------------------------------------------
+      - name: Install dependencies
+        if: steps.cached-poetry-no-dev-dependencies.outputs.cache-hit != 'true'
+        run: poetry install --no-dev --no-root
+      #----------------------------------------------
+      # Run pylic check
+      #----------------------------------------------
+      - name: pylic check
+        run: |
+          poetry run pip install pylic
+          poetry run pylic check

.github/workflows/safety.yml

@@ -0,0 +1,58 @@
+name: safety - Python Dependency Check
+
+on: push
+
+jobs:
+  Linting:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        python-version: [3.9]
+    steps:
+      #----------------------------------------------
+      #       check-out repo and set-up python
+      #----------------------------------------------
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Set up python
+        id: setup-python
+        uses: actions/setup-python@v3
+        with:
+          python-version: 3.9
+      #----------------------------------------------
+      #  -----  install & configure poetry  -----
+      #----------------------------------------------
+      - name: Load Cached Poetry Installation
+        uses: actions/cache@v3
+        with:
+          path: ~/.local # the path depends on the OS
+          key: poetry-no-dev-2 # increment to reset cache
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+      #----------------------------------------------
+      #       load cached venv if cache exists
+      #----------------------------------------------
+      - name: Load cached venv
+        id: cached-poetry-no-dev-dependencies
+        uses: actions/cache@v3
+        with:
+          path: .venv
+          key: venv-no-dev-dependencies-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
+      #----------------------------------------------
+      # install dependencies if cache does not exist
+      #----------------------------------------------
+      - name: Install dependencies
+        if: steps.cached-poetry-no-dev-dependencies.outputs.cache-hit != 'true'
+        run: poetry install --no-dev --no-root
+      #----------------------------------------------
+      # Run Safety check
+      #----------------------------------------------
+      - name: Safety check
+        run: |
+          poetry run pip install safety
+          poetry run safety check

.github/workflows/static-checking.yml

@@ -0,0 +1,77 @@
+name: Static Checks (mypy, flake8, black, isort)
+
+on: push
+
+jobs:
+  Linting:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        python-version: [3.9]
+    steps:
+      #----------------------------------------------
+      #       check-out repo and set-up python
+      #----------------------------------------------
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Set up python
+        id: setup-python
+        uses: actions/setup-python@v3
+        with:
+          python-version: 3.9
+      #----------------------------------------------
+      #  -----  install & configure poetry  -----
+      #----------------------------------------------
+      - name: Load Cached Poetry Installation
+        uses: actions/cache@v3
+        with:
+          path: ~/.local # the path depends on the OS
+          key: poetry-with-dev-0 # increment to reset cache
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+
+      #----------------------------------------------
+      #       load cached venv if cache exists
+      #----------------------------------------------
+      - name: Load cached venv
+        id: cached-poetry-with-dev-dependencies
+        uses: actions/cache@v3
+        with:
+          path: .venv
+          key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
+      #----------------------------------------------
+      # install dependencies if cache does not exist
+      #----------------------------------------------
+      - name: Install dependencies
+        if: steps.cached-poetry-with-dev-dependencies.outputs.cache-hit != 'true'
+        run: poetry install --no-interaction --no-root
+      #----------------------------------------------
+      # Activate virtual environment
+      #----------------------------------------------
+      - name: Activate Virtual Environment
+        run: source .venv/bin/activate
+      #----------------------------------------------
+      # Run MyPY check
+      #----------------------------------------------
+      - name: mypy check
+        run: poetry run mypy aws_sra_examples
+      #----------------------------------------------
+      # Run Flake8 check
+      #----------------------------------------------
+      - name: Flake8 Lint
+        run: poetry run flake8 aws_sra_examples
+      #----------------------------------------------
+      # Run Python Black check
+      #----------------------------------------------
+      - name: Black style check
+        run: poetry run black --check aws_sra_examples
+      #----------------------------------------------
+      # Run isort check
+      #----------------------------------------------
+      - name: Imports order check (isort)
+        run: poetry run isort --check aws_sra_examples

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2022-04-10](#2022-04-10)
 - [2022-04-04](#2022-04-04)
 - [2022-03-29](#2022-03-29)
 - [2022-03-16](#2022-03-16)
@@ -24,6 +25,17 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2022-04-10
+
+### Added<!-- omit in toc -->
+
+- Added GitHub action workflow templates to run code quality and security checks.
+
+### Changed<!-- omit in toc -->
+
+- Updated Lambda python files to fix and suppress flake8 findings.
+- Updated dependencies within the pyproject.toml file to the latest version.
+
 ## 2022-04-04
 
 ### Changed<!-- omit in toc -->

aws_sra_examples/solutions/cloudtrail/cloudtrail_org/lambda/src/app.py

@@ -12,7 +12,7 @@
 import logging
 import os
 import re
-from typing import TYPE_CHECKING, Union
+from typing import TYPE_CHECKING, Optional
 
 import boto3
 from crhelper import CfnResource
@@ -129,7 +129,7 @@ def get_cloudtrail_parameters(is_create: bool, params: dict) -> dict:
     return cloudtrail_params
 
 
-def parameter_pattern_validator(parameter_name: str, parameter_value: Union[str, None], pattern: str) -> None:
+def parameter_pattern_validator(parameter_name: str, parameter_value: Optional[str], pattern: str) -> None:
     """Validate CloudFormation Custom Resource Parameters.
 
     Args: