Merge pull request #119 from ASFHyP3/cfn-lint

Fix cfn-lint workflow
ASFHyP3 · Jul 2, 2024 · 1b2ffb6 · 1b2ffb6
2 parents e7a4bfe + 6b09c32
commit 1b2ffb6
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 9 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,15 @@
 
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: pip
+    directory: /
     schedule:
-      interval: "daily"
+      interval: weekly
+    labels:
+      - bumpless
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - bumpless
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -3,13 +3,15 @@ name: Static code analysis
 on: push
 
 jobs:
-
   cfn-lint:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
-
-      - uses: scottbrenner/[email protected]
+      - uses: actions/setup-python@v5
         with:
-          args: "--template cloudformation.yml"
+          python-version: 3.9
+      - run: |
+          python -m pip install --upgrade pip
+          python -m pip install -r requirements.txt
+      - run: |
+          cfn-lint --info --template cloudformation.yml
diff --git a/cloudformation.yml b/cloudformation.yml
@@ -6,12 +6,37 @@ Resources:
     Type: AWS::S3::Bucket
     Properties:
       BucketName: !Sub "${AWS::StackName}-logs"
-      AccessControl: LogDeliveryWrite
       PublicAccessBlockConfiguration:
         BlockPublicAcls: True
         IgnorePublicAcls: True
         BlockPublicPolicy: True
         RestrictPublicBuckets: True
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+            BucketKeyEnabled: true
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
+
+  LogBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref LogBucket
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: logging.s3.amazonaws.com
+            Action: s3:PutObject
+            Resource: !Sub "${LogBucket.Arn}/*"
+            Condition:
+              ArnLike:
+                "aws:SourceArn": !GetAtt ContentBucket.Arn
+              StringEquals:
+                "aws:SourceAccount": !Ref AWS::AccountId
 
   ContentBucket:
     Type: AWS::S3::Bucket
@@ -32,6 +57,9 @@ Resources:
         IgnorePublicAcls: True
         BlockPublicPolicy: False
         RestrictPublicBuckets: False
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
 
   BucketPolicy:
     Type: AWS::S3::BucketPolicy

diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1 @@
+cfn-lint==1.4.2