Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
String comparisons fail to handle Intrinsic functions
See original GitHub issueWe are experience synthesis failure due to an unhandled error during from the NIST SP 800-53 checks; however, this code seems to be partially duplicated between HIPAA and AWS Solutions as well. Specifically, it looks like our VPC stack currently is the source of the issue and the underlying error is from src/NIST-800-53/rules/ec2/nist80053EC2CheckSSHRestricted.ts:
/home/klaker/Documents/ccpo/atat-web-api/node_modules/cdk-nag/src/NIST-800-53/rules/ec2/nist80053EC2CheckSSHRestricted.ts:22
resolvedRule.cidrIp.includes('/0')) ||
^
TypeError: resolvedRule.cidrIp.includes is not a function
at Object.default_1 (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/cdk-nag/src/NIST-800-53/rules/ec2/nist80053EC2CheckSSHRestricted.ts:22:33)
at NIST80053Checks.checkEC2 (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/cdk-nag/src/NIST-800-53/nist-800-53.ts:399:8)
at NIST80053Checks.visit (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/cdk-nag/src/NIST-800-53/nist-800-53.ts:102:12)
at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:110:14)
at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
at invokeAspects (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:95:3)
This seems to be because in this case resolvedRule.cidrIp is an object (not a string), with the value { Fn::GetAtt: [ "VpcLogicalId", "CidrBlock" ] }. Without cdk-nag, the stack synthesizes and deploys without issue; however the relevant snippet from the template seems to be the following; if I just add a console.log in to print resolvedRule.cidrIp, the value of CidrIp seen below is what gets printed.
"SecurityGroupIngress": [
{
"CidrIp": {
"Fn::GetAtt": [
"AtatVpc28460212",
"CidrBlock"
]
},
"Description": {
"Fn::Join": [
"",
[
"from ",
{
"Fn::GetAtt": [
"AtatVpc28460212",
"CidrBlock"
]
},
":443"
]
]
},
"FromPort": 443,
"IpProtocol": "tcp",
"ToPort": 443
}
],
This was encountered with cdg-nag v0.0.114 as well as 0.0.98 and with CDK v1.124.0 and v1.125.0.
The full output of synthesis (without running cdk-nag) is available as a workflow artifact at https://github.com/dod-ccpo/atat-web-api/suites/3921230865/artifacts/98054835. The workflow run with the error during synthesis is available at https://github.com/dod-ccpo/atat-web-api/runs/3757681913?check_suite_focus=true#step:9:83.
If there’s information that’d be useful that I didn’t include, I am happy to do so. This library has been super helpful to start building towards compliance with best practices early on!
Issue Analytics
- State:
- Created 2 years ago
- Comments:5
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
That took care of it for us! Thanks for quick fix!
I’m leaning toward something relating to the latter since equality comparisons can occur with other types like integers as well