From 617a4f21a7085e71702cd98cfee98b1e9eda5629 Mon Sep 17 00:00:00 2001
From: Michael Wittig
Date: Fri, 2 Feb 2024 19:02:23 +0100
Subject: [PATCH 1/2] [Improvement] * - Update Lambda runtime to Node.js 20 (#733)
---
 .github/FUNDING.yml | 3 ---
 .github/workflows/lint.yml | 10 +++++-----
 ecs/cluster-cost-optimized.yaml | 13 +++++--------
 ecs/cluster.yaml | 14 ++++++--------
 operations/alb-access-logs-anonymizer.yaml | 10 +---------
 operations/cloudfront-access-logs-anonymizer.yaml | 11 +----------
 security/account-password-policy.yaml | 3 +--
 security/config.yaml | 3 +--
 security/securityhub-controls.yaml | 2 +-
 state/elasticache-memcached.yaml | 3 +--
 state/s3.yaml | 3 +--
 static-website/lambdaedge-index-document.yaml | 6 +++---
 12 files changed, 26 insertions(+), 55 deletions(-)
 delete mode 100644 .github/FUNDING.yml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index e7f0e3dba..000000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: widdix
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d1eef1d38..55cf9e8b9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,17 +11,17 @@ jobs:
 runs-on: ['hyperenv', 'medium']
 steps:
 - uses: 'actions/checkout@v4'
- - uses: 'actions/setup-python@v4'
+ - uses: 'actions/setup-python@v5'
 with:
- python-version: '3.8'
+ python-version: '3.12'
 - name: yamlllint
 run: |
- pip install yamllint==1.27.1
+ pip install yamllint==1.33.0
 yamllint .
 - name: cfn-lint
 run: |
- pip install cfn-lint==0.79.11
- cfn-lint -i W2001 W4002 W6001 W8003 E3026 E2520 -t '**/*.yaml'
+ pip install cfn-lint==0.85.0
+ cfn-lint -i W2001 W3045 W4002 W6001 W8003 E3026 -t '**/*.yaml'
 - name: license
 run: |
 find . -type f -name '*.yaml' -not -name '.readthedocs.yaml' | while read file; do set -ex && grep -q 'LICENSE-2.0' "$file"; done;
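Review bot: The third-party code this workflow executes is pinned only by mutable reference: `actions/setup-python@v5` and `actions/checkout@v4` are floating tags the publisher can move, and `pip install yamllint==1.33.0` / `pip install cfn-lint==0.85.0` pin a version but not a hash, so the lint job trusts whatever the tag or PyPI serves on the day it runs. Given the job runs on what looks like a self-hosted runner pool (`runs-on: ['hyperenv', 'medium']`), I would pin each action to a full commit SHA with the version in a trailing comment, e.g. `- uses: 'actions/setup-python@<full-commit-sha>' # v5`, and install the linters from a requirements file via `pip install --require-hashes -r lint-requirements.txt`. The suppression list also gains `W3045` and drops `E2520` without saying why; a one-line comment above the `cfn-lint -i ...` call naming the reason for each ignored rule would keep that list auditable the next time someone bumps cfn-lint.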
diff --git a/ecs/cluster-cost-optimized.yaml b/ecs/cluster-cost-optimized.yaml
index b8a77a2ac..eb041dca5 100644
--- a/ecs/cluster-cost-optimized.yaml
+++ b/ecs/cluster-cost-optimized.yaml
@@ -1183,8 +1183,7 @@ Resources:
 Properties:
 Code:
 ZipFile: |
- 'use strict';
- const { AutoScalingClient, ExecutePolicyCommand } = require("@aws-sdk/client-auto-scaling");
+ const { AutoScalingClient, ExecutePolicyCommand } = require('@aws-sdk/client-auto-scaling');
 const autoscaling = new AutoScalingClient({apiVersion: '2011-01-01'});
 const sp = process.env.SCALING_POLICY_NAME;
 exports.handler = async function(event, context) {
@@ -1195,7 +1194,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'ScaleUpLambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 60
 Environment:
 Variables:
@@ -1308,13 +1307,11 @@ Resources:
 Properties:
 Code:
 ZipFile: |
- 'use strict';
- const AWS = require('aws-sdk');
- const { ECSClient, UpdateContainerInstancesStateCommand, ListTasksCommand, ListContainerInstancesCommand } = require("@aws-sdk/client-ecs");
+ const { ECSClient, UpdateContainerInstancesStateCommand, ListTasksCommand, ListContainerInstancesCommand } = require('@aws-sdk/client-ecs');
 const ecs = new ECSClient({apiVersion: '2014-11-13'});
 const { SQSClient, SendMessageCommand } = require("@aws-sdk/client-sqs");
 const sqs = new SQSClient({apiVersion: '2012-11-05'});
- const { AutoScalingClient, CompleteLifecycleActionCommand, RecordLifecycleActionHeartbeatCommand } = require("@aws-sdk/client-auto-scaling");
+ const { AutoScalingClient, CompleteLifecycleActionCommand, RecordLifecycleActionHeartbeatCommand } = require('@aws-sdk/client-auto-scaling');
 const asg = new AutoScalingClient({apiVersion: '2011-01-01'});
 const cluster = process.env.CLUSTER;
 const queueUrl = process.env.QUEUE_URL;
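Review bot: Dropping `'use strict';` from the first line of the inline handler puts the function body into sloppy mode, because an inline `ZipFile` is deployed as `index.js` and, as far as I can tell, loaded by the nodejs20.x runtime as CommonJS, which is not strict by default. The visible code uses `const` throughout so the immediate impact is small, but in sloppy mode a mistyped assignment silently creates a global instead of throwing, and this same directive is removed from every handler in the patch. Unless it was dropped for a reason the diff does not show (a linter rule, for instance), I would keep `'use strict';` as the first line of each `ZipFile` block. The handler body beginning at `exports.handler = async function(event, context) {` continues outside the hunk.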
@@ -1398,7 +1395,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'DrainInstanceLambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 30
 Environment:
 Variables:
diff --git a/ecs/cluster.yaml b/ecs/cluster.yaml
index abeeed05c..5d973b1cf 100644
--- a/ecs/cluster.yaml
+++ b/ecs/cluster.yaml
@@ -1239,10 +1239,9 @@ Resources:
 Properties:
 Code:
 ZipFile: !Sub |
- 'use strict';
- const { ECSClient, ListContainerInstancesCommand, DescribeContainerInstancesCommand } = require("@aws-sdk/client-ecs");
+ const { ECSClient, ListContainerInstancesCommand, DescribeContainerInstancesCommand } = require('@aws-sdk/client-ecs');
 const ecs = new ECSClient({apiVersion: '2014-11-13'});
- const { CloudWatchClient, PutMetricDataCommand } = require("@aws-sdk/client-cloudwatch");
+ const { CloudWatchClient, PutMetricDataCommand } = require('@aws-sdk/client-cloudwatch');
 const cloudwatch = new CloudWatchClient({apiVersion: '2010-08-01'});
 const CONTAINER_MAX_CPU = ${ContainerMaxCPU};
 const CONTAINER_MAX_MEMORY = ${ContainerMaxMemory};
@@ -1307,7 +1306,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'SchedulableContainersLambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 60
 SchedulableContainersLogGroup:
 Type: 'AWS::Logs::LogGroup'
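Review bot: `const CONTAINER_MAX_CPU = ${ContainerMaxCPU};` and the memory line below it splice template parameters straight into JavaScript source through `ZipFile: !Sub |`, so whatever text the parameter holds is deployed as code in this function. Whether that is safe depends on the parameter declarations, which are outside this hunk: with `Type: Number` the substitution can only ever be a numeric literal, but with `Type: String` a non-numeric value fails only at cold start (syntax error) or, if stack parameters come from a less-trusted pipeline, runs as arbitrary code inside the Lambda role. If the parameters are numeric already, a comment next to `ZipFile: !Sub |` such as `# ContainerMaxCPU/ContainerMaxMemory are Type: Number, so !Sub cannot inject code below` would make that dependency visible to the next maintainer; otherwise declare them as `Type: Number` with a `MinValue`. The handler body continues outside the hunk.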
@@ -1417,12 +1416,11 @@ Resources:
 Properties:
 Code:
 ZipFile: |
- 'use strict';
- const { ECSClient, ListContainerInstancesCommand, UpdateContainerInstancesStateCommand, ListTasksCommand } = require("@aws-sdk/client-ecs");
+ const { ECSClient, ListContainerInstancesCommand, UpdateContainerInstancesStateCommand, ListTasksCommand } = require('@aws-sdk/client-ecs');
 const ecs = new ECSClient({apiVersion: '2014-11-13'});
 const { SQSClient, SendMessageCommand } = require("@aws-sdk/client-sqs");
 const sqs = new SQSClient({apiVersion: '2012-11-05'});
- const { AutoScalingClient, CompleteLifecycleActionCommand, RecordLifecycleActionHeartbeatCommand } = require("@aws-sdk/client-auto-scaling");
+ const { AutoScalingClient, CompleteLifecycleActionCommand, RecordLifecycleActionHeartbeatCommand } = require('@aws-sdk/client-auto-scaling');
 const asg = new AutoScalingClient({apiVersion: '2011-01-01'});
 const cluster = process.env.CLUSTER;
 const queueUrl = process.env.QUEUE_URL;
@@ -1506,7 +1504,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'DrainInstanceLambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 30
 Environment:
 Variables:
diff --git a/operations/alb-access-logs-anonymizer.yaml b/operations/alb-access-logs-anonymizer.yaml
index 3c1c4b9d9..9b5fa5f5f 100644
--- a/operations/alb-access-logs-anonymizer.yaml
+++ b/operations/alb-access-logs-anonymizer.yaml
@@ -109,19 +109,16 @@ Resources:
 const { S3Client, GetObjectCommand, HeadObjectCommand, DeleteObjectCommand } = require('@aws-sdk/client-s3');
 const { Upload } = require('@aws-sdk/lib-storage');
 const s3 = new S3Client({apiVersion: '2006-03-01'});
-
 function anonymizeIPv4Address(str) {
 const s = str.split('.');
 s[3] = '0';
 return s.join('.');
 }
-
 function anonymizeIPv6Address(str) {
 const s = str.split(':').slice(0, 2);
 s.push(':');
 return s.join(':');
 }
-
 function anonymizeIpAddress(str) {
 const s = str.split(':');
 const address = s.slice(0, -1).join(':');
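Review bot: The hunk converts the `@aws-sdk/client-ecs` and `@aws-sdk/client-auto-scaling` requires to single quotes but leaves `const { SQSClient, SendMessageCommand } = require("@aws-sdk/client-sqs");` double-quoted, so quoting inside this one handler is now mixed. Finishing the conversion with `const { SQSClient, SendMessageCommand } = require('@aws-sdk/client-sqs');` keeps the block uniform; the identical leftover sits in the DrainInstance handler of ecs/cluster-cost-optimized.yaml in the same patch. The handler body continues outside the hunk.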
@@ -134,7 +131,6 @@ Resources:
 return str;
 }
 }
-
 function transformLine(line) {
 if (line.trim() === '') {
 return line;
@@ -143,7 +139,6 @@ Resources:
 values[3] = anonymizeIpAddress(values[3]);
 return values.join(' ');
 }
-
 async function process(record) {
 const anonymizedKey = record.s3.object.key.slice(0, -2) + 'anonymized.gz';
 let chunk = Buffer.alloc(0);
@@ -175,7 +170,6 @@ Resources:
 try {
 const getObjectResponse = await s3.send(new GetObjectCommand(params));
-
 const writePipeline = pipeline(
 getObjectResponse.Body,
 zlib.createGunzip(),
@@ -185,7 +179,6 @@ Resources:
 zlib.createGzip(),
 () => {}
 );
-
 await new Upload({
 client: s3,
 params: {
@@ -220,7 +213,6 @@ Resources:
 await s3.send(new DeleteObjectCommand(params));
 }
 }
-
 exports.handler = async (event) => {
 console.log(JSON.stringify(event));
 for (let record of event.Records) {
@@ -234,7 +226,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 1024
 Role: !GetAtt 'Role.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 300
 ErrorsTooHighAlarm:
 Condition: HasAlertTopic
diff --git a/operations/cloudfront-access-logs-anonymizer.yaml b/operations/cloudfront-access-logs-anonymizer.yaml
index 12c3ac2cd..971d2c1d2 100644
--- a/operations/cloudfront-access-logs-anonymizer.yaml
+++ b/operations/cloudfront-access-logs-anonymizer.yaml
@@ -109,19 +109,16 @@ Resources:
 const { S3Client, GetObjectCommand, HeadObjectCommand, DeleteObjectCommand } = require('@aws-sdk/client-s3');
 const { Upload } = require('@aws-sdk/lib-storage');
 const s3 = new S3Client({apiVersion: '2006-03-01'});
-
 function anonymizeIPv4Address(str) {
 const s = str.split('.');
 s[3] = '0';
 return s.join('.');
 }
-
 function anonymizeIPv6Address(str) {
 const s = str.split(':').slice(0, 2);
 s.push(':');
 return s.join(':');
 }
-
 function anonymizeIpAddress(str) {
 if (str === '-' || str === 'unknown') {
 return str;
@@ -134,7 +131,6 @@ Resources:
 return str;
 }
 }
-
 function transformLine(line) {
 if (line.startsWith('#') || line.trim() === '') {
 return line;
@@ -144,7 +140,6 @@ Resources:
 values[19] = anonymizeIpAddress(values[19]);
 return values.join('\t');
 }
-
 async function process(record) {
 const anonymizedKey = record.s3.object.key.slice(0, -2) + 'anonymized.gz';
 let chunk = Buffer.alloc(0);
@@ -173,10 +168,8 @@ Resources:
 if ('versionId' in record.s3.object) {
 params.VersionId = record.s3.object.versionId;
 }
-
 try {
 const getObjectResponse = await s3.send(new GetObjectCommand(params));
-
 const writePipeline = pipeline(
 getObjectResponse.Body,
 zlib.createGunzip(),
@@ -214,14 +207,12 @@ Resources:
 throw err;
 }
 }
-
 if (chunk.length > 0) {
 throw new Error('file was not read completly');
 } else {
 await s3.send(new DeleteObjectCommand(params));
 }
 }
-
 exports.handler = async (event) => {
 console.log(JSON.stringify(event));
 for (let record of event.Records) {
@@ -235,7 +226,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 1024
 Role: !GetAtt 'Role.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 300
 ErrorsTooHighAlarm:
 Condition: HasAlertTopic
diff --git a/security/account-password-policy.yaml b/security/account-password-policy.yaml
index 959acc04b..d5f6fd01f 100644
--- a/security/account-password-policy.yaml
+++ b/security/account-password-policy.yaml
@@ -151,7 +151,6 @@ Resources:
 Properties:
 Code:
 ZipFile: |
- 'use strict';
 const response = require('cfn-response');
 const { IAMClient, DeleteAccountPasswordPolicyCommand, UpdateAccountPasswordPolicyCommand } = require('@aws-sdk/client-iam');
 const iam = new IAMClient({apiVersion: '2010-05-08'});
@@ -191,7 +190,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'LambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 60
 LambdaLogGroup:
 Type: 'AWS::Logs::LogGroup'
diff --git a/security/config.yaml b/security/config.yaml
index ad9e9d457..f94eaf441 100644
--- a/security/config.yaml
+++ b/security/config.yaml
@@ -199,7 +199,6 @@ Resources:
 Properties:
 Code:
 ZipFile: |
- 'use strict';
 const response = require('cfn-response');
 const { ConfigServiceClient, DeleteRetentionConfigurationCommand, PutRetentionConfigurationCommand } = require('@aws-sdk/client-config-service');
 const config = new ConfigServiceClient({apiVersion: '2014-11-12'});
@@ -228,7 +227,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'LambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 60
 LambdaLogGroup:
 Type: 'AWS::Logs::LogGroup'
diff --git a/security/securityhub-controls.yaml b/security/securityhub-controls.yaml
index 7b2dc96e4..b2e154bed 100644
--- a/security/securityhub-controls.yaml
+++ b/security/securityhub-controls.yaml
@@ -155,7 +155,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'LambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 60
 LambdaLogGroup:
 Type: 'AWS::Logs::LogGroup'
diff --git a/state/elasticache-memcached.yaml b/state/elasticache-memcached.yaml
index 1e5541fb5..ce0cdf2b0 100644
--- a/state/elasticache-memcached.yaml
+++ b/state/elasticache-memcached.yaml
@@ -252,7 +252,6 @@ Resources:
 Properties:
 Code:
 ZipFile: |
- 'use strict';
 const response = require('cfn-response');
 exports.handler = (event, context, cb) => {
 const nodes = parseInt(event.ResourceProperties.NumCacheNodes, 10);
@@ -265,7 +264,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'CustomResourceLambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 60
 CustomResourceLambdaLogGroup:
 Type: 'AWS::Logs::LogGroup'
diff --git a/state/s3.yaml b/state/s3.yaml
index 325bed288..58a6fd710 100644
--- a/state/s3.yaml
+++ b/state/s3.yaml
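Review bot: `const nodes = parseInt(event.ResourceProperties.NumCacheNodes, 10);` yields `NaN` for a missing or non-numeric `NumCacheNodes`, and nothing in the hunk rejects that before the value is used; the rest of the handler is outside the hunk, so I can't see whether a later check exists. A guard immediately after the parse, e.g. `if (!Number.isInteger(nodes) || nodes < 1) { return response.send(event, context, response.FAILED, {}); }`, would fail the custom resource with a clear reason instead of propagating `NaN` into whatever it computes from `nodes` (adjust the `response.send` arguments to match how the rest of this handler calls cfn-response). A one-line comment above the parse noting that `NumCacheNodes` arrives as a string from the template would also help a reader understand why `parseInt` is needed here.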
@@ -410,7 +410,6 @@ Resources:
 Properties:
 Code:
 ZipFile: |
- 'use strict';
 const response = require('cfn-response');
 const { S3Client, GetBucketAclCommand, PutBucketAclCommand } = require('@aws-sdk/client-s3');
 const s3 = new S3Client({apiVersion: '2006-03-01'});
@@ -471,7 +470,7 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'LambdaRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 60
 LambdaLogGroup:
 Condition: HasCloudFrontAccessLogWrite
diff --git a/static-website/lambdaedge-index-document.yaml b/static-website/lambdaedge-index-document.yaml
index f393b1ba4..c76c0c2e6 100644
--- a/static-website/lambdaedge-index-document.yaml
+++ b/static-website/lambdaedge-index-document.yaml
@@ -153,9 +153,9 @@ Resources:
 Handler: 'index.handler'
 MemorySize: 128
 Role: !GetAtt 'ViewerRequestRole.Arn'
- Runtime: 'nodejs18.x'
+ Runtime: 'nodejs20.x'
 Timeout: 5
- ViewerRequestVersionV4:
+ ViewerRequestVersionV5:
 Type: 'AWS::Lambda::Version'
 Properties:
 FunctionName: !Ref ViewerRequestFunction
@@ -176,4 +176,4 @@ Outputs:
 Value: !Sub '${AWS::StackName}'
 ViewerRequestLambdaEdgeFunctionVersionARN:
 Description: 'Version ARN of Lambda@Edge viewer request function.'
- Value: !Ref ViewerRequestVersionV4
+ Value: !Ref ViewerRequestVersionV5
From 9be16658ea18ee748b9634c470c91e6dfdba6c49 Mon Sep 17 00:00:00 2001
From: Michael Wittig
Date: Tue, 6 Feb 2024 08:42:38 +0100
Subject: [PATCH 2/2] [Security] jenkins/* - Update Jenkins to 2.426.3 (#730)
---
 jenkins/jenkins2-ha-agents.yaml | 2 +-
 jenkins/jenkins2-ha.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/jenkins/jenkins2-ha-agents.yaml b/jenkins/jenkins2-ha-agents.yaml
index 33f1208e4..af46555ba 100644
--- a/jenkins/jenkins2-ha-agents.yaml
+++ b/jenkins/jenkins2-ha-agents.yaml
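Review bot: Renaming `ViewerRequestVersionV4` to `ViewerRequestVersionV5` makes CloudFormation create the new version and then delete the old one in the update's cleanup phase, and a Lambda@Edge version that CloudFront has replicated cannot be deleted until the replicas are removed, which can lag well behind the distribution dropping its reference. It is worth confirming on a test stack that the update finishes without a failed cleanup or rollback; if it does not, `DeletionPolicy: Retain` on the version resource, leaving old versions for manual removal, is the usual workaround. A short comment above `ViewerRequestVersionV5:` such as `# Rename on every function change: AWS::Lambda::Version is immutable, and the old version may linger until its edge replicas are purged` would record why the logical ID keeps changing, and consumers of the `ViewerRequestLambdaEdgeFunctionVersionARN` output should expect a new ARN after this update.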
@@ -1015,7 +1015,7 @@ Resources:
 install:
 packages:
 rpm:
- jenkins: 'https://ftp-chi.osuosl.org/pub/jenkins/redhat-stable/jenkins-2.426.2-1.1.noarch.rpm'
+ jenkins: 'https://ftp-chi.osuosl.org/pub/jenkins/redhat-stable/jenkins-2.426.3-1.1.noarch.rpm'
 files:
 '/etc/cfn/cfn-hup.conf':
 content: !Sub |
diff --git a/jenkins/jenkins2-ha.yaml b/jenkins/jenkins2-ha.yaml
index be7489fdc..bdea8b5a6 100644
--- a/jenkins/jenkins2-ha.yaml
+++ b/jenkins/jenkins2-ha.yaml
@@ -906,7 +906,7 @@ Resources:
 install:
 packages:
 rpm:
- jenkins: 'https://ftp-chi.osuosl.org/pub/jenkins/redhat-stable/jenkins-2.426.2-1.1.noarch.rpm'
+ jenkins: 'https://ftp-chi.osuosl.org/pub/jenkins/redhat-stable/jenkins-2.426.3-1.1.noarch.rpm'
 files:
 '/etc/cfn/cfn-hup.conf':
 content: !Sub |