From bb3417c14d60cc89ccea8a0fd1188906bb73e160 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 10 Dec 2024 10:06:47 -0800
Subject: [PATCH 1/7] fix: add folder between temp directory and file
Signed-off-by: Scott Schreckengaust
---
 .../document-ingestion/s3_file_transformer/src/helpers/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lambda/document-ingestion/s3_file_transformer/src/helpers/utils.py b/lambda/document-ingestion/s3_file_transformer/src/helpers/utils.py
index 09b2efb..0ef5c64 100644
--- a/lambda/document-ingestion/s3_file_transformer/src/helpers/utils.py
+++ b/lambda/document-ingestion/s3_file_transformer/src/helpers/utils.py
@@ -71,7 +71,7 @@ def transform_image_document(input_bucket: str,file_name: str,output_bucket: str
 lables_txt= convert_lables_to_sentence(result_lables)
 # upload descriptive text file as .txt for ingested image
- with open (tempfile.gettempdir()+name+'.txt','w') as f:
+ with open (tempfile.gettempdir()+os.sep+name+'.txt','w') as f:
 f.write(json.dumps(lables_txt))
 #s3.upload_file('/tmp/'+name+'.txt',output_bucket,name+".txt")
 upload_file(output_bucket,f'{name}.txt',f'{name}.txt')
From 53ad24723587ce027040358a7403a7568d191193 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 10 Dec 2024 10:13:49 -0800
Subject: [PATCH 2/7] fix: add rekognition to the file transformer
Signed-off-by: Scott Schreckengaust
---
 modules/document-ingestion/data.tf | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/modules/document-ingestion/data.tf b/modules/document-ingestion/data.tf
index a708c5c..d7de80e 100644
--- a/modules/document-ingestion/data.tf
+++ b/modules/document-ingestion/data.tf
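Review bot: The temp-file path on the `+` line is still assembled by string concatenation, with `name` dropped straight into it; if `name` is derived from the S3 object key (its origin is not visible here), a key containing path separators would place the file outside the temp directory, so prefer `os.path.join(tempfile.gettempdir(), f"{name}.txt")` and reduce `name` to a bare filename with `os.path.basename` before use, which also makes the manual `os.sep` unnecessary. The file is opened without an explicit encoding and is never removed after `upload_file`, so on a warm Lambda container it stays in the function's ephemeral storage; `open(path, 'w', encoding='utf-8')` plus `os.remove(path)` after the upload (or a `tempfile.NamedTemporaryFile`) would address both. The `upload_file(output_bucket, f'{name}.txt', f'{name}.txt')` call passes the bare `f'{name}.txt'` rather than the temp-directory path that was just written — presumably the helper prepends the temp directory itself, but that is worth confirming. `transform_image_document` starts and continues outside the hunk.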
@@ -215,6 +215,18 @@ data "aws_iam_policy_document" "file_transformer" {
 effect = "Allow"
 resources = ["*"]
 }
+
+ statement {
+ sid = "Rekognition"
+
+ actions = [
+ "rekognition:*"
+ ]
+
+ effect = "Allow"
+
+ resources = ["*"]
+ }
 #checkov:skip=CKV_AWS_356:Lambda VPC and Xray permission require wildcard
 #checkov:skip=CKV_AWS_111:Lambda VPC and Xray permission require wildcard
 #checkov:skip=CKV_AWS_109:KMS management permission by IAM user
From bfa61a8ee11cd83bbc16b480235df57a0d911ab1 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 10 Dec 2024 10:26:07 -0800
Subject: [PATCH 3/7] fix: add python virtual environment and ruby version
Signed-off-by: Scott Schreckengaust
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitignore b/.gitignore
index 57a3dec..5a8a1e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,6 @@ go.sum
 tests/*.auto.tfvars
 .idea
+
+.venv
+.ruby-version
From 4137b7ede3b80c11d28658877c97b3fef22cf31e Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 10 Dec 2024 11:03:45 -0800
Subject: [PATCH 4/7] fix: only DetectModerationLabels needed
Signed-off-by: Scott Schreckengaust
---
 modules/document-ingestion/data.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/document-ingestion/data.tf b/modules/document-ingestion/data.tf
index d7de80e..8cf0b19 100644
--- a/modules/document-ingestion/data.tf
+++ b/modules/document-ingestion/data.tf
@@ -220,7 +220,7 @@ data "aws_iam_policy_document" "file_transformer" {
 sid = "Rekognition"
 actions = [
- "rekognition:*"
+ "rekognition:DetectModerationLabels"
 ]
 effect = "Allow"
From 40aec8f19cb134eb1d4385d6cf7eb48ead1fc433 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 10 Dec 2024 11:19:30 -0800
Subject: [PATCH 5/7] fix: bump version
Signed-off-by: Scott Schreckengaust
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 0ec25f7..b18d465 100644
--- a/VERSION
+++ b/VERSION
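Review bot: The new `Rekognition` statement grants `rekognition:*` on `resources = ["*"]`, which is far wider than the one API the transformer needs; PATCH 4/7 in this series narrows the action to `rekognition:DetectModerationLabels`, so the intermediate wildcard-action state should not be merged as is. Even after that narrowing the resource stays `*`, and the only thing covering it is the `#checkov:skip=CKV_AWS_356` line below, whose reason text still names only the Lambda VPC and X-Ray permissions; as far as I know `DetectModerationLabels` against the built-in model has no resource ARN to scope to, so the reason should say that, e.g. `#checkov:skip=CKV_AWS_356:Lambda VPC/X-Ray permissions and Rekognition DetectModerationLabels require wildcard resources`. A one-line comment on the statement itself, e.g. `# DetectModerationLabels is not resource-scoped, hence "*"`, would keep a later reader from widening or tightening it blindly. The enclosing `aws_iam_policy_document` data block starts and ends outside the hunk.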
@@ -1 +1 @@
-v1.0.0
+v1.0.1
From 3124f5f24f082fd9265c9e2a5ed2b7765f628d1b Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 10 Dec 2024 12:04:34 -0800
Subject: [PATCH 6/7] fix: checkov suppression for internet access
Signed-off-by: Scott Schreckengaust
---
 modules/networking-resources/main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/networking-resources/main.tf b/modules/networking-resources/main.tf
index 72a5890..3998f0d 100644
--- a/modules/networking-resources/main.tf
+++ b/modules/networking-resources/main.tf
@@ -27,6 +27,7 @@ resource "aws_vpc_security_group_egress_rule" "to_internet" {
 ip_protocol = -1
 cidr_ipv4 = "0.0.0.0/0"
 security_group_id = aws_security_group.lambda.id
+ #checkov:skip=CKV2_AWS_382:access to internet for lambda is required
 }
 resource "aws_vpc_security_group_ingress_rule" "https_within_sg" {
From ceb3849d813f5850cae789ba670f12833d8ba5d0 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 10 Dec 2024 16:52:28 -0800
Subject: [PATCH 7/7] fix: suppress CKV2_AWS_382
Signed-off-by: Scott Schreckengaust
---
 modules/networking-resources/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/networking-resources/main.tf b/modules/networking-resources/main.tf
index 3998f0d..a34883a 100644
--- a/modules/networking-resources/main.tf
+++ b/modules/networking-resources/main.tf
@@ -27,7 +27,7 @@ resource "aws_vpc_security_group_egress_rule" "to_internet" {
 ip_protocol = -1
 cidr_ipv4 = "0.0.0.0/0"
 security_group_id = aws_security_group.lambda.id
- #checkov:skip=CKV2_AWS_382:access to internet for lambda is required
+ #checkov:skip=CKV_AWS_382:access to internet for lambda is required
 }
 resource "aws_vpc_security_group_ingress_rule" "https_within_sg" {
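Review bot: The corrected suppression on the `+` line sits on a rule that allows every protocol (`ip_protocol = -1`) to `0.0.0.0/0`, and its reason, `access to internet for lambda is required`, does not say what the Lambda must reach; a justification naming the destinations (for example the public AWS API endpoints, including the Rekognition API granted in PATCH 2/7) lets the next reviewer judge whether the skip is still warranted. If the function only talks to AWS APIs, restricting the rule to `ip_protocol = "tcp"` with `from_port = 443` and `to_port = 443`, or reaching those services through VPC endpoints, would likely remove the need for the suppression entirely. The subject of this patch still reads `CKV2_AWS_382` although the hunk changes the ID to `CKV_AWS_382`, which will confuse anyone reading the history. The `to_internet` resource starts outside the hunk.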