Develop

CODEOWNERS

@@ -0,0 +1 @@
+* @davmayd

templates/okta-asa-bastion.template.yaml

@@ -1,6 +1,10 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: This AWS CloudFormation template deploys a bastion host enrolled with Okta Advanced Server Access (qs-1rm280cl1)
 Metadata:
+  cfn-lint:
+    config:
+      ignore_checks:
+        - W9006
   LICENSE: Apache License, Version 2.0
   QuickStartDocumentation:
     EntrypointName: "Parameters for deploying Okta ASA into an existing VPC"
@@ -95,7 +99,6 @@ Metadata:
         default: Root volume size
       EnrollmentToken:
         default: Okta Advanced Server Access enrollment token
-  cfn-lint: { config: { ignore_checks: [E9007] } }
 Parameters:
   EC2AMIOS:
     AllowedValues:
@@ -456,6 +459,15 @@ Resources:
         - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
   BastionHostPolicy:
     Type: 'AWS::IAM::Policy'
+    Metadata:
+      cfn-lint:
+        config:
+          ignore_checks:
+            - EIAMPolicyWildcardResource
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "EC2 requires wildcard access"
     Properties:
       PolicyName: BastionPolicy
       PolicyDocument:
@@ -481,7 +493,7 @@ Resources:
           - Action:
               - 'ec2:AssociateAddress'
               - 'ec2:DescribeAddresses'
-            Resource: '*'
+            Resource: '*' # Only supported resource per the documentation
             Effect: Allow
       Roles:
         - !If
@@ -702,6 +714,13 @@ Resources:
               - 'Null'
   BastionSecurityGroup:
     Type: 'AWS::EC2::SecurityGroup'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F1000
+            reason: "Standard Amazon practice"
+          - id: W36
+            reason: "Group description is sufficient"
     Properties:
       GroupDescription: Enables SSH Access to Bastion Hosts
       VpcId: !Ref VPCID

templates/okta-asa-main.template.yaml

@@ -1,6 +1,10 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: This AWS CloudFormation template deploys an environment – VPC, bastion, and target hosts – with Okta Advanced Server Access (qs-1rm280cig)
 Metadata:
+  cfn-lint:
+    config:
+      ignore_checks:
+        - W9006
   LICENSE: Apache License, Version 2.0 
   QuickStartDocumentation:
     EntrypointName: "Parameters for deploying Okta ASA into a new VPC"
@@ -92,7 +96,6 @@ Metadata:
         default: VPC CIDR
       EnrollmentToken:
         default: Okta Advanced Server Access enrollment token
-  cfn-lint: { config: { ignore_checks: [E9007] } }
 Parameters:
   AvailabilityZones:
     Description: 'Availability Zones to use for the subnets in the VPC. The logical order is preserved. This deployment uses 2 Availability Zones.'

templates/okta-asa-target.template.yaml

@@ -1,6 +1,10 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: This AWS CloudFormation template deploys a target host enrolled with Okta Advanced Server Access (qs-1rm280cl7)
 Metadata:
+  cfn-lint:
+    config:
+      ignore_checks:
+        - W9006
   LICENSE: Apache License, Version 2.0
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -95,7 +99,6 @@ Metadata:
         default: Root volume size
       EnrollmentToken:
         default: Okta Advanced Server Access enrollment token
-  cfn-lint: { config: { ignore_checks: [E9007] } }
 Parameters:
   BastionSecurityGroupID:
     Description: ID of the bastion host security group to enable SSH connections (e.g.,
@@ -442,6 +445,15 @@ Resources:
         - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
   TargetHostPolicy:
     Type: 'AWS::IAM::Policy'
+    Metadata:
+      cfn-lint:
+        config:
+          ignore_checks:
+            - EIAMPolicyWildcardResource
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "EC2 requires wildcard access"
     Properties:
       PolicyName: TargetPolicy
       PolicyDocument:
@@ -467,7 +479,7 @@ Resources:
           - Action:
               - 'ec2:AssociateAddress'
               - 'ec2:DescribeAddresses'
-            Resource: '*'
+            Resource: '*' # Only supported resource per the documentation
             Effect: Allow
       Roles:
         - !If
@@ -653,6 +665,13 @@ Resources:
             [ $(qs_status) == 0 ] && cfn_success || cfn_fail
   TargetSecurityGroup:
     Type: 'AWS::EC2::SecurityGroup'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F1000
+            reason: "Standard Amazon practice"
+          - id: W36
+            reason: "EC2 requires wildcard access"
     Properties:
       GroupDescription: Enables SSH Access to Target Hosts
       VpcId: !Ref VPCID