add cfn_nag in github static checking workflow

also regroup black and ruff under a single python job

Author: cnfait

.github/workflows/static-checking.yml

@@ -9,23 +9,38 @@ permissions:
   contents: read
 
 jobs:
-  cfnlint:
+  cfn:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python 3.11
         uses: actions/setup-python@v4
         with:
           python-version: 3.11
+      - name: Set up Ruby 3.2
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2
       - name: install requirements
         run: |
           python -m pip install --upgrade pip
           python -m pip install cfn-lint
+          gem install cfn-nag
       - name: cfn-lint
         run: |
           find . -not \( -path ./sdlf-utils -prune \) -type f -name '*.yaml' -print0 \
           | xargs -0 cfn-lint
-  black:
+      - name: cfn-nag
+        run: |
+          cat <<EOT >> .cfn-nag-deny-list.yml
+          - id: W61
+            reason: |-
+              Certificates are handled by customers downstream, see https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-encryption-enable.html#emr-encryption-certificates
+              This is ignored only during CI as we want customers to be aware they need to update the security configuration should they choose to use it.
+          EOT
+          find . -not \( -path ./sdlf-utils -prune -o -type f -name 'template-glue-job.yaml' -o -type f -name 'template-lambda-layer.yaml' \) -type f -name '*.yaml' -print0 \
+          | xargs -0 -L 1 cfn_nag_scan --fail-on-warnings --ignore-fatal --deny-list-path .cfn-nag-deny-list.yml --input-path
+  python:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -36,21 +51,9 @@ jobs:
       - name: install requirements
         run: |
           python -m pip install --upgrade pip
-          python -m pip install black
+          python -m pip install black ruff
       - name: black
         run: black --check .
-  ruff:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.11
-      - name: install requirements
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install ruff
       - name: ruff
         run: ruff check .
   shellcheck:
@@ -64,4 +67,4 @@ jobs:
       - name: shellcheck
         run: |
           find . -not \( -path ./sdlf-utils -prune \) -type f \( -name '*.sh' -o -name '*.bash' -o -name '*.ksh' \) -print0 \
-          | xargs -0 shellcheck -x --format gcc
+          | xargs -0 shellcheck -x --format gcc

validate.sh

@@ -14,5 +14,6 @@ find . -not \( -path ./sdlf-utils -prune \) -type f \( -name '*.sh' -o -name '*.
 # cloudformation
 find . -not \( -path ./sdlf-utils -prune \) -type f -name '*.yaml' -print0 \
 | xargs -0 cfn-lint
-find . -not \( -path ./sdlf-utils -prune \) -type f -name '*.yaml' -print0 \
-| xargs -0 -L 1 cfn_nag_scan --deny-list-path .cfn-nag-deny-list.yml --input-path
+## unfortunately cfn_nag doesn't support fn::foreach so we exclude files using it: https://github.com/stelligent/cfn_nag/issues/621
+find . -not \( -path ./sdlf-utils -prune -o -type f -name 'template-glue-job.yaml' -o -type f -name 'template-lambda-layer.yaml' \) -type f -name '*.yaml' -print0 \
+| xargs -0 -L 1 cfn_nag_scan --fail-on-warnings --ignore-fatal --deny-list-path .cfn-nag-deny-list.yml --input-path