New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
@collaborne/custom-cloudformation-resources
Advanced tools
@collaborne/custom-cloudformation-resources - npm Package Compare versions
Comparing version 0.5.5 to 0.5.6
| { | ||
| "name": "@collaborne/custom-cloudformation-resources", | ||
| "version": "0.5.5", | ||
| "version": "0.5.6", | ||
| "description": "Custom CloudFormation resources", | ||
@@ -5,0 +5,0 @@ "main": "dist/index.js", |
@@ -469,66 +469,77 @@ import { ACM, Route53 } from 'aws-sdk'; | ||
| // Request the certificate | ||
| const request: ACM.RequestCertificateRequest = { | ||
| ...baseRequest, | ||
| IdempotencyToken: rawIdempotencyToken.replace(/[^\w]/g, '').slice(0, 32), | ||
| DomainValidationOptions: | ||
| emailDomainValidationOptions.length === 0 | ||
| ? undefined | ||
| : emailDomainValidationOptions, | ||
| Options: { | ||
| CertificateTransparencyLoggingPreference: ctLoggingPreference, | ||
| }, | ||
| }; | ||
| const { CertificateArn: certificateArn } = await this.acm | ||
| .requestCertificate(request) | ||
| .promise(); | ||
| if (!certificateArn) { | ||
| // Hopefully some hints are in Cloudtrail now ... | ||
| throw new Error( | ||
| 'Failed to request certificate: No certificate ARN returned', | ||
| ); | ||
| } | ||
| try { | ||
| // Request the certificate | ||
| const request: ACM.RequestCertificateRequest = { | ||
| ...baseRequest, | ||
| IdempotencyToken: rawIdempotencyToken | ||
| .replace(/[^\w]/g, '') | ||
| .slice(0, 32), | ||
| DomainValidationOptions: | ||
| emailDomainValidationOptions.length === 0 | ||
| ? undefined | ||
| : emailDomainValidationOptions, | ||
| Options: { | ||
| CertificateTransparencyLoggingPreference: ctLoggingPreference, | ||
| }, | ||
| }; | ||
| const { CertificateArn: certificateArn } = await this.acm | ||
| .requestCertificate(request) | ||
| .promise(); | ||
| if (!certificateArn) { | ||
| // Hopefully some hints are in Cloudtrail now ... | ||
| throw new Error( | ||
| 'Failed to request certificate: No certificate ARN returned', | ||
| ); | ||
| } | ||
| // We have an ARN, so at least all initial parameters were good enough. Proceed working on the validation ... | ||
| this.logger.log(`Certificate requested: ${certificateArn}`); | ||
| // We have an ARN, so at least all initial parameters were good enough. Proceed working on the validation ... | ||
| this.logger.log(`Certificate requested: ${certificateArn}`); | ||
| // If validation was supposed to happen via email, or there are no options provided for DNS validation, then we're | ||
| // done and the caller knows what to do. | ||
| // Otherwise we need to go to Route53 and upsert the needed RR there. | ||
| if (dnsDomainValidationOptions.length !== 0) { | ||
| const resourceRecords = await this.getValidationResourceRecords( | ||
| certificateArn, | ||
| ); | ||
| const hostedZoneId = dnsDomainValidationOptions[0].HostedZoneId; | ||
| const result = await this.route53 | ||
| .changeResourceRecordSets({ | ||
| HostedZoneId: hostedZoneId, | ||
| ChangeBatch: { | ||
| Changes: resourceRecords.map(resourceRecord => ({ | ||
| Action: 'UPSERT', | ||
| ResourceRecordSet: { | ||
| Name: resourceRecord.Name, | ||
| Type: resourceRecord.Type, | ||
| // The TTL can in theory be very large, but that would potentially hinder our ability | ||
| // to quickly revoke a certificate. As there shouldn't be many requests to this either, 300 | ||
| // should be just fine. | ||
| TTL: 300, | ||
| ResourceRecords: [ | ||
| { | ||
| Value: resourceRecord.Value, | ||
| }, | ||
| ], | ||
| }, | ||
| })), | ||
| }, | ||
| }) | ||
| .promise(); | ||
| // If validation was supposed to happen via email, or there are no options provided for DNS validation, then we're | ||
| // done and the caller knows what to do. | ||
| // Otherwise we need to go to Route53 and upsert the needed RR there. | ||
| if (dnsDomainValidationOptions.length !== 0) { | ||
| this.logger.log('Validation is DNS Domain Validation'); | ||
| const resourceRecords = await this.getValidationResourceRecords( | ||
| certificateArn, | ||
| ); | ||
| this.logger.log(`resourceRecords: ${JSON.stringify(resourceRecords)}`); | ||
| const hostedZoneId = dnsDomainValidationOptions[0].HostedZoneId; | ||
| this.logger.log(`hostedZoneId: ${hostedZoneId}`); | ||
| const result = await this.route53 | ||
| .changeResourceRecordSets({ | ||
| HostedZoneId: hostedZoneId, | ||
| ChangeBatch: { | ||
| Changes: resourceRecords.map(resourceRecord => ({ | ||
| Action: 'UPSERT', | ||
| ResourceRecordSet: { | ||
| Name: resourceRecord.Name, | ||
| Type: resourceRecord.Type, | ||
| // The TTL can in theory be very large, but that would potentially hinder our ability | ||
| // to quickly revoke a certificate. As there shouldn't be many requests to this either, 300 | ||
| // should be just fine. | ||
| TTL: 300, | ||
| ResourceRecords: [ | ||
| { | ||
| Value: resourceRecord.Value, | ||
| }, | ||
| ], | ||
| }, | ||
| })), | ||
| }, | ||
| }) | ||
| .promise(); | ||
| this.logger.log(`Route53 change set: ${result.ChangeInfo.Id}`); | ||
| this.logger.log(`Route53 change set: ${result.ChangeInfo.Id}`); | ||
| } | ||
| return { | ||
| Arn: certificateArn, | ||
| CertificateId: getCertificateId(certificateArn), | ||
| }; | ||
| } catch (error) { | ||
| this.logger.error(error); | ||
| throw error; | ||
| } | ||
| return { | ||
| Arn: certificateArn, | ||
| CertificateId: getCertificateId(certificateArn), | ||
| }; | ||
| } | ||
@@ -535,0 +546,0 @@ |
@@ -16,2 +16,13 @@ import { CloudWatchEvents } from 'aws-sdk'; | ||
| CW_EVENTS_CONTINUATION_RULE_ROLE_ARN, | ||
| /** | ||
| * ARN of the optional role to use by CloudWatch Events to use the service token | ||
| * | ||
| * From the `PutTargets` documentation: | ||
| * > To be able to make API calls against the resources that you own, Amazon EventBridge needs | ||
| * > the appropriate permissions. For Lambda and Amazon SNS resources, EventBridge relies on | ||
| * > resource-based policies. For EC2 instances, Kinesis Data Streams, Step Functions state | ||
| * > machines and API Gateway REST APIs, EventBridge relies on IAM roles that you specify in the | ||
| * > RoleARN argument in PutTargets. For more information, see Authentication and Access Control | ||
| * > in the Amazon EventBridge User Guide . | ||
| */ | ||
| CW_EVENTS_CONTINUATION_TARGET_ROLE_ARN, | ||
@@ -18,0 +29,0 @@ } = process.env; |
Fixed alerts
Network access
Supply chain riskThis module accesses the network.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 3 instances in 1 package
Improved metrics
- Number of low supply chain risk alerts
- decreased by-100%
0
- Number of medium supply chain risk alerts
- decreased by-100%
0
Worsened metrics
- Total package byte prevSize
- decreased by-75.54%
41110
- Number of package files
- decreased by-57.89%
16
- Lines of code
- decreased by-46.29%
1101
No dependency changes