fix: merge suppressions instead of re-writing

Author: tstephen-nhs

packages/cdkConstructs/src/constants.ts

@@ -17,3 +17,8 @@ export const LAMBDA_RESOURCES = {
   SplunkDeliveryStream: Fn.importValue("lambda-resources:SplunkDeliveryStream"),
   SplunkSubscriptionFilterRole: Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole")
 }
+
+/** Shared cfn-guard rule identifiers used for metadata suppressions. */
+export const CFN_GUARD_RULES = {
+  LogGroupRetentionPeriodCheck: "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
+} as const

packages/cdkConstructs/src/constructs/RestApiGateway.ts

@@ -33,6 +33,7 @@ import {
 import {ApiGateway as ApiGatewayTarget} from "aws-cdk-lib/aws-route53-targets"
 import {NagSuppressions} from "cdk-nag"
 import {ACCOUNT_RESOURCES, LAMBDA_RESOURCES} from "../constants"
+import {addSuppressions} from "../utils/helpers"
 
 /** Configuration for creating a REST API with optional mTLS and log forwarding integrations. */
 export interface RestApiGatewayProps {
@@ -257,13 +258,7 @@ export class RestApiGateway extends Construct {
     })
 
     const cfnStage = apiGateway.deploymentStage.node.defaultChild as CfnStage
-    cfnStage.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "API_GW_CACHE_ENABLED_AND_ENCRYPTED"
-        ]
-      }
-    }
+    addSuppressions([cfnStage], ["API_GW_CACHE_ENABLED_AND_ENCRYPTED"])
 
     // Outputs
     this.api = apiGateway

packages/cdkConstructs/src/constructs/StateMachine.ts

@@ -20,7 +20,8 @@ import {
 } from "aws-cdk-lib/aws-stepfunctions"
 import {Construct} from "constructs"
 import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
-import {ACCOUNT_RESOURCES, LAMBDA_RESOURCES} from "../constants"
+import {ACCOUNT_RESOURCES, CFN_GUARD_RULES, LAMBDA_RESOURCES} from "../constants"
+import {addSuppressions} from "../utils/helpers"
 
 /**
  * Configuration for provisioning an Express Step Functions state machine
@@ -109,13 +110,7 @@ export class ExpressStateMachine extends Construct {
     })
 
     const cfnLogGroup = logGroup.node.defaultChild as CfnLogGroup
-    cfnLogGroup.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLogGroup], [CFN_GUARD_RULES.LogGroupRetentionPeriodCheck])
 
     if (addSplunkSubscriptionFilter) {
       if (splunkDeliveryStream) {

packages/cdkConstructs/src/constructs/lambdaSharedResources.ts

@@ -13,7 +13,7 @@ import {
 } from "aws-cdk-lib/aws-iam"
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
-import {ACCOUNT_RESOURCES, LAMBDA_RESOURCES} from "../constants"
+import {ACCOUNT_RESOURCES, CFN_GUARD_RULES, LAMBDA_RESOURCES} from "../constants"
 import {addSuppressions} from "../utils/helpers"
 import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
 import {Stream} from "aws-cdk-lib/aws-kinesis"
@@ -74,7 +74,7 @@ export const createSharedLambdaResources = (
   })
 
   const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-  addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
+  addSuppressions([cfnlogGroup], [CFN_GUARD_RULES.LogGroupRetentionPeriodCheck])
 
   if (addSplunkSubscriptionFilter) {
     // This is in an if statement to ensure correct value is used