mirror of synced 2026-05-22 22:53:35 +00:00
Bharathi Srinivasan 02471ab710 Fix cdk nag warnings (#1542)
* fix: resolve cfn-nag failures in CloudFormation templates

- customer_support_lambda.yaml: add cfn_nag suppression metadata
  (F3, F38, W11) to GatewayAgentCoreRole; wildcard policy is
  intentional for this tutorial sample
- bearer-token-injection/cognito.yaml: MfaConfiguration OFF -> OPTIONAL
- strands-agents/cognito.yaml: MfaConfiguration OFF -> OPTIONAL
- typescript_mastra/github-source.yaml: fix YAML indentation on
  ImageScanningConfiguration (was at col 0, causing parse error)
- java_adk/github-source.yaml: same YAML indentation fix

Fixes 6 cfn-nag failures (F3, F38 x1, F78 x2, FATAL x2) across 5 templates.

* fix: correct agentcore-map.png image path in 01-features README

* fix: resolve cdk-nag warnings across features and workshops

* chore: add cfn-nag suppression metadata to 12 CloudFormation templates

Adds cfn_nag rules_to_suppress Metadata blocks to suppress expected
warnings in tutorial/demo templates:

- W60 (VPC flow logs): 10 templates — demo VPCs don't require flow logs
- W33 (MapPublicIpOnLaunch): 8 templates — public subnets need auto-IP
  for tutorial accessibility
- W40/W5 (SG open egress/ingress): 8 templates — intentional open
  egress in AgentCore SGs and browser-firewall SGs (filtered by Network
  Firewall); broad rules in demo ALB/web server SGs
- W2/W9 (SG SSH from 0.0.0.0/0): 2 templates — development EC2
  instances use SSM but SSH open for tutorial convenience
- W56 (ALB HTTP listener): cluster.yaml — demo uses HTTP; HTTPS
  requires ACM certificate
- W59 (API Gateway no auth): infrastructure_all.yaml — AgentCore
  Gateway handles authentication upstream

Files modified (12):
  01-features/.../01-claude-code-with-s3-files/cfn-vpc.yaml
  01-features/.../02-claude-code-with-efs/cfn-vpc.yaml
  01-features/.../05-domain-filtering/agentcore-browser-firewall.yaml
  03-integrations/.../common/01-network.yaml
  03-integrations/.../ecs/cluster.yaml
  06-workshops/.../01-claude-code-with-s3-files/cfn-vpc.yaml
  06-workshops/.../02-claude-code-with-efs/cfn-vpc.yaml
  06-workshops/.../07-bearer-token-injection/.../infrastructure_all.yaml
  06-workshops/.../07-connecting-public-browser-.../cfn-browser.yaml
  06-workshops/.../08-Interacting-with-vpc-.../cfn-vpc-browser.yaml
  06-workshops/.../09-browser-with-domain-filtering/agentcore-browser-firewall.yaml
  06-workshops/.../11-browser-with-proxy/agentcore-browser-proxy.yaml

* fix: move suppression comments after Python syntax tokens

  Misplaced # pragma: allowlist secret comments were placed before
  trailing commas and closing braces, causing those tokens to be treated
  as comment text rather than Python syntax. Moved all commas and
  closing brace/comma sequences before the comment in 21 files, resolving
  all ruff invalid-syntax errors reported by CI.

* fix: restore missing Python files in 04-entra-obo-mcp-runtime

* style: apply ruff formatting to all PR-touched Python files

* style: apply ruff formatting to pre-existing unformatted Python files

12 files with pre-existing formatting issues were surfaced by the
CI ruff format check because they appear in this PR's changed-files
list. Applied ruff format to bring them into compliance.
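As an added illustration of the template-level fixes this commit message describes (not code taken from the repository's own templates), the fragment below shows a hypothetical CloudFormation template with the three patterns mentioned: a cfn_nag rules_to_suppress Metadata block scoped to the one IAM role that carries the wildcard policy, a Cognito user pool with MfaConfiguration raised from OFF to OPTIONAL, and an ImageScanningConfiguration block indented under Properties where it belongs. Resource names, policy names, the suppression reasons and the EnabledMfas setting are assumptions for the example.

```yaml
# Added example with hypothetical resource names; not a template from this repository.
Resources:
  # Suppressions are attached to the single resource that needs them, and each
  # suppressed rule carries a reason so the accepted risk is documented in the
  # template instead of being silenced globally.
  GatewayAgentCoreRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F3   # wildcard action on a role's permissions policy
            reason: "Wildcard policy is intentional for this tutorial sample"
          - id: F38  # wildcard resource with PassRole on a role's permissions policy
            reason: "Wildcard policy is intentional for this tutorial sample"
          - id: W11  # wildcard resource on a role's permissions policy
            reason: "Wildcard policy is intentional for this tutorial sample"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: tutorial-wildcard-policy   # assumption
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "*"
                Resource: "*"

  # Before the fix this pool had `MfaConfiguration: OFF`, which cfn-nag flags.
  # OPTIONAL lets users enrol a second factor; OPTIONAL and ON both require at
  # least one enabled MFA method, so EnabledMfas is set here (assumption).
  TutorialUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: tutorial-user-pool          # assumption
      MfaConfiguration: OPTIONAL
      EnabledMfas:
        - SOFTWARE_TOKEN_MFA

  # ImageScanningConfiguration must be nested under Properties. Written at
  # column 0 it becomes a stray top-level key and the template fails to parse,
  # which is the FATAL cfn-nag result the commit message refers to.
  SourceRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: tutorial-source           # assumption
      ImageScanningConfiguration:
        ScanOnPush: true
```

Running `cfn_nag_scan --input-path <template>` on a template shaped like this reports the suppressed rules as suppressed rather than as failures, which is the check worth repeating locally before relying on CI.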
2026-05-22 10:52:01 -07:00