(CLI): Identify resource names/Arns with hard-coded partition values #28474
Labels
cli
Issues related to the CDK CLI
effort/medium
Medium work item – several days of effort
feature-request
A feature should be added or improved.
p2
package/tools
Related to AWS CDK Tools or CLI
Comments
bsmitches
added
feature-request
bsmitches
changed the title
bsmitches
changed the title
|
Yes we should either build this support in CDK or just make it a rule for cdk-validator-cfnguard. We welcome PRs from the community and please help us prioritize with 👍 . |
pahud
added
p2
effort/medium
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature
When performing a
cdk synth, pass a flag such as--partition-awareness=require|warnto ensure all resource names in synthesized templates utilize the AWS::Partition pseudo parameter rather than a value such asarn:aws:...orarn:aws-us-gov:....This is mainly a risk when non-Construct generated values are used within a Resource Element for an IAM Policy Statement, or a user manually generates an Arn using a
<construct>.nameinstead of referring to the<construct>.arnpropertyWhen the flag value is
require, the synth command would fail and throw an error if a resource or resource policy element or !Ref has a hard coded AWS partition. When the value iswarn, it would simply log a warning, but proceed (with synthesis/deployment).Use Case
It's frustrating when taking a CDK application built in one partition (e.g. aws with us-east-1) and refactoring it to be deployable it in a region in another partition. Some errors (service/feature availability) are only identifiable during deploy-time. Because non-partition aware resource names may result in errors and this can be identified during synthesis, I don't want to have to wait until a CloudFormation Prepare or a CloudFormation [IAM Resource] Create Event fails to identify where invalid resource names are used.
Consistently using the partition pseudo parameter is a good standard that should be an option to enforce during synthesis.
Proposed Solution
I would imagine the feature could be implemented an Aspect, but that would require a user to be familiar with that module.
I think the presence of this flag should result in a scan of all
cdk.out/**/*.templatefiles to identify violations, and therequire|warnvalue determines which exit code is returned from the synth command.Other Information
No response
Acknowledgements
CDK version used
2.110.1
Environment details (OS name and version, etc.)
Mac M1 Ventura | AWS GovCloud West 1 Region
The text was updated successfully, but these errors were encountered: