(CLI): Identify resource names/Arns with hard-coded partition values #28474
Labels
cli: Issues related to the CDK CLI
effort/medium: Medium work item – several days of effort
feature-request: A feature should be added or improved.
p2
package/tools: Related to AWS CDK Tools or CLI
Describe the feature
When performing a `cdk synth`, pass a flag such as `--partition-awareness=require|warn` to ensure all resource names in synthesized templates utilize the `AWS::Partition` pseudo parameter rather than a value such as `arn:aws:...` or `arn:aws-us-gov:...`.
This is mainly a risk when non-Construct generated values are used within a Resource Element for an IAM Policy Statement, or a user manually generates an Arn using a `<construct>.name` instead of referring to the `<construct>.arn` property.
When the flag value is `require`, the synth command would fail and throw an error if a resource or resource policy element or `!Ref` has a hard-coded AWS partition. When the value is `warn`, it would simply log a warning, but proceed (with synthesis/deployment).
Use Case
It's frustrating when taking a CDK application built in one partition (e.g. aws with us-east-1) and refactoring it to be deployable in a region in another partition. Some errors (service/feature availability) are only identifiable at deploy time. Because non-partition-aware resource names may result in errors and this can be identified during synthesis, I don't want to have to wait until a CloudFormation Prepare or a CloudFormation [IAM Resource] Create Event fails to identify where invalid resource names are used.
Consistently using the partition pseudo parameter is a good standard that should be an option to enforce during synthesis.
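As an added example (not code from the aws-cdk project or from this issue), the following Python script implements the check described above against a synthesized template: it walks every string value in the template, flags any ARN whose partition is a literal (`arn:aws:`, `arn:aws-us-gov:`, `arn:aws-cn:`, ...) wherever it appears, including inside a `Fn::Join` piece or a `Fn::Sub` string, and lets the partition-aware form `["arn:", {"Ref": "AWS::Partition"}, ...]` that `<construct>.arn` synthesizes to pass. In `require` mode violations yield exit code 1; in `warn` mode they are only logged. The sample template is constructed for the example, and the function names and the `*.template.json` glob over `cdk.out` are assumptions of this script, not anything the CDK CLI provides.

```python
"""Scan synthesized CloudFormation templates for ARNs with a hard-coded partition.

Added example for this issue; it is not code from the aws-cdk project or from the
issue author. The sample template below is constructed for the example, and the
function names and the `*.template.json` glob are assumptions of this script.
"""
import json
import re
import sys
from pathlib import Path
from typing import Any, Iterator

# A literal partition directly after "arn:" (aws, aws-cn, aws-us-gov, aws-iso, ...).
# "arn:${AWS::Partition}:" and a Fn::Join piece that ends in "arn:" do not match,
# so templates that take the partition from the pseudo parameter pass.
HARD_CODED_PARTITION = re.compile(r"arn:(aws(?:-[a-z]+)*):")


def _strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string value in a template, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_hard_coded_partitions(template: dict) -> list[tuple[str, str, str]]:
    """Return (json_path, partition, value) for each string carrying a literal partition.

    Strings are inspected wherever they appear, so a literal inside a Fn::Join list,
    a Fn::Sub template or a plain Resource element is caught alike.
    """
    violations = []
    for path, value in _strings(template):
        match = HARD_CODED_PARTITION.search(value)
        if match:
            violations.append((path, match.group(1), value))
    return violations


def check_template(template: dict, mode: str, name: str = "template") -> int:
    """Report violations and return the exit code for the requested mode.

    'require' fails (exit code 1) when any violation exists; 'warn' logs and returns 0.
    """
    if mode not in ("require", "warn"):
        raise ValueError("mode must be 'require' or 'warn'")
    violations = find_hard_coded_partitions(template)
    level = "ERROR" if mode == "require" else "WARNING"
    for path, partition, value in violations:
        print(f"{level}: {name}: hard-coded partition '{partition}' at {path}: {value!r}",
              file=sys.stderr)
    return 1 if mode == "require" and violations else 0


def check_cdk_out(root: str, mode: str) -> int:
    """Scan every synthesized template under a cdk.out directory; the worst exit code wins."""
    exit_code = 0
    for template_file in sorted(Path(root).glob("**/*.template.json")):
        with template_file.open() as fh:
            exit_code = max(exit_code, check_template(json.load(fh), mode, str(template_file)))
    return exit_code


# Constructed sample: one partition-aware statement (the shape <construct>.arn
# synthesizes to) and two hand-built ARNs that embed a literal partition.
SAMPLE_TEMPLATE = {
    "Resources": {
        "Bucket": {"Type": "AWS::S3::Bucket"},
        "ReaderPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow", "Action": "s3:GetObject",
                         "Resource": {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"},
                                                        ":s3:::", {"Ref": "Bucket"}, "/*"]]}},
                        {"Effect": "Allow", "Action": "s3:ListBucket",
                         "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "Bucket"}]]}},
                        {"Effect": "Allow", "Action": "kms:Decrypt",
                         "Resource": {"Fn::Sub": "arn:aws-us-gov:kms:${AWS::Region}:${AWS::AccountId}:key/*"}},
                    ],
                },
                "Roles": [{"Ref": "Role"}],
            },
        },
    }
}


if __name__ == "__main__":
    # Usage: python partition_check.py [require|warn] [cdk.out]; without a directory
    # the constructed sample template is checked instead.
    mode = sys.argv[1] if len(sys.argv) > 1 else "require"
    if len(sys.argv) > 2:
        sys.exit(check_cdk_out(sys.argv[2], mode))
    sys.exit(check_template(SAMPLE_TEMPLATE, mode, "sample"))
```

Running it on the sample reports the `arn:aws:s3:::` piece of the second statement and the `arn:aws-us-gov:kms:...` string of the third, with their JSON paths, while the first statement passes. The scan is deliberately string-based rather than ARN-parsing: a literal partition is a problem whatever surrounds it, and the pseudo-parameter form never contains `arn:<partition>:` as contiguous text, so there is nothing to parse.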
Proposed Solution
I would imagine the feature could be implemented as an Aspect, but that would require a user to be familiar with that module.
I think the presence of this flag should result in a scan of all `cdk.out/**/*.template` files to identify violations, and the `require|warn` value determines which exit code is returned from the synth command.
Other Information
No response
Acknowledgements
CDK version used
2.110.1
Environment details (OS name and version, etc.)
Mac M1 Ventura | AWS GovCloud West 1 Region