aws-cloudformation / aws-guard-rules-registry

Rules Registry for Compliance Frameworks
Apache License 2.0

Best practice for cfn-guard rules for CDK synthesized resources that are wrapped in a CustomResource #274

Open MikeJansen opened 5 months ago

MikeJansen commented 5 months ago

General Issue

CDK Constructs (e.g. aws-cdk-lib.aws_eks.Cluster) do not always synthesize the resource type (e.g. AWS::EKS::Cluster) that registered rules expect.

The Question

What is the best practice for standard cfn-guard rules such as eks_endpoint_no_public_access.guard when the resource is being created in a CDK construct that wraps the creation in a Custom Resource and does not directly synthesize the resource specified in the rule?

For example, the rule mentioned is specific to resource type AWS::EKS::Cluster. However, if using aws-cdk-lib/aws_eks.Cluster, the synthesized resource type is Custom::AWSCDK-EKS-Cluster. In this particular case, a rule could be created that satisfies the eks_endpoint_no_public_access.guard rule requirements since the synthesized resource includes an equivalent property.

I'm assuming there is no method to use the standard rule since the resource type and properties do not match in the CDK synthesized template. That being the case, what is the best practice for emulating this rule? Do we simply create our own rule? Name it identically or differently?

CloudFormation Guard Version

n/a

OS

n/a

OS Version

No response

Other information

No response
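One way to emulate the registry rule for the CDK custom resource, as an added example that is not part of the original issue or the registry: a separate rule scoped to Custom::AWSCDK-EKS-Cluster. It assumes that aws-cdk-lib passes the EKS CreateCluster parameters under Properties.Config in camelCase, so the endpoint setting lives at Config.resourcesVpcConfig.endpointPublicAccess; the rule name is a constructed placeholder.

```guard
# Added example, not a registry rule. Targets the CDK-synthesized custom resource
# rather than AWS::EKS::Cluster, so the standard eks_endpoint_no_public_access rule
# and this one can run side by side against the same template.
# Assumption: the custom resource stores the EKS CreateCluster request under
# Properties.Config using the EKS API's camelCase field names.
let cdk_eks_clusters = Resources.*[ Type == 'Custom::AWSCDK-EKS-Cluster' ]

rule cdk_eks_endpoint_no_public_access when %cdk_eks_clusters !empty {
    # Fail closed: a missing Config or resourcesVpcConfig means the default
    # (public endpoint enabled) applies, so require the key to be present.
    %cdk_eks_clusters.Properties.Config.resourcesVpcConfig exists
    %cdk_eks_clusters.Properties.Config.resourcesVpcConfig.endpointPublicAccess exists
    %cdk_eks_clusters.Properties.Config.resourcesVpcConfig.endpointPublicAccess == false
    <<
        Violation: CDK-managed EKS cluster exposes a public Kubernetes API endpoint.
        Fix: set endpointAccess to eks.EndpointAccess.PRIVATE on the Cluster construct
        so the synthesized Config.resourcesVpcConfig.endpointPublicAccess is false.
    >>
}
```

Run it together with the standard rule via `cfn-guard validate` against the synthesized template; if a template happens to contain both resource types, each rule evaluates only its own type and the other reports SKIP.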