Open willdady opened 2 years ago
Hey Will, thanks for reaching out. We're actually considering removing cfn-nag
outright from this step, with the thinking that it's not really the appropriate place to check for that. If we go that route, would that work for your use case?
@adam-daily 100% yes.
If not completely removed, perhaps even a flag that can be set in the `manifest.yaml`? The flag could be a global opt-out or even an opt-out per-resource.
I think it's reasonable for CfCT to be less-opinionated on this. Leave it the responsibility of consumers of CfCT to provide valid templates.
There should be an early build step so the pipeline fails as fast as possible when there is a problem.
I guess different orgs might have different requirements, so leveraging something like pre-commit could allow `.pre-commit.yaml` to be owned by the owning enterprise.
Precommit isn't only a pre-commit hook, but the same hooks would work locally for the CfCT operator and thus fewer problems would ever reach the pipeline itself.
Just get rid of it completely. The present solution is over-engineered.
Any update on removing cfn-nag?
Yes, please. This issue alone bars the use of this tool.
@adam-daily Can we get an update on this? Our team finds cfn_nag extremely annoying to deal with, as it often results in a lot of trial and error when doing deployments, which are already slow enough with CfCT. There should be a simple way to opt out of using it (or just remove it from the project entirely). Linting should not be a concern of this project.
Yes, please remove cfn_nag entirely. It is of no use whatsoever. Currently, we only do SCP deployments using CfCT, as the StackSet functionality is, for all intents and purposes, completely useless.
cfn_nag appears to be abandoned by its authors. There are multiple issues with it that prevent CfCT from deploying stacks using common CloudFormation constructs (Fn::ForEach, etc.) that show no sign of being resolved. Could it be removed entirely from CfCT?
It should be possible to suppress cfn_nag rules on a per-resource basis for stack-set deployments.
I am trying to add the CDK bootstrap to accounts within my organisation. I retrieve the bootstrap template from the AWS CLI via

```shell
cdk bootstrap --show-template
```

and save this as a file in my repo. This is then linked as a `stack_set` resource in my `manifest.yaml`.

Attempting to deploy this as-is causes the deployment to fail, as cfn_nag raises issues. It fails against rules F19 and F76.

To get around this issue I have to edit the template to add `rules_to_suppress` where appropriate. As this is a third-party template, generated from an official AWS tool no less, I really don't want to have to edit the template to get around this issue.
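For readers who do not know what the workaround above looks like, this is an added illustration (not the issue author's template and not part of the CDK bootstrap template) of the per-resource suppression syntax cfn_nag reads from a resource's `Metadata` block. The resource name, its type and the `reason` strings are assumptions; the rule ids F19 and F76 are the ones named in the issue. Each suppression is scoped to one resource and carries a reason, which is what you would want to see in review rather than a global opt-out that also silences findings on templates you do own.

```yaml
Resources:
  # Placeholder resource: substitute whichever resource in the
  # generated template cfn_nag actually flags.
  ExampleRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          # One entry per suppressed rule; keep the reason specific so a
          # reviewer can see why the finding was accepted rather than fixed.
          - id: F19
            reason: "Third-party template emitted by 'cdk bootstrap --show-template'; accepted after review, not maintained here"
          - id: F76
            reason: "Third-party template emitted by 'cdk bootstrap --show-template'; accepted after review, not maintained here"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
```

Because the suppression lives inside the template itself, it is lost whenever the template is regenerated with `cdk bootstrap --show-template`, which is the maintenance burden the issue is describing.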