Open fiserv-plat-eng opened 1 year ago
@fiserv-plat-eng you shouldn't be relying on the console output to produce valid JSON/YAML. The template will be written to the cdk.out directory which will be valid and is the template that you should use.
@corymhall - unfortunately this would be a breaking change for other workflows which expects valid outputs from cdk synth like wiz cli.
I would recommend wiz cli update to read from the supported output (i.e. cdk.out). We will never guarantee that what is printed will be machine readable.
Also note that the Validation Report is not included in the outputted yaml.

```
cdk synth > template.yaml
Validation Report
-----------------
Policy Validation Report Summary
╔════════════════════════╤═════════╗
║ Plugin                 │ Status  ║
╟────────────────────────┼─────────╢
║ cdk-validator-cfnguard │ success ║
╚════════════════════════╧═════════╝
head -n 4 template.yaml
Performing Policy Validations
Policy Validation Successful!
Resources:
```
I will reach out to teams to make changes so long
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Example docs of how wiz cli recommends scanning CDK projects:
So when you have a pipeline with multiple deployment stacks, your cdk.out includes multiple entries.

```
$ cdk ls
infra-only-pipeline
infra-only-pipeline/infra-only/Alpha-us-east-1/infra-only
infra-only-pipeline/infra-only/Beta-us-east-1/infra-only
infra-only-pipeline/infra-only/Gamma-us-east-1/infra-only
infra-only-pipeline/infra-only/Prod-us-east-1/infra-only
```

So before this change you could just do a `cdk synth infra-only-pipeline/infra-only/Alpha-us-east-1/infra-only > template.yaml` to only get the output for that stack.

Now you need to parse the cdk.out folder and search for a matching stack, but the naming is different, i.e.:
`cdk.out/assembly-infra-only-pipeline-infra-only-Alpha-us-east-1/infraonlypipelineinfraonlyAlphauseast1infraonly27F51A2D.template.json`

I am not sure why there is the requirement for console.log only in this case, but not all other cases in CDK?
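Reading the template from cdk.out rather than from `cdk synth` stdout, as the maintainers recommend above, means resolving the `cdk ls` stack name to the renamed file inside the nested assembly directory. The following is an added example (not code from the thread or from the CDK project) that walks `manifest.json` files to build that mapping; the manifest field names follow the cloud assembly manifest, and the sample assembly at the bottom is constructed.

```typescript
// Added example, not from the thread: locate a stack's synthesized template in cdk.out by
// walking manifest.json (fields: artifacts, type, displayName, properties.templateFile /
// directoryName, per the cloud assembly manifest) instead of capturing `cdk synth` stdout.
import * as fs from "fs";
import * as path from "path";

interface Artifact { type: string; displayName?: string; properties?: { templateFile?: string; directoryName?: string } }
interface Manifest { artifacts?: Record<string, Artifact>; }
type Loader = (dir: string) => Manifest;

/** Map each stack's hierarchical name (as printed by `cdk ls`) to its template file. */
export function indexTemplates(root: string, load: Loader): Map<string, string> {
  const index = new Map<string, string>();
  const walk = (dir: string): void => {
    for (const [id, art] of Object.entries(load(dir).artifacts ?? {})) {
      if (art.type === "aws:cloudformation:stack" && art.properties?.templateFile) {
        index.set(art.displayName ?? id, path.posix.join(dir, art.properties.templateFile));
      } else if (art.type === "cdk:cloud-assembly" && art.properties?.directoryName) {
        walk(path.posix.join(dir, art.properties.directoryName)); // nested stage assembly
      }
    }
  };
  walk(root);
  return index;
}

// Loader for a real cdk.out: parse <dir>/manifest.json from disk.
export const loadFromDisk: Loader = (dir) =>
  JSON.parse(fs.readFileSync(path.join(dir, "manifest.json"), "utf8"));

/** Template text for one stack, e.g. readTemplate("infra-only-pipeline/infra-only/Alpha-us-east-1/infra-only"). */
export function readTemplate(stack: string, root = "cdk.out", load: Loader = loadFromDisk): string {
  const file = indexTemplates(root, load).get(stack);
  if (!file) throw new Error(`no template for stack ${stack}`); // fail loudly rather than scan the wrong artifact
  return fs.readFileSync(file, "utf8");
}

// Constructed sample (not a real cdk.out): a pipeline stack plus one nested stage assembly.
export const sampleAssembly: Record<string, Manifest> = {
  "cdk.out": { artifacts: {
    "infra-only-pipeline": { type: "aws:cloudformation:stack", displayName: "infra-only-pipeline",
      properties: { templateFile: "infra-only-pipeline.template.json" } },
    "assembly-infra-only-pipeline-infra-only-Alpha-us-east-1": { type: "cdk:cloud-assembly",
      properties: { directoryName: "assembly-infra-only-pipeline-infra-only-Alpha-us-east-1" } },
  } },
  "cdk.out/assembly-infra-only-pipeline-infra-only-Alpha-us-east-1": { artifacts: {
    "infraonlypipelineinfraonlyAlphauseast1infraonly27F51A2D": { type: "aws:cloudformation:stack",
      displayName: "infra-only-pipeline/infra-only/Alpha-us-east-1/infra-only",
      properties: { templateFile: "infraonlypipelineinfraonlyAlphauseast1infraonly27F51A2D.template.json" } },
  } },
};
```

The resulting file is the JSON template the CLI itself deploys, so a scanner that consumes it is unaffected by anything the validation plugin prints.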
Agree with @corymhall to use cdk.out for reading the generated template. The validator plugin is experimental though, but it would print the findings to stdout (unsure if there would be a property to emit the validation to some file).
Describe the bug
Using CfnGuardValidator with your CDK app will produce invalid CloudFormation YAML at synth time.

Expected Behavior
Generated yaml should be valid when using a policy validation plugin (policyValidationBeta1), eg:
`const app = new App({policyValidationBeta1: [new CfnGuardValidator()],});`

Current Behavior
`cdk synth > template.yml` adds the following to the beginning of the outputted yaml

Reproduction Steps
When using CfnGuardValidator with your CDK app, when generating CloudFormation output, the generated CloudFormation is no longer valid, and the produced yaml includes the following lines

Possible Solution
Don't use console.log when printing "Performing Policy Validations" and "Policy Validation Successful!". See:

Additional Information/Context
The output of `cdk synth > template.yml` is being used by existing workflows that expect a valid template.yml, like wiz cli. Also, yaml output is a more human readable form.

CDK CLI Version
2.76.0 (build 78c411b)
Framework Version
No response
Node.js Version
v20.0.0
OS
MacOS
Language
Typescript
Language Version
TypeScript 5.0.3
Other information
No response