aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.4k stars 3.79k forks

(synthesis): CDK synth output is not valid CFN #25331

Open fiserv-plat-eng opened 1 year ago

fiserv-plat-eng commented 1 year ago

Describe the bug

Using CfnGuardValidator with your CDK app will produce invalid CloudFormation YAML at synth time.

Expected Behavior

Generated YAML should be valid when using a policy validation plugin (policyValidationBeta1).

eg: const app = new App({policyValidationBeta1: [new CfnGuardValidator()],});

Current Behavior

cdk synth > template.yml adds the following to the beginning of the output YAML:

Performing Policy Validations

Policy Validation Successful!

Reproduction Steps

When using CfnGuardValidator with your CDK app

const app = new App({policyValidationBeta1: [new CfnGuardValidator()],});

When generating CloudFormation output:

cdk synth > template.yml

The generated CloudFormation is no longer valid:

cfn-lint template.yml
E0000 mapping values are not allowed in this context
template.yml:4:10

And the produced YAML includes the following lines:

Performing Policy Validations

Policy Validation Successful!
Resources:

Possible Solution

Don't use console.log when printing "Performing Policy Validations" and "Policy Validation Successful!"

See:

Additional Information/Context

The output of cdk synth > template.yml is being used by existing workflows that expect a valid template.yml, such as the wiz cli.

Also, YAML output is a more human-readable form.

CDK CLI Version

2.76.0 (build 78c411b)

Framework Version

No response

Node.js Version

v20.0.0

OS

MacOS

Language

Typescript

Language Version

TypeScript 5.0.3

Other information

No response

corymhall commented 1 year ago

@fiserv-plat-eng you shouldn't be relying on the console output to produce valid JSON/YAML. The template will be written to the cdk.out directory which will be valid and is the template that you should use.

fiserv-plat-eng commented 1 year ago

@corymhall - unfortunately this would be a breaking change for other workflows which expect valid output from cdk synth, such as the wiz cli.

corymhall commented 1 year ago

I would recommend wiz cli update to read from the supported output (i.e. cdk.out). We will never guarantee that what is printed will be machine readable.

fiserv-plat-eng commented 1 year ago

Also note that the Validation Report is not included in the output YAML.

cdk synth > template.yaml
Validation Report
-----------------

Policy Validation Report Summary

╔════════════════════════╤═════════╗
║ Plugin                 │ Status  ║
╟────────────────────────┼─────────╢
║ cdk-validator-cfnguard │ success ║
╚════════════════════════╧═════════╝
head -n 4 template.yaml
Performing Policy Validations

Policy Validation Successful!
Resources:

I will reach out to the teams to make changes in the meantime.

github-actions[bot] commented 1 year ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

fiserv-plat-eng commented 12 months ago

Example docs of how wiz cli recommends scanning CDK projects:

[Screenshot of the wiz cli documentation, 2023-07-26]

So when you have a pipeline with multiple deployment stacks, your cdk.out includes multiple entries.

$ cdk ls
infra-only-pipeline
infra-only-pipeline/infra-only/Alpha-us-east-1/infra-only
infra-only-pipeline/infra-only/Beta-us-east-1/infra-only
infra-only-pipeline/infra-only/Gamma-us-east-1/infra-only
infra-only-pipeline/infra-only/Prod-us-east-1/infra-only

So before this change you could just do a cdk synth infra-only-pipeline/infra-only/Alpha-us-east-1/infra-only > template.yaml to get only the output for that stack.

Now you need to parse the cdk.out folder and search for a matching stack, but the naming is different, i.e.:

cdk.out/assembly-infra-only-pipeline-infra-only-Alpha-us-east-1/infraonlypipelineinfraonlyAlphauseast1infraonly27F51A2D.template.json

I am not sure why there is the requirement for console.log only in this case, but not all other cases in CDK?
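The maintainers' recommendation above (read the template from cdk.out rather than from stdout) and the naming problem in the previous comment (stage stacks live in nested assembly-* directories under hashed file names) are both addressed by resolving the stack through the cloud assembly's manifest.json instead of guessing file names. The following Python script is an added example and is not code from the aws-cdk project or from anyone in this thread. It assumes the manifest layout of the cloud-assembly schema as I know it: stack artifacts of type aws:cloudformation:stack carry properties.templateFile and a displayName equal to the hierarchical name printed by cdk ls, and nested assemblies are artifacts of type cdk:cloud-assembly with properties.directoryName. The cdk.out tree it builds in a temp directory is constructed for the example; check the field names against your own cdk.out/manifest.json before relying on them.

```python
"""Resolve a CDK stack's synthesized template from the cloud assembly (cdk.out).

Constructed example: the sample cdk.out tree is written to a temp dir from
assumed manifest.json contents; it is not real CDK output.
"""
import json
import tempfile
from pathlib import Path
from typing import Optional

# Artifact types as they appear in cloud-assembly manifest.json (assumed from
# the cloud-assembly schema; verify against your own cdk.out/manifest.json).
STACK_ARTIFACT = "aws:cloudformation:stack"
NESTED_ASSEMBLY = "cdk:cloud-assembly"

# Names taken from the thread: the `cdk ls` name and the hashed template file.
ALPHA_STACK = "infra-only-pipeline/infra-only/Alpha-us-east-1/infra-only"
ALPHA_TEMPLATE = "infraonlypipelineinfraonlyAlphauseast1infraonly27F51A2D.template.json"


def find_stack_template(assembly_dir: Path, stack_name: str) -> Optional[Path]:
    """Return the template path for stack_name, descending into nested assemblies.

    Matching is done on the artifact's displayName (the hierarchical name shown
    by `cdk ls`) or its artifact id, never on file names, because CDK derives
    those from a hash of the construct path.
    """
    manifest = json.loads((assembly_dir / "manifest.json").read_text())
    for artifact_id, artifact in manifest.get("artifacts", {}).items():
        props = artifact.get("properties", {})
        kind = artifact.get("type")
        if kind == STACK_ARTIFACT:
            if stack_name in (artifact.get("displayName"), artifact_id):
                return assembly_dir / props["templateFile"]
        elif kind == NESTED_ASSEMBLY:
            found = find_stack_template(assembly_dir / props["directoryName"], stack_name)
            if found is not None:
                return found
    return None


def load_template(assembly_dir: Path, stack_name: str) -> dict:
    """Parse the stack's template and refuse anything that is not a CFN template."""
    path = find_stack_template(assembly_dir, stack_name)
    if path is None:
        raise LookupError(f"stack {stack_name!r} not found under {assembly_dir}")
    template = json.loads(path.read_text())  # fails loudly if non-JSON noise ever leaks in
    if not isinstance(template, dict) or "Resources" not in template:
        raise ValueError(f"{path} is not a CloudFormation template")
    return template


def build_sample_assembly(root: Path) -> Path:
    """Write a constructed two-level cdk.out: a pipeline stack plus one stage stack."""
    out = root / "cdk.out"
    nested_dir = "assembly-infra-only-pipeline-infra-only-Alpha-us-east-1"
    (out / nested_dir).mkdir(parents=True)
    (out / "manifest.json").write_text(json.dumps({"artifacts": {
        "infra-only-pipeline": {
            "type": STACK_ARTIFACT,
            "displayName": "infra-only-pipeline",
            "properties": {"templateFile": "infra-only-pipeline.template.json"}},
        "infra-only-pipeline-infra-only-Alpha-us-east-1": {
            "type": NESTED_ASSEMBLY,
            "displayName": "infra-only-pipeline/infra-only/Alpha-us-east-1",
            "properties": {"directoryName": nested_dir}},
    }}))
    (out / "infra-only-pipeline.template.json").write_text(json.dumps(
        {"Resources": {"Pipeline": {"Type": "AWS::CodePipeline::Pipeline"}}}))
    (out / nested_dir / "manifest.json").write_text(json.dumps({"artifacts": {
        "infraonlypipelineinfraonlyAlphauseast1infraonly27F51A2D": {
            "type": STACK_ARTIFACT,
            "displayName": ALPHA_STACK,
            "properties": {"templateFile": ALPHA_TEMPLATE}},
    }}))
    (out / nested_dir / ALPHA_TEMPLATE).write_text(json.dumps(
        {"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}}))
    return out


def demo() -> dict:
    """Build the sample assembly and resolve stacks the way a pipeline step would."""
    with tempfile.TemporaryDirectory() as tmp:
        out = build_sample_assembly(Path(tmp))
        alpha = find_stack_template(out, ALPHA_STACK)
        return {
            "alpha_file": alpha.name,
            "alpha_resources": sorted(load_template(out, ALPHA_STACK)["Resources"]),
            "pipeline_resources": sorted(load_template(out, "infra-only-pipeline")["Resources"]),
            "missing": find_stack_template(out, "no-such-stack"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real pipeline, replace build_sample_assembly with the cdk.out produced by cdk synth (cdk synth --quiet suppresses the template on stdout, so only the validation messages remain there) and pass a scanner such as the wiz cli the path returned by find_stack_template. The JSON parse plus the Resources check in load_template is the guard that the stdout-based workflow lacked: anything that is not a template is rejected before it reaches the scanner rather than producing a misleading scan of a truncated document.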

ashishdhingra commented 1 month ago

Agree with @corymhall to use cdk.out for reading the generated template. The validator plugin is experimental, though, and it would print the findings to stdout (unsure whether there would be a property to emit the validation report to a file).