aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(CLI): Identify resource names/Arns with hard-coded partition values #28474

Open bsmitches opened 11 months ago

bsmitches commented 11 months ago

Describe the feature

When performing a cdk synth, pass a flag such as --partition-awareness=require|warn to ensure all resource names in synthesized templates utilize the AWS::Partition pseudo parameter rather than a value such as arn:aws:... or arn:aws-us-gov:....

This is mainly a risk when non-Construct generated values are used within a Resource Element for an IAM Policy Statement, or a user manually generates an Arn using a <construct>.name instead of referring to the <construct>.arn property.

When the flag value is require, the synth command would fail and throw an error if a resource or resource policy element or !Ref has a hard-coded AWS partition. When the value is warn, it would simply log a warning, but proceed (with synthesis/deployment).

Use Case

It's frustrating when taking a CDK application built in one partition (e.g. aws with us-east-1) and refactoring it to be deployable in a region in another partition. Some errors (service/feature availability) are only identifiable during deploy-time. Because non-partition-aware resource names may result in errors and this can be identified during synthesis, I don't want to have to wait until a CloudFormation Prepare or a CloudFormation [IAM Resource] Create Event fails to identify where invalid resource names are used.

Consistently using the partition pseudo parameter is a good standard that should be an option to enforce during synthesis.

Proposed Solution

I would imagine the feature could be implemented as an Aspect, but that would require a user to be familiar with that module.

I think the presence of this flag should result in a scan of all cdk.out/**/*.template files to identify violations, and the require|warn value determines which exit code is returned from the synth command.

Other Information

No response

CDK version used

2.110.1

Environment details (OS name and version, etc.)

Mac M1 Ventura | AWS GovCloud West 1 Region
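As an added illustration (not CDK code and not part of the issue), the scan the proposed solution describes, run over an in-memory synthesized template instead of the cdk.out/**/*.template files; the list of partitions, the JSON-path reporting and the require/warn exit codes are assumptions:

```typescript
// Scan a synthesized CloudFormation template for hard-coded partition literals
// ("arn:aws:", "arn:aws-us-gov:", "arn:aws-cn:") that should use AWS::Partition.
// Assumed partition list; a Fn::Sub with "${AWS::Partition}" does not match.
const HARD_CODED_PARTITION = /\barn:(aws|aws-us-gov|aws-cn):/;

interface Finding {
  path: string;  // JSON path of the offending string inside the template
  value: string; // the offending string
}

type Mode = "require" | "warn";

// Recursively walk any template node and collect strings containing a literal partition.
function findHardCodedPartitions(node: unknown, path = "$", out: Finding[] = []): Finding[] {
  if (typeof node === "string") {
    if (HARD_CODED_PARTITION.test(node)) out.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findHardCodedPartitions(item, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === "object") {
    for (const key of Object.keys(node as Record<string, unknown>)) {
      findHardCodedPartitions((node as Record<string, unknown>)[key], `${path}.${key}`, out);
    }
  }
  return out;
}

// Exit code the synth command would return: 1 only when mode is "require" and there are findings.
function checkTemplate(template: unknown, mode: Mode): { findings: Finding[]; exitCode: number } {
  const findings = findHardCodedPartitions(template);
  for (const f of findings) {
    console.log(`${mode === "require" ? "ERROR" : "WARNING"}: hard-coded partition at ${f.path}: ${f.value}`);
  }
  return { findings, exitCode: mode === "require" && findings.length > 0 ? 1 : 0 };
}

// Constructed sample template: one hard-coded ARN in an IAM policy statement,
// and one correct Resource built with Fn::Sub and the AWS::Partition pseudo parameter.
const SAMPLE_TEMPLATE = {
  Resources: {
    Policy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: {
          Statement: [
            { Effect: "Allow", Action: "s3:GetObject", Resource: "arn:aws:s3:::my-bucket/*" },
            { Effect: "Allow", Action: "sqs:SendMessage",
              Resource: { "Fn::Sub": "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:queue" } },
          ],
        },
      },
    },
  },
};
```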

pahud commented 11 months ago

Yes we should either build this support in CDK or just make it a rule for cdk-validator-cfnguard. We welcome PRs from the community and please help us prioritize with 👍.