Describe the feature
When performing a cdk synth, pass a flag such as --partition-awareness=require|warn to ensure all resource names in synthesized templates utilize the AWS::Partition pseudo parameter rather than a value such as arn:aws:... or arn:aws-us-gov:....
This is mainly a risk when non-Construct-generated values are used within a Resource Element for an IAM Policy Statement, or a user manually generates an Arn using a <construct>.name instead of referring to the <construct>.arn property.
When the flag value is require, the synth command would fail and throw an error if a resource or resource policy element or !Ref has a hard coded AWS partition. When the value is warn, it would simply log a warning, but proceed (with synthesis/deployment).
Use Case
It's frustrating when taking a CDK application built in one partition (e.g. aws with us-east-1) and refactoring it to be deployable in a region in another partition. Some errors (service/feature availability) are only identifiable at deploy time. Because non-partition-aware resource names may result in errors and this can be identified during synthesis, I don't want to have to wait until a CloudFormation Prepare or a CloudFormation [IAM Resource] Create Event fails to identify where invalid resource names are used.
Consistently using the partition pseudo parameter is a good standard that should be an option to enforce during synthesis.
Proposed Solution
I would imagine the feature could be implemented as an Aspect, but that would require a user to be familiar with that module.
I think the presence of this flag should result in a scan of all cdk.out/**/*.template files to identify violations, and the require|warn value determines which exit code is returned from the synth command.
Other Information
No response
Acknowledgements
[ ] I may be able to implement this feature request
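The scan the proposal describes, as an added example that is not part of the issue or of the CDK code base: it walks a synthesized CloudFormation template (parsed JSON), flags every string carrying a literal partition after "arn:", and maps the proposed require|warn mode to an exit code. It assumes the cdk.out layout of one <stack>.template.json per stack and the flag name from the issue; neither --partition-awareness nor these function names exist in the CDK CLI. The check is textual, so an ARN assembled with Fn::Join where the partition literal is a later segment on its own (for example "aws" alone) is not caught, while "arn:${AWS::Partition}:..." and "arn:" followed by {"Ref": "AWS::Partition"} correctly pass.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Mode values from the proposed flag: "require" fails the run, "warn" only reports.
export type Mode = "require" | "warn";

export interface Violation {
  path: string;      // location inside the template, e.g. $.Resources.X.Properties...
  partition: string; // the literal partition found, e.g. "aws" or "aws-us-gov"
  value: string;     // the offending string
}

// Matches "arn:<literal>:" where <literal> is a plain partition name.
// "arn:${AWS::Partition}:" does not match ("$" is outside the class) and a
// Fn::Join segment "arn:" followed by a Ref element does not match either,
// because no literal partition follows the first colon within that string.
const HARD_CODED_PARTITION = /arn:([a-z][a-z0-9-]*):/;

// Recursively scan any JSON value; every string is checked, so policy
// documents, Fn::Sub strings and Fn::Join segments are all covered.
export function findHardcodedPartitions(node: unknown, jsonPath = "$"): Violation[] {
  const out: Violation[] = [];
  if (typeof node === "string") {
    const re = new RegExp(HARD_CODED_PARTITION.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(node)) !== null) {
      out.push({ path: jsonPath, partition: m[1], value: node });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => out.push(...findHardcodedPartitions(v, `${jsonPath}[${i}]`)));
  } else if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node as Record<string, unknown>)) {
      out.push(...findHardcodedPartitions(v, `${jsonPath}.${k}`));
    }
  }
  return out;
}

// Exit code for the synth wrapper: only "require" turns findings into a failure.
export function exitCodeFor(mode: Mode, violations: Violation[]): number {
  return mode === "require" && violations.length > 0 ? 1 : 0;
}

// Walk a cdk.out directory (assumed layout: <stack>.template.json, possibly
// nested for nested assemblies) and scan every template found.
export function scanCdkOut(dir: string): Violation[] {
  const out: Violation[] = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      out.push(...scanCdkOut(full));
    } else if (entry.name.endsWith(".template.json")) {
      const template: unknown = JSON.parse(fs.readFileSync(full, "utf8"));
      out.push(...findHardcodedPartitions(template, full));
    }
  }
  return out;
}

// Constructed sample template (not CDK output): one partition-aware role and
// one policy with hard-coded partitions in both a plain string and a Fn::Sub.
export const SAMPLE_TEMPLATE = {
  Resources: {
    GoodRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        ManagedPolicyArns: [
          { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/ReadOnlyAccess"]] },
          { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess" },
        ],
      },
    },
    BadPolicy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: {
          Statement: [
            {
              Effect: "Allow",
              Action: "s3:GetObject",
              Resource: [
                "arn:aws:s3:::my-bucket/*",
                { "Fn::Sub": "arn:aws-us-gov:s3:::${BucketName}/*" },
              ],
            },
          ],
        },
      },
    },
  },
};

// Report in the form a synth wrapper would print; returns the exit code.
export function report(mode: Mode, violations: Violation[]): number {
  for (const v of violations) {
    console.log(`${mode === "require" ? "ERROR" : "WARN"} hard-coded partition "${v.partition}" at ${v.path}: ${v.value}`);
  }
  return exitCodeFor(mode, violations);
}
```

Against SAMPLE_TEMPLATE the scan reports two findings, both under BadPolicy, and `report("require", ...)` returns 1 while `report("warn", ...)` returns 0. For a real assembly, call `scanCdkOut("cdk.out")` after `cdk synth` and exit with the returned code.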
Yes we should either build this support in CDK or just make it a rule for cdk-validator-cfnguard. We welcome PRs from the community and please help us prioritize with 👍 .
CDK version used
2.110.1
Environment details (OS name and version, etc.)
Mac M1 Ventura | AWS GovCloud West 1 Region