Open julian-price opened 4 months ago
@julian-price, thanks for reaching out. This feature might require input from the team. Leaving it up to the team for the design considerations.
Hey @julian-price, will bring this up with the team and get back to you. Even if we take the position of not changing the bootstrap template itself to accommodate the CfCT linting, there may be other ways we can alleviate this pain point, especially if it happens on every new version of the bootstrap template.
Will get back to you on this.
Describe the feature
While it is not required to execute the bootstrap-template.yaml via Customizations for Control Tower, the CfCT provides a useful mechanism to roll out changes in a consistent, controlled manner, including bootstrapping environments. The CfCT uses cfn_nag as a linting tool to pick up open policy resource/action statements and will validate the correctness of CloudFormation templates before allowing them to be deployed.
Because the bootstrap-template.yaml contains a number of open resource/action policy statements, cfn_nag fails the deployment unless suppression metatags are added to the CloudFormation template. These have to be added manually each time a new bootstrap-template.yaml is released.
Use Case
The bootstrap-template.yaml already contains a number of elements to ensure that it does not generate SecurityHub violations. This would just further add rules that enable the bootstrap-template.yaml to be executed via the CfCT without modifications.
Proposed Solution
I propose adding (at minimum) the following failure (Fxx) suppression rules so that failures do not cause the CfCT to prevent rollout of the StackSet. For brevity, I have only listed the Metadata blocks describing the cfn_nag suppressions. There are a number of warnings (Wxx) also, which could be included for completeness, but which do not cause the CfCT pipeline to fail.
Other Information
Adding the cfn_nag suppressions would not break any functionality, but having an out-of-the-box solution to allow the CfCT to execute the template may encourage wider adoption of the CfCT as a mechanism for rolling out StackSets.
Acknowledgements
CDK version used
Latest bootstrap version (20)
Environment details (OS name and version, etc.)
CfCT 2.7.1
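As an added illustration of the mechanism the issue proposes (not code from the issue author or from the CDK bootstrap template), the block below shows the shape of a cfn_nag suppression Metadata block on a hypothetical IAM role. The role name, policy statements and reasons are constructed; F3 and W11 are cfn_nag's wildcard-action and wildcard-resource checks for a role's inline policy, but which rule ids the real bootstrap template trips is not stated in the issue and has to be taken from a scan of the released template.

```yaml
# Added example: a constructed IAM role carrying the cfn_nag suppression
# Metadata the issue proposes. Resource name, statements and reasons are
# illustrative, not taken from bootstrap-template.yaml.
Resources:
  ExamplePublishingRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          # W11: wildcard Resource in a role's inline policy.
          - id: W11
            reason: "ecr:GetAuthorizationToken does not support resource-level permissions; the API requires Resource '*'."
          # F3: wildcard Action in a role's inline policy. A failure (Fxx)
          # blocks the CfCT pipeline, so the reason should record who
          # reviewed the statement and why the wildcard is acceptable.
          - id: F3
            reason: "Constructed example: full access is scoped to the single repository ARN below and reviewed on each template release."
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ExamplePublishingPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Wildcard resource: matched by the W11 suppression above.
              - Effect: Allow
                Action: ecr:GetAuthorizationToken
                Resource: "*"
              # Wildcard action on a scoped resource: matched by the F3
              # suppression above (constructed to trip that rule).
              - Effect: Allow
                Action: "*"
                Resource: !Sub arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/example-assets
```

Running cfn_nag_scan --input-path against the template before and after adding the Metadata shows which Fxx and Wxx ids remain; keeping each reason specific to one statement lets a later reviewer tell an accepted wildcard from an oversight when a new bootstrap version is released.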