bug: CDK Stages not linted by Nag rules #1726
Comments
This seems to be an issue with cdk. Given the following:

```ts
import * as cdk from 'aws-cdk-lib';
import * as codecommit from 'aws-cdk-lib/aws-codecommit';
import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import * as pipeline from 'aws-cdk-lib/pipelines';
import { Construct } from 'constructs';

export class CdktestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    new Bucket(this, 'bucket-test');
  }
}

export class CdkTestStage extends cdk.Stage {
  constructor(scope: Construct, id: string, props: cdk.StageProps) {
    super(scope, id, props);
    new CdktestStack(this, 'cdk-test-stack');
  }
}

export class PipelineStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: cdk.StackProps) {
    super(scope, id, props);
    const arnCodeCommit = 'arn:aws:codecommit:us-east-1:00000000:testRepo';
    const artifactBucket = new Bucket(this, 'artifact', {
      encryption: BucketEncryption.KMS,
      bucketName: 'djslkfsdlkf-artifact',
    });
    // Import the CodeCommit repo dgeq-devops-pes-planb-gep; we have to go through the ARN because it lives in another account
    const testRepo = codecommit.Repository.fromRepositoryArn(
      this,
      'testRepo',
      arnCodeCommit,
    );
    const sourceCodeCommit = pipeline.CodePipelineSource.codeCommit(
      testRepo,
      'main',
    );
    // Create the CDK Synth step
    const synthBuildStep = new pipeline.CodeBuildStep('Synth', {
      input: sourceCodeCommit,
      installCommands: ['npm install -g aws-cdk'],
      commands: [],
      primaryOutputDirectory: 'pipeline/cdk.out',
    });
    // Base pipeline
    const pipelineInfra = new pipeline.CodePipeline(this, 'pipelineInfra', {
      synth: synthBuildStep,
      artifactBucket,
    });
    pipelineInfra.addStage(new CdkTestStage(this, 'cdk-test-stage', props));
    pipelineInfra.buildPipeline();
  }
}

// Prints the path and CloudFormation type of every CfnResource the aspect is invoked on
export class TestAspect implements cdk.IAspect {
  public visit(node: Construct): void {
    if (node instanceof cdk.CfnResource) {
      console.log(`${node.node.path} : ${node.cfnResourceType}`);
    }
  }
}

const app = new cdk.App();
new PipelineStack(app, 'PipelineStack', {
  env: {
    region: 'us-east-1',
    account: '111111111',
  },
});
cdk.Aspects.of(app).add(new TestAspect());
```

When I run it, I get:

```text
PipelineStack/artifact/Key/Resource : AWS::KMS::Key
PipelineStack/artifact/Resource : AWS::S3::Bucket
PipelineStack/artifact/Policy/Resource : AWS::S3::BucketPolicy
PipelineStack/testRepo/PipelineStackpipelineInfraPipeline62852AFC-main-EventRule/Resource : AWS::Events::Rule
PipelineStack/pipelineInfra/Pipeline/Role/Resource : AWS::IAM::Role
PipelineStack/pipelineInfra/Pipeline/Role/DefaultPolicy/Resource : AWS::IAM::Policy
PipelineStack/pipelineInfra/Pipeline/Resource : AWS::CodePipeline::Pipeline
PipelineStack/pipelineInfra/Pipeline/EventsRole/Resource : AWS::IAM::Role
PipelineStack/pipelineInfra/Pipeline/EventsRole/DefaultPolicy/Resource : AWS::IAM::Policy
PipelineStack/pipelineInfra/Pipeline/Build/Synth/CdkBuildProject/Role/Resource : AWS::IAM::Role
PipelineStack/pipelineInfra/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource : AWS::IAM::Policy
PipelineStack/pipelineInfra/Pipeline/Build/Synth/CdkBuildProject/Resource : AWS::CodeBuild::Project
PipelineStack/pipelineInfra/CodeBuildActionRole/Resource : AWS::IAM::Role
PipelineStack/pipelineInfra/CodeBuildActionRole/DefaultPolicy/Resource : AWS::IAM::Policy
PipelineStack/pipelineInfra/UpdatePipeline/SelfMutation/Role/Resource : AWS::IAM::Role
PipelineStack/pipelineInfra/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource : AWS::IAM::Policy
PipelineStack/pipelineInfra/UpdatePipeline/SelfMutation/Resource : AWS::CodeBuild::Project
cross-account-support-stack-00000000/PipelineStackpipelineInfraPipeline62852AFC-Source-testRepo-ActionRole/Resource : AWS::IAM::Role
cross-account-support-stack-00000000/PipelineStackpipelineInfraPipeline62852AFC-Source-testRepo-ActionRole/DefaultPolicy/Resource : AWS::IAM::Policy
```
Any updates/workarounds for this?

No, this issue would need to be raised in the CDK repo to be addressed.
One workaround you can do is to isolate the infra created in the stage in a separate function.
Then your CodePipeline stage will call this function directly; the scope will be the stage context. Create another entrypoint called lint.ts, for example, and call the generateInfra function directly; the scope will be the cdk.App instance.
Finally, to lint, use the following script in your package.json:
Cdk-nag will work, and you will not lint the pipeline stack but only your real infra.
What is the problem?
By using a CDK Stage and running the command `cdk synth '**'`, annotations are correctly generated by cdk, but cdk-nag doesn't lint anything from this stack. Seems to be related to #637.
Reproduction Steps
Run `cdk synth '**'`. Rules regarding the pipeline will be correctly reported here, but the `test-bucket` inside the `CdkTestStack` seems to be ignored. Directly instantiating the `CdkTestStack` inside `bin/main.ts` will correctly report S3 rules.
What did you expect to happen?
Trying to lint both the pipeline and stage rules.
What actually happened?
Only pipeline rules are displayed.
cdk-nag version
2.28.144
Language
Typescript
Other information
No response