aws-control-tower-customizations
Allow suppression of cfn_nag rules in manifest.yaml
It should be possible to suppress cfn_nag rules on a per-resource basis for stack-set deployments.
I am trying to add the CDK bootstrap to accounts within my organisation. I retrieve the bootstrap template from the AWS CLI via cdk bootstrap --show-template and save this as a file in my repo. This is then linked as a stack_set resource in my manifest.yaml.
Attempting to deploy this as-is causes the deployment to fail as cfn_nag raises issues. It fails against rules F19 and F76.
To get around this issue I have to edit the template to add rules_to_suppress where appropriate. As this is a third-party template, generated from an official AWS tool no less, I really don't want to have to edit the template to get around this issue.
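The workaround the issue describes, shown as an added illustration (this is not from the issue author or the CfCT project): the template is referenced from the manifest as a stack_set resource, and each cfn_nag suppression is attached as `Metadata` on the individual resource inside that template. The OU name, file paths, logical ID and resource type below are placeholders, the issue does not say which bootstrap resources trip F19 and F76, and the `reason` strings are assumptions about what a reviewer would record.

```yaml
# manifest.yaml excerpt (CfCT v2 manifest layout; OU name and paths are placeholders)
region: us-east-1
version: 2021-03-15
resources:
  - name: cdk-bootstrap
    description: CDK bootstrap template saved from 'cdk bootstrap --show-template'
    resource_file: templates/cdk-bootstrap.yaml
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Workloads
    regions:
      - us-east-1
---
# templates/cdk-bootstrap.yaml excerpt: the per-resource suppression cfn_nag honours.
# 'ExampleBootstrapRole' is a placeholder; real bootstrap logical IDs differ.
Resources:
  ExampleBootstrapRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          # Each entry names one cfn_nag rule ID plus a justification. The rule is
          # skipped for this resource only; other resources are still checked.
          - id: F19
            reason: "Generated by 'cdk bootstrap --show-template'; reviewed, intentionally unmodified"
          - id: F76
            reason: "Generated by 'cdk bootstrap --show-template'; reviewed, intentionally unmodified"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
```

The cost the issue is complaining about is visible here: the suppression lives inside the generated file, so every time the template is regenerated with a newer CDK version the `Metadata` blocks have to be re-applied, and a diff against the upstream output no longer comes back clean.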
Hey Will, thanks for reaching out. We're actually considering removing cfn-nag outright from this step, with the thinking that it's not really the appropriate place to check for that. If we go that route, would that work for your use case?
@adam-daily 100% yes.
If not completely removed perhaps even a flag that can be set in the manifest.yaml? The flag could be a global opt-out or even an opt-out per-resource.
I think it's reasonable for CfCT to be less-opinionated on this. Leave it the responsibility of consumers of CfCT to provide valid templates.
There should be an early build step so the pipeline fails as fast as possible when there is a problem.
- cfn_nag
- cfn-lint (overlaps with cfn_nag but not the same)
- aws cloudformation validate-template
I guess different orgs might have different requirements, so leveraging something like pre-commit could allow .pre-commit.yaml to be owned by the owning enterprise.
Precommit isn't only a pre-commit hook, but the same hooks would work locally for the CfCT operator and thus fewer problems would ever reach the pipeline itself.
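One way to wire the three checks listed above into pre-commit so they run on the operator's machine before anything reaches the pipeline, written as an added example rather than anything from this thread or from CfCT. The hook ids and `rev` pins are assumptions and should be checked against each repository's `.pre-commit-hooks.yaml`; `validate-template` is a `local` hook because it calls the CloudFormation API and therefore needs AWS credentials, unlike the two static linters.

```yaml
# .pre-commit-config.yaml (added example; revs are placeholders, pin to a real tag)
repos:
  # Static checks first: no credentials, fast, catch most problems.
  - repo: https://github.com/aws-cloudformation/cfn-lint
    rev: v1.0.0           # placeholder
    hooks:
      - id: cfn-lint      # confirm the id in that repo's .pre-commit-hooks.yaml
        files: ^templates/.*\.(yaml|yml|json)$
  - repo: https://github.com/stelligent/cfn_nag
    rev: v0.8.10          # placeholder
    hooks:
      - id: cfn-nag       # confirm the id in that repo's .pre-commit-hooks.yaml
        files: ^templates/.*\.(yaml|yml|json)$
  # API-side validation last: needs AWS credentials, so it fails closed when none are set.
  - repo: local
    hooks:
      - id: cfn-validate-template
        name: aws cloudformation validate-template
        entry: bash -c 'for f in "$@"; do aws cloudformation validate-template --template-body "file://$f" >/dev/null || exit 1; done' --
        language: system
        files: ^templates/.*\.(yaml|yml|json)$
```

The same file is reused unchanged in CI with `pre-commit run --all-files`, which is what makes the checks run in both places. Two caveats a practitioner hits quickly: `--template-body` is capped at 51,200 bytes, so larger templates have to be uploaded to S3 and validated with `--template-url`; and `validate-template` only checks syntax and intrinsic-function usage, so it does not replace either linter.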
Just get rid of it completely. The present solution is over-engineered.