Support for cdk-nag and similar tools

Question

Support for cdk-nag and similar tools

karakter98 opened this issue a year ago · 2 comments

Hello!

Vote on this issue by adding a 👍 reaction
If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

CDK supports adding metadata such as warnings and errors at synth time, which can be deprecation warnings (from CDK itself) or compliance checks (from tools like cdk-nag). These errors don't throw a runtime exception, they are instead added to the cloud assembly as "metadata messages".

The CDK CLI uses the StackCollection(...).processMetadataMessages(...) method to print all messages in the console and then throw. This library could use the same mechanism. I got around this by subclassing pulumicdk.Stack, so I could open a PR with my changes if this sounds like a good feature to add.

Affected area/feature

This would allow usage of cdk-nag and its comprehensive set of infrastructure compliance checks with Pulumi.

Answer 1 · 2023-08-28T13:43:47.000Z

I got around this by subclassing pulumicdk.Stack, so I open a PR with my changes if this sounds like a good feature to add.

Yeah - a PR would be very welcome

Answer 2 · 2023-09-05T13:59:23.000Z

@lukehoban I opened a PR for this: #89