bug: CdkNagValidationFailure when adding interface endpoints
What is the problem?
I get a CdkNagValidationFailure for all interface endpoints added to a VPC:
Reproduction Steps
Using CDK Nag and adding an interface endpoint to a VPC, e.g.:

```typescript
import * as ec2 from '@aws-cdk/aws-ec2'; // CDK v1 package (the stack uses 1.153.1)

// `vpc` is an existing ec2.Vpc in the stack; the endpoint gets its own
// security group, whose ingress CIDR CDK fills in from the VPC's CidrBlock.
vpc.addInterfaceEndpoint('KMS', {
  service: ec2.InterfaceVpcEndpointAwsService.KMS,
});
```
What did you expect to happen?
Not getting a CdkNagValidationFailure, but at worst an AwsSolutions-EC23 warning (CDK creates wildcard security groups for interface endpoints).
What actually happened?
When adding CDK Nag to a stack with interface endpoints, the following entry is contained in the warnings:
CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["VPCB9E5F0B4","CidrBlock"]}", therefore the rule could not be validated.
cdk-nag version
1.12.38
Language
Typescript
Other information
The stack uses cdk 1.153.1
Top GitHub Comments
@dontirun I totally get why the system cannot resolve intrinsic functions, but on the other hand the concrete rule could understand `GetAtt CidrBlock` and know that the CIDR range of a VPC is not /0. What do you think?
@dontirun Just clearer instructions on what is available to be used as an ID; my understanding is it was only the id of the rule.
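The following is an added example, not cdk-nag's own code and not something posted in this issue. It models, in a dependency-free way, what an AwsSolutions-EC23-style check sees after synthesis: a CidrIp that is either a plain string or an intrinsic object such as `{"Fn::GetAtt": ["VPCB9E5F0B4", "CidrBlock"]}`. With the special case switched off it fails exactly the way the issue reports (a non-primitive value cannot be validated); with it on, it implements the proposal from the first comment, treating a GetAtt on a VPC's CidrBlock as the VPC's own range rather than an open one. The type names, function names and the sample ingress rules are assumptions constructed for illustration; cdk-nag's real rule and error text differ.

```typescript
// Added example (not cdk-nag's code): simplified model of an EC23-style
// open-ingress check and of the "understand GetAtt CidrBlock" proposal.
// All names below are assumptions chosen for illustration.

// A synthesized CloudFormation property: a plain string, or an intrinsic
// function object such as {"Fn::GetAtt": ["VPCB9E5F0B4", "CidrBlock"]}.
type CfnValue = string | { [intrinsic: string]: unknown };

interface IngressRule {
  cidrIp?: CfnValue;
  cidrIpv6?: CfnValue;
}

type Verdict = 'COMPLIANT' | 'NON_COMPLIANT';

// Stands in for the CdkNagValidationFailure the issue shows.
class NagValidationFailure extends Error {}

// Ranges that mean "open to the world" for the purposes of this check.
const OPEN_RANGES = new Set(['0.0.0.0/0', '::/0']);

// True only for the single intrinsic the proposal asks the rule to understand:
// a GetAtt of some resource's CidrBlock attribute (what CDK emits for the
// security group of an interface endpoint).
function isVpcCidrBlockGetAtt(value: CfnValue): boolean {
  if (typeof value === 'string') return false;
  const args = value['Fn::GetAtt'];
  return Array.isArray(args) && args.length === 2 && args[1] === 'CidrBlock';
}

// Classify one CIDR property. `understandVpcCidr` toggles the proposed special
// case; with it off, any intrinsic raises a validation failure, as reported.
function classifyCidr(value: CfnValue, understandVpcCidr: boolean): Verdict {
  if (typeof value === 'string') {
    return OPEN_RANGES.has(value) ? 'NON_COMPLIANT' : 'COMPLIANT';
  }
  if (understandVpcCidr && isVpcCidrBlockGetAtt(value)) {
    // A VPC's CidrBlock attribute can never be 0.0.0.0/0 or ::/0, so an
    // ingress rule scoped to it is not open to the world.
    return 'COMPLIANT';
  }
  throw new NagValidationFailure(
    `The parameter resolved to a non-primitive value ${JSON.stringify(value)}, ` +
      'therefore the rule could not be validated.'
  );
}

// Evaluate every ingress rule of a security group; the first open or
// unresolvable CIDR decides the result.
function checkSecurityGroupIngress(rules: IngressRule[], understandVpcCidr = false): Verdict {
  for (const rule of rules) {
    for (const cidr of [rule.cidrIp, rule.cidrIpv6]) {
      if (cidr !== undefined && classifyCidr(cidr, understandVpcCidr) === 'NON_COMPLIANT') {
        return 'NON_COMPLIANT';
      }
    }
  }
  return 'COMPLIANT';
}

// Wrapper that reports the failure path as a string instead of throwing.
function verdictOrFailure(rules: IngressRule[], understandVpcCidr: boolean): string {
  try {
    return checkSecurityGroupIngress(rules, understandVpcCidr);
  } catch (e) {
    return e instanceof NagValidationFailure ? 'VALIDATION_FAILURE' : 'UNEXPECTED';
  }
}

// Constructed samples: the kind of ingress rule CDK emits for an interface
// endpoint's security group (CidrIp is a GetAtt on the VPC), and a rule that
// really is open to everyone.
const endpointIngress: IngressRule[] = [
  { cidrIp: { 'Fn::GetAtt': ['VPCB9E5F0B4', 'CidrBlock'] } },
];
const worldOpenIngress: IngressRule[] = [{ cidrIp: '0.0.0.0/0' }];

console.log(verdictOrFailure(endpointIngress, false)); // VALIDATION_FAILURE, as in the issue
console.log(verdictOrFailure(endpointIngress, true)); // COMPLIANT, with the proposed special case
console.log(verdictOrFailure(worldOpenIngress, true)); // NON_COMPLIANT
```

The special case is deliberately narrow: it only accepts a two-element `Fn::GetAtt` whose attribute is `CidrBlock`, and any other intrinsic (a `Ref` to a parameter, a `Fn::Join`, a `Fn::Sub`) still fails validation, because the rule genuinely cannot know what such a value will be at deploy time. Until cdk-nag handles the GetAtt case itself, the practical route is cdk-nag's per-resource suppression API (`NagSuppressions.addResourceSuppressions`) applied to the endpoint's security group with a documented reason; the cdk-nag README for the version in use lists which ids, including the validation failure itself, it accepts there.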