
feat: rules are exported #482

Closed
2 tasks
webratz opened this issue Nov 23, 2021 · 2 comments
Labels
feature-request A feature should be added or improved.

Comments

@webratz

webratz commented Nov 23, 2021

Description

We have a custom set of requirements, but many of the already implemented rules are already super helpful.
Sadly the rules are not exported, so one would have to either copy them or implement them on your own.

Use Case

We have a custom set of rules that apply within our company. So we want to build a custom internal rule pack, combined of custom rules and already existing ones.

Proposed Solution

Export the rules, or make them available in a separate package.

Other information

Currently using the newly released v2 compatible version

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@webratz webratz added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 23, 2021
@dontirun
Collaborator

From what I understand, you would like to

  1. Create your own NagPack on an as needed basis without the need for rebuilding the package
  2. Pull from the existing rules and apply them to the NagPack
  3. Create your own rules and apply them to the NagPack

Is that correct?

The drawback with this approach is that unless you build your own package, it would be difficult to scale this across multiple applications without re-implementing the rule additions on each application (though it could be as simple as a copy and paste of the class)

That being said, it could be a good opportunity to move the rule creation helper methods to a package with the rules.

@dontirun dontirun added response-requested waiting on additional information or feedback and removed needs-triage This issue or PR still needs to be triaged. labels Nov 23, 2021
@webratz
Author

webratz commented Nov 24, 2021

Yes that is correct.
Also the plan is not to have it per application, but we use a shared cdk lib within the company that takes care of the checks, so we only implement it in one place.

I found another variant to achieve something similar:
I'm adding e.g. the NagPack provided by cdk-nag, but also add an aspect to add suppressions for rules that are not important / relevant for my organization. With that all new rules added would be auto enabled, which can be good to increase coverage, but of course also lead to new rules added that should have been hidden for my org.

@dontirun dontirun removed the response-requested waiting on additional information or feedback label Nov 24, 2021
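The suppression aspect described in the comment above, as an added example that is not part of this issue thread or of cdk-nag itself: it models what such an aspect's visit() would do for each resource, using the `cdk_nag` / `rules_to_suppress` metadata shape that cdk-nag's NagSuppressions writes (assumed from cdk-nag's documented behaviour). The resource object and the org rule list are constructed stand-ins, not CDK constructs.

```typescript
// Entry shape cdk-nag reads from a resource's `cdk_nag` metadata
// (assumed to match what NagSuppressions.addResourceSuppressions writes).
interface RuleSuppression {
  id: string;     // rule id as reported, e.g. 'AwsSolutions-APIG1'
  reason: string; // why the organization accepts this finding
}

// Constructed stand-in for a CfnResource's metadata bag; not a CDK construct.
interface ResourceLike {
  path: string;
  metadata: { cdk_nag?: { rules_to_suppress: RuleSuppression[] } };
}

// Org-wide list of rules judged not relevant (constructed sample). Anything
// NOT listed here stays enabled, which is exactly the trade-off the comment
// describes: new upstream rules are reported until someone reviews them.
const ORG_SUPPRESSIONS: RuleSuppression[] = [
  { id: 'AwsSolutions-APIG1', reason: 'Access logs are collected by the org-wide API proxy' },
  { id: 'AwsSolutions-IAM4', reason: 'AWS managed policies are approved by the platform team' },
];

// What the aspect's visit() does per resource: merge the org list into the
// resource's existing suppressions without duplicating ids, so suppressions
// an application already added are preserved and re-runs are idempotent.
function applyOrgSuppressions(resource: ResourceLike, orgList: RuleSuppression[]): RuleSuppression[] {
  const merged = [...(resource.metadata.cdk_nag?.rules_to_suppress ?? [])];
  for (const s of orgList) {
    if (!merged.some((m) => m.id === s.id)) {
      merged.push(s);
    }
  }
  resource.metadata.cdk_nag = { rules_to_suppress: merged };
  return merged;
}

// True when a finding for `ruleId` would be silenced on this resource.
function isSuppressed(resource: ResourceLike, ruleId: string): boolean {
  return (resource.metadata.cdk_nag?.rules_to_suppress ?? []).some((s) => s.id === ruleId);
}

// Constructed sample resource that already carries one app-specific suppression.
function sampleResource(): ResourceLike {
  return {
    path: 'CdkTestStack/rApi/Resource',
    metadata: { cdk_nag: { rules_to_suppress: [{ id: 'AwsSolutions-APIG2', reason: 'Validated upstream' }] } },
  };
}
```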
mergify bot pushed a commit that referenced this issue Nov 24, 2021
Closes #482
See #485 for more details

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify bot pushed a commit that referenced this issue Nov 24, 2021
Related to #482 

Examples for rule imports
```typescript
// Either import a rule namespace by path ...
import { apigw } from 'cdk-nag/lib/rules';
// ... or go through the top-level `rules` export of the package.
import { rules } from 'cdk-nag';

// Both resolve to the same rule function.
const viaPackageExport = rules.apigw.APIGWAccessLogging;
const viaPath = apigw.APIGWAccessLogging;
```

Example for creating a NagPack with an included rule
```typescript
import { Stack, App, StackProps, IConstruct, CfnResource, Aspects } from '@aws-cdk/core';
import { Vpc } from '@aws-cdk/aws-ec2';
import { NagMessageLevel, NagPack, NagPackProps, rules } from 'cdk-nag';

// A custom pack that reuses one of the exported cdk-nag rules.
class TestPack extends NagPack {
    constructor(props?: NagPackProps) {
        super(props);
        this.packName = 'Test';
    }
    // Aspects visit every construct; only CfnResources are evaluated.
    public visit(node: IConstruct): void {
        if (node instanceof CfnResource) {
            this.applyRule({
                info: 'My brief info.',
                explanation: 'My detailed explanation.',
                level: NagMessageLevel.ERROR,
                rule: rules.vpc.VPCDefaultSecurityGroupClosed,
                node: node,
            });
        }
    }
}

export class CdkTestStack extends Stack {
    constructor(scope: App, id: string, props?: StackProps) {
        super(scope, id, props);
        // Register the pack on the stack; the VPC below is then checked at synth time.
        Aspects.of(this).add(new TestPack());
        new Vpc(this, 'rVpc');
    }
}
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*