feat: multibyte characters in reason result in false diffs

[KouKinyo]

Description

When you use multibyte characters in reason, false diffs are shown since CloudFormation does not accept them.

For example, you create a bucket and add a suppression with multibyte characters in reason:

const myBucket = new s3.Bucket(this, "MyBucket", {
  blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
  encryption: s3.BucketEncryption.S3_MANAGED,
  enforceSSL: true,
});

NagSuppressions.addResourceSuppressions(myBucket, [{ id: "AwsSolutions-S1", reason: "あいうえおかきくけこ" }]);

After deploying it, cdk diff shows a false diff even though you did not change anything:

Resources
[~] AWS::S3::Bucket MyBucket MyBucketF68F3FF0 
 └─ [~] Metadata
     └─ [~] .cdk_nag:
         └─ [~] .rules_to_suppress:
             └─ @@ -1,6 +1,6 @@
                [ ] [
                [ ]   {
                [ ]     "id": "AwsSolutions-S1",
                [-]     "reason": "??????????"
                [+]     "reason": "あいうえおかきくけこ"
                [ ]   }
                [ ] ]

This makes it hard to understand the true differences of your stacks.

Use Case

In some regions using multibyte character languages, allowing multibyte characters will be useful to get a quick grasp of suppression reasons.

Proposed Solution

• Check if reason string contains multibyte characters.
• If it does, base64 encode it before writing into Cfn metadata.
• If it does not, write it into Cfn metadata as it is.
• Either way, reasons in CSV report should not be encoded for audit.

Other information

Checking if a string contains multibyte characters:
https://stackoverflow.com/a/73307152

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change