bootstrap-template.yaml: consider adding cfn_nag suppressions #30813

julian-price opened this issue Jul 10, 2024 · 2 comments
Labels
@aws-cdk/core Related to core CDK functionality @aws-cdk/custom-resources Related to AWS CDK Custom Resources feature-request A feature should be added or improved. p2

Comments

@julian-price

Describe the feature

While it is not required to execute the bootstrap-template.yaml via Customizations for Control Tower, the CfCT provides a useful mechanism to roll out changes in a consistent, controlled manner, including bootstrapping environments.

The CfCT uses cfn_nag as a linting tool to pick up open policy resource/action statements and will validate the correctness of CloudFormation templates before allowing them to be deployed.

Because the bootstrap-template.yaml contains a number of open resource/action policy statements, cfn_nag fails the deployment unless suppression metatags are added to the CloudFormation template. These have to be added manually each time a new bootstrap-template.yaml is released.

Use Case

The bootstrap-template.yaml already contains a number of elements to ensure that it does not generate SecurityHub violations. This would just further add rules that enable the bootstrap-template.yaml to be executed via the CfCT without modifications.

Proposed Solution

I propose adding (at minimum) the following failure (Fxx) suppression rules so that failures do not cause the CfCT to prevent rollout of the StackSet. For brevity, I have only listed the Metadata blocks describing the cfn_nag suppressions.

There are a number of warnings (Wxx) also, which could be included for completeness, but which do not cause the CfCT pipeline to fail.

Resources:
  FileAssetsBucketEncryptionKey:
    Type: AWS::KMS::Key
    # Metadata block to suppress cfn_nag rules that cause CfCT template validation to fail
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F76
            reason: Template provided by AWS so cannot change
          - id: F19
            reason: Template provided by AWS so cannot change
...
  CdkBoostrapPermissionsBoundaryPolicy:
    # Edit the template prior to boostrap in order to have this example policy created
    Condition: ShouldCreatePermissionsBoundary
    Type: AWS::IAM::ManagedPolicy
    # Metadata block to suppress cfn_nag rules that cause CfCT template validation to fail
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F5
            reason: Template provided by AWS so cannot change
          - id: F40
            reason: Template provided by AWS so cannot change
          - id: F13
            reason: Template provided by AWS so cannot change
...

Other Information

Adding the cfn_nag suppressions would not break any functionality, but having an out-of-the-box solution to allow the CfCT to execute the template may encourage wider adoption of the CfCT as a mechanism for rolling out stacksets.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

Latest bootstrap version (20)

Environment details (OS name and version, etc.)

CfCT 2.7.1
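A small Ruby script, added here as an illustration and not part of the issue or of the CDK project, that applies the suppressions proposed above to a template and reports which ones are still missing, so the manual step can be repeated on each bootstrap release instead of being redone by hand. It assumes the template is parsable by Ruby's stdlib YAML (long-form intrinsic functions such as `Fn::Sub`, not the `!Sub` short tags) and runs against a constructed two-resource sample; the rule ids and reason text are the ones listed in the issue.

```ruby
require "yaml"
# Suppressions the issue proposes, keyed by the bootstrap template's logical resource IDs.
REASON = "Template provided by AWS so cannot change".freeze
SUPPRESSIONS = {
  "FileAssetsBucketEncryptionKey"        => %w[F76 F19],
  "CdkBoostrapPermissionsBoundaryPolicy" => %w[F5 F40 F13],
}.freeze

# Rule ids already suppressed on a resource (empty when it has no cfn_nag Metadata).
def suppressed_ids(resource)
  (resource.dig("Metadata", "cfn_nag", "rules_to_suppress") || []).map { |r| r["id"] }
end

# Pre-flight check: { logical_id => [absent rule ids] } for resources present in the template.
def missing_suppressions(template)
  resources = template.fetch("Resources", {})
  SUPPRESSIONS.each_with_object({}) do |(logical_id, ids), missing|
    next unless resources.key?(logical_id)
    absent = ids - suppressed_ids(resources[logical_id])
    missing[logical_id] = absent unless absent.empty?
  end
end

# Add the proposed Metadata in place. Idempotent: existing Metadata and suppressions are kept.
def add_suppressions!(template)
  missing_suppressions(template).each do |logical_id, ids|
    resource = template["Resources"][logical_id]
    rules = ((resource["Metadata"] ||= {})["cfn_nag"] ||= {})["rules_to_suppress"] ||= []
    ids.each { |id| rules << { "id" => id, "reason" => REASON } }
  end
  template
end

# Constructed sample (not the real bootstrap template); F76 is pre-suppressed to show the merge.
SAMPLE_TEMPLATE = <<~YAML
  Resources:
    FileAssetsBucketEncryptionKey:
      Type: AWS::KMS::Key
      Metadata:
        cfn_nag:
          rules_to_suppress:
            - id: F76
              reason: already suppressed
    CdkBoostrapPermissionsBoundaryPolicy:
      Condition: ShouldCreatePermissionsBoundary
      Type: AWS::IAM::ManagedPolicy
YAML
def patched_sample
  add_suppressions!(YAML.load(SAMPLE_TEMPLATE))
end
puts YAML.dump(patched_sample)
```

Point `YAML.load` at the downloaded bootstrap-template.yaml instead of the sample to patch a real release, and run `missing_suppressions` alone as a read-only check in the pipeline.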

@julian-price julian-price added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 10, 2024
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Jul 10, 2024
@khushail khushail added p2 @aws-cdk/core Related to core CDK functionality and removed needs-triage This issue or PR still needs to be triaged. labels Jul 12, 2024
@khushail
Contributor

@julian-price, thanks for reaching out. This feature might require input from the team; leaving it up to the team for the design considerations.

@scanlonp
Contributor

Hey @julian-price, will bring this up with the team and get back to you. Even if we are of the position of not changing the bootstrap template itself to accommodate the CfCT linting, there may be other ways we can alleviate this pain point, especially if it happens on every new version of the bootstrap template.

Will get back to you on this.
