Feedback Wanted: CDK Exclusion Template #401

Open
BwL1289 opened this issue Oct 23, 2024 · 9 comments

Comments

@BwL1289

BwL1289 commented Oct 23, 2024

Use case: exclude all CDK resources from being nuked to avoid rebootstrapping.

There's a lot of redundancy here in an attempt not to miss anything. Any recommendations to make it less verbose but achieve the same coverage is appreciated.

presets:
  # MARK: - Exclude cdk aws resources (see: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-env.html)
  # Important: KMS key not included in cdk bootstrap resources any longer
  cdk:
    filters:
      # Exclude resources with cdk in the name
      __global__: # Catch all for all resources
        - type: "contains"
          value: "cdk"
        - type: "contains"
          value: "hnb659fds"
        - type: glob
          value: "*cdk*"
        - property: Name
          type: "glob"
          value: "*cdk*"
        - property: ARN
          type: "glob"
          value: "*cdk*"
        - property: Name
          type: "glob"
          value: "*CDK*"
        - property: ARN
          type: "glob"
          value: "*CDK*"
        - property: Name
          type: "glob"
          value: "*hnb659fds*"
        # Important: As of this writing, the exec role does not have a tag associated, so it is not included here
        - property: tag:aws:cloudformation:stack-name
          type: "glob"
          value: "*CDK*"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "lookup"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "image-publishing"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "file-publishing"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "deploy"
        - property: tag:aws:cloudformation:logical-id
          type: "glob"
          value: "*Cdk*"
        - property: tag:aws:cloudformation:stack-id
          type: "glob"
          value: "*CDK*"
      CloudFormationStack:
        # Example Name: `CDKToolkit` | Example ARN: `arn:aws:cloudformation:us-east-1:${AWS_ACCOUNT_ID}:stack/CDKToolkit/<redacted>`
        - type: "contains"
          value: "cdk"
        - property: Name
          type: "glob"
          value: "*CDK*"
        - property: ARN
          type: "glob"
          value: "*CDK*"
      SSMParameter:
        # Example Name: `/cdk-bootstrap/hnb659fds/version` | Example ARN: `arn:aws:ssm:us-east-1:${AWS_ACCOUNT_ID}:parameter/cdk-bootstrap/hnb659fds/version`
        - type: "contains"
          value: "cdk"
        - property: Name
          type: "glob"
          value: "*cdk*"
        - property: ARN
          type: "glob"
          value: "*cdk*"
      IAMRole:
        # Example Name: `cdk-hnb659fds-cfn-exec-role-${AWS_ACCOUNT_ID}-us-east-1` | Example ARN: `arn:aws:iam::${AWS_ACCOUNT_ID}:role/cdk-hnb659fds-cfn-exec-role-${AWS_ACCOUNT_ID}-us-east-1`
        # Example Name: `cdk-hnb659fds-deploy-role-${AWS_ACCOUNT_ID}-us-east-1` | Example ARN: `arn:aws:iam::${AWS_ACCOUNT_ID}:role/cdk-hnb659fds-deploy-role-${AWS_ACCOUNT_ID}-us-east-1`
        # Example Name: `cdk-hnb659fds-file-publishing-role-${AWS_ACCOUNT_ID}-us-east-1` | Example ARN: `arn:aws:iam::${AWS_ACCOUNT_ID}:role/cdk-hnb659fds-file-publishing-role-${AWS_ACCOUNT_ID}-us-east-1`
        # Example Name: `cdk-hnb659fds-image-publishing-role-${AWS_ACCOUNT_ID}-us-east-1` | Example ARN: `arn:aws:iam::${AWS_ACCOUNT_ID}:role/cdk-hnb659fds-image-publishing-role-${AWS_ACCOUNT_ID}-us-east-1`
        # Example Name: `cdk-hnb659fds-lookup-role-${AWS_ACCOUNT_ID}-us-east-1` | Example ARN: `arn:aws:iam::${AWS_ACCOUNT_ID}:role/cdk-hnb659fds-lookup-role-${AWS_ACCOUNT_ID}-us-east-1`
        - "cdk-hnb659fds-cfn-exec-role-${AWS_ACCOUNT_ID}-us-east-1"
        - "cdk-hnb659fds-deploy-role-${AWS_ACCOUNT_ID}-us-east-1"
        - "cdk-hnb659fds-file-publishing-role-${AWS_ACCOUNT_ID}-us-east-1"
        - "cdk-hnb659fds-image-publishing-role-${AWS_ACCOUNT_ID}-us-east-1"
        - "cdk-hnb659fds-lookup-role-${AWS_ACCOUNT_ID}-us-east-1"
        - type: "contains"
          value: "cdk"
        - property: Name
          type: "glob"
          value: "*cdk*"
        - type: glob
          value: "*cdk*"
        - property: ARN
          type: "glob"
          value: "*cdk*"
      IAMRolePolicyAttachment:
        - "cdk-hnb659fds-cfn-exec-role-${AWS_ACCOUNT_ID}-us-east-1 -> *" # AdministratorAccess
        - "cdk-hnb659fds-deploy-role-${AWS_ACCOUNT_ID}-us-east-1 -> *" # default
        - "cdk-hnb659fds-file-publishing-role-${AWS_ACCOUNT_ID}-us-east-1 -> *" # cdk-hnb659fds-file-publishing-role-default-policy-${AWS_ACCOUNT_ID}-us-east-1
        - "cdk-hnb659fds-image-publishing-role-${AWS_ACCOUNT_ID}-us-east-1 -> *" # cdk-hnb659fds-image-publishing-role-default-policy-${AWS_ACCOUNT_ID}-us-east-1
        - "cdk-hnb659fds-lookup-role-${AWS_ACCOUNT_ID}-us-east-1 -> *" # LookupRolePolicy
        - "cdk-hnb659fds-lookup-role-${AWS_ACCOUNT_ID}-us-east-1 -> *" # ReadOnlyAccess
        - type: glob
          value: "*cdk* -> *"
        - type: "contains"
          value: "cdk"
        - type: glob
          value: "*cdk*"
        - type: glob
          value: "*cdk*"
        - property: RoleName
          value: "cdk-hnb659fds-cfn-exec-role-${AWS_ACCOUNT_ID}-us-east-1"
        - property: RoleName
          value: "cdk-hnb659fds-deploy-role-${AWS_ACCOUNT_ID}-us-east-1"
        - property: RoleName
          value: "cdk-hnb659fds-file-publishing-role-${AWS_ACCOUNT_ID}-us-east-1"
        - property: RoleName
          value: "cdk-hnb659fds-image-publishing-role-${AWS_ACCOUNT_ID}-us-east-1"
        - property: RoleName
          value: "cdk-hnb659fds-lookup-role-${AWS_ACCOUNT_ID}-us-east-1"
      IAMRolePolicy:
        - type: "contains"
          value: "cdk"
        - type: glob
          value: "*cdk*"
      S3Bucket:
        - "cdk-hnb659fds-assets-${AWS_ACCOUNT_ID}-us-east-1"
        # Example Name: `cdk-hnb659fds-assets-${AWS_ACCOUNT_ID}-us-east-1` | `arn:aws:s3:::cdk-hnb659fds-assets-${AWS_ACCOUNT_ID}-us-east-1`
        - type: "contains"
          value: "cdk"
        - property: Name
          type: "glob"
          value: "*cdk*"
        - type: glob
          value: "*cdk*"
        - property: ARN
          type: "glob"
          value: "*cdk*"
      ECRRepository:
        # Example Name: `${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/cdk-hnb659fds-container-assets-${AWS_ACCOUNT_ID}-us-east-1` | `arn:aws:ecr:us-east-1:${AWS_ACCOUNT_ID}:repository/cdk-hnb659fds-container-assets-${AWS_ACCOUNT_ID}-us-east-1`
        - type: "contains"
          value: "cdk"
        - property: Name
          type: "glob"
          value: "*cdk*"
        - type: glob
          value: "*cdk*"
        - property: ARN
          type: "glob"
          value: "*cdk*"
@ekristen
Owner

ekristen commented Oct 23, 2024

@BwL1289 If you have it in __global__ you don't need it under a specific resource.

You should convert any of the - "cdk-hnb659fds-cfn-exec-role-${AWS_ACCOUNT_ID}-us-east-1" to

- type: regex
  value: "cdk-hnb659fds-cfn-exec-role-.*-us-east-1"

You could try glob instead

- type: glob
  value: "cdk-hnb659fds-cfn-exec-role-*"

You could also just add to __global__

- type: contains
  value: cdk-hnb659fds

@BwL1289
Author

BwL1289 commented Oct 23, 2024

@ekristen thanks. I've updated to add to __global__:

- type: contains
  value: cdk-hnb659fds

@ekristen
Owner

@BwL1289 it can probably be distilled down to

presets:
  # MARK: - Exclude cdk aws resources (see: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-env.html)
  # Important: KMS key not included in cdk bootstrap resources any longer
  cdk:
    filters:
      # Exclude resources with cdk in the name
      __global__: # Catch all for all resources
        - type: "contains"
          value: "cdk"
        - type: "contains"
          value: "hnb659fds"
        - type: glob
          value: "*cdk*"
        - property: Name
          type: "glob"
          value: "*cdk*"
        - property: ARN
          type: "glob"
          value: "*cdk*"
        - property: Name
          type: "glob"
          value: "*CDK*"
        - property: ARN
          type: "glob"
          value: "*CDK*"
        - property: Name
          type: "contains"
          value: "hnb659fds"
        # Important: As of this writing, the exec role does not have a tag associated, so it is not included here
        - property: tag:aws:cloudformation:stack-name
          type: "glob"
          value: "*CDK*"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "lookup"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "image-publishing"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "file-publishing"
        - property: tag:aws:aws-cdk:bootstrap-role
          value: "deploy"
        - property: tag:aws:cloudformation:logical-id
          type: "glob"
          value: "*Cdk*"
        - property: tag:aws:cloudformation:stack-id
          type: "glob"
          value: "*CDK*"
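The filter forms compared above (literal names that still contain `${AWS_ACCOUNT_ID}`, the `regex` rewrite suggested for them, and a catch-all `__global__` preset like the distilled one), checked offline against the bootstrap resource names quoted in this issue. This is an added example, not aws-nuke's own code and not something either participant posted: the matcher re-implements the `exact`, `contains`, `glob` and `regex` filter types and the `property:` selector in Python, assumes matching is case-sensitive (which is what the duplicate `*cdk*`/`*CDK*` entries in the thread imply), assumes a filter without `property:` applies to the resource name, and assumes aws-nuke does not expand `${AWS_ACCOUNT_ID}` in filter values. The inventory, account id and the two non-bootstrap resources are constructed.

```python
"""Offline coverage check for an aws-nuke CDK exclusion preset.

Added example, not aws-nuke's code: the filter matcher below is an assumed
re-implementation of the filter types used in the thread.
"""
import fnmatch
import re

ACCOUNT = "123456789012"          # constructed sample account id, not a real one
REGION = "us-east-1"
SUFFIX = f"{ACCOUNT}-{REGION}"


def _res(rtype, name, arn, bootstrap, **tags):
    return {"type": rtype, "Name": name, "ARN": arn, "bootstrap": bootstrap, **tags}


# Constructed inventory: the bootstrap resources named in the issue plus two
# application resources that a CDK preset must leave for aws-nuke to delete.
SAMPLE_RESOURCES = [
    _res("CloudFormationStack", "CDKToolkit",
         f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/CDKToolkit/uuid", True),
    _res("SSMParameter", "/cdk-bootstrap/hnb659fds/version",
         f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/cdk-bootstrap/hnb659fds/version", True),
    _res("IAMRole", f"cdk-hnb659fds-cfn-exec-role-{SUFFIX}",           # no bootstrap-role tag
         f"arn:aws:iam::{ACCOUNT}:role/cdk-hnb659fds-cfn-exec-role-{SUFFIX}", True),
    _res("IAMRole", f"cdk-hnb659fds-deploy-role-{SUFFIX}",
         f"arn:aws:iam::{ACCOUNT}:role/cdk-hnb659fds-deploy-role-{SUFFIX}", True,
         **{"tag:aws:aws-cdk:bootstrap-role": "deploy"}),
    _res("S3Bucket", f"cdk-hnb659fds-assets-{SUFFIX}",
         f"arn:aws:s3:::cdk-hnb659fds-assets-{SUFFIX}", True),
    _res("ECRRepository", f"cdk-hnb659fds-container-assets-{SUFFIX}",
         f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/cdk-hnb659fds-container-assets-{SUFFIX}", True),
    _res("IAMRole", "app-deploy-role", f"arn:aws:iam::{ACCOUNT}:role/app-deploy-role", False),
    _res("S3Bucket", "acme-cdk-demo-logs", "arn:aws:s3:::acme-cdk-demo-logs", False),  # constructed
]


def filter_matches(flt, resource):
    """Evaluate one filter entry (assumed semantics, not aws-nuke's code).

    A bare string is an exact match on Name.  A mapping may set `property`
    (default Name), `type` (exact/contains/glob/regex) and `value`.  Values
    are literal: `${AWS_ACCOUNT_ID}` is never expanded.  All comparisons are
    case-sensitive, which is why the thread lists both `*cdk*` and `*CDK*`.
    """
    if isinstance(flt, str):
        flt = {"value": flt}
    actual = resource.get(flt.get("property", "Name"))
    if actual is None:                       # e.g. a tag the resource does not carry
        return False
    ftype, value = flt.get("type", "exact"), flt["value"]
    if ftype == "exact":
        return actual == value
    if ftype == "contains":
        return value in actual
    if ftype == "glob":
        return fnmatch.fnmatchcase(actual, value)
    if ftype == "regex":
        return re.search(value, actual) is not None
    raise ValueError(f"unknown filter type {ftype!r}")


def is_excluded(resource, preset):
    """__global__ filters apply to every type, followed by the type's own list."""
    filters = list(preset.get("__global__", [])) + list(preset.get(resource["type"], []))
    return any(filter_matches(f, resource) for f in filters)


def coverage(preset, resources=SAMPLE_RESOURCES):
    """Return (leaked, collateral): bootstrap names the preset fails to keep,
    and non-bootstrap names it would wrongly keep from being nuked."""
    leaked = [r["Name"] for r in resources if r["bootstrap"] and not is_excluded(r, preset)]
    collateral = [r["Name"] for r in resources if not r["bootstrap"] and is_excluded(r, preset)]
    return leaked, collateral


# 1. Literal names with the unexpanded placeholder, as in the first draft.
LITERAL_PRESET = {"IAMRole": [
    "cdk-hnb659fds-cfn-exec-role-${AWS_ACCOUNT_ID}-us-east-1",
    "cdk-hnb659fds-deploy-role-${AWS_ACCOUNT_ID}-us-east-1",
]}
# 2. The regex rewrite suggested in the thread, scoped to IAMRole only.
REGEX_PRESET = {"IAMRole": [
    {"type": "regex", "value": r"^cdk-hnb659fds-(cfn-exec|deploy)-role-\d{12}-us-east-1$"},
]}
# 3. `contains: cdk-hnb659fds` in __global__ on its own.
NARROW_PRESET = {"__global__": [{"type": "contains", "value": "cdk-hnb659fds"}]}
# 4. A catch-all __global__ preset modelled on the distilled version.
GLOBAL_PRESET = {"__global__": [
    {"type": "contains", "value": "hnb659fds"},
    {"property": "Name", "type": "glob", "value": "*CDK*"},
    {"property": "tag:aws:aws-cdk:bootstrap-role", "value": "deploy"},
]}
# 5. The broad `contains: cdk` entry on its own.
BROAD_PRESET = {"__global__": [{"type": "contains", "value": "cdk"}]}

if __name__ == "__main__":
    for label, preset in [("literal", LITERAL_PRESET), ("regex", REGEX_PRESET),
                          ("narrow", NARROW_PRESET), ("global", GLOBAL_PRESET),
                          ("broad", BROAD_PRESET)]:
        leaked, collateral = coverage(preset)
        print(f"{label:8} leaked={leaked} collateral={collateral}")
```

Two things the check surfaces that are easy to miss when reading the YAML: `contains: cdk-hnb659fds` by itself leaks `/cdk-bootstrap/hnb659fds/version`, because that name carries `cdk-bootstrap` and `hnb659fds` but never the joined token, so keep a `hnb659fds` (or `cdk`) entry beside it as the distilled preset does; and the broad `contains: cdk` keeps any application resource with `cdk` in its name while still missing `CDKToolkit` under case-sensitive matching. Whatever the offline check says, run the real preset through aws-nuke's dry run and read the plan before pointing it at an account you cannot rebootstrap cheaply.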

@BwL1289
Author

BwL1289 commented Oct 23, 2024

@ekristen thank you. Appreciate the input and hope we can use this to give to the community.

@BwL1289
Author

BwL1289 commented Oct 23, 2024

Also, the __global__ approach can probably be adapted to Control Tower as well.

@ekristen
Owner

@BwL1289 test it out, if it works as you expect, let me know or open a PR to update the docs to include it.

@ekristen
Owner

@BwL1289 any luck in testing?

@BwL1289
Author

BwL1289 commented Oct 31, 2024

Worked beautifully in dev. Testing in production next week. Thanks for the follow up

@ekristen
Owner

@BwL1289 any luck testing in prod?
