Chore/cdk nag gen fixes #925
Merged
added 3 commits on July 3, 2026 11:20
jqwik was used for a single "property" whose input space was just the three IdeArch enum values - equivalent to a JUnit @ParameterizedTest with @EnumSource, and with no extra dependency.

- Convert IdePropsTest.architectureDeterminesInstanceTypes to @ParameterizedTest + @EnumSource(IdeArch.class).
- Remove the net.jqwik:jqwik-engine test dependency.
- Remove the now-unused .jqwik-database .gitignore entry.

Also removes the jqwik-engine 1.10.1 anti-AI-agent banner it printed to test stdout during synth. All 7 tests pass.
`npm run gen` synthesizes WorkshopStack with template.type=java-on-aws (and 4 other template types), which create far more IAM than the default synth. The previous enumerated appliesTo lists only matched the default template's findings, so cdk synth failed with 87 uncovered AwsSolutions-IAM4/IAM5 errors (Ide/UserPolicy, WorkshopBoundary, EKS, Unicorn, ThreadAnalysis, AiJvmAnalyzer, PerfPlatform roles). Replace the brittle enumerated appliesTo with RegexAppliesTo so the suppressions match every IAM4 (Policy::*) and IAM5 (Action::* / Resource::*) finding, robust across all template types and generated resource names. Broad IAM is intentional for the ephemeral workshop environment. Verified: cdk synth passes (rc=0, 0 non-compliant) for all five template types - java-on-aws, java-on-amazon-eks, java-spring-ai-agents, java-ai-agents, java-ai-agents-advanced.
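The suppression change described in the commit above, as an added example that is not the project's own code: the enumerated `appliesTo` form beside the `RegexAppliesTo` form, wired into a CDK app with the AwsSolutions pack. It assumes the cdk-nag Java binding (`io.github.cdklabs.cdknag`), a placeholder `WorkshopStack` and the class/package names shown, all of which are hypothetical; the regex strings use cdk-nag's `/pattern/flags` form.

```java
// Added example (not the project's own code). Assumes the cdk-nag Java binding
// (io.github.cdklabs.cdknag); WorkshopStack and NagGenExample are hypothetical names.
package example;

import java.util.List;

import io.github.cdklabs.cdknag.AwsSolutionsChecks;
import io.github.cdklabs.cdknag.NagPackProps;
import io.github.cdklabs.cdknag.NagPackSuppression;
import io.github.cdklabs.cdknag.NagSuppressions;
import io.github.cdklabs.cdknag.RegexAppliesTo;
import software.amazon.awscdk.App;
import software.amazon.awscdk.Aspects;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.constructs.Construct;

public final class NagGenExample {

    /** Placeholder for the workshop stack; the real one creates the IAM the findings refer to. */
    static final class WorkshopStack extends Stack {
        WorkshopStack(final Construct scope, final String id, final StackProps props) {
            super(scope, id, props);
            // roles, inline policies and managed-policy attachments would be created here
        }
    }

    /**
     * Enumerated form: every managed-policy ARN, action wildcard and resource wildcard
     * must be listed by exact finding string. Any finding a different template type
     * produces that is not in these lists stays uncovered and fails cdk synth.
     */
    static List<NagPackSuppression> enumeratedSuppressions() {
        return List.of(
            NagPackSuppression.builder()
                .id("AwsSolutions-IAM4")
                .reason("Managed policy accepted for the ephemeral workshop environment")
                .appliesTo(List.<Object>of(
                    "Policy::arn:<AWS::Partition>:iam::aws:policy/AmazonSSMManagedInstanceCore"))
                .build(),
            NagPackSuppression.builder()
                .id("AwsSolutions-IAM5")
                .reason("Wildcards accepted for the ephemeral workshop environment")
                .appliesTo(List.<Object>of("Action::s3:GetObject*", "Resource::*"))
                .build());
    }

    /**
     * Regex form: one pattern per finding kind. cdk-nag matches the finding string
     * ("Policy::<arn>", "Action::<action>", "Resource::<resource>") against the regex,
     * so this covers every IAM4/IAM5 finding regardless of template type or generated
     * resource name. It is deliberately broad: it disables IAM4/IAM5 for the whole
     * stack, so the reason must justify that, as the commit does for the workshop.
     */
    static List<NagPackSuppression> regexSuppressions() {
        return List.of(
            NagPackSuppression.builder()
                .id("AwsSolutions-IAM4")
                .reason("Broad IAM is intentional for the ephemeral workshop environment")
                .appliesTo(List.<Object>of(
                    RegexAppliesTo.builder().regex("/^Policy::.*$/g").build()))
                .build(),
            NagPackSuppression.builder()
                .id("AwsSolutions-IAM5")
                .reason("Broad IAM is intentional for the ephemeral workshop environment")
                .appliesTo(List.<Object>of(
                    RegexAppliesTo.builder().regex("/^Action::.*$/g").build(),
                    RegexAppliesTo.builder().regex("/^Resource::.*$/g").build()))
                .build());
    }

    public static void main(final String[] args) {
        App app = new App();
        Stack stack = new WorkshopStack(app, "WorkshopStack", StackProps.builder().build());

        // Run the AwsSolutions pack over the app; verbose prints the full finding text,
        // i.e. the Policy::/Action::/Resource:: strings an appliesTo entry has to match.
        Aspects.of(app).add(new AwsSolutionsChecks(NagPackProps.builder().verbose(true).build()));

        // Stack-wide suppressions; the trailing true also applies them to nested stacks.
        NagSuppressions.addStackSuppressions(stack, regexSuppressions(), true);

        app.synth();
    }
}
```

Running `cdk synth` with `verbose(true)` is the quickest way to see which finding strings an enumerated list misses: each uncovered IAM4/IAM5 error prints the exact `Policy::`, `Action::` or `Resource::` value. The regex form removes that maintenance burden, but it also means a newly added `Resource::*` on a production-shaped role would never surface, which is why the commit limits the justification to the ephemeral workshop environment.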
Now that IAM4/IAM5 are suppressed via regex appliesTo, cdk-nag 2.38.2 works on the latest aws-cdk-lib. Verified: cdk synth passes with 0 non-compliant findings for all five template types on 2.260. The earlier 2.250 "ceiling" was wrong - it was caused by enumerated appliesTo not matching the full template's findings, not by the native Validations framework introduced in 2.251. Rewrite NAG.md accordingly: no aws-cdk-lib ceiling on the 2.x line; cdk-nag stays 2.x (3.x is plugin-only and unneeded).