Feature Request: Exclude Some Resources From CDK Bootstrap Execution.

[case-k-git]

Describe the feature

Exclude Some Resources From CDK Bootstrap Execution.By excluding the selection of resources created by CDK Bootstrap, it becomes possible to execute with only the necessary resource permissions required for business operations. Currently, there are resources that cannot be constructed without administrator permissions, such as S3, which limits the ability of developers to execute CDK bootstrap on their side.

Use Case

In some companies, permissions for S3 are not granted, or the use of ECR is prohibited as a company policy. For example, if it were possible to limit the creation of S3 and ECR resources when deploying Lambda, developers could create stacks on their own, improving development efficiency. To deploy lambda application we use the S3 bucket which has been created by admin team. Also ECR is prohibited, So these company does not use ECR when build application of Lambda ..etc.
We want to avoid the limitations and extra work of having to request deployments from a different administrator due to insufficient permissions.

Proposed Solution

cdk bootstrap --exclude '["AWS::S3::Bucket", "AWS::ECR::Repository"]'

Other Information

Appreciate if you post some advice about this feature. I am not familiar with CDK usage. So if these resources are necessary to use CDK even if not using inside deployment resources. Please let me know it.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

irrelevant

Environment details (OS name and version, etc.)

irrelevant

[pahud]

Do you mean in your cases your team is not allowed to create s3 buckets/objects as well as ECR repositories/images but you still need to use CDK? Please note in that case your CDK app would not be able to upload the bundled assets to S3 or ECR. Is that your use case?

[case-k-git]

@pahud Thank you for your reply. Yea something like that.

As a company policy ECR is not allowed and S3 bucket is allowed but created by AWS admin team(Not developer).

So for example when we want to deploy Lambda function. We are using S3 bucket which Admin team created. Also we can not use ECR because of this is prohibited by company policy(So ECR does not need to deploy in our usecase).

but you still need to use CDK?

Not necessary but want to use because it is convenient if we can use CDK.

Please note in that case your CDK app would not be able to upload the bundled assets to S3 or ECR

Thank you I see. In our case ECR does not need it as it is not allowed as company policy.
In that case can we control and chose S3 bucket which is created by the other team? or May be execute CDK Bootstrap by admin team will help to create S3 bucket. But ECR does not need it and prevent using CDK in our case unless we do not have this kind of option.

So I thought this option will be helpful for some company which is restricted by Security policy. How do you think?

[pahud]

Thank you for your use case sharing.

One option is to allow the admin team to cdk bootstrap for the dev team and optionally remove the ECR repo created by the bootstrap CFN stack(CDKTookKit stack). Please note if you remove the assets ECR repo you will not be able to use the docker image assets bundling capabilities with CDK. Does it make sense for you?

[case-k-git]

Thank you for reply . I see so after deploy both S3 and ECR then remove the ECR manually.

Yea I think that will solve this issue. This is not major use case so I think we can close this request.

My last concern is how often do we need to execute cdk bootstrap I think this is the initial action but do we have chance to execute again like version update ..etc
I just want to avoid each time ask admin team to execute operation

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.