All specification of ResourceTypes when deploying stack

[damonmaria]

When deploying a stack with the SDK or aws CLI it's possible to specify ResourceTypes so that IAM users can be restricted to deploying stacks with only certain resources inside them. As far I can can tell this is not possible with the CDK.

Use Case

I want to restrict certain users to only be able to manage HostedZone RecordSets through CloudFormation, as per AWS CloudFormation security best practices.

Proposed Solution

I can see this being implemented in one of a few different ways:

1. CLI argument to cdk deploy like the aws cloudformation create-stack CLI
2. Specifying the resource types on the Stack itself in code
3. CDK automatically scanning the resource types in a stack and specifying that automatically as the resource types to CloudFormation

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[RomainMuller]

What improvement does "automatically specifying the list of resource types" provide over allowing all? It feels like this would be a self-fulfilling prophecy, as the perimeter of what's allowed would automatically expand to fit everything that's used inside the CDK Application... Or am I missing something in what your request is?

[SomayaB]

What improvement does "automatically specifying the list of resource types" provide over allowing all? It feels like this would be a self-fulfilling prophecy, as the perimeter of what's allowed would automatically expand to fit everything that's used inside the CDK Application... Or am I missing something in what your request is?

@damonmaria

[damonmaria]

Hmmmm.... I was thinking the sole purpose of specifying the ResourceTypes would be so that they can be enforced in an IAM policy restricting the user/role executing the template. But I guess they could also be used if the author of the template and the executor of it are different, and the executor wanted to enforce that the author was restricted to certain resource types. So I agree, in that case #3 does not make sense.

[rix0rrr]

Can you not restrict the deployment role's permissions to only be able to do Route53 things, if that's the only thing you want users to be able to do?

If we add the restriction in CDK code, people can always get around them. That does not seem a productive use of engineering effort.

[damonmaria]

As per the AWS CloudFormation Security Best Practices I linked to above I would like to restrict it so that ops users in our master account using CDK (CloudFormation) can only manage stacks that deal solely with Route53 hosted zones. For different projects we add DNS records into a hosted zone that is managed in our master account. I don't want these users to be able to access any other more general stacks in that account. But to do this I need to be able to specify ResourceTypes to CloudFormation.

[rix0rrr]

As far as I can tell, the ResourceTypes parameter to CreateStack will select a subset of resources from the template to deploy.

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.