Add Support for adding Metadata to deal with 3rd party tools #8336

Closed
2 tasks
Zirkonium88 opened this issue Jun 3, 2020 · 2 comments
Labels
feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

Zirkonium88 commented Jun 3, 2020

Hi, thanks for your great effort on CDK development!

Please add the possibility to add custom metadata to CloudFormation templates via the CDK.

Use Case

I would like to use cfn_nag. This is a security scanning CLI tool for CloudFormation templates. Not all rules apply to my organization. You can add metadata to CloudFormation which disables unnecessary rules of cfn_nag.

Proposed Solution

This snippet

PublicAlbSecurityGroup:
  Properties:
    GroupDescription: 'Security group for a public Application Load Balancer'
    VpcId:
      Ref: vpc
  Type: AWS::EC2::SecurityGroup
PublicAlbSecurityGroupHttpIngress:
  Properties:
    CidrIp: 0.0.0.0/0
    FromPort: 80
    GroupId:
      Ref: PublicAlbSecurityGroup
    IpProtocol: tcp
    ToPort: 80
  Type: AWS::EC2::SecurityGroupIngress

shall be adapted to this

PublicAlbSecurityGroup:
  Properties:
    GroupDescription: 'Security group for a public Application Load Balancer'
    VpcId:
      Ref: vpc
  Type: AWS::EC2::SecurityGroup
  Metadata:
    cfn_nag:
      rules_to_suppress:
        - id: W9
          reason: "This is a public facing ELB and ingress from the internet should be permitted."
        - id: W2
          reason: "This is a public facing ELB and ingress from the internet should be permitted."
PublicAlbSecurityGroupHttpIngress:
  Properties:
    CidrIp: 0.0.0.0/0
    FromPort: 80
    GroupId:
      Ref: PublicAlbSecurityGroup
    IpProtocol: tcp
    ToPort: 80
  Type: AWS::EC2::SecurityGroupIngress

My idea

alb_sg.node.add_metadata(
{
   "cfn_nag": {
      "rules_to_suppress": [
         {
            "id": "W9",
            "reason": "This is a public facing ELB and ingress from the internet should be permitted."
         },
         {
            "id": "W2",
            "reason": "This is a public facing ELB and ingress from the internet should be permitted."
         }
      ]
   }
}
)

Other

Related #6379

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@Zirkonium88 (Author)

I just found this part of the documentation:

# Get the AWS CloudFormation resource
cfn_bucket = bucket.node.default_child

# Change its properties
cfn_bucket.analytics_configuration = [
    {
        "id": "Config",
        # ...
    }
]

This is not very straightforward, but it works. It would be nice to extend the documentation with hints for metadata and cfn-init. This would also close issue #777.

longtv2222 (Contributor) commented Jan 2, 2024

Commenting on this issue since this is the first result on Google.

According to the documentation, to add metadata, we do:

// Get the CloudFormation resource
const cfnBucket = bucket.node.defaultChild as s3.CfnBucket;

// add metadata
cfnBucket.cfnOptions.metadata = {
  MetadataKey: 'MetadataValue'
};

But the above removes all other metadata values (notably aws:cdk:path). If we want to preserve other metadata values, it's better to do:

cfnBucket.addMetadata('MetadataKey', 'MetadataValue');

I've submitted documentation feedback for https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html#cfn_layer_resource
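
An added example, not part of the issue thread or the CDK project's code: a review-side audit of a synthesized template that lists every cfn_nag suppression, flags entries without a reason, and flags resources whose `aws:cdk:path` metadata is gone (the symptom of assigning `cfnOptions.metadata` wholesale, as described in the comment above). The function name, the "reason required" policy and the sample template are assumptions made for this example; the template is constructed.

```python
import json

# Constructed sample of a synthesized template (not from a real stack).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PublicAlbSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Metadata": {
        "aws:cdk:path": "Stack/PublicAlbSecurityGroup/Resource",
        "cfn_nag": {"rules_to_suppress": [
          {"id": "W9", "reason": "This is a public facing ELB and ingress from the internet should be permitted."},
          {"id": "W2", "reason": ""}
        ]}
      }
    },
    "InternalSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Metadata": {"cfn_nag": {"rules_to_suppress": [{"id": "W2"}]}}
    }
  }
}
""")


def audit_suppressions(template):
    """Return (suppressions, findings) for a CloudFormation template dict."""
    suppressions, findings = [], []
    for logical_id, resource in sorted(template.get("Resources", {}).items()):
        metadata = resource.get("Metadata") or {}
        rules = (metadata.get("cfn_nag") or {}).get("rules_to_suppress") or []
        for rule in rules:
            rule_id = rule.get("id", "<missing id>")
            reason = (rule.get("reason") or "").strip()
            suppressions.append((logical_id, rule_id, reason))
            # Policy assumed for this example: every suppression needs a justification.
            if not reason:
                findings.append(f"{logical_id}: {rule_id} suppressed without a reason")
        # A suppressed resource without aws:cdk:path suggests the metadata was replaced, not merged.
        if rules and "aws:cdk:path" not in metadata:
            findings.append(f"{logical_id}: cfn_nag metadata present but aws:cdk:path missing")
    return suppressions, findings


if __name__ == "__main__":
    found, problems = audit_suppressions(SAMPLE_TEMPLATE)
    for logical_id, rule_id, reason in found:
        print(f"{logical_id}\t{rule_id}\t{reason or '(no reason)'}")
    for problem in problems:
        print("REVIEW:", problem)
```
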
