API Reference

Constructs

PDKNagApp

Initializers

import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNagApp(
  analytics_reporting: bool = None,
  auto_synth: bool = None,
  context: typing.Mapping[typing.Any] = None,
  default_stack_synthesizer: IReusableStackSynthesizer = None,
  outdir: str = None,
  policy_validation_beta1: typing.List[IPolicyValidationPluginBeta1] = None,
  post_cli_context: typing.Mapping[typing.Any] = None,
  stack_traces: bool = None,
  tree_metadata: bool = None,
  fail_on_error: bool = None,
  fail_on_warning: bool = None,
  nag_packs: typing.List[NagPack] = None
)
Name Type Description
analytics_reporting bool Include runtime versioning information in the Stacks of this app.
auto_synth bool Automatically call synth() before the program exits.
context typing.Mapping[typing.Any] Additional context values for the application.
default_stack_synthesizer aws_cdk.IReusableStackSynthesizer The stack synthesizer to use by default for all Stacks in the App.
outdir str The output directory into which to emit synthesized artifacts.
policy_validation_beta1 typing.List[aws_cdk.IPolicyValidationPluginBeta1] Validation plugins to run after synthesis.
post_cli_context typing.Mapping[typing.Any] Additional context values for the application.
stack_traces bool Include construct creation stack trace in the aws:cdk:trace metadata key of all constructs.
tree_metadata bool Include construct tree metadata as part of the Cloud Assembly.
fail_on_error bool Determines whether any errors encountered should trigger a test failure.
fail_on_warning bool Determines whether any warnings encountered should trigger a test failure.
nag_packs typing.List[cdk_nag.NagPack] Custom nag packs to execute.

analytics_reportingOptional
  • Type: bool
  • Default: Value of 'aws:cdk:version-reporting' context key

Include runtime versioning information in the Stacks of this app.


auto_synthOptional
  • Type: bool
  • Default: true if running via CDK CLI (CDK_OUTDIR is set), false otherwise

Automatically call synth() before the program exits.

If you set this, you don't have to call synth() explicitly. Note that this feature is only available for certain programming languages, and calling synth() is still recommended.


contextOptional
  • Type: typing.Mapping[typing.Any]
  • Default: no additional context

Additional context values for the application.

Context set by the CLI or the context key in cdk.json has precedence.

Context can be read from any construct using node.getContext(key).


default_stack_synthesizerOptional
  • Type: aws_cdk.IReusableStackSynthesizer
  • Default: A DefaultStackSynthesizer with default settings

The stack synthesizer to use by default for all Stacks in the App.

The Stack Synthesizer controls aspects of synthesis and deployment, like how assets are referenced and what IAM roles to use. For more information, see the README of the main CDK package.


outdirOptional
  • Type: str
  • Default: If this value is not set, considers the environment variable CDK_OUTDIR. If CDK_OUTDIR is not defined, uses a temp directory.

The output directory into which to emit synthesized artifacts.

You should never need to set this value. By default, the value you pass to the CLI's --output flag will be used, and if you change it to a different directory the CLI will fail to pick up the generated Cloud Assembly.

This property is intended for internal and testing use.


policy_validation_beta1Optional
  • Type: typing.List[aws_cdk.IPolicyValidationPluginBeta1]
  • Default: no validation plugins

Validation plugins to run after synthesis.


post_cli_contextOptional
  • Type: typing.Mapping[typing.Any]
  • Default: no additional context

Additional context values for the application.

Context provided here has precedence over context set by:

  • The CLI via --context
  • The context key in cdk.json
  • The AppProps.context property

This property is recommended over the AppProps.context property since it lets your app make the final decision about which context value to take.

Context can be read from any construct using node.getContext(key).


Example

// context from the CLI and from `cdk.json` are stored in the
// CDK_CONTEXT env variable
const cliContext = JSON.parse(process.env.CDK_CONTEXT!);

// determine whether to take the context passed in the CLI or not
const determineValue = process.env.PROD ? cliContext.SOMEKEY : 'my-prod-value';
new App({
  postCliContext: {
    SOMEKEY: determineValue,
  },
});
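
The precedence described above, as an added example written for this page rather than code from the AWS PDK or the CDK: a Python rendering of the TypeScript snippet plus a small resolver that merges the three context layers in the documented order. It assumes, as the snippet's comment says, that the CLI and cdk.json context arrive already merged in the CDK_CONTEXT variable, and it models the documented precedence itself instead of calling the CDK's resolver; the function names and the sample environment are constructed for the example.

```python
import json
from typing import Any, Dict, Mapping, Optional

# Constructed stand-in for the CDK_CONTEXT variable the CDK CLI sets: the cdk.json
# context already merged with any --context flags, serialized as a JSON object.
SAMPLE_ENVIRON = {"CDK_CONTEXT": json.dumps({"SOMEKEY": "from-cli", "stage": "dev"})}


def read_cdk_context(environ: Mapping[str, str]) -> Dict[str, Any]:
    """Parse CDK_CONTEXT; empty when the app is not run through the CDK CLI."""
    raw = environ.get("CDK_CONTEXT")
    if not raw:
        return {}
    parsed = json.loads(raw)
    if not isinstance(parsed, dict):
        raise ValueError("CDK_CONTEXT must be a JSON object")
    return parsed


def choose_post_cli_context(environ: Mapping[str, str], cli_context: Mapping[str, Any]) -> Dict[str, Any]:
    """Python rendering of the page's TypeScript example: use the CLI's SOMEKEY
    only when PROD is set in the environment, otherwise pin 'my-prod-value'."""
    value = cli_context.get("SOMEKEY") if environ.get("PROD") else "my-prod-value"
    return {"SOMEKEY": value}


def resolve_context(props_context: Optional[Mapping[str, Any]], cli_context: Mapping[str, Any],
                    post_cli_context: Mapping[str, Any]) -> Dict[str, Any]:
    """Merge the layers in the documented precedence, lowest first:
    AppProps.context < CLI and cdk.json (CDK_CONTEXT) < post_cli_context.
    This models the documented order; it does not call the CDK's own resolver."""
    merged: Dict[str, Any] = dict(props_context or {})
    merged.update(cli_context)
    merged.update(post_cli_context)
    return merged


def effective_context(environ: Mapping[str, str],
                      props_context: Optional[Mapping[str, Any]] = None) -> Dict[str, Any]:
    """The value node.getContext(key) would see for each key, given the environment."""
    cli = read_cdk_context(environ)
    return resolve_context(props_context, cli, choose_post_cli_context(environ, cli))
```

Because post_cli_context wins over every other layer, it is the place to pin values that a `--context` flag on a developer's machine must not be able to override; the resolver makes that visible by showing the CLI's SOMEKEY being replaced whenever PROD is not set.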

stack_tracesOptional
  • Type: bool
  • Default: true (stack traces are included unless aws:cdk:disable-stack-trace is set in the context)

Include construct creation stack trace in the aws:cdk:trace metadata key of all constructs.


tree_metadataOptional
  • Type: bool
  • Default: true

Include construct tree metadata as part of the Cloud Assembly.


fail_on_errorOptional
  • Type: bool
  • Default: false

Determines whether any errors encountered should trigger a test failure.


fail_on_warningOptional
  • Type: bool
  • Default: false

Determines whether any warnings encountered should trigger a test failure.


nag_packsOptional
  • Type: typing.List[cdk_nag.NagPack]
  • Default: DEFAULT_NAG_PACKS

Custom nag packs to execute.


Methods

Name Description
to_string Returns a string representation of this construct.
synth Synthesize this stage into a cloud assembly.
add_extended_nag_results No description.
add_nag_result No description.
extended_nag_results Returns a list of ExtendedNagResult.
nag_results Returns a list of NagResult.

to_string
def to_string() -> str

Returns a string representation of this construct.

synth
def synth(
  force: bool = None,
  skip_validation: bool = None,
  validate_on_synthesis: bool = None
) -> CloudAssembly

Synthesize this stage into a cloud assembly.

Once an assembly has been synthesized, it cannot be modified. Subsequent calls will return the same assembly.

forceOptional
  • Type: bool
  • Default: false

Force a re-synth, even if the stage has already been synthesized.

This is used by tests to allow for incremental verification of the output. Do not use in production.


skip_validationOptional
  • Type: bool
  • Default: false

Whether to skip construct validation.


validate_on_synthesisOptional
  • Type: bool
  • Default: false

Whether the stack should be validated after synthesis to check for error metadata.


add_extended_nag_results
def add_extended_nag_results(
  compliance: NagResultCompliance,
  nag_pack_name: str,
  resource: CfnResource,
  rule_explanation: str,
  rule_id: str,
  rule_info: str,
  rule_level: NagMessageLevel,
  rule_original_name: str,
  error_message: str = None,
  finding_id: str = None,
  suppression_reason: str = None
) -> None

complianceRequired
  • Type: NagResultCompliance

Compliance status of the rule against the resource.


nag_pack_nameRequired
  • Type: str

The name of the nag pack this rule is from.


resourceRequired
  • Type: aws_cdk.CfnResource

The resource the rule was applied to.


rule_explanationRequired
  • Type: str

Why the rule exists.


rule_idRequired
  • Type: str

The ID of the rule in this nag pack.


rule_infoRequired
  • Type: str

Why the rule was triggered.


rule_levelRequired
  • Type: cdk_nag.NagMessageLevel

The severity level of the rule.


rule_original_nameRequired
  • Type: str

The original name of the rule (regardless of nag pack).


error_messageOptional
  • Type: str

The error that was thrown, only set for error results.


finding_idOptional
  • Type: str

The finding that was checked, only set for non-compliant results.


suppression_reasonOptional
  • Type: str

The reason the rule was suppressed, if any.


add_nag_result
def add_nag_result(
  messages: typing.List[Message],
  resource: str
) -> None

messagesRequired
  • Type: typing.List[Message]

List of messages.


resourceRequired
  • Type: str

Resource which triggered the message.


extended_nag_results
def extended_nag_results() -> typing.List[ExtendedNagResult]

Returns a list of ExtendedNagResult.

Note: app.synth() must be called before this to retrieve results.

nag_results
def nag_results() -> typing.List[NagResult]

Returns a list of NagResult.

Note: app.synth() must be called before this to retrieve results.
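
The results these two methods return are only useful once something decides what to do with them. The following is an added example written for this page, not code from the AWS PDK: it takes a list of ExtendedNagResult-shaped records, buckets them by the NagResultCompliance statuses documented in the Enums section, applies the fail_on_error / fail_on_warning switches of PDKNagApp, and lists suppressed findings so that the suppression_reason of each can be reviewed. So that it runs without aws.pdk installed, the enum, the cdk_nag.NagMessageLevel stand-in and the ExtendedNagResult dataclass are local mirrors with the same member and field names (the real `resource` is a CfnResource; here it is a path string), and enum members are compared by name so the real objects work too. The sample results, rule ids, paths and pack name are constructed placeholders, and treating a rule that crashed (status ERROR) as an error finding is this example's assumption, not documented PDK behaviour.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Optional

class NagResultCompliance(Enum):
    """Local mirror of aws.pdk.pdk_nag.NagResultCompliance (same member names)."""
    COMPLIANT = 1
    NON_COMPLIANT = 2
    NON_COMPLIANT_SUPPRESSED = 3
    ERROR = 4
    ERROR_SUPPRESSED = 5
    NOT_APPLICABLE = 6

class NagMessageLevel(Enum):
    """Stand-in for cdk_nag.NagMessageLevel, which has WARN and ERROR members."""
    WARN = "Warning"
    ERROR = "Error"

@dataclass
class ExtendedNagResult:
    """Stand-in for aws.pdk.pdk_nag.ExtendedNagResult with the same field names;
    `resource` is a construct path string here instead of a CfnResource."""
    compliance: NagResultCompliance
    nag_pack_name: str
    resource: str
    rule_explanation: str
    rule_id: str
    rule_info: str
    rule_level: NagMessageLevel
    rule_original_name: str
    error_message: Optional[str] = None
    finding_id: Optional[str] = None
    suppression_reason: Optional[str] = None

@dataclass
class NagSummary:
    errors: List[ExtendedNagResult] = field(default_factory=list)         # NON_COMPLIANT at ERROR level
    warnings: List[ExtendedNagResult] = field(default_factory=list)       # NON_COMPLIANT at WARN level
    suppressed: List[ExtendedNagResult] = field(default_factory=list)     # *_SUPPRESSED statuses
    rule_failures: List[ExtendedNagResult] = field(default_factory=list)  # ERROR: the rule itself failed
    fail_build: bool = False

def evaluate_nag_results(results: Iterable[ExtendedNagResult], fail_on_error: bool = False,
                         fail_on_warning: bool = False) -> NagSummary:
    """Bucket results by compliance status and apply the fail_on_error /
    fail_on_warning switches. Members are compared by name so the real jsii
    enums returned by aws.pdk work as well as the local mirrors.
    Assumption: a rule that failed to run (ERROR) is gated like an error finding."""
    summary = NagSummary()
    for r in results:
        status, level = r.compliance.name, r.rule_level.name
        if status == "NON_COMPLIANT":
            (summary.errors if level == "ERROR" else summary.warnings).append(r)
        elif status in ("NON_COMPLIANT_SUPPRESSED", "ERROR_SUPPRESSED"):
            summary.suppressed.append(r)
        elif status == "ERROR":
            summary.rule_failures.append(r)
        # COMPLIANT and NOT_APPLICABLE need no action
    summary.fail_build = bool((fail_on_error and (summary.errors or summary.rule_failures))
                              or (fail_on_warning and summary.warnings))
    return summary

def unjustified_suppressions(summary: NagSummary) -> List[ExtendedNagResult]:
    """Suppressions with no recorded reason: the gate lets them through, so review them first."""
    return [r for r in summary.suppressed if not (r.suppression_reason or "").strip()]

def format_report(summary: NagSummary) -> List[str]:
    """One line per result that needs a human decision."""
    lines = []
    for tag, bucket in (("ERROR", summary.errors), ("WARN", summary.warnings),
                        ("SUPPRESSED", summary.suppressed), ("RULE-FAILED", summary.rule_failures)):
        for r in bucket:
            detail = r.error_message or r.suppression_reason or r.rule_info
            lines.append(f"{tag:<11} {r.nag_pack_name}-{r.rule_id} {r.resource}: {detail}")
    return lines

def _sample(status: str, level: str, rule_id: str, **extra) -> ExtendedNagResult:
    # Constructed sample; rule ids, paths and pack name are placeholders, not real cdk-nag rules.
    return ExtendedNagResult(NagResultCompliance[status], "AwsPrototyping", f"MyStack/{rule_id}/Resource",
                             "why the rule exists", rule_id, "why the rule fired",
                             NagMessageLevel[level], f"Original{rule_id}", **extra)

# Constructed results standing in for app.extended_nag_results() after app.synth().
SAMPLE_RESULTS = [
    _sample("NON_COMPLIANT", "ERROR", "R1", finding_id="[F1]"),
    _sample("NON_COMPLIANT", "WARN", "R2", finding_id="[F2]"),
    _sample("NON_COMPLIANT_SUPPRESSED", "ERROR", "R3", suppression_reason="dev-only resource; ticket PLACEHOLDER-1"),
    _sample("ERROR_SUPPRESSED", "ERROR", "R4", error_message="rule threw", suppression_reason=""),
    _sample("COMPLIANT", "ERROR", "R5"),
    _sample("ERROR", "WARN", "R6", error_message="rule threw"),
]
```

In a pipeline the real sequence is: build the app with PDKNag.app(fail_on_error=True) or PDKNagApp(...), define the stacks, call app.synth(), then pass app.extended_nag_results() to evaluate_nag_results and print format_report(summary). Suppressions added through add_resource_suppressions_by_path_no_throw show up in the suppressed bucket with their reason, so unjustified_suppressions is the check that keeps a suppression from silently retiring a finding.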

Static Functions

Name Description
is_construct Checks if x is a construct.
is_stage Test whether the given construct is a stage.
of Return the stage this construct is contained with, if available.
is_app Checks if an object is an instance of the App class.

is_construct
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNagApp.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid instanceof and to use this type-testing method instead.

xRequired
  • Type: typing.Any

Any object.


is_stage
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNagApp.is_stage(
  x: typing.Any
)

Test whether the given construct is a stage.

xRequired
  • Type: typing.Any

of
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNagApp.of(
  construct: IConstruct
)

Return the stage this construct is contained in, if available.

If called on a nested stage, returns its parent.

constructRequired
  • Type: constructs.IConstruct

is_app
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNagApp.is_app(
  obj: typing.Any
)

Checks if an object is an instance of the App class.

objRequired
  • Type: typing.Any

The object to evaluate.


Properties

Name Type Description
node constructs.Node The tree node.
artifact_id str Artifact ID of the assembly if it is a nested stage. The root stage (app) will return an empty string.
asset_outdir str The cloud assembly asset output directory.
outdir str The cloud assembly output directory.
policy_validation_beta1 typing.List[aws_cdk.IPolicyValidationPluginBeta1] Validation plugins to run during synthesis.
stage_name str The name of the stage.
account str The default account for all resources defined within this stage.
parent_stage aws_cdk.Stage The parent stage or undefined if this is the app.
region str The default region for all resources defined within this stage.
nag_packs typing.List[cdk_nag.NagPack] No description.

nodeRequired
node: Node
  • Type: constructs.Node

The tree node.


artifact_idRequired
artifact_id: str
  • Type: str

Artifact ID of the assembly if it is a nested stage. The root stage (app) will return an empty string.

Derived from the construct path.


asset_outdirRequired
asset_outdir: str
  • Type: str

The cloud assembly asset output directory.


outdirRequired
outdir: str
  • Type: str

The cloud assembly output directory.


policy_validation_beta1Required
policy_validation_beta1: typing.List[IPolicyValidationPluginBeta1]
  • Type: typing.List[aws_cdk.IPolicyValidationPluginBeta1]
  • Default: no validation plugins are used

Validation plugins to run during synthesis.

If any plugin reports any violation, synthesis will be interrupted and the report displayed to the user.


stage_nameRequired
stage_name: str
  • Type: str

The name of the stage.

Based on the names of the parent stages, separated by hyphens.


accountOptional
account: str
  • Type: str

The default account for all resources defined within this stage.


parent_stageOptional
parent_stage: Stage
  • Type: aws_cdk.Stage

The parent stage or undefined if this is the app.


regionOptional
region: str
  • Type: str

The default region for all resources defined within this stage.


nag_packsRequired
nag_packs: typing.List[NagPack]
  • Type: typing.List[cdk_nag.NagPack]

Structs

ExtendedNagResult

Represents the result of applying a CDK Nag rule to a resource.

Initializer

import aws.pdk.pdk_nag

aws.pdk.pdk_nag.ExtendedNagResult(
  compliance: NagResultCompliance,
  nag_pack_name: str,
  resource: CfnResource,
  rule_explanation: str,
  rule_id: str,
  rule_info: str,
  rule_level: NagMessageLevel,
  rule_original_name: str,
  error_message: str = None,
  finding_id: str = None,
  suppression_reason: str = None
)

Properties

Name Type Description
compliance NagResultCompliance Compliance status of the rule against the resource.
nag_pack_name str The name of the nag pack this rule is from.
resource aws_cdk.CfnResource The resource the rule was applied to.
rule_explanation str Why the rule exists.
rule_id str The ID of the rule in this nag pack.
rule_info str Why the rule was triggered.
rule_level cdk_nag.NagMessageLevel The severity level of the rule.
rule_original_name str The original name of the rule (regardless of nag pack).
error_message str The error that was thrown, only set for error results.
finding_id str The finding that was checked, only set for non-compliant results.
suppression_reason str The reason the rule was suppressed, if any.

complianceRequired
compliance: NagResultCompliance
  • Type: NagResultCompliance

Compliance status of the rule against the resource.


nag_pack_nameRequired
nag_pack_name: str
  • Type: str

The name of the nag pack this rule is from.


resourceRequired
resource: CfnResource
  • Type: aws_cdk.CfnResource

The resource the rule was applied to.


rule_explanationRequired
rule_explanation: str
  • Type: str

Why the rule exists.


rule_idRequired
rule_id: str
  • Type: str

The ID of the rule in this nag pack.


rule_infoRequired
rule_info: str
  • Type: str

Why the rule was triggered.


rule_levelRequired
rule_level: NagMessageLevel
  • Type: cdk_nag.NagMessageLevel

The severity level of the rule.


rule_original_nameRequired
rule_original_name: str
  • Type: str

The original name of the rule (regardless of nag pack).


error_messageOptional
error_message: str
  • Type: str

The error that was thrown, only set for error results.


finding_idOptional
finding_id: str
  • Type: str

The finding that was checked, only set for non-compliant results.


suppression_reasonOptional
suppression_reason: str
  • Type: str

The reason the rule was suppressed, if any.


Message

Message instance.

Initializer

import aws.pdk.pdk_nag

aws.pdk.pdk_nag.Message(
  message_description: str,
  message_type: str
)

Properties

Name Type Description
message_description str Message description.
message_type str Message type as returned from cdk-nag.

message_descriptionRequired
message_description: str
  • Type: str

Message description.


message_typeRequired
message_type: str
  • Type: str

Message type as returned from cdk-nag.


NagResult

Nag result.

Initializer

import aws.pdk.pdk_nag

aws.pdk.pdk_nag.NagResult(
  messages: typing.List[Message],
  resource: str
)

Properties

Name Type Description
messages typing.List[Message] List of messages.
resource str Resource which triggered the message.

messagesRequired
messages: typing.List[Message]
  • Type: typing.List[Message]

List of messages.


resourceRequired
resource: str
  • Type: str

Resource which triggered the message.


PDKNagAppProps

Initializer

import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNagAppProps(
  analytics_reporting: bool = None,
  auto_synth: bool = None,
  context: typing.Mapping[typing.Any] = None,
  default_stack_synthesizer: IReusableStackSynthesizer = None,
  outdir: str = None,
  policy_validation_beta1: typing.List[IPolicyValidationPluginBeta1] = None,
  post_cli_context: typing.Mapping[typing.Any] = None,
  stack_traces: bool = None,
  tree_metadata: bool = None,
  fail_on_error: bool = None,
  fail_on_warning: bool = None,
  nag_packs: typing.List[NagPack] = None
)

Properties

Name Type Description
analytics_reporting bool Include runtime versioning information in the Stacks of this app.
auto_synth bool Automatically call synth() before the program exits.
context typing.Mapping[typing.Any] Additional context values for the application.
default_stack_synthesizer aws_cdk.IReusableStackSynthesizer The stack synthesizer to use by default for all Stacks in the App.
outdir str The output directory into which to emit synthesized artifacts.
policy_validation_beta1 typing.List[aws_cdk.IPolicyValidationPluginBeta1] Validation plugins to run after synthesis.
post_cli_context typing.Mapping[typing.Any] Additional context values for the application.
stack_traces bool Include construct creation stack trace in the aws:cdk:trace metadata key of all constructs.
tree_metadata bool Include construct tree metadata as part of the Cloud Assembly.
fail_on_error bool Determines whether any errors encountered should trigger a test failure.
fail_on_warning bool Determines whether any warnings encountered should trigger a test failure.
nag_packs typing.List[cdk_nag.NagPack] Custom nag packs to execute.

analytics_reportingOptional
analytics_reporting: bool
  • Type: bool
  • Default: Value of 'aws:cdk:version-reporting' context key

Include runtime versioning information in the Stacks of this app.


auto_synthOptional
auto_synth: bool
  • Type: bool
  • Default: true if running via CDK CLI (CDK_OUTDIR is set), false otherwise

Automatically call synth() before the program exits.

If you set this, you don't have to call synth() explicitly. Note that this feature is only available for certain programming languages, and calling synth() is still recommended.


contextOptional
context: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
  • Default: no additional context

Additional context values for the application.

Context set by the CLI or the context key in cdk.json has precedence.

Context can be read from any construct using node.getContext(key).


default_stack_synthesizerOptional
default_stack_synthesizer: IReusableStackSynthesizer
  • Type: aws_cdk.IReusableStackSynthesizer
  • Default: A DefaultStackSynthesizer with default settings

The stack synthesizer to use by default for all Stacks in the App.

The Stack Synthesizer controls aspects of synthesis and deployment, like how assets are referenced and what IAM roles to use. For more information, see the README of the main CDK package.


outdirOptional
outdir: str
  • Type: str
  • Default: If this value is not set, considers the environment variable CDK_OUTDIR. If CDK_OUTDIR is not defined, uses a temp directory.

The output directory into which to emit synthesized artifacts.

You should never need to set this value. By default, the value you pass to the CLI's --output flag will be used, and if you change it to a different directory the CLI will fail to pick up the generated Cloud Assembly.

This property is intended for internal and testing use.


policy_validation_beta1Optional
policy_validation_beta1: typing.List[IPolicyValidationPluginBeta1]
  • Type: typing.List[aws_cdk.IPolicyValidationPluginBeta1]
  • Default: no validation plugins

Validation plugins to run after synthesis.


post_cli_contextOptional
post_cli_context: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
  • Default: no additional context

Additional context values for the application.

Context provided here has precedence over context set by:

  • The CLI via --context
  • The context key in cdk.json
  • The AppProps.context property

This property is recommended over the AppProps.context property since it lets your app make the final decision about which context value to take.

Context can be read from any construct using node.getContext(key).


Example

// context from the CLI and from `cdk.json` are stored in the
// CDK_CONTEXT env variable
const cliContext = JSON.parse(process.env.CDK_CONTEXT!);

// determine whether to take the context passed in the CLI or not
const determineValue = process.env.PROD ? cliContext.SOMEKEY : 'my-prod-value';
new App({
  postCliContext: {
    SOMEKEY: determineValue,
  },
});

stack_tracesOptional
stack_traces: bool
  • Type: bool
  • Default: true (stack traces are included unless aws:cdk:disable-stack-trace is set in the context)

Include construct creation stack trace in the aws:cdk:trace metadata key of all constructs.


tree_metadataOptional
tree_metadata: bool
  • Type: bool
  • Default: true

Include construct tree metadata as part of the Cloud Assembly.


fail_on_errorOptional
fail_on_error: bool
  • Type: bool
  • Default: false

Determines whether any errors encountered should trigger a test failure.


fail_on_warningOptional
fail_on_warning: bool
  • Type: bool
  • Default: false

Determines whether any warnings encountered should trigger a test failure.


nag_packsOptional
nag_packs: typing.List[NagPack]
  • Type: typing.List[cdk_nag.NagPack]
  • Default: DEFAULT_NAG_PACKS

Custom nag packs to execute.


Classes

AwsPrototypingChecks

Check best practices for prototypes.

Initializers

import aws.pdk.pdk_nag

aws.pdk.pdk_nag.AwsPrototypingChecks(
  additional_loggers: typing.List[INagLogger] = None,
  log_ignores: bool = None,
  report_formats: typing.List[NagReportFormat] = None,
  reports: bool = None,
  suppression_ignore_condition: INagSuppressionIgnore = None,
  verbose: bool = None
)
Name Type Description
additional_loggers typing.List[cdk_nag.INagLogger] Additional NagLoggers for logging rule validation outputs.
log_ignores bool Whether or not to log suppressed rule violations as informational messages (default: false).
report_formats typing.List[cdk_nag.NagReportFormat] If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV).
reports bool Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true).
suppression_ignore_condition cdk_nag.INagSuppressionIgnore Conditionally prevent rules from being suppressed (default: no user provided condition).
verbose bool Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).

additional_loggersOptional
  • Type: typing.List[cdk_nag.INagLogger]

Additional NagLoggers for logging rule validation outputs.


log_ignoresOptional
  • Type: bool

Whether or not to log suppressed rule violations as informational messages (default: false).


report_formatsOptional
  • Type: typing.List[cdk_nag.NagReportFormat]

If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV).


reportsOptional
  • Type: bool

Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true).


suppression_ignore_conditionOptional
  • Type: cdk_nag.INagSuppressionIgnore

Conditionally prevent rules from being suppressed (default: no user provided condition).


verboseOptional
  • Type: bool

Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).


Methods

Name Description
visit Check if CfnResource and apply rules.

visit
def visit(
  node: IConstruct
) -> None

Check if CfnResource and apply rules.

nodeRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
read_pack_name str No description.

read_pack_nameRequired
read_pack_name: str
  • Type: str

PDKNag

Helper for creating a Nag-enabled App.

Initializers

import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNag()

Static Functions

Name Description
add_resource_suppressions_by_path_no_throw Wrapper around NagSuppressions which does not throw.
app Returns an instance of an App with Nag enabled.
get_stack_account_regex Returns a stack account regex.
get_stack_partition_regex Returns a stack partition regex.
get_stack_prefix Returns a prefix comprising of a delimited set of Stack Ids.
get_stack_region_regex Returns a stack region regex.

add_resource_suppressions_by_path_no_throw
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNag.add_resource_suppressions_by_path_no_throw(
  stack: Stack,
  path: str,
  suppressions: typing.List[NagPackSuppression],
  apply_to_children: bool = None
)

Wrapper around NagSuppressions which does not throw.

stackRequired
  • Type: aws_cdk.Stack

stack instance.


pathRequired
  • Type: str

resource path.


suppressionsRequired
  • Type: typing.List[cdk_nag.NagPackSuppression]

list of suppressions to apply.


apply_to_childrenOptional
  • Type: bool

whether to apply to children.


app
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNag.app(
  analytics_reporting: bool = None,
  auto_synth: bool = None,
  context: typing.Mapping[typing.Any] = None,
  default_stack_synthesizer: IReusableStackSynthesizer = None,
  outdir: str = None,
  policy_validation_beta1: typing.List[IPolicyValidationPluginBeta1] = None,
  post_cli_context: typing.Mapping[typing.Any] = None,
  stack_traces: bool = None,
  tree_metadata: bool = None,
  fail_on_error: bool = None,
  fail_on_warning: bool = None,
  nag_packs: typing.List[NagPack] = None
)

Returns an instance of an App with Nag enabled.

analytics_reportingOptional
  • Type: bool
  • Default: Value of 'aws:cdk:version-reporting' context key

Include runtime versioning information in the Stacks of this app.


auto_synthOptional
  • Type: bool
  • Default: true if running via CDK CLI (CDK_OUTDIR is set), false otherwise

Automatically call synth() before the program exits.

If you set this, you don't have to call synth() explicitly. Note that this feature is only available for certain programming languages, and calling synth() is still recommended.


contextOptional
  • Type: typing.Mapping[typing.Any]
  • Default: no additional context

Additional context values for the application.

Context set by the CLI or the context key in cdk.json has precedence.

Context can be read from any construct using node.getContext(key).


default_stack_synthesizerOptional
  • Type: aws_cdk.IReusableStackSynthesizer
  • Default: A DefaultStackSynthesizer with default settings

The stack synthesizer to use by default for all Stacks in the App.

The Stack Synthesizer controls aspects of synthesis and deployment, like how assets are referenced and what IAM roles to use. For more information, see the README of the main CDK package.


outdirOptional
  • Type: str
  • Default: If this value is not set, considers the environment variable CDK_OUTDIR. If CDK_OUTDIR is not defined, uses a temp directory.

The output directory into which to emit synthesized artifacts.

You should never need to set this value. By default, the value you pass to the CLI's --output flag will be used, and if you change it to a different directory the CLI will fail to pick up the generated Cloud Assembly.

This property is intended for internal and testing use.


policy_validation_beta1Optional
  • Type: typing.List[aws_cdk.IPolicyValidationPluginBeta1]
  • Default: no validation plugins

Validation plugins to run after synthesis.


post_cli_contextOptional
  • Type: typing.Mapping[typing.Any]
  • Default: no additional context

Additional context values for the application.

Context provided here has precedence over context set by:

  • The CLI via --context
  • The context key in cdk.json
  • The AppProps.context property

This property is recommended over the AppProps.context property since it lets your app make the final decision about which context value to take.

Context can be read from any construct using node.getContext(key).


Example

// context from the CLI and from `cdk.json` are stored in the
// CDK_CONTEXT env variable
const cliContext = JSON.parse(process.env.CDK_CONTEXT!);

// determine whether to take the context passed in the CLI or not
const determineValue = process.env.PROD ? cliContext.SOMEKEY : 'my-prod-value';
new App({
  postCliContext: {
    SOMEKEY: determineValue,
  },
});

stack_tracesOptional
  • Type: bool
  • Default: true (stack traces are included unless aws:cdk:disable-stack-trace is set in the context)

Include construct creation stack trace in the aws:cdk:trace metadata key of all constructs.


tree_metadataOptional
  • Type: bool
  • Default: true

Include construct tree metadata as part of the Cloud Assembly.


fail_on_errorOptional
  • Type: bool
  • Default: false

Determines whether any errors encountered should trigger a test failure.


fail_on_warningOptional
  • Type: bool
  • Default: false

Determines whether any warnings encountered should trigger a test failure.


nag_packsOptional
  • Type: typing.List[cdk_nag.NagPack]
  • Default: DEFAULT_NAG_PACKS

Custom nag packs to execute.


get_stack_account_regex
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNag.get_stack_account_regex(
  stack: Stack
)

Returns a stack account regex.

stackRequired
  • Type: aws_cdk.Stack

stack instance.


get_stack_partition_regex
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNag.get_stack_partition_regex(
  stack: Stack
)

Returns a stack partition regex.

stackRequired
  • Type: aws_cdk.Stack

stack instance.


get_stack_prefix
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNag.get_stack_prefix(
  stack: Stack
)

Returns a prefix comprising a delimited set of Stack Ids.

For example: StackA/NestedStackB/

stackRequired
  • Type: aws_cdk.Stack

stack instance.


get_stack_region_regex
import aws.pdk.pdk_nag

aws.pdk.pdk_nag.PDKNag.get_stack_region_regex(
  stack: Stack
)

Returns a stack region regex.

stackRequired
  • Type: aws_cdk.Stack

stack instance.


Enums

NagResultCompliance

Possible statuses for nag rules.

Members

Name Description
COMPLIANT Resource complies with the rule.
NON_COMPLIANT Resource does not comply with the rule.
NON_COMPLIANT_SUPPRESSED Resource does not comply with the rule, but the rule was suppressed.
ERROR An error occurred applying the rule.
ERROR_SUPPRESSED An error occurred applying the rule, but the rule was suppressed.
NOT_APPLICABLE The rule is not applicable to the resource.

COMPLIANT

Resource complies with the rule.


NON_COMPLIANT

Resource does not comply with the rule.


NON_COMPLIANT_SUPPRESSED

Resource does not comply with the rule, but the rule was suppressed.


ERROR

An error occurred applying the rule.


ERROR_SUPPRESSED

An error occurred applying the rule, but the rule was suppressed.


NOT_APPLICABLE

The rule is not applicable to the resource.



Last update: 2024-10-30