cdk synth returns exit code 0 despite policy validation failures #26844

Closed
rittneje opened this issue Aug 22, 2023 · 4 comments
Labels: @aws-cdk/core (Related to core CDK functionality), bug (This issue is a bug.), p1, package/tools (Related to AWS CDK Tools or CLI)

Comments

@rittneje

Describe the bug

If a custom policy validation reports a failure, cdk synth still exits successfully (exit code 0).

Expected Behavior

A policy validation failure should result in a non-zero exit code.

Current Behavior

It reports the failure on stdout/stderr but still exits successfully.

Reproduction Steps

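```python
import aws_cdk
import jsii


@jsii.implements(aws_cdk.IPolicyValidationPluginBeta1)
class MyPlugin:
    # The plugin interface requires a name.
    @property
    def name(self):
        return "MyPlugin"

    def validate(self, context):
        # Always report a failure; the report struct requires a violations list.
        return aws_cdk.PolicyValidationPluginReportBeta1(success=False, violations=[])


def main():
    app = aws_cdk.App(policy_validation_beta1=[MyPlugin()])
    env = aws_cdk.Environment(region="us-east-1", account="...")
    stack = aws_cdk.Stack(app, "test-stack", env=env)
    app.synth()


if __name__ == "__main__":
    main()
```

```shell
cdk synth
echo $?
```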

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.85.0 (build 4e0d726)

Framework Version

No response

Node.js Version

v18.16.1

OS

Alpine 3.18

Language

Python

Language Version

Python 3.11.4

Other information

No response

@rittneje rittneje added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 22, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Aug 22, 2023
@indrora indrora added p1 @aws-cdk/core Related to core CDK functionality language/python Related to Python bindings cli Issues related to the CDK CLI and removed needs-triage This issue or PR still needs to be triaged. labels Aug 22, 2023
@indrora indrora changed the title from "cdk synth does not exit with failure if policy validation fails" to "cdk synth returns exit code 0 despite policy validation failures" Aug 22, 2023
@peterwoodworth peterwoodworth added needs-review and removed language/python Related to Python bindings cli Issues related to the CDK CLI labels Aug 22, 2023
@peterwoodworth peterwoodworth added p1 and removed p2 labels Aug 23, 2023
@peterwoodworth
Contributor

We are setting the exitCode to 1 here

We know that the code is getting to here because the message right above it is printing in the console before succeeding

So I tried this on TypeScript, and the process successfully failed. So this would be an issue or limitation of JSII

It's also interesting that the Performing Policy Validations logging statement seems to appear late in Python compared to TypeScript

@peterwoodworth
Contributor

Hey, we're going to keep the design this way. Thanks for bringing this up still 🙂

The reason for that is that the policy validation plugin is not an enforcement tool. As a developer, you need to opt in to the plugin, and you also have an option to skip some rules. There is nothing that stops you from deploying the generated template, despite policy violations. So, we decided that there is no point in returning different values, since this can be confusing (returning a non-zero exit code can be triggered by other issues).

@peterwoodworth peterwoodworth closed this as not planned Won't fix, can't repro, duplicate, stale Oct 16, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@rittneje
Author

@peterwoodworth Then the plugin is completely worthless. Please re-open this issue until it is properly resolved.
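
One way to enforce the validation result from inside the Python app, given that the `exitCode` set on the Node side does not reach the Python process: wrap each plugin, record any failed report, and exit non-zero after `app.synth()` returns. This is an added example, not code from the issue or from the aws-cdk project; `FailureTrackingPlugin` and `exit_code` are hypothetical names, and the stub plugin is constructed so the sketch runs without `aws_cdk`.

```python
import sys
from types import SimpleNamespace


class FailureTrackingPlugin:
    """Delegates to a real validation plugin and records any failed report.

    In a CDK app, decorate this class with
    @jsii.implements(aws_cdk.IPolicyValidationPluginBeta1), as in the
    reproduction above; it is left off here so the sketch runs offline.
    """

    def __init__(self, inner):
        self._inner = inner
        self.failed = False

    @property
    def name(self):
        return self._inner.name

    def validate(self, context):
        try:
            report = self._inner.validate(context)
        except Exception:
            # Fail closed: a crashing plugin must not look like a pass.
            self.failed = True
            raise
        if not report.success:
            self.failed = True
        return report


def exit_code(plugins):
    """Exit status for the app process: 1 if any wrapped plugin failed."""
    return 1 if any(p.failed for p in plugins) else 0


if __name__ == "__main__":
    # Constructed stand-ins for a plugin and its report (not CDK objects).
    failing = SimpleNamespace(
        name="constructed-plugin",
        validate=lambda ctx: SimpleNamespace(success=False, violations=[]),
    )
    tracked = [FailureTrackingPlugin(failing)]
    # In a real app: aws_cdk.App(policy_validation_beta1=tracked); app.synth()
    tracked[0].validate(context=None)
    sys.exit(exit_code(tracked))
```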
