@dontirun Another question which may be out of scope of this PR, but because the logs templates here need to be deployed to us-east-1 and our main stack is in a different region, we are passing through the distribution's ARN using a StringParameter to avoid cross Stack export errors. Unfortunately when using this, it means that child.resourceArn in this PR resolves to SsmParameterValuedistributionarnC96584B6F00A464EAD1953AFF4B05118Parameter and not directly to the ARN value.

Do you know if there's a way to look up this in the Stack? I can see a resource with the ID of SsmParameterValue:distribution-arn:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter but obviously it's dropped the :-. characters at some point. We could loop through all of the CfnParameter's manually and store them in a hashmap, but I was wondering if you knew of a more efficient helper method to do it for us? Let me know if any of that doesn't make any sense and I'll try to clarify it some more!

I've just pushed a commit to resolve SSM parameters as well by traversing the stack again. If it's out of scope for this PR we can just revert the commit, but I think others will also be using parameters to try and avoid any cross-stack reference errors as I detailed above, so it could be useful.

@dontirun Have you had time to take an initial look into this? I hope I haven't confused you with too many questions! I'm hoping that the initial issue explains what I'm trying to do, and we can always descope it if we think it's too much.

Sorry about the delay. I'll try to get a review in this week

@dontirun Another question which may be out of scope of this PR, but because the logs templates here need to be deployed to us-east-1 and our main stack is in a different region, we are passing through the distribution's ARN using a StringParameter to avoid cross Stack export errors. Unfortunately when using this, it means that child.resourceArn in this PR resolves to SsmParameterValuedistributionarnC96584B6F00A464EAD1953AFF4B05118Parameter and not directly to the ARN value.

Do you know if there's a way to look up this in the Stack? I can see a resource with the ID of SsmParameterValue:distribution-arn:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter but obviously it's dropped the :-. characters at some point. We could loop through all of the CfnParameter's manually and store them in a hashmap, but I was wondering if you knew of a more efficient helper method to do it for us? Let me know if any of that doesn't make any sense and I'll try to clarify it some more!

I don't think there is a good way to this. In this particular case cdk-nag would have to determine whether something is a CfnParameter then search through a Map, then search for a Stack that might exist in the application, and then traverse that stack. I think this is a good use case for using the suppression system and documenting how this was addressed

I don't think there is a good way to this. In this particular case cdk-nag would have to determine whether something is a CfnParameter then search through a Map, then search for a Stack that might exist in the application, and then traverse that stack. I think this is a good use case for using the suppression system and documenting how this was addressed

Thanks, I thought it might be out of scope for this PR. I'll remove it, but do you think it'll be useful to implement in a separate PR later down the line? I feel like a few rules could benefit from tracking parameters and/or stack exports and we may be able to seamlessly integrate it into the traversal flow.

I don't think there is a good way to this. In this particular case cdk-nag would have to determine whether something is a CfnParameter then search through a Map, then search for a Stack that might exist in the application, and then traverse that stack. I think this is a good use case for using the suppression system and documenting how this was addressed

Thanks, I thought it might be out of scope for this PR. I'll remove it, but do you think it'll be useful to implement in a separate PR later down the line? I feel like a few rules could benefit from tracking parameters and/or stack exports and we may be able to seamlessly integrate it into the traversal flow.

Yes, it's definitely something worth looking into

I've updated aws-cdk-lib in the devDependencies so that I can use outputFormat in CfnDeliveryDestination in the tests, but when I run npx projen build, it downgrades the package again. Is it because it needs to stay in line with peerDependencies even if we only use it in the tests?

I've updated aws-cdk-lib in the devDependencies so that I can use outputFormat in CfnDeliveryDestination in the tests, but when I run npx projen build, it downgrades the package again. Is it because it needs to stay in line with peerDependencies even if we only use it in the tests?

You'll need to update the version in the .projen.js file

The .projen.js file controls all dependencies and project configurations. The package.json is generated from what is specified there.

Ah I see, does that look good to you now?