CLI: add flag when running garbage collector to ignore non-authorized stacks

[TiagoVentosa]

Describe the feature

add some kind of flag to the cdk gc command (for example --skip-unauthorized-stacks) so that when checking the stacks (GetTemplateSummary) it ignores those that the user does not have access instead of failing the command

Use Case

I was very excited for this new feature, but when I tried running it, I got the following error:

npx cdk gc --unstable=gc --rollback-buffer-days 5
 ⏳  Garbage Collecting environment aws://<ACCOUNT>/eu-west-1...
Error refreshing stacks: AccessDenied: User: arn:aws:sts::<ACCOUNT>:assumed-role/<ROLE> is not authorized 
to perform: cloudformation:GetTemplateSummary on 
resource: arn:aws:cloudformation:eu-west-1:<ACCOUNT>:stack/<ORGANIZATION-STACK> 
with an explicit deny in a service control policy

(newlines added to improve readability)

Where is a stack used my my company to do initial setup of AWS accounts.

Proposed Solution

Instead of automatically failing, have some way to ignore stacks in error. Right now I know of no way to skip it

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.171.1

Environment details (OS name and version, etc.)

macOS Sonoma 14.7

[khushail]

Hi @TiagoVentosa , thanks for reaching out and requesting this.
I see that cdk gc support was implemented recently with the idea of collecting unused assets in your bootstrapped S3 bucket with these PRs -

• feat(cli): garbage collect s3 assets (under --unstable flag) #31611
• feat(cli): garbage collect ecr assets (under --unstable flag) #31841

But what you are suggesting also seems to be a good add-on.

Requesting team's thoughts on this feature as it would be great to have their say whether its something on their radar for future implementation or would be considered from community.

[rix0rrr]

It will be unsafe to do garbage collection in that configuration. I suppose we can add a flag, but can you add a bit more color to this story?

Why are you in a situation where you are trying to GC assets on an account that you don't have access to all stacks in?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[TiagoVentosa]

@rix0rrr I can give my context.

In my company a platform team is responsible for providing accounts and limiting resources on them to guarantee compliance with the platform rules.

Some of these resources are provided through stacks in the accounts, but with some limitations on what the account users can use it for. I don't know specifically if GetTemplateSummary is really necessary to be blocked or not, but I do know that these stacks do not contain any assets, and even if they did, it is not assets that I would want to manage.

[kaizencc]

The ask here is to add a flag like --ignore-non-cdk-stacks=['stackName'] where we make it clear that if you misuse this command and include CDK stacks in in the array, its assets will get deleted.

[tenjaa]

It would be cool to be able to provide a regex because for us the managed stacks all adhere to the same format.
e.g. --ignore-non-cdk-stacks=['StackSet-customprefix-*']

[daschaa]

I would also like to ask why stacks that are not managed in the current app are considered at all?
I think the default behavior should be: If I run the garbage collection in an environment where I have an CDK app, all the assets for the stacks of the app should be deleted.