Replies: 1 comment
Setting up SSO-aligned access to a smaller subset of accounts that are allowed to interact with the CDK is one way you could reasonably slim down the number of accounts/buckets/etc. that are created by the CDK. You are correct that there are very few centralized controls on the CDK, as it is mostly a wrapper around existing tools such as CloudFormation.
I'm currently working with a customer who's been seeing CDK usage tick up dramatically (which is good!) but there are several concerns, notably with "bucket sprawl" and "ECR sprawl". Infosec requirements are stringent for how a bucket is configured initially and we're looking for some prescriptive guidance on the best way to add some governance to CDK use while hindering teams as little as possible.
Specifically, they would like to have one S3 bucket and one ECR repository (or one per region) in a central account and have all member accounts in their AWS Organizations use these instead of self-creating.
I've found cli: Use existing S3 bucket for cdk bootstrap #3684 and confirmed the steps do work for updating the bootstrap template to create and use a specifically-named bucket and repo.
My concerns are, if this is adopted enterprise-wide, that would mean:
Is there an alternative to the bootstrap template? I.e. could we create Parameter Store keys for the required settings as an override for certain bootstrap entries?
Does the CDK team have any thoughts on the best approach to an enterprise governance workflow for CDK use?
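One way to enforce the "central bucket and repository" requirement the question describes is a CI guardrail that inspects the asset manifests the CDK writes into `cdk.out` and fails the pipeline when any asset would be published somewhere other than the approved central locations. The following is an added example written for this page, not code from the discussion participants or from the CDK project. It assumes the `*.assets.json` manifest layout (`files` -> `destinations` -> `bucketName`; `dockerImages` -> `destinations` -> `repositoryName`) as found in CDK cloud assemblies; the manifest contents, asset IDs, account number and bucket/repository names below are constructed for illustration.

```python
"""Guardrail: reject CDK asset manifests that publish outside approved central buckets/repos."""
import json
import re
from typing import Iterable, List

# Constructed sample manifest (assumed *.assets.json layout; names and IDs are made up).
# The second file asset points at a per-account bootstrap bucket (default qualifier
# "hnb659fds"), which is exactly the "bucket sprawl" the guardrail is meant to catch.
SAMPLE_ASSET_MANIFEST = json.dumps({
    "version": "36.0.0",
    "files": {
        "a1b2": {
            "source": {"path": "MyStack.template.json", "packaging": "file"},
            "destinations": {
                "111111111111-us-east-1": {
                    "bucketName": "central-cdk-assets-us-east-1",
                    "objectKey": "a1b2.json",
                    "assumeRoleArn": "arn:aws:iam::111111111111:role/cdk-central-file-publishing-role-us-east-1",
                }
            },
        },
        "c3d4": {
            "source": {"path": "asset.c3d4", "packaging": "zip"},
            "destinations": {
                "111111111111-us-east-1": {
                    "bucketName": "cdk-hnb659fds-assets-111111111111-us-east-1",
                    "objectKey": "c3d4.zip",
                }
            },
        },
    },
    "dockerImages": {
        "e5f6": {
            "source": {"directory": "asset.e5f6"},
            "destinations": {
                "111111111111-us-east-1": {
                    "repositoryName": "central-cdk-containers-us-east-1",
                    "imageTag": "e5f6",
                }
            },
        }
    },
})

# Approved central locations (assumed names, one per region).
APPROVED_BUCKETS = {"central-cdk-assets-us-east-1", "central-cdk-assets-eu-west-1"}
APPROVED_REPOS = {"central-cdk-containers-us-east-1", "central-cdk-containers-eu-west-1"}

# Default bootstrap buckets look like cdk-<qualifier>-assets-<account>-<region>; the
# account may still be an unresolved ${AWS::AccountId} placeholder in environment-agnostic stacks.
_DEFAULT_BOOTSTRAP_BUCKET = re.compile(
    r"^cdk-[a-z0-9]+-assets-(\d{12}|\$\{AWS::AccountId\})-[A-Za-z0-9${}:_-]+$"
)


def is_default_bootstrap_bucket(name: str) -> bool:
    """True if the bucket name matches the self-bootstrapped per-account pattern."""
    return bool(_DEFAULT_BOOTSTRAP_BUCKET.match(name or ""))


def find_violations(manifest_text: str,
                    approved_buckets: Iterable[str],
                    approved_repos: Iterable[str]) -> List[str]:
    """Return one message per asset destination that is not an approved central location."""
    manifest = json.loads(manifest_text)
    buckets, repos = set(approved_buckets), set(approved_repos)
    violations: List[str] = []

    for asset_id, asset in manifest.get("files", {}).items():
        for dest_id, dest in asset.get("destinations", {}).items():
            bucket = dest.get("bucketName")
            if bucket not in buckets:
                kind = "per-account bootstrap bucket" if is_default_bootstrap_bucket(bucket) else "bucket"
                violations.append(f"file asset {asset_id} -> {dest_id}: {kind} {bucket!r} is not approved")

    for asset_id, asset in manifest.get("dockerImages", {}).items():
        for dest_id, dest in asset.get("destinations", {}).items():
            repo = dest.get("repositoryName")
            if repo not in repos:
                violations.append(f"image asset {asset_id} -> {dest_id}: repository {repo!r} is not approved")

    return violations


if __name__ == "__main__":
    for line in find_violations(SAMPLE_ASSET_MANIFEST, APPROVED_BUCKETS, APPROVED_REPOS):
        print(line)
```

In a pipeline this would run over every `cdk.out/*.assets.json` after `cdk synth` and exit non-zero on any violation, which catches stacks that were not configured for the central bucket and repository before `cdk deploy` can create or publish anything. It complements, rather than replaces, the bootstrap-template changes discussed above: the synthesizer settings decide where assets go, and this check verifies the result.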