Cdk nag causing error generating Amplify outputs

[waltmayf]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React, Next.js

Amplify APIs

GraphQL API

Amplify Version

v6

Amplify Categories

auth

Backend

Amplify Gen 2

Environment information

  System:
    OS: macOS 15.2
    CPU: (11) arm64 Apple M3 Pro
    Memory: 90.50 MB / 18.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.18.1 - ~/.nvm/versions/node/v20.18.1/bin/node
    Yarn: 1.22.22 - /usr/local/bin/yarn
    npm: 11.0.0 - ~/.nvm/versions/node/v20.18.1/bin/npm
  Browsers:
    Chrome: 131.0.6778.265
    Safari: 18.2
  npmPackages:
    %name%:  0.1.0 
    @ampproject/toolbox-optimizer:  undefined ()
    @aws-amplify/backend: ^1.3.2 => 1.3.2 
    @aws-amplify/backend-cli: ^1.2.9 => 1.2.9 
    @aws-amplify/ui-react: ^6.5.3 => 6.5.4 
    @aws-amplify/ui-react-internal:  undefined ()
    @aws-amplify/ui-react-server:  undefined ()
    @aws-amplify/ui-react-storage: ^3.3.8 => 3.3.8 
    @aws-appsync/utils: ^1.9.0 => 1.9.0 
    @aws-cdk/dns_validated_certificate_handler:  undefined (0.0.0)
    @aws-sdk/client-appsync: ^3.670.0 => 3.670.0 
    @aws-sdk/client-athena: ^3.679.0 => 3.679.0 
    @aws-sdk/client-bedrock-agent: ^3.687.0 => 3.687.0 
    @aws-sdk/client-bedrock-agent-runtime: ^3.670.0 => 3.670.0 
    @aws-sdk/client-rds-data: ^3.679.0 => 3.679.0 
    @aws-sdk/client-sfn: ^3.670.0 => 3.670.0 
    @aws-sdk/client-textract: ^3.716.0 => 3.716.0 
    @aws-sdk/credential-provider-node: ^3.670.0 => 3.670.0 (3.651.1, 3.637.0, 3.624.0, 3.666.0, 3.679.0, 3.687.0, 3.621.0, 3.716.0)
    @babel/core:  undefined ()
    @babel/runtime:  7.22.5 
    @cdklabs/generative-ai-cdk-constructs: ^0.1.289 => 0.1.289 
    @cloudscape-design/components: ^3.0.781 => 3.0.781 
    @cloudscape-design/design-tokens: ^3.0.44 => 3.0.44 
    @edge-runtime/cookies:  5.0.0 
    @edge-runtime/ponyfill:  3.0.0 
    @edge-runtime/primitives:  5.0.0 
    @emotion/react: ^11.13.3 => 11.13.3 
    @emotion/styled: ^11.13.0 => 11.13.0 
    @hapi/accept:  undefined ()
    @langchain/aws: ^0.1.1 => 0.1.1 
    @langchain/community: ^0.3.17 => 0.3.17 
    @langchain/langgraph: ^0.2.22 => 0.2.22 
    @mswjs/interceptors:  undefined ()
    @mui/icons-material: ^6.1.3 => 6.1.3 
    @mui/material: ^6.1.3 => 6.1.3 
    @mui/x-data-grid: ^7.22.1 => 7.22.1 
    @napi-rs/triples:  undefined ()
    @next/font:  undefined ()
    @opentelemetry/api:  undefined ()
    @tailwindcss/typography: ^0.5.15 => 0.5.15 
    @types/jsdom: ^21.1.7 => 21.1.7 
    @types/node: ^20 => 20.16.11 (18.19.67, 10.14.22)
    @types/react: ^18 => 18.3.11 
    @types/react-dom: ^18 => 18.3.0 
    @vercel/nft:  undefined ()
    @vercel/og:  0.6.3 
    acorn:  undefined ()
    amphtml-validator:  undefined ()
    anser:  undefined ()
    arg:  undefined ()
    assert:  undefined ()
    async-retry:  undefined ()
    async-sema:  undefined ()
    aws-amplify: ^6.6.4 => 6.6.4 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    aws-cdk: ^2.175.1 => 2.175.1 
    aws-cdk-lib: ^2.161.1 => 2.175.0 (2.109.0)
    aws-sdk: ^2.1691.0 => 2.1691.0 
    babel-packages:  undefined ()
    bedrock-agents-cdk: ^0.0.11 => 0.0.11 
    browserify-zlib:  undefined ()
    browserslist:  undefined ()
    buffer:  undefined ()
    bytes:  undefined ()
    chart.js: ^4.4.6 => 4.4.6 
    chart.js-auto:  undefined ()
    chart.js-helpers:  undefined ()
    chartjs-adapter-date-fns: ^3.0.0 => 3.0.0 
    chartjs-plugin-annotation: ^3.1.0 => 3.1.0 
    chartjs-plugin-datalabels: ^2.2.0 => 2.2.0 
    chartjs-plugin-zoom: ^2.0.1 => 2.0.1 
    ci-info:  undefined ()
    cli-select:  undefined ()
    client-only:  0.0.1 
    commander:  undefined ()
    comment-json:  undefined ()
    compression:  undefined ()
    conf:  undefined ()
    constants-browserify:  undefined ()
    constructs: ^10.4.2 => 10.4.2 
    content-disposition:  undefined ()
    content-type:  undefined ()
    cookie:  undefined ()
    cross-spawn:  undefined ()
    crypto-browserify:  undefined ()
    css.escape:  undefined ()
    data-uri-to-buffer:  undefined ()
    date-fns: ^4.1.0 => 4.1.0 (2.30.0)
    debug:  undefined ()
    devalue:  undefined ()
    domain-browser:  undefined ()
    edge-runtime:  undefined ()
    esbuild: ^0.24.0 => 0.24.0 (0.23.1)
    eslint: ^8 => 8.57.1 
    eslint-config-next: 14.2.14 => 14.2.14 
    events:  undefined ()
    find-cache-dir:  undefined ()
    find-up:  undefined ()
    fresh:  undefined ()
    get-orientation:  undefined ()
    glob:  undefined ()
    graphql-tag: ^2.12.6 => 2.12.6 
    gzip-size:  undefined ()
    http-proxy:  undefined ()
    http-proxy-agent:  undefined ()
    https-browserify:  undefined ()
    https-proxy-agent:  undefined ()
    icss-utils:  undefined ()
    ignore-loader:  undefined ()
    image-size:  undefined ()
    is-animated:  undefined ()
    is-docker:  undefined ()
    is-wsl:  undefined ()
    jest-worker:  undefined ()
    jsdom: ^25.0.1 => 25.0.1 
    json5:  undefined ()
    jsonschema: ^1.4.1 => 1.4.1 
    jsonwebtoken:  undefined ()
    loader-runner:  undefined ()
    loader-utils:  undefined ()
    lodash.curry:  undefined ()
    lru-cache:  undefined ()
    mini-css-extract-plugin:  undefined ()
    nanoid:  undefined ()
    native-url:  undefined ()
    neo-async:  undefined ()
    next: ^14.2.21 => 14.2.22 
    node-fetch:  undefined ()
    node-html-parser:  undefined ()
    ora:  undefined ()
    os-browserify:  undefined ()
    p-limit:  undefined ()
    path-browserify:  undefined ()
    pdf-lib: ^1.17.1 => 1.17.1 
    picomatch:  undefined ()
    platform:  undefined ()
    postcss: ^8 => 8.4.47 (8.4.31)
    postcss-flexbugs-fixes:  undefined ()
    postcss-modules-extract-imports:  undefined ()
    postcss-modules-local-by-default:  undefined ()
    postcss-modules-scope:  undefined ()
    postcss-modules-values:  undefined ()
    postcss-preset-env:  undefined ()
    postcss-safe-parser:  undefined ()
    postcss-scss:  undefined ()
    postcss-value-parser:  undefined ()
    process:  undefined ()
    punycode:  undefined ()
    querystring-es3:  undefined ()
    raw-body:  undefined ()
    react: ^18 => 18.3.1 
    react-builtin:  undefined ()
    react-chartjs-2: ^5.2.0 => 5.2.0 
    react-dom: ^18 => 18.3.1 
    react-dom-builtin:  undefined ()
    react-dom-experimental-builtin:  undefined ()
    react-experimental-builtin:  undefined ()
    react-is:  18.2.0 
    react-markdown: ^9.0.1 => 9.0.1 
    react-plotly.js: ^2.6.0 => 2.6.0 
    react-refresh:  0.12.0 
    react-server-dom-turbopack-builtin:  undefined ()
    react-server-dom-turbopack-experimental-builtin:  undefined ()
    react-server-dom-webpack-builtin:  undefined ()
    react-server-dom-webpack-experimental-builtin:  undefined ()
    react-textarea-autosize: ^8.5.4 => 8.5.4 
    recharts: ^2.13.3 => 2.13.3 
    regenerator-runtime:  0.13.4 
    remark-gfm: ^4.0.0 => 4.0.0 
    sass: ^1.79.4 => 1.79.4 
    sass-loader:  undefined ()
    scheduler-builtin:  undefined ()
    scheduler-experimental-builtin:  undefined ()
    schema-utils:  undefined ()
    semver:  undefined ()
    send:  undefined ()
    server-only:  0.0.1 
    setimmediate:  undefined ()
    shell-quote:  undefined ()
    source-map:  undefined ()
    source-map08:  undefined ()
    stacktrace-parser:  undefined ()
    stream-browserify:  undefined ()
    stream-http:  undefined ()
    string-hash:  undefined ()
    string_decoder:  undefined ()
    strip-ansi:  undefined ()
    superstruct:  undefined ()
    tailwindcss: ^3.4.1 => 3.4.13 
    tar:  undefined ()
    terser:  undefined ()
    text-table:  undefined ()
    timers-browserify:  undefined ()
    tsx: ^4.19.1 => 4.19.1 
    tty-browserify:  undefined ()
    typescript: ^5.6.2 => 5.6.2 (4.4.4, 4.9.5)
    ua-parser-js:  undefined ()
    unistore:  undefined ()
    util:  undefined ()
    vm-browserify:  undefined ()
    watchpack:  undefined ()
    web-vitals:  undefined ()
    webpack:  undefined ()
    webpack-sources:  undefined ()
    ws:  undefined ()
    zod:  undefined ()
  npmGlobalPackages:
    aws-cdk: 2.173.1
    corepack: 0.29.4
    npm: 11.0.0

Describe the bug

When you use cdk nag on an amplify project, the amplify_outputs.json file is not generated due to a ZodError.

Expected behavior

The amplify_outputs.json file should successfully generate.

Reproduction steps

When I run the sandbox command, I get the error below about the amplify_outputs.json not successfully generating.
npx ampx sandbox

Code Snippet

Code to reproduce error:

amplify/backend.ts

import { AwsSolutionsChecks } from 'cdk-nag'
import { auth } from './auth/resource';

const backend = defineBackend({
  auth
})

// Nag Suppression Code

Aspects.of(backend.auth.stack).add(new AwsSolutionsChecks({ verbose: true }))

Log output

✨  Deployment time: 150.97s

Outputs:
...
Stack ARN:
arn:aws:cloudformation:us-east-1:xxxxxxx

✨  Total time: 151.7s


NOTICES         (What's this? https://github.com/aws/aws-cdk/wiki/CLI-Notices)

31885   (cli): Bootstrap stack outdated

        Overview: The bootstrap stack in aws://103761460084/us-east-1 is outdated.
                  We recommend at least version 21, distributed with CDK CLI
                  2.149.0 or higher. Please rebootstrap your environment by
                  runing 'cdk bootstrap aws://103761460084/us-east-1'

        Affected versions: bootstrap: <21

        More information at: https://github.com/aws/aws-cdk/issues/31885


If you don’t want to see a notice anymore, use "cdk acknowledge <id>". For example, "cdk acknowledge 31885".
[Sandbox] Watching for file changes...
[
  {
    "code": "invalid_type",
    "expected": "string",
    "received": "undefined",
    "path": [
      "cdk_nag",
      "version"
    ],
    "message": "Required"
  },
  {
    "code": "invalid_type",
    "expected": "array",
    "received": "undefined",
    "path": [
      "cdk_nag",
      "stackOutputs"
    ],
    "message": "Required"
  }
]
Amplify outputs could not be generated. ZodError: [
  {
    "code": "invalid_type",
    "expected": "string",
    "received": "undefined",
    "path": [
      "cdk_nag",
      "version"
    ],
    "message": "Required"
  },
  {
    "code": "invalid_type",
    "expected": "array",
    "received": "undefined",
    "path": [
      "cdk_nag",
      "stackOutputs"
    ],
    "message": "Required"
  }
]

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[cwomack]

Hey, @waltmayf 👋. Going to transfer this issue to the amplify-backend repo for better assistance.

[ykethan]

Hey @waltmayf, thank you for reaching out. On a quick test i was unable to reproduce the issue. Could you provide us the following information.
Does the error occur on each deployment and does the error message also occur without the cdk-nag aspects?
Additionally, could try upgrading @aws-amplify/backend and @aws-amplify/backend-cli then retry the sandbox command?

[waltmayf]

@ykethan, Thank you for the reply.
I have upgraded to the most recent @aws-ampliy backend and backend-cli packages. Here is part of the response to npm list
├── @aws-amplify/[email protected]
├── @aws-amplify/[email protected]

I can confirm that I'm still getting the same error.

[ykethan]

Marking this as bug for further investigation. I was able to reproduce the issue using the following

Aspects.of(stack1).add(new AwsSolutionsChecks({ verbose: true }));
Aspects.of(stack2).add(
  new AwsSolutionsChecks({ verbose: true })
);
Aspects.of(stack3).add(new AwsSolutionsChecks({ verbose: true }));

const applyStackSupperssions = (
  stack: Stack,
  suppressions: { id: string; reason: string }[]
) => {
  NagSuppressions.addStackSuppressions(stack, suppressions);
  // Recursively apply suppressions to nested stacks
  const nestedStacks = stack.node.children
    .filter((child) => child instanceof NestedStack)
    .map((child) => child as NestedStack);

  for (const nestedStack of nestedStacks) {
    applyStackSupperssions(nestedStack, suppressions);
  }
};

export const cdkNagSupperssionsHandler = (stack: Stack) => {
  // Apply suppressions to the current stack
  const suppressions = [
    {
      id: "AwsSolutions-IAM4",
      reason:
        "test1",
    },
    {
      id: "AwsSolutions-IAM5",
      reason:
        "test2",
    },
    {
      id: "AwsSolutions-L1",
      reason: `test3'`,
    },
    {
      id: "AwsSolutions-RDS10",
      reason: `test1`,
    },
    {
      id: "AwsSolutions-SMG4",
      reason: "test1",
    },
  ];

error:

Amplify outputs could not be generated. ZodError: [
  {
    "code": "invalid_type",
    "expected": "string",
    "received": "undefined",
    "path": [
      "cdk_nag",
      "version"
    ],
    "message": "Required"
  },
  {
    "code": "invalid_type",
    "expected": "array",
    "received": "undefined",
    "path": [
      "cdk_nag",
      "stackOutputs"
    ],
    "message": "Required"
  }
]

This appears to be due to cdk-nag adding to the stack metadata and Amplify reading from the metadata
https://github.com/cdklabs/cdk-nag/blob/c977f58486fea812516ca459077291f8f9381170/src/nag-suppressions.ts#L30