Describe the bug
When running 'cdk migrate --from-scan' to generate a CDK application from existing AWS resources, the migration fails during stack generation because unsupported or invalid properties are included in the generated CloudFormation/CDK template.
This issue affects multiple services such as Amazon S3, API Gateway (REST API), and AWS Lambda. Some of the detected properties (for example, new security or policy‑related settings) are newly introduced at the AWS service level, and AWS CDK is not yet aware of or compatible with them. As a result, cdk migrate is unable to correctly convert these properties into CDK code, causing the migration to fail.
Regression Issue
Last Known Working CDK Library Version
No response
Expected Behavior
cdk migrate --from-scan should generate a valid CDK app successfully. If it encounters new or unsupported properties, it should skip them or show warnings, not fail the migration.
Current Behavior
When running cdk migrate --from-scan (with or without --ignore-errors), the scan completes successfully and the CloudFormation template generation starts. Although the template is reported as “successfully generated,” the migration fails during stack generation due to unsupported properties detected in the scanned resources.
Observed failures:
- Amazon S3 (AWS::S3::Bucket)
  Migration fails with:
  AbacStatus is not a valid property for resource AWS::S3::Bucket
- AWS Lambda (AWS::Lambda::Function)
  Migration fails with:
  RecursiveLoop is not a valid property for resource AWS::Lambda::Function
- API Gateway REST API (AWS::ApiGateway::RestApi)
  Migration fails with:
  SecurityPolicy is not a valid property for resource AWS::ApiGateway::RestApi
Reproduction Steps
- Bucket
npx cdk migrate --stack-name BucketStackNorthMigrated --language typescript --from-scan most-recent --filter "type=AWS::S3::Bucket,identifier=bucketformigratenorth" --region ap-northeast-2 --ignore-errors
This command is an experimental feature.
Using the latest successful scan which is 0 days, 6 hours, and 57 minutes old.
Applying filters to resource scan.
finding related resources.
Found 1 resources.
Generating CFN template from scanned resources.
Please wait, template creation in progress. This may take a couple minutes.
[CREATE_IN_PROGRESS] Template Creation in Progress
Template successfully generated!
❌ Migrate failed for BucketStackNorthMigrated: BucketStackNorthMigratedStack could not be generated because AbacStatus is not a valid property for resource S3BucketBucketformigratenorth of type AWS::S3::Bucket
BucketStackNorthMigratedStack could not be generated because AbacStatus is not a valid property for resource S3BucketBucketformigratenorth of type AWS::S3::Bucket
- RestApi Trigger Lambda Function
npx cdk migrate --stack-name RESTAPILambdaMigrateStack --language typescript --from-scan new --region ap-northeast-3 --filter "type=AWS::Lambda::Function,identifier=MigrateFunction" --filter "type=AWS::ApiGateway::RestApi,identifier=dley3w7bhc"
This command is an experimental feature.
Starting new scan for account unknown-account in region ap-northeast-3
Resource scan in progress. Please wait, this can take 10 minutes or longer.
[████████████████████████████] (100%)
✅ Scan Complete!
Using the latest successful scan which is 0 days, 0 hours, and 4 minutes old.
Applying filters to resource scan.
finding related resources.
Found 10 resources.
Generating CFN template from scanned resources.
Please wait, template creation in progress. This may take a couple minutes.
[CREATE_IN_PROGRESS] Template Creation in Progress
Template successfully generated!
❌ Migrate failed for RESTAPILambdaMigrateStack: RestapiLambdaMigrateStackStack could not be generated because RecursiveLoop is not a valid property for resource LambdaFunctionMigrateFunction of type AWS::Lambda::Function
RestapiLambdaMigrateStackStack could not be generated because RecursiveLoop is not a valid property for resource LambdaFunctionMigrateFunction of type AWS::Lambda::Function
PS C:\Users\RUTCHAND\Desktop\Project\RestapiLambda\RESTAPILambdaMigrate>
PS C:\Users\RUTCHAND\Desktop\Project\RestapiLambda\RESTAPILambdaMigrate> npx cdk migrate --stack-name RESTAPILambdaMigrateStack --language typescript --from-scan new --region ap-northeast-3 --filter "type=AWS::ApiGateway::RestApi,identifier=dley3w7bhc" --ignore-errors
This command is an experimental feature.
Starting new scan for account unknown-account in region ap-northeast-3
Resource scan in progress. Please wait, this can take 10 minutes or longer.
[████████████████████████████] (100%)
✅ Scan Complete!
Using the latest successful scan which is 0 days, 0 hours, and 3 minutes old.
Applying filters to resource scan.
finding related resources.
Found 6 resources.
Generating CFN template from scanned resources.
Please wait, template creation in progress. This may take a couple minutes.
Template successfully generated!
❌ Migrate failed for RESTAPILambdaMigrateStack: RestapiLambdaMigrateStackStack could not be generated because SecurityPolicy is not a valid property for resource ApiGatewayRestApi of type AWS::ApiGateway::RestApi
RestapiLambdaMigrateStackStack could not be generated because SecurityPolicy is not a valid property for resource ApiGatewayRestApi of type AWS::ApiGateway::RestApi
Possible Solution
No response
Additional Information/Context
This issue appears to be related to other CDK migrate problems where unsupported properties are generated during migration.
Examples:
AWS CDK Library version (aws-cdk-lib)
na
AWS CDK CLI version
2.1120.0
Node.js Version
v25.8.2
OS
Windows
Language
TypeScript
Language Version
No response
Other information
No response
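The "skip them or show warnings" behaviour requested under Expected Behavior, sketched as an added example (not code from the AWS CDK project or from the reporter): it removes properties that a known-property table does not list and returns each one as a warning, so a security-relevant setting such as SecurityPolicy is flagged as unmanaged instead of silently lost. The `KNOWN_PROPS` table, the `stripUnknownProps` helper, and the sample template with its property values are constructed assumptions.

```typescript
// Added example: "skip and warn" pass over a scan-generated template.
// KNOWN_PROPS is a constructed, deliberately partial table, not a real spec.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type Dropped = { logicalId: string; type: string; property: string };

const KNOWN_PROPS: Record<string, string[]> = {
  "AWS::S3::Bucket": ["BucketName", "BucketEncryption"],
  "AWS::Lambda::Function": ["FunctionName", "Runtime", "Handler", "Role", "Code"],
  "AWS::ApiGateway::RestApi": ["Name", "EndpointConfiguration", "Policy"],
};

function stripUnknownProps(template: Template): { template: Template; dropped: Dropped[] } {
  const dropped: Dropped[] = [];
  const out: Record<string, Resource> = {};
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    const known = KNOWN_PROPS[res.Type];
    // Types missing from the table pass through untouched: without a
    // schema there is no basis for calling any property invalid.
    if (!known || !res.Properties) {
      out[logicalId] = res;
      continue;
    }
    const kept: Record<string, unknown> = {};
    for (const [name, value] of Object.entries(res.Properties)) {
      if (known.includes(name)) kept[name] = value;
      else dropped.push({ logicalId, type: res.Type, property: name });
    }
    out[logicalId] = { ...res, Properties: kept }; // input is not mutated
  }
  return { template: { ...template, Resources: out }, dropped };
}

// Constructed sample mirroring the three failures; values are placeholders.
const SAMPLE: Template = {
  Resources: {
    S3BucketBucketformigratenorth: { Type: "AWS::S3::Bucket",
      Properties: { BucketName: "bucketformigratenorth", AbacStatus: "placeholder" } },
    LambdaFunctionMigrateFunction: { Type: "AWS::Lambda::Function",
      Properties: { FunctionName: "MigrateFunction", RecursiveLoop: "placeholder" } },
    ApiGatewayRestApi: { Type: "AWS::ApiGateway::RestApi",
      Properties: { Name: "placeholder-api", SecurityPolicy: "placeholder" } },
  },
};

// Each warning names a live setting the generated stack would not manage.
for (const d of stripUnknownProps(SAMPLE).dropped) {
  console.warn(`WARN ${d.logicalId} (${d.type}): skipped ${d.property}`);
}
```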