New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Enhancement] Introduce Parameter Inputs for checking the CF scripts #39
Comments
This is a very reasonable use-case. We're kicking this kind of thing around already. Let's use this issue to track the work. |
Guys is there any ETA on this feature release? |
No ETA yet but still a high priority. |
This raises larger questions of CloudFormation template syntax: dynamic references, intrinsic functions, psuedoparameters, parameters, mappings, conditions, transforms, etc. |
@PatMyron indeed supporting all these "dynamic" features of Cloudformation will be necessary for a tool like this. From my point of view, the Input Parameter support has the highest priority of those features and its the bare minimum functionality we require to include it as a compliance mechanism in our CICD Pipelines |
Also it would be great if we allow the parameter json files needed for CodePipeline Cloudformation Action. Like this :
|
Any update on this feature request? |
Any update on this? Basically we would like CFN-guard to resolve the "Ref" from "Parameters" and allow us to validate the input value. W/o this feature, I don't see major uptake on this. Thanks |
we use taskcat in CI/CD Pipelines for testing Cloudformation templates, we have written a lot of taskcat files for templates with different test cases like eg enable/disable encryption, encryption with kms/user manged keys. |
I also see this feature as essential, both for testing new templates and running validation checks on pre-existing templates. Parameters are essential in all but the simplest of cloudformation templates, and therefore cloudformation-guard MUST support it to be usable on a large scale. Perhaps CLI args can be passed in for each parameter, and cfn guard creates a new template with the previously-parameterized values now hardcoded into the template. CFN guard then runs checks on that template? Where parameters support have default values, CFN guard will default to those values unless overridden? This would reduce the need to specify many parameter values for each test |
is there any update on this please. Eagerly waiting for utilizing it. |
is this something handled in release 2.0 ? |
@sriram9707 @lachlan-vass @konkerama Currently this would require re-implementing the entire CFN server-side resolution semantics again in Guard. Would it be okay if we provided a separate binary/library that does CFN resolution semantics given a template and parameter file in JSON/YAML (complete support for intrinsic resolutions, will not have support for Macros/Transforms, however initially) and have that piped to guard. E.g.
|
The usage of what you're proposing still looks quite simple. I'm fine with it |
is there any ETA on this ? @dchakrav-github |
@dchakrav-github @PatMyron any ETA for this ?. we have been trying to leverage cfn guard thorugh our pipeline which will have template and respective parameters file. or is there any workaround for this ? |
We do not have an ETA on this as of today; however, we are discussing internally to determine how best to approach this. |
Was there any progress on this, or same position as one year ago? |
Hi @fabiodouek This item is currently in our backlog. We do not have an estimate on when this feature will be delivered. |
Is the above issue resolved on latest Cloud Formation Guard version i.e 2.1.3 as it is basic use case in most of the cfn templates ? |
@sha-aegon Hi, this is still in our backlog. We do not have an estimate for when this will be implemented/released. Thanks |
Is your feature request related to a problem? Please describe.
In its current form, cfn-guard checks the Cloudformation script without any input.
Example, Lets say I have a Cloudformation script similar to the following (simplified version)
I want to create an RDS Database and I have a CF parameter input for encryption (true/false). Currently there is no way in cfn-guard to verify that the RDS will be created using encryption. I can only verify that the StorageEncrypted will have the value "RDSEncryption" (please correct me if I'm wrong)
Describe the solution you'd like
I would prefer an option to provide a json document with the CF parameter inputs and be able to check the Cloudformation script after all those values have been implemented.
The example I gave above would look like:
rules:
input.json:
cfn-guard:
cfn-guard will change the
RDSEncryption
Rerefence with the inputtrue
and will be able to check against thatThe text was updated successfully, but these errors were encountered: