Bump up version to 2.1.3 & remove test-lambda workflow (#307)

* Bump up version to 2.1.3

* Revert test-lambda workflow

Co-authored-by: Akshay Rane <raneaks@amazon.com>

.github/workflows/pr.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v2
     - name: Build
       run: cargo build --release --verbose
     - name: Run tests
@@ -29,118 +29,3 @@ jobs:
     - uses: actions/checkout@v2
     - name: Shellcheck
       run: shellcheck install-guard.sh
-
-  test-lambda:
-
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-region: ${{ secrets.LAMBDA_CREATION_AWS_REGION }}
-          role-to-assume: ${{ secrets.LAMBDA_CREATION_ROLE_NAME }}
-          role-session-name: LambdaTestGitHubAction
-
-
-      - name: Generate identifiers
-        id: generate-identifiers
-        run: |
-          LAMBDA_FUNCTION_PREFIX=GhCfnGrd
-          git_hash=$(git rev-parse --short "$GITHUB_SHA")
-          
-          if [[ $GITHUB_REF == *"/heads/"* ]]; then
-            git_branch_or_pr=${GITHUB_REF#refs/heads/}
-          else
-            git_branch_or_pr="PR$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')"
-          fi
-        
-          commit_hash=${git_branch_or_pr}_${git_hash}
-          
-          LAMBDA_FUNCTION_NAME=${LAMBDA_FUNCTION_PREFIX}_${commit_hash}
-          ROLE_NAME="${LAMBDA_FUNCTION_NAME}Role"
-          
-          echo "LAMBDA_FUNCTION_NAME=${LAMBDA_FUNCTION_NAME}" >> $GITHUB_OUTPUT
-          echo "ROLE_NAME=${ROLE_NAME}" >> $GITHUB_OUTPUT
-
-
-      - name: Deploy cfn-guard-lambda
-        env:
-          AWS_ACCOUNT_ID: ${{ secrets.LAMBDA_CREATION_AWS_ACCOUNT_ID }}
-          AWS_REGION: ${{ secrets.LAMBDA_CREATION_AWS_REGION }}
-          LAMBDA_FUNCTION_NAME: ${{ steps.generate-identifiers.outputs.LAMBDA_FUNCTION_NAME }}
-          ROLE_NAME: ${{ steps.generate-identifiers.outputs.ROLE_NAME }}
-        run: |
-          rustup target add x86_64-unknown-linux-musl
-          cd guard-lambda
-          cargo build --release --target x86_64-unknown-linux-musl --verbose
-          cp ./../target/x86_64-unknown-linux-musl/release/cfn-guard-lambda ./bootstrap && zip lambda.zip bootstrap && rm bootstrap
-        
-          aws iam create-role \
-            --role-name $ROLE_NAME \
-            --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
-          
-          aws iam attach-role-policy --role-name $ROLE_NAME \
-            --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-          
-          sleep 10
-          
-          aws lambda create-function \
-            --function-name $LAMBDA_FUNCTION_NAME \
-            --handler guard.handler \
-            --zip-file fileb://./lambda.zip \
-            --runtime provided \
-            --role "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME}" \
-            --environment Variables={RUST_BACKTRACE=1} \
-            --tracing-config Mode=Active \
-            --region $AWS_REGION
-
-
-      - name: Invoke Lambda and test output
-        env:
-          LAMBDA_FUNCTION_NAME: ${{ steps.generate-identifiers.outputs.LAMBDA_FUNCTION_NAME }}
-        run: |
-          aws lambda invoke \
-            --function-name $LAMBDA_FUNCTION_NAME \
-            --payload '{"data":"{\"Resources\":{\"NewVolume\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":500,\"Encrypted\":true,\"AvailabilityZone\":\"us-west-2b\"}},\"NewVolume2\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":50,\"Encrypted\":true,\"AvailabilityZone\":\"us-west-2c\"}}}}","rules":["let ec2_volumes = Resources.*[ Type == /EC2::Volume/ ]\nrule EC2_ENCRYPTION_BY_DEFAULT when %ec2_volumes !empty {\n    %ec2_volumes.Properties.Encrypted == true \n      <<\n            Violation: All EBS Volumes should be encryped \n            Fix: Set Encrypted property to true\n       >>\n}"],"verbose":false}' \
-            --cli-binary-format raw-in-base64-out \
-            output.json
-          
-          echo '{"message":[{"data_from":"lambda-payload","rules_from":"lambda-rule","not_compliant":{},"not_applicable":[],"compliant":["EC2_ENCRYPTION_BY_DEFAULT"]}]}' > expected-output.json
-          
-          difference=`diff expected-output.json output.json -w | wc -c`
-          
-          if [ "$difference" != 0 ]
-          then
-            echo "Lambda output does not match the expected one"
-            echo "--------------------------------"
-            echo "Actual output:"
-            cat output.json
-            echo "--------------------------------"
-            echo "Expected output:"
-            cat expected-output.json
-            echo "--------------------------------"
-            echo "diff:"
-            echo "$difference"
-            exit 1
-          fi
-
-
-      - name: Clean up resources
-        if: success() || failure()
-        env:
-          LAMBDA_FUNCTION_NAME: ${{ steps.generate-identifiers.outputs.LAMBDA_FUNCTION_NAME }}
-          ROLE_NAME: ${{ steps.generate-identifiers.outputs.ROLE_NAME }}
-        run: |
-          aws lambda delete-function --function-name $LAMBDA_FUNCTION_NAME
-          aws iam detach-role-policy \
-            --role-name $ROLE_NAME \
-            --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-          aws iam delete-role --role-name $ROLE_NAME

.github/workflows/publish_docker.yml

@@ -21,7 +21,7 @@ jobs:
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
-        aws-region: ${{ secrets.PUBLISHER_AWS_REGION }}
+        aws-region: ${{ secrets.AWS_REGION }}
         role-to-assume: ${{ secrets.PUBLISHER_ROLE_NAME }}
         role-session-name: PublishToElasticContainerRegistry
 

README.md

@@ -12,7 +12,7 @@ Guard 2.0 release is a complete re-write of the earlier 1.0 version to make the
 2. **Detective Governance and Compliance:** validate conformity of Configuration Management Database (CMDB) resources such as AWS Config-based configuration items (CIs). For example, developers can use Guard policies against AWS Config CIs to continuously monitor state of deployed AWS and non-AWS resources, detect violations from policies, and trigger remediation.
 3. **Deployment Safety:** validate CloudFormation ChangeSets to ensure changes are safe before deployment. For example, renaming an Amazon DynamoDB Table will cause a replacement of the Table. With Guard 2.0, you can prevent such changes in your CI/CD pipelines. 
 
-> **NOTE**: If you are using Guard 1.0, we highly recommend adopting Guard 2.0 because Guard 2.0 is a major release that introduces multiple features to simplify your current policy-as-code experience. Guard 2.1.2 is backward incompatible with your Guard 1.0 rules and can result in breaking changes. To migrate from Guard 1.0 to Guard 2.0, 1) use migrate command to transition your existing 1.0 rules to 2.0 rules and 2) read all new Guard 2.0 features.
+> **NOTE**: If you are using Guard 1.0, we highly recommend adopting Guard 2.0 because Guard 2.0 is a major release that introduces multiple features to simplify your current policy-as-code experience. Guard 2.0 and higher versions are backward incompatible with your Guard 1.0 rules and can result in breaking changes. To migrate from Guard 1.0 to Guard 2.0, 1) use migrate command to transition your existing 1.0 rules to 2.0 rules and 2) read all new Guard 2.0 features.
 > 
 > You can find code related to Guard 2.0 on the main branch of the repo and code related to Guard 1.0 on [Guard1.0 branch](https://github.com/aws-cloudformation/cloudformation-guard/tree/Guard1.0) of the repo.
 
@@ -216,11 +216,11 @@ Check `help` to see if it is working.
 
 ```bash
 $ cfn-guard help
-cfn-guard 2.1.2
+cfn-guard 2.1.3
 
   Guard is a general-purpose tool that provides a simple declarative syntax to define 
-  policy-as-code as rules to validate against any structed hierarchical data (like JSON/YAML).
-  Rules are composed of clauses expressed using Conjuctive Normal Form
+  policy-as-code as rules to validate against any structured hierarchical data (like JSON/YAML).
+  Rules are composed of clauses expressed using Conjunctive Normal Form
   (fancy way of saying it is a logical AND of OR clauses). Guard has deep
   integration with CloudFormation templates for evaluation but is a general tool
   that equally works for any JSON- and YAML- data.
@@ -241,12 +241,12 @@ SUBCOMMANDS:
     test          Built in unit testing capability to validate a Guard rules file against
                   unit tests specified in YAML format to determine each individual rule's success
                   or failure testing.
-    validate      Evaluates rules against the data files to determine success or failure. 
-                  You can point rules flag to a rules directory and point data flag to a data directory. 
-                  When pointed to a directory it will read all rules in the directory file and evaluate 
+    validate      Evaluates rules against the data files to determine success or failure.
+                  You can point rules flag to a rules directory and point data flag to a data directory.
+                  When pointed to a directory it will read all rules in the directory file and evaluate
                   them against the data files found in the directory. The command can also point to a
                   single file and it would work as well.
-                  Note - When pointing the command to a directory, the directory may not contain a mix of 
+                  Note - When pointing the command to a directory, the directory may not contain a mix of
                   rules and data files. The directory being pointed to must contain only data files,
                   or rules files.
 ```

guard-ffi/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cfn-guard-ffi"
-version = "2.1.2"
+version = "2.1.3"
 edition = "2018"
 authors = ["Diwakar Chakravarthy", "John Tompkins", "Omkar Hegde", "Priya Padmanaban", "aws-cloudformation-developers <aws-cloudformation-developers@amazon.com>", "Tyler Southwick"]
 description = "AWS CloudFormation Guard is an open-source general-purpose policy-as-code evaluation tool. It provides developers with a simple-to-use, yet powerful and expressive domain-specific language (DSL) to define policies and enables developers to validate JSON- or YAML- formatted structured data with those policies."
@@ -14,6 +14,6 @@ keywords = ["policy-as-code", "guard", "cfn-guard", "security", "compliance"]
 crate-type = ["rlib", "dylib"]
 
 [dependencies]
-cfn-guard = { version = "2.1.2", path = "../guard" }
+cfn-guard = { version = "2.1.3", path = "../guard" }
 ffi-support = "0.4.4"
 

guard-lambda/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cfn-guard-lambda"
-version = "2.1.2"
+version = "2.1.3"
 authors = ["Diwakar Chakravarthy", "John Tompkins", "Omkar Hegde", "Priya Padmanaban",
     "Bryan Ayala", "Kexiang Wang", "Akshay Rane", "Josh Fried", "aws-cloudformation-developers <aws-cloudformation-developers@amazon.com>"]
 description = "Lambda version of cfn-guard. Checks JSON- or YAML- formatted structured data for policy compliance using a simple, policy-as-code, declarative syntax"
@@ -17,4 +17,4 @@ serde_derive = "1.0.92"
 simple_logger = "4.0.0"
 log = "0.4.6"
 tokio = "1.8.4"
-cfn-guard = { version = "2.1.2", path = "../guard" }
+cfn-guard = { version = "2.1.3", path = "../guard" }

guard/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cfn-guard"
-version = "2.1.2"
+version = "2.1.3"
 edition = "2018"
 authors = ["Diwakar Chakravarthy", "John Tompkins", "Omkar Hegde", "Priya Padmanaban",
     "Bryan Ayala", "Kexiang Wang", "Akshay Rane", "Tyler Southwick", "Josh Fried", "aws-cloudformation-developers <aws-cloudformation-developers@amazon.com>"]