3.0.0 (#382)
* bumping up to 3.0.0-alpha (#347)

* bumping up to 3.0.0 alpha

* typo

* updating workflow

* Populated filename in the output (#358)

* Populated filename in the output

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Support for some function expressions / stateful rules (#361)

* init commit for function resolution / stateful rules

* more tests + making test rules better

* fixed bugs with validation of functions

* small cleanup

* fixes as per comments

* cleanup

* add todo

* typos

* fixed logical error breaking tests

* added test for test command with a function

* fixed unit test

* added comment to clearly explain what's happening in regex_replace cause no one actually understands regex

* Combined structured output and updated default rule clause name to include file name (#360)

* Populated filename in the output

* Structured combine

* Changed FileData into DataFile and handle error differently

* Resolved lifetime issue with FileReport combine method

* Updated status and method

* Refactored to use existing DataFile struct

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

* Merged file report

* Interim commit for structured

* Resolved unit tests

* Temporary commit for default rule names

* Working prototype for formatting issue

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Clap Autocompletions (#340)

* temp

* fixing commands

* cleanup

* temp

* cleanup

* adding valuehints

* adding valuehints

* removed powershell

* cleanup

* removing derive

* removed unnecessary ArgActions

* bumping up version

* refactor to use a function to generate commands

* removing unused imports

* removed random println

* updating readme

* fixes

* typo

* cleanup

* typo

* adding documentation for functions (#362)

* adding documentation for functions

* Combined structured output and updated default rule clause name to include file name (#360)

* Populated filename in the output

* Structured combine

* Changed FileData into DataFile and handle error differently

* Resolved lifetime issue with FileReport combine method

* Updated status and method

* Refactored to use existing DataFile struct

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

* Merged file report

* Interim commit for structured

* Resolved unit tests

* Temporary commit for default rule names

* Working prototype for formatting issue

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* clarifying docs

---------

Co-authored-by: Akshay Rane <aks.rane@gmail.com>
Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Deprecated migrate and previous engine (#364)

* Deprecated migrate and previous engine

* Removed a unit test for old engine

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* 3.0.0 beta release changes (#365)

* Bump up version to 3.0.0-beta

* Updated README.md

* Add instances to rules integration tests (#351)

* Added 2 runners to integration tests for rules registry

* Fixed indent

* Added explicit shell name

* Moved shell to job parameters

* Added powershell commands for windows

* Removed test branch

* Updated README.md (#352)

* Updated README for Guard 3.0

* Update README.md

Co-authored-by: Ben Bridts <ben.bridts@gmail.com>

---------

Co-authored-by: Ben Bridts <ben.bridts@gmail.com>

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>

* feat: Add cfn-guard-lambda deployment with SAM CLI (#354)

* feat: Add cfn-guard-lambda deployment with SAM CLI

* Renamed the logical ID for lambda in template & updated README.md

* Updated the instructions and added least privileged IAM access policy

---------

Co-authored-by: Ben Bridts <ben@cloudar.be>
Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Revert "Added deprecated short flag for print-json in parse-tree"

This reverts commit 93548a4

* Updated names of binaries to reflect v3

* Updated README.md to add new features

* Added rogue_one branch to docker workflow

* Bump enumflags2 to 0.7.7

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>
Co-authored-by: Ben Bridts <ben@cloudar.be>

* 3.0.0 Beta release (#366) (#369)

* bumping up to 3.0.0-alpha (#347)

* bumping up to 3.0.0 alpha

* typo

* updating workflow

* Populated filename in the output (#358)

* Populated filename in the output

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

---------

* Support for some function expressions / stateful rules (#361)

* init commit for function resolution / stateful rules

* more tests + making test rules better

* fixed bugs with validation of functions

* small cleanup

* fixes as per comments

* cleanup

* add todo

* typos

* fixed logical error breaking tests

* added test for test command with a function

* fixed unit test

* added comment to clearly explain what's happening in regex_replace cause no one actually understands regex

* Combined structured output and updated default rule clause name to include file name (#360)

* Populated filename in the output

* Structured combine

* Changed FileData into DataFile and handle error differently

* Resolved lifetime issue with FileReport combine method

* Updated status and method

* Refactored to use existing DataFile struct

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

* Merged file report

* Interim commit for structured

* Resolved unit tests

* Temporary commit for default rule names

* Working prototype for formatting issue

---------

* Clap Autocompletions (#340)

* temp

* fixing commands

* cleanup

* temp

* cleanup

* adding valuehints

* adding valuehints

* removed powershell

* cleanup

* removing derive

* removed unnecessary ArgActions

* bumping up version

* refactor to use a function to generate commands

* removing unused imports

* removed random println

* updating readme

* fixes

* typo

* cleanup

* typo

* adding documentation for functions (#362)

* adding documentation for functions

* Combined structured output and updated default rule clause name to include file name (#360)

* Populated filename in the output

* Structured combine

* Changed FileData into DataFile and handle error differently

* Resolved lifetime issue with FileReport combine method

* Updated status and method

* Refactored to use existing DataFile struct

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

* Merged file report

* Interim commit for structured

* Resolved unit tests

* Temporary commit for default rule names

* Working prototype for formatting issue

---------

* clarifying docs

---------

* Deprecated migrate and previous engine (#364)

* Deprecated migrate and previous engine

* Removed a unit test for old engine

---------

* 3.0.0 beta release changes (#365)

* Bump up version to 3.0.0-beta

* Updated README.md

* Add instances to rules integration tests (#351)

* Added 2 runners to integration tests for rules registry

* Fixed indent

* Added explicit shell name

* Moved shell to job parameters

* Added powershell commands for windows

* Removed test branch

* Updated README.md (#352)

* Updated README for Guard 3.0

* Update README.md

---------

---------

* feat: Add cfn-guard-lambda deployment with SAM CLI (#354)

* feat: Add cfn-guard-lambda deployment with SAM CLI

* Renamed the logical ID for lambda in template & updated README.md

* Updated the instructions and added least privileged IAM access policy

---------

* Revert "Added deprecated short flag for print-json in parse-tree"

This reverts commit 93548a4

* Updated names of binaries to reflect v3

* Updated README.md to add new features

* Added rogue_one branch to docker workflow

* Bump enumflags2 to 0.7.7

---------

---------

Co-authored-by: Akshay Rane <aks.rane@gmail.com>
Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>
Co-authored-by: Ben Bridts <ben@cloudar.be>

* removed unneeded printing of error parser error on parse-tree command (#368)

* improve error message for templates that cause an error (#370)

* improve error message for empty templates

* addressing clippy lints for validate.rs

* addressed comment, removed unneeded code paths, and cleaned some stuff up

* Clippy lints + ci (#371)

* init

* aws_meta_appender_tests.rs clippy lints

* parser.rs clippy lints

* cfn_reporter.rs clippy lints

* files.rs clippy lints

* tf.rs clippy lints

* tracker.rs clippy lints

* operator.rs clippy lints

* values.rs clippy lints

* traversal.rs clippy lints

* path_value.rs clippy lints

* rules/mod.rs clippy lints

* eval.rs clippy lints

* rulegen.rs clippy lints

* summary_table.rs clippy lints

* aws_meta_appender.rs clippy lints

* path_value_tests.rs clippy lints

* eval_tests.rs clippy lints

* utils.mod.rs clippy lints

* parser_tests.rs clippy lints

* traversal_tests.rs clippy lints

* generic_summary.rs clippy lints

* a bunch of misc clippy lints

* tests/utils.rs clippy lints

* test_command.rs clippy lints

* main.rs clippy lints

* tests/validate.rs clippy lints

* tests/parse_tree.rs clippy lints

* functional.rs clippy lints

* helper.rs clippy lints

* eval_context clippy lints

* cfn.rs clippy lints

* value_tests.rs clippy lints

* last of the lints

* adding linting to ci

* last few lints

* evaluate_tests.rs lints

* fix for bug introduced when rule fails and resource is not the parent of the node where the failure occurs + misc tests (#372)

* Updating reporters to all use serde for both json and yaml + misc improvements (#373)

* modifying json/yaml responses to ALL use serde_yaml/json for serialization

* adding type information to error message

* [Bugfix] Fixing improper console output when using single line summary (#378)

* changing count.rs to return a pathawarevalue instead of a primitive

* temp

* adding unit test for show summary all when failing using count fn

* removing unnecessary file

* [Enhancement] creating a new error code for rule failures (#379)

* temp

* adding new exit code for when a rule fails

* added integration test to validate error code for a failing test

* cleanup

* rebase + fix test

* removed unnecessary double 0

* Refined documentation for functions, join path bugfix & version bump (#381)

* Updated table of contents and added a writeup for functions

* Bug fix for set path for returned PathAwareValue for join function

* Refined documentation for functions

* Version bump to 3.0.0

* Added more detailed explanation for function usage limitation

* Added integration test for join path bugfix

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* 3.0.0 release changes (#383)

* 3.0.0 Beta release (#366)

* bumping up to 3.0.0-alpha (#347)

* bumping up to 3.0.0 alpha

* typo

* updating workflow

* Populated filename in the output (#358)

* Populated filename in the output

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Support for some function expressions / stateful rules (#361)

* init commit for function resolution / stateful rules

* more tests + making test rules better

* fixed bugs with validation of functions

* small cleanup

* fixes as per comments

* cleanup

* add todo

* typos

* fixed logical error breaking tests

* added test for test command with a function

* fixed unit test

* added comment to clearly explain what's happening in regex_replace cause no one actually understands regex

* Combined structured output and updated default rule clause name to include file name (#360)

* Populated filename in the output

* Structured combine

* Changed FileData into DataFile and handle error differently

* Resolved lifetime issue with FileReport combine method

* Updated status and method

* Refactored to use existing DataFile struct

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

* Merged file report

* Interim commit for structured

* Resolved unit tests

* Temporary commit for default rule names

* Working prototype for formatting issue

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Clap Autocompletions (#340)

* temp

* fixing commands

* cleanup

* temp

* cleanup

* adding valuehints

* adding valuehints

* removed powershell

* cleanup

* removing derive

* removed unnecessary ArgActions

* bumping up version

* refactor to use a function to generate commands

* removing unused imports

* removed random println

* updating readme

* fixes

* typo

* cleanup

* typo

* adding documentation for functions (#362)

* adding documentation for functions

* Combined structured output and updated default rule clause name to include file name (#360)

* Populated filename in the output

* Structured combine

* Changed FileData into DataFile and handle error differently

* Resolved lifetime issue with FileReport combine method

* Updated status and method

* Refactored to use existing DataFile struct

* Changed FileData into DataFile and handle error differently

* Refactored to use existing DataFile struct

* Merged file report

* Interim commit for structured

* Resolved unit tests

* Temporary commit for default rule names

* Working prototype for formatting issue

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* clarifying docs

---------

Co-authored-by: Akshay Rane <aks.rane@gmail.com>
Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Deprecated migrate and previous engine (#364)

* Deprecated migrate and previous engine

* Removed a unit test for old engine

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>

* 3.0.0 beta release changes (#365)

* Bump up version to 3.0.0-beta

* Updated README.md

* Add instances to rules integration tests (#351)

* Added 2 runners to integration tests for rules registry

* Fixed indent

* Added explicit shell name

* Moved shell to job parameters

* Added powershell commands for windows

* Removed test branch

* Updated README.md (#352)

* Updated README for Guard 3.0

* Update README.md

Co-authored-by: Ben Bridts <ben.bridts@gmail.com>

---------

Co-authored-by: Ben Bridts <ben.bridts@gmail.com>

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>

* feat: Add cfn-guard-lambda deployment with SAM CLI (#354)

* feat: Add cfn-guard-lambda deployment with SAM CLI

* Renamed the logical ID for lambda in template & updated README.md

* Updated the instructions and added least privileged IAM access policy

---------

Co-authored-by: Ben Bridts <ben@cloudar.be>
Co-authored-by: Akshay Rane <raneaks@amazon.com>

* Revert "Added deprecated short flag for print-json in parse-tree"

This reverts commit 93548a4

* Updated names of binaries to reflect v3

* Updated README.md to add new features

* Added rogue_one branch to docker workflow

* Bump enumflags2 to 0.7.7

---------

Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>
Co-authored-by: Ben Bridts <ben@cloudar.be>

---------

Co-authored-by: Akshay Rane <aks.rane@gmail.com>
Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>
Co-authored-by: Ben Bridts <ben@cloudar.be>

* Removed unused import

---------

Co-authored-by: Josh Fried <112121129+joshfried-aws@users.noreply.github.com>
Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>
Co-authored-by: Ben Bridts <ben@cloudar.be>

* removing unused import

---------

Co-authored-by: Akshay Rane <aks.rane@gmail.com>
Co-authored-by: Akshay Rane <raneaks@amazon.com>
Co-authored-by: razcloud <34892703+razcloud@users.noreply.github.com>
Co-authored-by: Ben Bridts <ben.bridts@gmail.com>
Co-authored-by: Ben Bridts <ben@cloudar.be>
6 people committed Jun 29, 2023
1 parent a3992ca commit c7bcce2
Showing 80 changed files with 1,762 additions and 1,380 deletions.
50 changes: 33 additions & 17 deletions .github/workflows/pr.yml
Expand Up @@ -2,9 +2,9 @@ name: Rust

on:
push:
branches: [ main, development, rogue_one ]
branches: [main, development, rogue_one]
pull_request:
branches: [ main, development, rogue_one ]
branches: [main, development, rogue_one]

env:
CARGO_TERM_COLOR: always
Expand All @@ -14,19 +14,19 @@ jobs:
name: Build all crates & run unit tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build all crates
run: cargo build --release --verbose
- name: Run unit tests
run: cargo test --verbose
- uses: actions/checkout@v2
- name: Build all crates
run: cargo build --release --verbose
- name: Run unit tests
run: cargo test --verbose

shellcheck:
name: Shellcheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Shellcheck
run: shellcheck install-guard.sh
- uses: actions/checkout@v2
- name: Shellcheck
run: shellcheck install-guard.sh

formatting:
name: Formatting check (cargo fmt)
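Review bot: the build and shellcheck jobs in this hunk still pin `actions/checkout@v2` while the linting job added further down in this file uses `actions/checkout@v3`; use one checkout version across the workflow, and prefer pinning each third-party action to a full commit SHA instead of a mutable tag so that a retagged action cannot silently change what runs in CI.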
Expand All @@ -39,10 +39,26 @@ jobs:
- name: Rustfmt Check
uses: actions-rust-lang/rustfmt@v1

linting:
name: Linting check (clippy)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
components: clippy
- uses: actions-rs/clippy-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}

args: -- -D warnings

aws-guard-rules-registry-integration-tests-linux:
strategy:
matrix:
os: [ ubuntu-latest, macos-latest ]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
name: Integration tests against aws-guard-rules-registry
steps:
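Review bot: the new linting job passes `secrets.GITHUB_TOKEN` to `actions-rs/clippy-check@v1` but the workflow declares no `permissions:` block, so the token is issued with the repository's default scope; add an explicit `permissions:` on this job limited to `contents: read` and `checks: write` (the check-run annotations are all it needs), pin `actions-rs/toolchain` and `actions-rs/clippy-check` to commit SHAs, and drop the stray blank line between `token: ${{ secrets.GITHUB_TOKEN }}` and `args: -- -D warnings` inside the `with:` mapping.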
Expand Down Expand Up @@ -141,10 +157,10 @@ jobs:
- name: Run integration tests using parse-tree command
run: |
cd aws-guard-rules-registry/rules
$FAILED_RULES = @()
$SKIPPED_RULES = @()
$rules = @(Get-ChildItem -Path .\ -Filter *.guard -Recurse -File)
Foreach ($rule in $rules) {
Expand All @@ -158,19 +174,19 @@ jobs:
$FAILED_RULES += "$rule"
}
}
$SKIPPED_RULE_COUNT = $SKIPPED_RULES.Length
if ($SKIPPED_RULE_COUNT -gt 0) {
echo "The following `$SKIPPED_RULE_COUNT.Length` rule(s) were skipped because they contained only comments:"
echo $SKIPPED_RULES
}
$FAILED_RULE_COUNT = $FAILED_RULES.Length
if ($FAILED_RULE_COUNT -gt 0) {
echo "The following $FAILED_RULE_COUNT rule(s) have failed the parse-tree integration tests with a non-zero error code:"
echo $FAILED_RULES
exit 1
} else {
echo "All the rules have succeeded the parse-tree integration tests."
}
}
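Review bot: the skipped-rules message in this hunk, `echo "The following `$SKIPPED_RULE_COUNT.Length` rule(s) were skipped because they contained only comments:"`, does not print the count: a backtick escapes `$` inside a PowerShell double-quoted string, so the literal text `$SKIPPED_RULE_COUNT.Length` is emitted, and `$SKIPPED_RULE_COUNT` already holds the integer so `.Length` is not wanted; write it as `echo "The following $SKIPPED_RULE_COUNT rule(s) were skipped because they contained only comments:"`, matching the failed-rules message a few lines below.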
6 changes: 3 additions & 3 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

52 changes: 48 additions & 4 deletions README.md
Expand Up @@ -35,6 +35,10 @@ Guard can be used for the following domains:
* [Guard CLI](#guard-cli)
* [Installation](#installation)
* [How does Guard CLI work?](#how-does-guard-cli-work?)
* [Rule authoring references](#references)
* [Built-in functions & stateful rules](#functions)
* [AWS Rule Registry](#registry)
* [Use Guard as a Docker Image](#docker)
* [License](#license)

## FAQs
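Review bot: the four new table-of-contents entries link to explicit `<a name>` anchors (`#references`, `#functions`, `#registry`, `#docker`) that the headings further down in this file define, which is consistent, but the neighbouring `#how-does-guard-cli-work?` link keeps a `?` in its fragment, and GitHub strips punctuation other than hyphens when it generates heading ids, so that entry is likely still broken; either drop the `?` from the fragment or give that heading an explicit anchor in the same style.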
Expand Down Expand Up @@ -222,7 +226,7 @@ Check `help` to see if it is working.

```bash
$ cfn-guard help
cfn-guard 3.0.0-beta
cfn-guard 3.0.0

Guard is a general-purpose tool that provides a simple declarative syntax to define
policy-as-code as rules to validate against any structured hierarchical data (like JSON/YAML).
Expand Down Expand Up @@ -489,7 +493,7 @@ cfn-guard test -r api_gateway_private_access.guard -t api_gateway_private_access
Read [Guard: Unit Testing](docs/UNIT_TESTING.md) for more information on unit testing. To know about other commands read the [Readme in the guard directory](guard/README.md).
## Rule authoring references
## <a name="references"></a> Rule authoring references
As a starting point for writing Guard rules for yourself or your organisation we recommend following [this official guide](https://docs.aws.amazon.com/cfn-guard/latest/ug/writing-rules.html)
Expand All @@ -507,15 +511,54 @@ As a starting point for writing Guard rules for yourself or your organisation we
9. [Composing named-rule blocks in AWS CloudFormation Guard](https://docs.aws.amazon.com/cfn-guard/latest/ug/named-rule-block-composition.html)
10. [Writing clauses to perform context-aware evaluations](https://docs.aws.amazon.com/cfn-guard/latest/ug/context-aware-evaluations.html)
## <a name="functions"></a> Built-in functions & stateful rules
## AWS Rule Registry
Guard 3.0 introduces support for functions, allowing for stateful rules that can run on a value that's evaluated based
on some properties extracted out of a data template.

### Sample template

Imagine we have a property in our template which consists of a list called as `Collection` and we need to ensure
it has at least 3 items in it.

```yaml
Resources:
newServer:
Type: AWS::New::Service
Collection:
- a
- b
```
### Sample rule

We can write a rule to check this condition as follows:

```
let server = Resources.*[ Type == 'AWS::New::Service' ]
rule COUNT_CHECK when %server !empty {
let collection = %server.Collection.*
let count_of_items = count(%collection)
%count_of_items >= 3
<<
Violation: Collection should contain at least 3 items
>>
}
```

Expected outcome is that rule fails showing us the violation message since our template is non-compliant.

For detailed documentation regarding all supported functions, please [follow this link](./docs/FUNCTIONS.md). For limitations of functions usage, please read [this note](./docs/KNOWN_ISSUES.md#function-limitation).

## <a name="registry"></a> AWS Rule Registry

As a reference for Guard rules and rule-sets that contain (on a best-effort basis) the compliance policies that adhere
to the industry best practices around usages across AWS resources, we have recently launched
[AWS Guard Rules Registry](https://github.com/aws-cloudformation/aws-guard-rules-registry).


## Guard Docker Image launched on [ECR public gallery](https://gallery.ecr.aws/aws-cloudformation/cloudformation-guard)
## <a name="docker"></a> Use Guard as a Docker Image

Guard is also published as an ECR image in [ECR public gallery](https://gallery.ecr.aws/aws-cloudformation/cloudformation-guard) and can be used as an image in a docker container.

### Prerequisites

Expand All @@ -541,6 +584,7 @@ We should see the evaluation result emitted out on the console.
* We use the tag `latest` for the most recent docker image that gets published in sync with `main` branch of the `cloudformation-guard` GitHub repository.
* We use the convention `<branch_name>.<github_shorthand_commit_hash>` for tags of historical docker images
## License
This project is licensed under the Apache-2.0 License.
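Review bot: the sample template in this hunk places `Collection` directly under the resource next to `Type`, and the rule queries it as `%server.Collection.*`; on a real CloudFormation resource the property sits under `Properties`, so either state in the text that the layout is deliberately simplified for the made-up `AWS::New::Service` type or move `Collection` under `Properties` and change the query to `%server.Properties.Collection.*` so readers can copy the pattern into real rules. Also, the rule snippet's fence has no language tag while the neighbouring fences use `yaml` and `bash`; tag it so it renders consistently.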
