search

aws-cloudformation / cloudformation-cli

The CloudFormation Provider Development Toolkit allows you to author your own resource providers and modules that can be used by CloudFormation.
Apache License 2.0
316 stars 157 forks source link

Added SGR validation to `cfn validate` #1070

Open ammokhov opened 1 month ago

ammokhov commented 1 month ago

Issue #, if available:

Description of changes:

This is a draft PR and subject to discussion.

This change enhances cfn validate command by invoking https://github.com/aws-cloudformation/resource-schema-guard-rail/ for schema compliance evaluation.

It invokes both stateful and stateless assessment.

Stateless

This evaluation runs on the current version of the resource schema

Stateful

This attempts to retrieve original schema from CloudFormation registry by calling describe_type.

If for whatever reason API call has not succeeded it will be recorded in logs but will not fail the command.

Some CX Considerations

API Call to Retrieve schema from registry is a default behavior for backward compatibility compliance assessment (stateful). Perhaps, it is useful to provide an argument to the user to specify static file of the original schema (without making an api call)

Example Output:

•100%     cfn validate
Type Exists in CloudFormation Registry. Evaluating Resource Schema Backward Compatibility Compliance
────────────────────────────────────────────────────────────────────────────────────────────── [GENERATED DIFF BETWEEN SCHEMAS] ──────────────────────────────────────────────────────────────────────────────────────────────
{
    'description': {
        'changed': [
            {
                'property': '',
                'old_value': 'The AWS::KMS::Alias resource specifies a display name for a customer master key (CMK) in AWS Key Management Service (AWS KMS). You can use an alias to identify a CMK in cryptographic operations. ',
                'new_value': 'The AWS::KMS::Alias resource specifies a display name for an AWS KMS key in AWS Key Management Service (AWS KMS). You can use an alias to identify an AWS KMS key in cryptographic operations.'
            },
            {
                'property': '/properties/AliasName',
                'old_value': 'Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias. The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.',
                'new_value': 'Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias. The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed keys.'
            },
            {
                'property': '/properties/TargetKeyId',
                'old_value': 'Identifies the CMK to which the alias refers. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. You cannot specify another alias. For help finding the key ID and ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide.',
                'new_value': 'Identifies the AWS KMS key to which the alias refers. Specify the key ID or the Amazon Resource Name (ARN) of the AWS KMS key. You cannot specify another alias. For help finding the key ID and ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide.'
            }
        ]
    }
}
                               Schema Compliance Report
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━┓
┃                                     Rule Name ┃ Check Id ┃ Message ┃ Path ┃  Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━┩
│                 ensure_minimum_not_contracted │ -        │ -       │ -    │ skipped │
│                ensure_minitems_not_contracted │ -        │ -       │ -    │ skipped │
│                       ensure_enum_not_changed │ -        │ -       │ -    │ skipped │
│               ensure_maxlength_not_contracted │ -        │ -       │ -    │ skipped │
│      ensure_old_property_not_turned_writeonly │ -        │ -       │ -    │ skipped │
│ ensure_old_property_not_removed_from_readonly │ -        │ -       │ -    │ skipped │
│               ensure_minlength_not_contracted │ -        │ -       │ -    │ skipped │
│                ensure_maxitems_not_contracted │ -        │ -       │ -    │ skipped │
│               ensure_old_property_not_removed │ -        │ -       │ -    │ skipped │
│            ensure_no_more_required_properties │ -        │ -       │ -    │ skipped │
│                 ensure_maximum_not_contracted │ -        │ -       │ -    │ skipped │
│      ensure_old_property_not_turned_immutable │ -        │ -       │ -    │ skipped │
│         ensure_primary_identifier_not_changed │ -        │ -       │ -    │ skipped │
│              ensure_property_type_not_changed │ -        │ -       │ -    │ skipped │
│    ensure_property_string_pattern_not_changed │ -        │ -       │ -    │ skipped │
└───────────────────────────────────────────────┴──────────┴─────────┴──────┴─────────┘
Evaluating Resource Schema Compliance
                                                                       Schema Compliance Report
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┓
┃                                                  Rule Name ┃ Check Id ┃ Message                                                  ┃ Path                  ┃  Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━┩
│                      ensure_arn_properties_contain_pattern │ -        │ -                                                        │ -                     │ skipped │
│                          ensure_arn_properties_type_string │ -        │ -                                                        │ -                     │ skipped │
│                              ensure_array_doesnt_use_anyof │ -        │ -                                                        │ -                     │ skipped │
│          ensure_create_and_read_only_intersection_is_empty │ -        │ -                                                        │ -                     │ skipped │
│           ensure_write_and_read_only_intersection_is_empty │ -        │ -                                                        │ -                     │ skipped │
│                         ensure_default_replacementStrategy │ -        │ -                                                        │ -                     │ skipped │
│                             ensure_property_tags_exists_v2 │ -        │ -                                                        │ -                     │ skipped │
│                             ensure_property_tags_exists_v1 │ -        │ -                                                        │ -                     │ skipped │
│                 ensure_properties_do_not_support_multitype │ -        │ -                                                        │ -                     │  passed │
│   ensure_resource_list_handler_exists_and_have_permissions │ -        │ -                                                        │ -                     │  passed │
│ ensure_resource_delete_handler_exists_and_have_permissions │ -        │ -                                                        │ -                     │  passed │
│   ensure_resource_read_handler_exists_and_have_permissions │ -        │ -                                                        │ -                     │  passed │
│ ensure_resource_create_handler_exists_and_have_permissions │ -        │ -                                                        │ -                     │  passed │
│ ensure_resource_update_handler_exists_and_have_permissions │ -        │ -                                                        │ -                     │  passed │
│                          ensure_description_is_descriptive │ -        │ -                                                        │ -                     │  passed │
│                                ensure_sourceUrl_uses_https │ -        │ -                                                        │ -                     │  passed │
│                                   verify_property_notation │ -        │ -                                                        │ -                     │  passed │
│             ensure_primary_identifier_exists_and_not_empty │ -        │ -                                                        │ -                     │  passed │
│                 ensure_taggable_and_tagging_do_not_coexist │ -        │ -                                                        │ -                     │  passed │
│                                  check_if_taggable_is_used │ TAG001   │ `taggable` is deprecated, please used `tagging` property │ -                     │ warning │
│           ensure_primary_identifier_is_read_or_create_only │ PID003   │ primaryIdentifier MUST be either readOnly or createOnly  │ /createOnlyProperties │  failed │
│                                ensure_tagging_is_specified │ TAG002   │ `tagging` MUST be specified                              │ -                     │  failed │
└────────────────────────────────────────────────────────────┴──────────┴──────────────────────────────────────────────────────────┴───────────────────────┴─────────┘
Explicitly specify value for tagging
Resource schema is valid

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

prerna-p commented 1 month ago

Can we remove the Resource schema is valid message if there are failed checks? Instead output something like Issues were found in resource schema