aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0

[Enhancement] Auto Rule Generation from CloudFormation Resource Specification #132

Open dontirun opened 3 years ago

dontirun commented 3 years ago

Request:

Make rules to validate that a template defines resources that exist for a particular region using the CloudFormation resource specifications

Reason:

I currently develop CDK/CloudFormation that needs to work across various regions. I would like to make sure that my templates do not define resources that don't exist in one of the regions I intend to deploy to.

PatMyron commented 3 years ago

related to https://github.com/aws-cloudformation/cloudformation-guard/issues/9, this specific use-case is one of the purposes of cfn-lint:

cfn-lint -r us-west-2 currently flags regional unavailability of resource types and instance types

Keeping this open since other use-cases like https://github.com/aws-cloudformation/cloudformation-guard/issues/86#issuecomment-710178347 would benefit from this

although we might prefer the newer Resource Schemas over the older Resource Specifications

dontirun commented 3 years ago

It would be nice to have some default rules in cfn-guard that relate to unsupported attributes to use with cfn-lint as well for a more complete checking experience

For example

  1. I create a template meant for cross region deployments
  2. Using cfn-lint, the resource specification and resource schemas can tell you that EC2 instances are supported in region X
  3. With cfn-guard I can check if the M6g instance type that I specified for my instance is supported
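As an added illustration of the generation this issue asks for (not code from the cfn-guard project or from any commenter), the script below reads the ResourceTypes section of a regional CloudFormation Resource Specification and emits a Guard rule requiring every Resources.*.Type in a template to be one of the types that region defines. It assumes Guard 2.x rule syntax, and the spec document embedded here is a constructed, trimmed stand-in for a real regional specification file.

```python
import json
from typing import Iterable, List

# Constructed, trimmed stand-in for one region's Resource Specification
# file: only the top-level shape and three ResourceTypes entries are kept.
SPEC_US_WEST_2 = json.dumps({
    "ResourceSpecificationVersion": "0.0.0-example",
    "PropertyTypes": {},
    "ResourceTypes": {
        "AWS::EC2::Instance": {"Properties": {}},
        "AWS::S3::Bucket": {"Properties": {}},
        "AWS::Lambda::Function": {"Properties": {}},
    },
})


def resource_types_from_spec(spec_json: str) -> List[str]:
    """Sorted resource type names defined in a specification document."""
    spec = json.loads(spec_json)
    return sorted(spec.get("ResourceTypes", {}))


def generate_guard_rule(region: str, resource_types: Iterable[str]) -> str:
    """Emit a Guard 2.x rule (assumed syntax): every Resources.*.Type must
    be one of the types the region's specification defines."""
    name = "resource_types_exist_in_" + region.replace("-", "_")
    allowed = ", ".join(f"'{t}'" for t in resource_types)
    return (
        f"rule {name} {{\n"
        f"    Resources.*.Type IN [{allowed}]\n"
        f"        <<Resource type is not available in {region}>>\n"
        f"}}\n"
    )


def check_template(template_json: str, resource_types: Iterable[str]) -> List[str]:
    """Plain-Python equivalent of the generated rule, used so the result can
    be checked without the cfn-guard binary: returns the logical IDs whose
    Type the region's specification does not define."""
    allowed = set(resource_types)
    template = json.loads(template_json)
    return sorted(
        logical_id for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") not in allowed
    )


if __name__ == "__main__":
    print(generate_guard_rule("us-west-2", resource_types_from_spec(SPEC_US_WEST_2)))
```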