aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0
1.29k stars, 180 forks

Support existence check for resource properties #16

Closed. toricls closed this issue 4 years ago.

toricls commented 4 years ago

like "AWS::ECS::TaskDefinition TaskRoleArn is not empty" :)

toricls commented 4 years ago

I guess this could be related to #3

nathanataws commented 4 years ago

There's a flag on the cfn-guard tool that sounds like a match for what you're trying to do:

-s, --strict-checks    Fail resources if they're missing the property that a rule checks

Essentially, if you define a rule for a resource type around a property and the resource doesn't have that property (even if it would normally be optional), the template will fail the check.

Looking at the README, this feature is a bit hard to discover from reading. We'll update the docs to make it more prevalent.

Let us know if that addresses your use-case.
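
The behaviour nathanataws describes above, as an added illustration (example code written for this page, not cfn-guard's implementation): a rule on a property that a resource simply omits is never evaluated in the normal mode, so a template can slip past an "is not empty" rule by leaving the property out; only the strict mode turns the absence itself into a failure. The template, the rule encoding and the function names below are constructed for the example.

```python
"""Illustrative re-implementation of cfn-guard's strict-versus-non-strict
property check.  This is NOT cfn-guard's code; it mimics the semantics the
1.x `-s/--strict-checks` flag is documented to have: a rule on a property
the resource does not declare is skipped normally and fails the resource in
strict mode.
"""
import json
import re

# Constructed sample template (JSON so the stdlib can parse it).  Three task
# definitions: one omits TaskRoleArn, one sets it to "", one sets a real ARN.
TEMPLATE = json.loads("""
{
  "Resources": {
    "NoRole": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {"Family": "web"}
    },
    "EmptyRole": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {"Family": "web", "TaskRoleArn": ""}
    },
    "WithRole": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {"Family": "web",
                     "TaskRoleArn": "arn:aws:iam::123456789012:role/web-task"}
    },
    "Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    }
  }
}
""")

# Hypothetical rule encoding for this example: (resource type, property,
# regex the value must match).  It stands in for a 1.x rule line of the form
# "AWS::ECS::TaskDefinition TaskRoleArn == /<regex>/"; the exact cfn-guard
# regex syntax is not reproduced here.
RULES = [
    ("AWS::ECS::TaskDefinition", "TaskRoleArn", r"^arn:aws:iam::\d{12}:role/.+$"),
]


def check(template, rules, strict=False):
    """Return a sorted list of (logical_id, reason) failures."""
    failures = []
    for logical_id, res in template["Resources"].items():
        props = res.get("Properties", {})
        for rtype, prop, pattern in rules:
            if res.get("Type") != rtype:
                continue  # rule targets a different resource type
            if prop not in props:
                if strict:
                    # strict mode: an absent property fails the resource
                    failures.append((logical_id, f"{prop} is missing"))
                # normal mode: an absent property is never evaluated at all
                continue
            value = props[prop]
            if not isinstance(value, str) or not re.search(pattern, value):
                failures.append(
                    (logical_id, f"{prop}={value!r} does not match /{pattern}/"))
    return sorted(failures)


def failing_ids(template, rules, strict=False):
    """Logical IDs of resources that fail at least one rule."""
    return sorted({lid for lid, _ in check(template, rules, strict)})


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}:")
        results = check(TEMPLATE, RULES, strict=mode) or [("-", "all resources pass")]
        for lid, reason in results:
            print(f"  {lid}: {reason}")
```

Without strict checks only EmptyRole fails (its value exists and does not match), and NoRole passes because nothing is evaluated for it; with strict checks NoRole fails as well. The caveat for practitioners is that the flag is global to the run: every property named in the rule set becomes effectively mandatory for the matching resource type, so rules on genuinely optional properties belong in a rule set that is run without the flag.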

toricls commented 4 years ago

@nathanataws Good to know!!

Yeah I found the option here :) https://github.com/aws-cloudformation/cloudformation-guard/tree/master/cfn-guard#runtime-arguments

So should I close this issue or change the title & description to suggest explicit/clear documentation around that option?

nathanataws commented 4 years ago

Don't worry about it. I'll update the doc and use this issue for the commit, then resolve it.

I apologize for it getting so buried. I didn't realize how far down the README it was till I saw this issue.