aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0

[Enhancement] Ability to specify directory with file regex, such as for cdk.out #189

Open 0xjjoyy opened 3 years ago

0xjjoyy commented 3 years ago

Is your feature request related to a problem? Please describe.

When using cdk, the template files have the suffix "*.template.json". Looking to run cfn-guard for only the cloudformation templates in the cdk.out directory and not all files within the given directory.

Describe the solution you'd like

Either a cdk specific toggle or a flag to support file regex such as ".template.json" or "projectname.template.json"

Describe alternatives you've considered

Would alternatively need to find the templates and then iteratively invoke cfn-guard

Additional context

Add any other context or screenshots about the feature request here.

dannysteenman commented 3 years ago

I'm using cdk pipelines, which means I also have directories within directories containing json templates. So it would also be a good idea to make the finding of files recursive.

drusellers commented 2 years ago

I originally tried

cfn-guard validate -d ./src/**/*.yaml -r ./policies

But that led to the error

error: Found argument './src/trust.yaml' which wasn't expected, or isn't valid in this context

USAGE:
    cfn-guard validate --data <data> <--rules <rules>|--payload>

For more information try --help

Why am I doing this?

I co-locate README.md files that help to describe certain components that are being built by the CloudFormation YAML files.

Workaround

# Loop over the YAML files under ./src directly instead of parsing `ls` output,
# so paths with spaces are handled; ** needs bash with globstar enabled.
shopt -s globstar nullglob
for file in ./src/**/*.yaml; do
    cfn-guard validate --data "$file" -r ./policies
done

ericzbeard commented 5 months ago

It would also be good to ignore files, such as .env for Python.
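An added example, not code from this thread or from the cfn-guard project, that combines the three requests above (select by file-name regex, recurse into subdirectories, ignore names such as .env) in a small POSIX shell wrapper around `cfn-guard validate`. The `select_templates` and `validate_all` function names are hypothetical, and the cdk.out layout it builds is constructed placeholder data, not real CDK output.

```shell
#!/bin/sh
# Added example, not part of cfn-guard: select templates recursively by file-name
# regex, skip ignored names such as .env, and validate each one with cfn-guard.
# Assumes a POSIX shell, find, grep -E, and cfn-guard on PATH for validate_all.

# Print the files under $1 whose name matches regex $2 and not regex $3,
# sorted, one per line. Defaults cover CDK's *.template.json plus YAML and
# skip dotfiles (e.g. .env).
select_templates() {
  local root include exclude
  root="$1"
  include='\.(template\.json|ya?ml)$'
  exclude='^\.'
  if [ "$#" -ge 2 ]; then include="$2"; fi
  if [ "$#" -ge 3 ]; then exclude="$3"; fi
  find "$root" -type f | while IFS= read -r path; do
    name="${path##*/}"
    if printf '%s\n' "$name" | grep -Eq -- "$include" &&
       ! printf '%s\n' "$name" | grep -Eq -- "$exclude"; then
      printf '%s\n' "$path"
    fi
  done | sort
}

# Run cfn-guard validate on every selected file; exit status is non-zero
# if any file fails, so the loop is usable as a CI step.
validate_all() {
  local root rules list rc
  root="$1"; rules="$2"; rc=0
  list=$(mktemp)
  select_templates "$root" > "$list"
  while IFS= read -r file; do
    echo "== $file"
    cfn-guard validate --data "$file" --rules "$rules" || rc=1
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# Demo on a constructed cdk.out layout (placeholder files, not real CDK output).
demo=$(mktemp -d)
mkdir -p "$demo/cdk.out/assembly-Stage"
: > "$demo/cdk.out/MyStack.template.json"
: > "$demo/cdk.out/assembly-Stage/Nested.template.json"
: > "$demo/cdk.out/manifest.json"
: > "$demo/cdk.out/.env"
select_templates "$demo/cdk.out"   # lists the two .template.json files only
rm -rf "$demo"
# Real use: validate_all ./cdk.out ./policies
```

Passing a narrower regex such as `'^projectname\.template\.json$'` as the second argument restricts the run to one stack, which covers the original request without a CDK-specific flag.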