aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0

[BUG] Error encountered while parsing data file when using yaml anchor #578

Open sj-versent opened 3 weeks ago

sj-versent commented 3 weeks ago

Describe the bug

When validating a source file of type YAML, if yaml anchors are in use then cfn-guard fails to parse the file and errors with Error occurred Parser Error

To Reproduce

1. Source File

```yaml
---

homeRegion: &HOME_REGION ap-southeast-2

vpcs:
  - name: myvpc
    tags:
      - key: Name
        value: myvpc
    account: myaccount
    region: *HOME_REGION
    defaultSecurityGroupRulesDeletion: true
```

2. Rule file

```
rule check_defaultSecurityGroupRulesDeletion {
    vpcs.defaultSecurityGroupRulesDeletion == true
}
```

3. The commands you used to invoke the tool

```
cfn-guard validate --data original.yaml --rules rule.guard
```

4. The output of a -v log level if it's not related to cfn-guard-lambda, or the relevant CloudWatch log messages if it is related to the cfn-guard-lambda

```
cfn-guard validate -v  --data original.yaml --rules rule.guard
Error occurred Parser Error when parsing `Error encountered while parsing data file: original.yaml, data beginning with 
---

homeRegion: &HOME_REGION ap-southeast-2

vpcs:
  - name: myvpc
    tags:
      - key: Name

 ...`
```

Expected behavior

File is parsed correctly and rules triggered if appropriate.

Operating System:

MacOS

OS Version

15.0.1 - Sequoia

Additional context

Commenting out the YAML anchor in the source file enables cfn-guard to process the file.

joshfried-aws commented 3 weeks ago

Hi @sj-versent, this is not a bug; cfn-guard does not currently support aliases or anchors: https://github.com/aws-cloudformation/cloudformation-guard/blob/main/guard/src/rules/libyaml/loader.rs#L54

sj-versent commented 3 weeks ago

Thanks for responding, @joshfried-aws ; it would be awesome to include that in the README if possible as I did go looking. I am happy to propose a PR if you would like.

Also note that the error code that is fired back to the user doesn't indicate that.

I'll come up with a possible workaround to strip out the aliases or anchors prior to processing. Thanks! Love the tool BTW 👍
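One way to do the pre-processing step described above, as an added example that is not part of the issue thread or of cfn-guard itself: expand every alias into its value with Ruby's built-in YAML library (Psych), write out an anchor-free document, and feed that to cfn-guard instead. The input below is the issue's own reproduction file, embedded as a constructed sample; the script name and the output file name are assumptions.

```ruby
# Added example (not from the issue or from cfn-guard): expand YAML anchors and
# aliases into plain values so the resulting file can be given to cfn-guard,
# which rejects documents that contain them.
require "yaml"

# Constructed input: the issue's reproduction file, including the &HOME_REGION anchor.
SOURCE_WITH_ANCHOR = <<~YAML
  ---
  homeRegion: &HOME_REGION ap-southeast-2
  vpcs:
    - name: myvpc
      tags:
        - key: Name
          value: myvpc
      account: myaccount
      region: *HOME_REGION
      defaultSecurityGroupRulesDeletion: true
YAML

# Rebuild the parsed tree out of fresh objects. Psych's emitter re-introduces
# anchors (&1 / *1) whenever it meets the same container or string object twice,
# and a resolved alias is exactly that, so every Hash, Array and String is copied.
def deep_copy(node)
  case node
  when Hash   then node.each_with_object({}) { |(k, v), h| h[deep_copy(k)] = deep_copy(v) }
  when Array  then node.map { |v| deep_copy(v) }
  when String then node.dup
  else node # integers, booleans and nil are immediates and never get anchors
  end
end

# Parse with aliases permitted (safe_load refuses them by default, which also
# guards against alias-expansion "billion laughs" inputs from untrusted sources),
# then serialise an equivalent document in which the alias is replaced by its value.
def expand_anchors(yaml_text)
  tree = YAML.safe_load(yaml_text, aliases: true)
  YAML.dump(deep_copy(tree))
end

if __FILE__ == $PROGRAM_NAME
  # Usage (assumed file names):
  #   ruby expand_anchors.rb original.yaml > expanded.yaml
  #   cfn-guard validate --data expanded.yaml --rules rule.guard
  input = ARGV.empty? ? SOURCE_WITH_ANCHOR : File.read(ARGV[0])
  puts expand_anchors(input)
end
```

The expanded file carries the same values as the original, so the rule is evaluated against the real configuration rather than a hand-edited copy with the anchor commented out.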

joshfried-aws commented 3 weeks ago

Hey @sj-versent, that's a good idea; I thought it was in there somewhere. As for the error message, this is actually because all errors that result from parsing of the yaml/json are converted into a generic ParseError: https://github.com/aws-cloudformation/cloudformation-guard/blob/main/guard/src/commands/validate.rs#L769

Appreciate the love for the tool!