aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0

[Enhancement] Add Support for Arithmetic Operations #584

Open lizhunt-aws opened 2 weeks ago

lizhunt-aws commented 2 weeks ago

Is your feature request related to a problem? Please describe.

I'd like to do some basic math in assertions and counts() outside of the binary comparison operations.

Describe the solution you'd like

Be able to parse and validate a rule similar to the following:

let minimum_tag_ratio = 0.95
rule tag_ratio_must_be_over_sla {
    let all_resources_to_check =  Resources.*[ Type == /AWS::IAM::Role/ ]
    let found_required_tags = Resources.*[
        Type == /AWS::IAM::Role/
        Properties.Tags[*].Key == ...blahblah
        ...blah
    ]
    (count(%found_required_tags) / count(%all_resources_to_check)) >= %minimum_tag_ratio
}
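The proposed rule divides two counts and compares the quotient against a threshold. Since Guard does not yet parse that arithmetic, the following Python, added here as an illustration and not code from the issue or the cfn-guard project, evaluates the same tag-ratio check over a constructed CloudFormation template. The required tag keys (Owner, CostCenter) stand in for the elided "...blahblah" filter and are an assumption; the template contents are made up for the example. It also handles the case the rule leaves open: a template with no matching resources, where the division has no meaning.

```python
"""Added example (not part of the issue or the cfn-guard project): evaluate the
tag-ratio check from the proposed rule directly in Python."""
import json

# Constructed sample template: three IAM roles, two of which carry every required tag,
# plus one non-role resource that the rule's Type filter must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "RoleA": {"Type": "AWS::IAM::Role",
                  "Properties": {"Tags": [{"Key": "Owner", "Value": "team-a"},
                                          {"Key": "CostCenter", "Value": "123"}]}},
        "RoleB": {"Type": "AWS::IAM::Role",
                  "Properties": {"Tags": [{"Key": "Owner", "Value": "team-b"}]}},
        "RoleC": {"Type": "AWS::IAM::Role",
                  "Properties": {"Tags": [{"Key": "Owner", "Value": "team-c"},
                                          {"Key": "CostCenter", "Value": "456"}]}},
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})

# Assumed required tag keys; the issue elides the real filter ("...blahblah").
REQUIRED_TAG_KEYS = {"Owner", "CostCenter"}
# %minimum_tag_ratio from the proposed rule.
MINIMUM_TAG_RATIO = 0.95


def tag_coverage(template_json, resource_type="AWS::IAM::Role", required=REQUIRED_TAG_KEYS):
    """Return (checked, compliant, ratio) for resources of the given type.

    'checked' mirrors count(%all_resources_to_check), 'compliant' mirrors
    count(%found_required_tags). ratio is None when no resource of that type
    exists, so the caller never divides by zero.
    """
    resources = json.loads(template_json).get("Resources", {})
    to_check = [r for r in resources.values() if r.get("Type") == resource_type]
    compliant = []
    for res in to_check:
        tags = res.get("Properties", {}).get("Tags") or []
        keys = {t.get("Key") for t in tags if isinstance(t, dict)}
        if required <= keys:          # every required key present on this resource
            compliant.append(res)
    if not to_check:
        return 0, 0, None
    return len(to_check), len(compliant), len(compliant) / len(to_check)


def tag_ratio_must_be_over_sla(template_json, minimum=MINIMUM_TAG_RATIO):
    """Mirror the proposed rule: PASS only if compliant / checked >= minimum.

    With nothing to check the comparison is undefined; report SKIP rather than
    silently passing or failing the template.
    """
    checked, compliant, ratio = tag_coverage(template_json)
    if ratio is None:
        return "SKIP"
    return "PASS" if ratio >= minimum else "FAIL"


if __name__ == "__main__":
    checked, compliant, ratio = tag_coverage(SAMPLE_TEMPLATE)
    verdict = tag_ratio_must_be_over_sla(SAMPLE_TEMPLATE)
    print(f"{compliant}/{checked} roles fully tagged, ratio={ratio:.2f} -> {verdict}")
```

On the sample template 2 of 3 roles are fully tagged, so the ratio is about 0.67 and the rule fails against the 0.95 threshold; lowering the threshold to 0.5 makes it pass, and a template with no IAM roles is reported as SKIP instead of raising a division error.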
joshfried-aws commented 3 days ago

Hey @lizhunt-aws, thanks for the suggestion. This is definitely something I could see a lot of benefit to adding. We're going to talk it over with the team and will update this ticket in the future as necessary.