aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0
1.3k stars 180 forks

How does cfn-guard differentiate from cfn-linter? #9

Closed (tvb closed this 2 years ago)

tvb commented 4 years ago

Hi AWS,

Awesome news! cfn-guard really looks promising. I do have one question. How does cfn-guard differentiate from cfn-linter (https://github.com/aws-cloudformation/cfn-python-lint)?

adamchainz commented 4 years ago

This is also my question. I've written custom cfn-lint rules for compliance. cfn-guard seems to be a faster way of writing such rules. Why isn't it part of cfn-lint?

nathanataws commented 4 years ago

We see the two tools as complementary. As @adamchainz has correctly intuited, cfn-guard is purpose-built and optimized specifically for the tasks of rule-writing and checking.

tvb commented 4 years ago

Hi @nathanataws thank you for replying.

Could you elaborate a bit more on this? If you can write rules in cfn-guard, why would one write rules also in cfn-lint?

I think I understand what you are saying. It means we can use the basic checks for valid CFN with cfn-lint and if you need custom rules (e.g.: check for missing tags?) you can use cfn-guard to write these?

MTNPCGCG commented 4 years ago

Will there be a mechanism for more complex (programmatic rules) as well? For most rules, the rule syntax from cfn-guard is fantastic, but occasionally something more complex might be needed.

ranman166 commented 4 years ago

So I could assume this is similar to cfn-nag?

n1t1nv3rma commented 4 years ago

IMO, this is a great tool for non-programmers to create simple and easy to understand validation rules. So one can just rely on a combination of the standard AWS CLI "aws cloudformation validate-template..." and CFN Guard.

PatMyron commented 4 years ago

> So one can just rely on a combination of the standard AWS CLI "aws cloudformation validate-template..." and CFN Guard.

aws cloudformation validate-template only does primitive validation and does not catch much

cfn-guard/opa focus on faster custom rule writing for concise constraints and don't have default rules

cfn-lint focuses more on default rules which mostly catch deployment failures since CloudFormation itself doesn't do much static analysis before provisioning resources (cfn-lint has other default rules like not hardcoding sensitive properties/availability zones/partitions/etc, setting DeletionPolicy/UpdateReplacePolicy to protect certain resources, approaching template limits, unused Parameters/Mappings/Conditions, etc.)

cfn_nag/cfripper default rules focus on security

cfn-lint/cfn_nag/cfripper support more extensible custom rules in addition to their default rules if custom rules aren't expressible within cfn-guard / opa concise constraints
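Added example (not code from cfn-guard, cfn-lint or any commenter above) showing the two kinds of rule the thread contrasts, written as plain Python over a JSON template so it runs offline with the standard library only. The first check is the "missing tags" constraint tvb mentions, which is the sort of thing cfn-guard expresses in a few lines; the second resolves a `Ref` from an EC2 instance to a security group defined in the same template, a cross-resource check that is the kind of "programmatic rule" MTNPCGCG asks about and that one would normally wrap in a cfn-lint custom rule class. The template, its logical IDs, the required tag keys and the `TAGGABLE` resource-type set are all constructed for this example and are not taken from any real stack or from the tools' own rule sets.

```python
"""Constructed example: two hand-written checks over a CloudFormation
template in plain Python (standard library only). Neither function uses the
cfn-guard or cfn-lint APIs; the template and all names below are made up."""
import json

# Constructed sample template (not from any real stack): one security group
# admits TCP/22 from anywhere, and several resources lack required tags.
TEMPLATE_JSON = r"""
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ],
        "Tags": [{"Key": "Owner", "Value": "platform"}]
      }
    },
    "DbSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "db tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
           "SourceSecurityGroupId": {"Ref": "WebSg"}}
        ],
        "Tags": [{"Key": "Owner", "Value": "platform"},
                 {"Key": "Environment", "Value": "prod"}]
      }
    },
    "Web": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-00000000",
                     "SecurityGroupIds": [{"Ref": "WebSg"}],
                     "Tags": [{"Key": "Environment", "Value": "prod"}]}
    },
    "Db": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-00000000",
                     "SecurityGroupIds": [{"Ref": "DbSg"}]}
    },
    "Logs": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 30}}
  }
}
"""

# Assumed scope of the tag rule for this example; real policies would list more types.
TAGGABLE = {"AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::S3::Bucket"}


def load_template(text):
    return json.loads(text)


def missing_required_tags(template, required=("Owner", "Environment")):
    """Return {logical_id: [missing tag keys]} for taggable resources.
    A resource with no Tags property at all is missing every required key."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in TAGGABLE:
            continue
        tags = res.get("Properties", {}).get("Tags") or []
        present = {t.get("Key") for t in tags if isinstance(t, dict)}
        missing = [k for k in required if k not in present]
        if missing:
            findings[name] = missing
    return findings


def _sg_allows_world_on_port(sg, port):
    """True if any ingress rule admits `port` over TCP (or all protocols)
    from 0.0.0.0/0 or ::/0. FromPort/ToPort of -1 means all ports in CFN."""
    for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []) or []:
        if rule.get("CidrIp") not in ("0.0.0.0/0",) and rule.get("CidrIpv6") != "::/0":
            continue
        if str(rule.get("IpProtocol", "-1")) not in ("tcp", "-1"):
            continue
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        if (lo == -1 and hi == -1) or lo <= port <= hi:
            return True
    return False


def instances_with_world_ssh(template):
    """Logical IDs of EC2 instances whose in-template security group (resolved
    through Ref) admits TCP/22 from anywhere. This follows a reference from one
    resource to another, which is why it is code rather than a single path
    constraint."""
    resources = template.get("Resources", {})
    open_sgs = {n for n, r in resources.items()
                if r.get("Type") == "AWS::EC2::SecurityGroup"
                and _sg_allows_world_on_port(r, 22)}
    hits = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        for ref in res.get("Properties", {}).get("SecurityGroupIds", []) or []:
            if isinstance(ref, dict) and ref.get("Ref") in open_sgs:
                hits.append(name)
                break
    return sorted(hits)


if __name__ == "__main__":
    t = load_template(TEMPLATE_JSON)
    print("missing tags:", missing_required_tags(t))
    print("world-reachable SSH:", instances_with_world_ssh(t))
```

Running it reports `WebSg`, `Web` and `Db` for missing tags (the `Db` instance has no `Tags` at all, so both keys are missing) and flags only `Web` for world-reachable SSH, since `DbSg` only accepts traffic from `WebSg`. Note the second check resolves `Ref` within the template only; a literal `sg-...` ID pointing at an existing group is not inspected, which is the usual limit of static template analysis and why such checks are complemented by runtime config scanning.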

razcloud commented 2 years ago

Closing this issue as it was a Q&A, and the original question was answered.

For other questions, please create a new Issue. Thank you.