aws-cloudformation / rain

A development workflow tool for working with AWS CloudFormation.
Apache License 2.0

Build recommended templates and redesign modules #283

Closed ericzbeard closed 6 months ago

ericzbeard commented 6 months ago

This is a big PR that does a few related things:

It adds a --recommended -r flag to the build command. This command shows an interactive dialog that allows the user to select from built-in, recommended templates that will pass typical compliance checks by default. For now it only has 4 templates, but more will come in later PRs.

(Two screenshots of the interactive template selection dialog, 2024-02-20)

Or you can skip the dialog if you know the name of the template:

rain build -r bucket bucket

This PR also redesigns the !Rain::Module directive that is an experimental component of the pkg command. The first iteration of modules was not very intuitive and required you to pick a single resource to extend. The new design is much simpler, allowing for the module to look like a regular CloudFormation template. In the parent template, you are free to override any property you wish.

This is a very simple example of a module:

Parameters:
  Name:
    Type: String
Resources:
  Bucket1:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref Name
  Bucket2:
    Type: AWS::S3::Bucket

Example template that uses the module:

Resources:
  My:
    Type: !Rain::Module "./simple-module.yaml"
    Properties:
      Name: foo
    Overrides:
      Bucket2:
        Properties:
          BucketName: bar

Output of rain pkg -x template.yaml:

Resources:
  MyBucket1:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: foo
  MyBucket2:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: bar

It was necessary to do both in one PR because there was a lot of code duplication in the recommended templates. Those templates now make use of modules.
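As an added illustration (not rain's own code), a small Python model of the module semantics described in this PR: the parent resource name is prefixed onto each module resource, the parent's Properties feed the module's Parameters, and Overrides are merged into the matching module resource. The dict shapes used for !Ref and !Rain::Module, the MODULES lookup table and the typo check are assumptions of this example.

```python
import copy
# Constructed inputs mirroring the PR's simple-module.yaml and template.yaml, with
# !Ref written as {"Ref": ...} and !Rain::Module as {"Rain::Module": path}.
SIMPLE_MODULE = {
    "Parameters": {"Name": {"Type": "String"}},
    "Resources": {"Bucket1": {"Type": "AWS::S3::Bucket",
                              "Properties": {"BucketName": {"Ref": "Name"}}},
                  "Bucket2": {"Type": "AWS::S3::Bucket"}}}
TEMPLATE = {"Resources": {"My": {
    "Type": {"Rain::Module": "./simple-module.yaml"},
    "Properties": {"Name": "foo"},
    "Overrides": {"Bucket2": {"Properties": {"BucketName": "bar"}}}}}}
MODULES = {"./simple-module.yaml": SIMPLE_MODULE}  # stands in for reading the file

def resolve_refs(node, params):
    """Replace {"Ref": <module parameter>} with the value the parent passed in."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and node["Ref"] in params:
            return params[node["Ref"]]
        return {k: resolve_refs(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, params) for v in node]
    return node

def deep_merge(base, override):
    """Recursively merge override into a copy of base; override values win."""
    out = copy.deepcopy(base)
    for k, v in override.items():
        nested = isinstance(v, dict) and isinstance(out.get(k), dict)
        out[k] = deep_merge(out[k], v) if nested else copy.deepcopy(v)
    return out

def expand_module(parent_name, usage, module):
    """Expand one module-typed resource into <parent_name><module resource> entries."""
    params, overrides = usage.get("Properties", {}), usage.get("Overrides", {})
    # Undeclared parameters or overrides naming no module resource are typos: fail loudly.
    bad = (set(params) - set(module.get("Parameters", {}))
           | set(overrides) - set(module["Resources"]))
    if bad:
        raise ValueError(f"unknown module parameters/overrides: {sorted(bad)}")
    return {parent_name + name: resolve_refs(deep_merge(res, overrides.get(name, {})), params)
            for name, res in module["Resources"].items()}

def package(template, modules):
    """Simplified stand-in for `rain pkg -x`: expand every module-typed resource."""
    out = {}
    for name, res in template["Resources"].items():
        mod = res["Type"].get("Rain::Module") if isinstance(res["Type"], dict) else None
        out.update(expand_module(name, res, modules[mod]) if mod else {name: copy.deepcopy(res)})
    return {"Resources": out}
```

Running `package(TEMPLATE, MODULES)` yields the MyBucket1/MyBucket2 output shown above; a misspelled parameter name is rejected instead of being silently dropped.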

ericzbeard commented 6 months ago

There seemed to be several violations.

What violations? All of the generated templates passed checks in internal/cmd/build/tmpl/scripts/validate.sh

khmoryz commented 6 months ago

@ericzbeard

There seemed to be several violations.

What violations? All of the generated templates passed checks in internal/cmd/build/tmpl/scripts/validate.sh

Sorry, I didn't notice validate.sh. The violations that I mentioned are like this.

echo "Linting..."
cfn-lint -c I -t ${FILES}

echo "Nag..."
cfn_nag ${FILES}

About cfn-lint, these violations are Informational. But the vscode plugin seems to have -c I enabled by default.

ericzbeard commented 6 months ago

echo "Nag..."
cfn_nag ${FILES}

We're moving away from nag, since it has barely been supported over the last few years. Guard is our preference, since it's an AWS product. I also include Checkov, since it is popular and seems to be actively maintained.