Open tatcoo opened 2 years ago
tatcoo
commented
2 years ago We are curious to hear more about how you and your team prefer to validate IaC templates -> is this most common when uploading the template to a service like Proton or shared repository, or as part of your deployment workflow? Do you want to have different kinds of checks at different points?
haakond
commented
1 year ago Hi, I'm working on a project where we have established a workflow where templates are pushed to GitHub and then the changes are synced back to AWS Proton.
In our case it would be very useful to be able to validate the syntax and compile Jinja Cloudformation templates as early as possible in the SDLC, even before the change is pushed, ideally set up as a pre-commit hook in each developer's environment, and/or in CI/CD pipelines.
As of today syntax errors and smaller mistakes aren't detected before a template is published and deployed (to a staging environment) in Proton. This is time consuming and error prone. Some kind of functionality in the CLI similar to aws cloudformation validate-template could do the trick.
Another idea could be to provide something like aws proton render-template where the output can be piped to another relevant process in the CI/CD workflow like Checkov, cfn-lint etc.
tatcoo
commented
1 year ago Thanks @haakond - this is great feedback. We're thinking through how we can help enable this before a template is published to help reduce errors you find and have to roll back. Stay tuned for more details!
davidebonavita
commented
1 year ago Hello @tatcoo Do you have any update on this? As @haakond said the current process is really time consuming. Pushing changes to GitHub, syncing them to Proton, publishing the version and trying to update the service just to find out that there's a syntax error is quite frustrating
tatcoo
commented
1 year ago Hi @davidebonavita ; has @haakond checked out our GitHub Actions Template Checker? https://github.com/aws-samples/aws-proton-template-checker-action
Its not a full-fledged feature within the service, but if he's open to trying it and providing feedback its something the team has been iterating on
As more teams and developers customize IaC templates, platform engineers want to remove manual checks and ticketing flows. To give their teams autonomy without lowering the bar on compliance with organizational standards, customers will be able to define validation steps as part of a Proton template, so that Proton can run evaluation to make sure the deployment meets standards. This includes IaC files that are created from pre-approved Proton templates, and developer-defined IaC component files. Validation could include integration to a tool (e.g., CloudFormation Guard, enforcing Terraform Sentinel checks), and defining exception flows (e.g., cuts a ticket to admin, who can manually review and approve).