unbounce / laundry Goto Github PK
View Code? Open in Web Editor NEW๐ a CloudFormation template linter
License: MIT License
laundry's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
laundry's Issues
Fully validate IAM Policy Condition
Invalid template:
Condition:
StringEquals:
ssm:resourceTag/foo:bar
Valid template:
Condition:
StringEquals:
ssm:resourceTag/foo: bar
Check AWS::Serverless::* resources
Disable Serverless specs for now
The main issue here is that CodeUri can be a string or an object, but the format
of the CloudFormation Resource Specification doesn't support specifying
"either or"
Check output limits
Template format error: Outputs count x is greater than max allowed 60
Validate that IAM policy Resources are formatted as an ARN
Malformed ARNs in the IAM Policy Resource property produce the following CloudFormation error:
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument ...)
Example malformed ARNs:
arn:aws:ssm:::session/${aws:username}-*arn:aws:ssm:*:*session/${aws:username}-*
Valid:
arn:aws:ssm:*:*:session/${aws:username}-*
Incorrect: Sub can not be used within Equals
Root.Conditions.Foo.Equals.1.Sub: can not be used within Equals
Missing script: "update-resource-specification"
Hi,
I'm receiving the above error message when trying to update CF's Resource Specification rules as instructed:
npm run update-resource-specification
The full error log is as follows:
0 verbose cli [
0 verbose cli '/Users/cig0/.nvm/versions/node/v16.4.2/bin/node',
0 verbose cli '/Users/cig0/.nvm/versions/node/v16.4.2/bin/npm',
0 verbose cli 'run',
0 verbose cli 'update-resource-specification'
0 verbose cli ]
1 info using [email protected]
2 info using [email protected]
3 timing npm:load:whichnode Completed in 1ms
4 timing config:load:defaults Completed in 2ms
5 timing config:load:file:/Users/cig0/.nvm/versions/node/v16.4.2/lib/node_modules/npm/npmrc Completed in 1ms
6 timing config:load:builtin Completed in 1ms
7 timing config:load:cli Completed in 3ms
8 timing config:load:env Completed in 0ms
9 timing config:load:project Completed in 2ms
10 timing config:load:file:/Users/cig0/.npmrc Completed in 1ms
11 timing config:load:user Completed in 1ms
12 timing config:load:file:/Users/cig0/.nvm/versions/node/v16.4.2/etc/npmrc Completed in 0ms
13 timing config:load:global Completed in 0ms
14 timing config:load:validate Completed in 0ms
15 timing config:load:credentials Completed in 2ms
16 timing config:load:setEnvs Completed in 1ms
17 timing config:load Completed in 12ms
18 timing npm:load:configload Completed in 12ms
19 timing npm:load:setTitle Completed in 18ms
20 timing npm:load:setupLog Completed in 3ms
21 timing npm:load:cleanupLog Completed in 2ms
22 timing npm:load:configScope Completed in 0ms
23 timing npm:load:projectScope Completed in 1ms
24 timing npm:load Completed in 37ms
25 timing config:load:flatten Completed in 3ms
26 timing command:run-script Completed in 48ms
27 verbose stack Error: Missing script: "update-resource-specification"
27 verbose stack
27 verbose stack To see a list of scripts, run:
27 verbose stack npm run
27 verbose stack at RunScript.run (/Users/cig0/.nvm/versions/node/v16.4.2/lib/node_modules/npm/lib/run-script.js:104:13)
28 verbose cwd /Users/cig0/w/poap/poap-infrastructure/AWS/CloudFormation/IAM/Users-User
29 verbose Darwin 20.5.0
30 verbose argv "/Users/cig0/.nvm/versions/node/v16.4.2/bin/node" "/Users/cig0/.nvm/versions/node/v16.4.2/bin/npm" "run" "update-resource-specification"
31 verbose node v16.4.2
32 verbose npm v7.19.1
33 error Missing script: "update-resource-specification"
33 error
33 error To see a list of scripts, run:
33 error npm run
34 verbose exit 1I'm NVM and this is the Node stack:
{
npm: '7.19.1',
node: '16.4.2',
v8: '9.1.269.36-node.14',
uv: '1.41.0',
zlib: '1.2.11',
brotli: '1.0.9',
ares: '1.17.1',
modules: '93',
nghttp2: '1.42.0',
napi: '8',
llhttp: '6.0.2',
openssl: '1.1.1k+quic',
cldr: '39.0',
icu: '69.1',
tz: '2021a',
unicode: '13.0',
ngtcp2: '0.1.0-DEV',
nghttp3: '0.1.0-DEV'
}I checked the provided AWS link but I didn't see any instructions related to Node/NPM. Should I install those rules manually? I'm kind of a bit lost here ๐
IAM Policy Document Resource format
Laundry did not produce an error for:
Example template:
Resources:
Policy:
Type: AWS::IAM::Policy
Properties:
PolicyName: LoggingRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- logs:CreateLogGroup
Effect: Allow
Resource:
- some-string
Error from CloudFormation:
Resource ... must be in ARN format or "*".
Incorrect: Select can not be used within Equals
You can use the following functions in the Fn::If condition:
Fn::Base64
Fn::FindInMap
Fn::GetAtt
Fn::GetAZs
Fn::If
Fn::Join
Fn::Select
Fn::Sub
Ref
You can use the following functions in all other condition functions, such as Fn::Equals and Fn::Or:
Fn::FindInMap
Ref
Other condition functions
Does not properly validate WAFV2 Resources
Here are the incorrect errors I've noticed on these resource types:
AWS::WAFv2::WebACLAWS::WAFv2::IPSetAWS::WAFv2::WebACLAssociation
warn Root.Resources.WAFv2WebAcl.Properties.Rules: must be an Object, got [{"Name":"DefaultBlockRule","Priority":0,"Action":{"Block":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"DefaultBlockRuleMetric"},"Statement":{"IPSetReferenceStatement":{"GetAtt":"DefaultIPSet.Arn"}}}] [ResourcePropertyValidator]
warn Root.Resources.WAFv2WebAcl.Properties.Tags: must be an Object, got [{"Key":"project","Value":{"Ref":"Project"}},{"Key":"environment","Value":{"Ref":"Environment"}}] [ResourcePropertyValidator]
warn Root.Resources.DefaultIPSet.Properties.Name: is required [RequriedResourcePropertyValidator]
warn Root.Resources.DefaultIPSet.Properties.Addresses: must be an Object, got ["127.0.0.0/32"] [ResourcePropertyValidator]
warn Root.Resources.DefaultIPSet.Properties.Tags: must be an Object, got [{"Key":"project","Value":{"Ref":"Project"}},{"Key":"environment","Value":{"Ref":"Environment"}}] [ResourcePropertyValidator]
warn Root.Resources.WAFv2WebAclAssociation.Type: invalid type AWS::WAFv2::WebACLAssociation, did you mean AWS::WAFRegional::WebACLAssociation? [ResourceTypeValidator
Ignore lint checks via metadata
Ignore a specific property:
Metadata:
LaundryIgnore:
'MyTopic.Properties.Name':
- RequriedResourcePropertyValidator
Resources:
MyTopic:
Type: AWS::SNS::Topic
Ignore with glob:
Metadata:
LaundryIgnore:
'Resources.MyTopic.*':
- RequriedResourcePropertyValidator
'*.Name.*':
- RequriedResourcePropertyValidator
Resources:
MyTopic:
Type: AWS::SNS::Topic
Ignore for everything:
Metadata:
LaundryIgnore:
'*':
- RequriedResourcePropertyValidator
Resources:
MyTopic:
Type: AWS::SNS::Topic
Ignore for a resource:
Resources:
MyTopic:
Metadata:
LaundryIgnore:
- RequriedResourcePropertyValidator
Type: AWS::SNS::Topic
Lambda Function Role format
Laundry did not produce an error for:
Example template:
Resources:
LambdaFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
FunctionName: !Ref AWS::StackName
Role: some-string
Runtime: nodejs8.10
Timeout: 10
Code:
ZipFile: ''
Error from CloudFormation:
1 validation error detected: Value
'some-string' at 'role' failed to
satisfy constraint: Member must satisfy regular expression
pattern:
arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+
Validate that inline policy names of an IAM resource are unique
CloudFormation will not produce an error if two inline policies of an IAM Role (or user or group?) are the same. When the resource is created, only one of the policies will be applied to the resource, and which policy that gets applied will not be deterministic. Validate that inline policies of an IAM resource have unique names.
Policies can be attached via the Policies property of a resource or via a separate AWS::IAM::Policy which references the resource.
Conditions can be used inside of conditional functions
Conditions:
Bar: true
Baz: true
Foo: !And [Bar, Baz]
Produces:
Root.Conditions.Foo.And.0: must be a Boolean, got "Bar"
Root.Conditions.Foo.And.1.Not.0: must be a Boolean, got "Baz"
Fully check AWS::IAM::Policy PolicyDocument
AWS::IAM::Policy.PolicyDocument is specified in the Cloud Formation Resource Specification as Json, which is very loose. Fully validate all properties of this property.
Cannot use Fn::ImportValue in Conditions
Cannot use Fn::ImportValue in Conditions
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.