Comments (3)
That's also good. Semantically, it might make the most sense to get rid of periods altogether for that part. So AssumeRolePolicyDocument|Statement.*.Principal.Service.* would effectively mean "Take the payload inside the AssumeRolePolicyDocument field and parse it, then descend the parsed structure". That prevents the need to do look-back when it encounters the |.
Sounds like we're close enough in agreement to start hashing out an implementation, at least.
This is, of course, a function of using parsers for the language the template is written in. A less elegant but valid rule to check what you're specifying would be to treat it as a literal:
AWS::IAM::Role AssumeRolePolicyDocument == { "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] } } ]}
(The above is the cfn-guard-rulegen output from the template - so it's sort of a working-backward way to arrive at what a valid rule would look like for a property.)
That said, there's a lot of room for improvement in the experience so that nested structures inside properties can themselves be descended into and addressed using the dotted notation.
After pondering this particular case, we're trying to nail down what a simple, intuitive syntax for this kind of thing would be.
What are your thoughts on something like:
AWS::IAM::Role AssumeRolePolicyDocument.|.Statement.*.Principal.Service.* == lambda.amazonaws.com
Where the | in the address indicates the possible need for a transform of the property under the address? Internally, we could just attempt to parse it as json or yaml and then continue to descend into it.
The proposed solution looks good. I'm not sure on how flexible the parser is, but perhaps we could place the placeholder on the field that is being optionally processed, like so:
AWS::IAM::Role AssumeRolePolicyDocument|.Statement.*.Principal.Service.* == lambda.amazonaws.com
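To make the proposed `|` transform concrete, here is an added example (not cfn-guard's own code) of a tiny path evaluator that treats a `|` suffix on a segment as "parse this field's payload, then keep descending", fans `*` out over lists and dict values, and uses the result to flag IAM roles whose trust policy names any principal other than the expected service. It assumes JSON-encoded payloads only (YAML is not handled), and the failure semantics for a wildcard rule (fail if any addressed value differs) are an assumption, not cfn-guard's actual behaviour.

```python
import json
from typing import Any, Iterator

# Constructed sample: the Role's trust policy is carried as a JSON string, so a
# rule has to parse it before it can descend into Statement/Principal.
TEMPLATE = {"Resources": {"FnRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {"AssumeRolePolicyDocument": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]}},
        {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}},
    ]})}}}}


def resolve(node: Any, path: str) -> Iterator[Any]:
    """Yield every value addressed by a dotted path such as
    'AssumeRolePolicyDocument|.Statement.*.Principal.Service.*'.

    A '|' suffix on a segment (the syntax proposed in the thread, assumed here)
    means: take the field's payload, parse it as JSON, then keep descending.
    A payload that is already structured (inline YAML/JSON) is used as-is.
    '*' fans out over every list element or every dict value.
    """
    if path == "":
        yield node
        return
    seg, _, rest = path.partition(".")
    transform = seg.endswith("|")
    seg = seg.rstrip("|")
    if seg == "*" and isinstance(node, list):
        children = node
    elif seg == "*" and isinstance(node, dict):
        children = list(node.values())
    elif isinstance(node, dict) and seg in node:
        children = [node[seg]]
    else:
        return  # path does not exist on this node
    for child in children:
        if transform and isinstance(child, str):
            child = json.loads(child)
        yield from resolve(child, rest)


def check_rule(template: dict, res_type: str, path: str, expected: Any) -> list:
    """Evaluate '<res_type> <path> == <expected>' over every matching resource.

    Returns the logical ids that fail: a resource fails when any value the
    path addresses differs from expected (assumed semantics, not cfn-guard's).
    """
    failures = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != res_type:
            continue
        if any(v != expected for v in resolve(res.get("Properties", {}), path)):
            failures.append(name)
    return failures
```

Running `check_rule(TEMPLATE, "AWS::IAM::Role", "AssumeRolePolicyDocument|.Statement.*.Principal.Service.*", "lambda.amazonaws.com")` returns `["FnRole"]`, because the second statement also lets ec2.amazonaws.com assume the role.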