
Comments (3)

nathanataws commented on May 28, 2024

That's also good. Semantically, it might make the most sense to get rid of periods altogether for that part. So AssumeRolePolicyDocument|Statement.*.Principal.Service.* would effectively mean "Take the payload inside the AssumeRolePolicyDocument field and parse it, then descend the parsed structure". That prevents the need to do look-back when it encounters the |.

Sounds like we're close enough in agreement to start hashing out an implementation, at least.

from cloudformation-guard.

nathanataws commented on May 28, 2024

This is, of course, a function of using parsers for the language the template is written in. A less elegant but valid rule to check what you're specifying would be to treat it as a literal:

AWS::IAM::Role AssumeRolePolicyDocument == {
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      }
    }
  ]
}

(The above is the cfn-guard-rulegen output from the template - so it's sort of a working-backward way to arrive at what a valid rule would look like for a property.)

That said, there's a lot of room for improvement in the experience so that nested structures inside properties can themselves be descended into and addressed using the dotted notation.

After pondering this particular case, we're trying to nail down what a simple, intuitive syntax for this kind of thing would be.

What are your thoughts on something like:

AWS::IAM::Role AssumeRolePolicyDocument.|.Statement.*.Principal.Service.* == lambda.amazonaws.com

Where the | in the address indicates the possible need for a transform of the property under the address? Internally, we could just attempt to parse it as json or yaml and then continue to descend into it.

iann0036 commented on May 28, 2024

The proposed solution looks good. I'm not sure on how flexible the parser is, but perhaps we could place the placeholder on the field that is being optionally processed, like so:

AWS::IAM::Role AssumeRolePolicyDocument|.Statement.*.Principal.Service.* == lambda.amazonaws.com
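
The following is an added example, not cloudformation-guard's own code or its real rule grammar: a small Python resolver that implements the address semantics the thread converges on. A `|` on a segment means "take the value at that field, parse it if it is an embedded JSON string (pass it through unchanged if the template already supplied a structured map), then keep descending with dotted notation", and `*` fans out over every element of a list or every value of a map. It accepts both the `Field.|.Sub` spelling from the second comment and the `Field|.Sub` spelling from the third, and goes one step beyond the thread by letting `*` on a scalar match the scalar itself, so a trust policy whose `Service` is a single string rather than a list still resolves. The sample template, the role names, the JSON-only parsing at `|`, and the `==` semantics (every value the address matches must equal the literal) are all assumptions made for the example.

```python
"""Prototype resolver for the '|' address syntax discussed in the thread.

Added example only; not cfn-guard code and not its grammar. Assumptions:
  * 'Field|' (or 'Field.|') parses the value at Field as JSON if it is a
    string; a map/list is passed through as already-structured YAML/JSON.
  * '*' yields every list element or map value; on a scalar it yields the
    scalar itself (IAM principals may be a string or a list of strings).
  * 'Type Address == literal' passes for a resource only if the address
    matched at least one value and every matched value equals the literal.
  * Only JSON is parsed at '|'; YAML strings would need PyYAML.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample template (not from the issue): one role with the trust
# policy as a JSON string, one with it already structured, one too permissive.
TEMPLATE: dict[str, Any] = {
    "Resources": {
        "GoodRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": json.dumps({
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": ["lambda.amazonaws.com"]},
                        "Action": "sts:AssumeRole",
                    }],
                }),
            },
        },
        "StructuredRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": "lambda.amazonaws.com"},
                        "Action": "sts:AssumeRole",
                    }],
                },
            },
        },
        "WideRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": json.dumps({
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": ["lambda.amazonaws.com",
                                                  "ec2.amazonaws.com"]},
                        "Action": "sts:AssumeRole",
                    }],
                }),
            },
        },
    }
}


def tokenize(address: str) -> list[tuple[str, bool]]:
    """Split 'A|.B.*.C' into (segment, parse_after) pairs.

    A trailing '|' binds to the segment it follows (third comment's form).
    A bare '|' segment (second comment's 'A.|.B' form) is kept as its own
    token and handled in resolve()."""
    tokens: list[tuple[str, bool]] = []
    for seg in address.split("."):
        if seg != "|" and seg.endswith("|"):
            tokens.append((seg[:-1], True))
        else:
            tokens.append((seg, False))
    return tokens


def parse_embedded(value: Any) -> Any:
    """The '|' transform: parse a JSON string, pass structured data through.
    Returns None for a string that is not valid JSON (matches nothing)."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return None
    return value


def select(node: Any, seg: str) -> list[Any]:
    """Children of node addressed by one segment; '*' fans out."""
    if seg == "*":
        if isinstance(node, dict):
            return list(node.values())
        if isinstance(node, list):
            return list(node)
        return [node] if node is not None else []  # scalar matches itself
    if isinstance(node, dict) and seg in node:
        return [node[seg]]
    if isinstance(node, list) and seg.isdigit() and int(seg) < len(node):
        return [node[int(seg)]]
    return []


def resolve(node: Any, tokens: list[tuple[str, bool]]) -> list[Any]:
    """Return every value reachable from node by following tokens."""
    if not tokens:
        return [node]
    (seg, parse_after), rest = tokens[0], tokens[1:]
    if seg == "|":  # standalone form: transform the current value
        parsed = parse_embedded(node)
        return [] if parsed is None else resolve(parsed, rest)
    matches: list[Any] = []
    for child in select(node, seg):
        if parse_after:
            child = parse_embedded(child)
            if child is None:
                continue
        matches.extend(resolve(child, rest))
    return matches


def check_rule(template: dict[str, Any], resource_type: str,
               address: str, expected: Any) -> dict[str, bool]:
    """Evaluate '<resource_type> <address> == <expected>' per resource.
    Returns {logical_id: passed} for resources of the given type."""
    tokens = tokenize(address)
    results: dict[str, bool] = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != resource_type:
            continue
        values = resolve(res.get("Properties", {}), tokens)
        results[logical_id] = bool(values) and all(v == expected for v in values)
    return results


if __name__ == "__main__":
    rule_address = "AssumeRolePolicyDocument|.Statement.*.Principal.Service.*"
    for rid, ok in check_rule(TEMPLATE, "AWS::IAM::Role", rule_address,
                              "lambda.amazonaws.com").items():
        print(f"{rid}: {'PASS' if ok else 'FAIL'}")
```

Running it reports `GoodRole` and `StructuredRole` as passing and `WideRole` as failing, because the wildcard also surfaces `ec2.amazonaws.com` and the rule requires every matched principal to be the Lambda service. Note that a trust policy whose `Statement` is a single object rather than a list would have its fields, not the statement itself, fanned out by `*`; a real implementation would need to decide how `*` treats that case.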
