
Comments (8)

nathanataws commented on May 24, 2024

You are correct. The behaviors are different because of the different way CFn intrinsic functions are represented within the two formats. We're working through a number of possible ways to address it.

Check out this part of the README for more info: https://github.com/aws-cloudformation/cloudformation-guard/blob/master/cfn-guard/README.md#working-with-cloudformation-intrinsic-functions

For your second approach, try changing the Tags reference to a wildcard (Tags.*) and the "==" will match if any part of the Tags list passes.

from cloudformation-guard.

f0o commented on May 24, 2024

The wildcard solution is sadly not applicable because it will fail on any additional tags that aren't defined in the ruleset (#23 (comment))


nathanataws commented on May 24, 2024

I added some comments to #23.

[EDIT: Removed my repeat of the intrinsics details above]

That said, I'm not happy about how it works right now. We're kicking around different approaches to come up with a behavior that reconciles the different representations without being lossy or confusing. Hopefully, we'll get an elegant, supportable solution out soon. In the meantime, you need to use the |OR| with a check for the intrinsic in JSON on one side and YAML on the other.


nathanataws commented on May 24, 2024

For example:

AWS::EC2::Volume AvailabilityZone == ["EC2Instance","AvailabilityZone"] |OR| AWS::EC2::Volume AvailabilityZone == {"Fn::GetAtt":["EC2Instance","AvailabilityZone"]}


f0o commented on May 24, 2024

Yeah I'm using regex match now instead. It's really ugly tho 😅


nathanataws commented on May 24, 2024

Check out the latest release-0.5.2 branch. I added JSON list literals to make the task of matching against intrinsics in both YAML and JSON templates a bit easier.

For example:

let tag_vals = [{"Key":"OwnerContact","Value":"OwnerContact"},{"Key":"OwnerContact","Value":{"Ref":"OwnerContact"}}]
AWS::EC2::SecurityGroup Tags.* IN %tag_vals

Should now work correctly for both the YAML and JSON versions you're trying to check.

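Added example (not part of the thread and not cloudformation-guard's own code): a Python helper that lists the representations a rule has to accept for one expected intrinsic and renders them in the `let` list-literal form shown in the comment above. It assumes, as the thread's example rules imply, that YAML short-form tags are dropped during parsing; the names `is_intrinsic`, `variants`, `matches` and `guard_let` are hypothetical, and the dotted-string `!GetAtt` case goes beyond the forms shown in the thread.

```python
import json

def is_intrinsic(value):
    """True for a long-form intrinsic: a one-key dict named Ref or Fn::*."""
    if not (isinstance(value, dict) and len(value) == 1):
        return False
    name = next(iter(value))
    return isinstance(name, str) and (name == "Ref" or name.startswith("Fn::"))

def variants(value):
    """List every literal a template parser may hand the rule for `value`.

    Assumption (from the thread): YAML short-form tags (!Ref, !GetAtt) are
    dropped during parsing, so only the tag's argument reaches the rule.
    Intrinsics nested inside another intrinsic or inside a list are not expanded.
    """
    if is_intrinsic(value):
        (name, arg), = value.items()
        forms = [value, arg]  # long form (JSON or YAML), then tag-stripped short form
        # "!GetAtt Resource.Attribute" strips to a dotted string, not a list.
        if name == "Fn::GetAtt" and isinstance(arg, list) and all(isinstance(a, str) for a in arg):
            forms.append(".".join(arg))
        return forms
    if isinstance(value, dict):
        combos = [{}]
        for key, val in value.items():  # cartesian product over each key's variants
            combos = [{**c, key: alt} for c in combos for alt in variants(val)]
        return combos
    return [value]

def matches(actual, expected):
    """True when a parsed property equals any representation of `expected`."""
    return actual in variants(expected)

def guard_let(name, expected):
    """Render the variants as a JSON list literal in the thread's `let` syntax."""
    return f"let {name} = " + json.dumps(variants(expected), separators=(",", ":"))

if __name__ == "__main__":
    # Constructed sample values mirroring the thread's two rules.
    print(guard_let("tag_vals", {"Key": "OwnerContact", "Value": {"Ref": "OwnerContact"}}))
    print(guard_let("az_vals", {"Fn::GetAtt": ["EC2Instance", "AvailabilityZone"]}))
```

Under the stated assumption, the tag-stripped variant is indistinguishable from a hard-coded literal, so a rule that accepts it also accepts a template that sets the tag value to the plain string `OwnerContact`.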

f0o commented on May 24, 2024

Works and also 0.5.2 is quite a lot faster too!

Thanks :)


nathanataws commented on May 24, 2024

Awesome! 👍
