AWS has released version 2 of CloudFormation Guard, its open source tool for validating CloudFormation templates. This release introduces many new features, including type blocks, support for conjunctive normal form (CNF), filters, and named rules.

Guard lets you write policy as code, which can then be used to validate any well-formed JSON or YAML file. These rules can be used to validate any number of infrastructure-as-code files, including CloudFormation ChangeSets, Terraform JSON configuration files, or Kubernetes configurations. For example, Guard can be wired into a CI pipeline to verify that a ChangeSet is secure before it is deployed.

In this release, you can now write rules using type blocks. This lets rules be written more succinctly, with an implicit AND between clauses. For example, to verify that all EC2 volumes are encrypted, are of type gp2 and are less than 10 GB in size, you can now write:

    AWS::EC2::Volume {
        Properties {
            Encrypted == true
            Size <= 10
            VolumeType == 'gp2'
        }
    }

Thanks to the added support for conjunctive normal form (CNF), it is now possible to include OR clauses in type blocks. The above example can be adjusted to allow either the gp2 or the gp3 volume type.

    AWS::EC2::Volume {
        Properties {
            Encrypted == true
            Size <= 10
            VolumeType == 'gp2' OR
            VolumeType == 'gp3'
        }
    }

The above example can also be written using the new IN operator, which lets you specify a list of acceptable values for a check.

    AWS::EC2::Volume {
        Properties {
            Encrypted == true
            Size <= 10
            VolumeType in ['gp2', 'gp3']
        }
    }

Filters and named rules are now supported. A type block is shorthand for a filter that matches resources by type only. Named rules let you reuse blocks of rules throughout a file. As AWS senior developer advocate Matteo Rinaudo points out:

Filters and named rules are the prescribed ways of expressing terms in Guard 2.0. Using both of these capabilities improves readability, supports refactoring, and allows complete flexibility to recombine rules into higher-order clauses.

For example, to verify that every resource carries at least one tag, you can define the following named rule:

    rule assert_all_resources_have_non_empty_tags {
        Resources.*.Properties.Tags !empty
    }

This named rule can then be reused inside a larger rule to verify that a DynamoDB table has at least one tag and also has server-side encryption enabled:

    let ddb = Resources.*[ Type == 'AWS::DynamoDB::Table' ]

    rule dynamo_db_sse_on when %ddb !empty {
        assert_all_resources_have_non_empty_tags
        %ddb.Properties.SSESpecification.SSEEnabled == true
    }

You can now validate any part of the template, including the description and parameters. You can also write unit tests against rules to verify that they behave as expected. The test data file is a JSON or YAML file that mocks the necessary resources and states the expected result of each rule's evaluation.
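A test data file for the two rules above, as an added example that is not from the article (the file names rules.guard and tests.yaml and the resource values are assumptions): the first case is expected to PASS, the second to FAIL because SSEEnabled is false, and the third to SKIP because the when guard finds no DynamoDB table.

```yaml
# Constructed test data for assert_all_resources_have_non_empty_tags and dynamo_db_sse_on.
# Assumed invocation (file names are placeholders):
#   cfn-guard test --rules-file rules.guard --test-data tests.yaml
---
- name: tagged table with SSE enabled
  input:
    Resources:
      Orders:
        Type: AWS::DynamoDB::Table
        Properties:
          Tags:
            - Key: team
              Value: payments
          SSESpecification:
            SSEEnabled: true
  expectations:
    rules:
      assert_all_resources_have_non_empty_tags: PASS
      dynamo_db_sse_on: PASS
- name: tagged table with SSE disabled
  input:
    Resources:
      Orders:
        Type: AWS::DynamoDB::Table
        Properties:
          Tags:
            - Key: team
              Value: payments
          SSESpecification:
            SSEEnabled: false
  expectations:
    rules:
      assert_all_resources_have_non_empty_tags: PASS
      dynamo_db_sse_on: FAIL
- name: no DynamoDB table, so the when guard is not met
  input:
    Resources:
      Bucket:
        Type: AWS::S3::Bucket
        Properties:
          Tags:
            - Key: team
              Value: payments
  expectations:
    rules:
      assert_all_resources_have_non_empty_tags: PASS
      dynamo_db_sse_on: SKIP
```

Running the test command reports each case against its expectations, so a rule change that silently stops failing insecure tables shows up as a mismatch on the second case.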

CloudFormation Guard is open source and is available on GitHub.

The original link: www.infoq.com/news/2021/0…