added examples for "Parameter" rules #541

wants to merge 2 commits into
base: main
@@ -0,0 +1,78 @@
---
- input:
Parameters: {}
expectations:
rules:
assert_default_parameters_exists: SKIP
assert_default_parameter_configuration: SKIP
assert_ConstraintDescription: SKIP
- input:
Description: "Test if default parameters exists PASS"
Parameters:
Parameter1: {}
Parameter2: {}
Stage: {}
expectations:
rules:
assert_default_parameters_exists: PASS
assert_default_parameter_configuration: FAIL
assert_ConstraintDescription: SKIP
- input:
Description: "Test if default parameters exists FAILED "
Parameters:
Parameter1: {}
Parameter3: {}
Stage: {}
expectations:
rules:
assert_default_parameters_exists: FAIL
assert_default_parameter_configuration: SKIP
assert_ConstraintDescription: SKIP
- input:
Description: "correct Parameter configuration"
Parameters:
Parameter1:
Description: 'Parameter1'
Type: String
AllowedPattern: '[a-z0-9]+'
ConstraintDescription: "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
Parameter2:
Description: 'Parameter2'
Type: String
AllowedPattern: '[a-z0-9]+'
ConstraintDescription: "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
Stage:
Type: String
Description: 'Stage setting'
AllowedValues:
- stage1
- stage2
- stage3
expectations:
rules:
assert_default_parameters_exists: PASS
assert_default_parameter_configuration: PASS
assert_ConstraintDescription: PASS
- input:
Description: "wrong configuration Parameter1 (Missing Type and ConstraintDescription)"
Parameters:
Parameter1:
Description: 'Parameter1'
AllowedPattern: '[a-z0-9]+'
Parameter2:
Description: 'Parameter2'
Type: String
AllowedPattern: '[a-z0-9]+'
ConstraintDescription: "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
Stage:
Type: String
Description: 'Stage setting'
AllowedValues:
- stage1
- stage2
- stage3
expectations:
rules:
assert_default_parameters_exists: PASS
assert_default_parameter_configuration: FAIL
assert_ConstraintDescription: FAIL
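--- a/guard-examples/parameter-schemas/check-default-parameters.guard
+++ b/guard-examples/parameter-schemas/check-default-parameters.guard
@@ -0,0 +1,44 @@
+# This ruleset checks if Parameters are configured correctly.
+# It is useful if you must have the same parameters in multiple templates (e.g. for tagging or name schema)
+
+# Exception that proves the rule. ;D Maybe you have templates which does not need those parameters. In this scenario we have the cloudformation templates from https://github.com/aws-solutions/aws-waf-security-automations in our template dir. The exclude list is based of the template description. You can use Metadata or other ways as well.
+let exclude = [
+/(SO0006-FA) - Security Automations for AWS WAF - FA:/,
+/(SO0006-WebACL) - Security Automations for AWS WAF:/,
+/(SO0006) - Security Automations for AWS WAF:/
+]
+
+
+# Now we check if our default parameters exists in templates which we have not excluded
+rule assert_default_parameters_exists when Description not in %exclude {
+Parameters.Parameter1 exists
+Parameters.Parameter2 exists
+Parameters.Stage exists
+}
+
+# our default parameters must have always the same configuration
+rule assert_default_parameter_configuration when assert_default_parameters_exists {
+Parameters.Parameter1 {
+Description == 'Parameter1'
+Type == 'String'
+AllowedPattern == '[a-z0-9]+'
+ConstraintDescription == "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
+}
+Parameters.Parameter2 {
+Description == 'Parameter2'
+Type == 'String'
+AllowedPattern == '[a-z0-9]+'
+ConstraintDescription == "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
+}
+Parameters.Stage {
+Type == 'String'
+Description == 'Stage setting'
+AllowedValues == ['stage1', 'stage2', 'stage3']
+}
+}
+
+# All parameters with an AllowedPattern must have a ConstraintDescription
+let parameters = some Parameters.*[AllowedPattern exists]
+rule assert_ConstraintDescription when %parameters exists {
+%parameters.ConstraintDescription exists
+}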
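Review bot: The three `exclude` entries are regex literals with unescaped parentheses, so `/(SO0006-FA) - Security Automations for AWS WAF - FA:/` is a capturing group matching `SO0006-FA - Security…` rather than the bracketed `(SO0006-FA) - Security…` the comment describes. If the real template descriptions carry the solution id in parentheses, none of the patterns match, the exclusion silently never applies and `assert_default_parameters_exists` fails on exactly the templates it was meant to skip; the accompanying test file does not cover this, since no input uses one of these descriptions. Escape the metacharacters: `/\(SO0006-FA\) - Security Automations for AWS WAF - FA:/`, `/\(SO0006-WebACL\) - Security Automations for AWS WAF:/`, `/\(SO0006\) - Security Automations for AWS WAF:/`. A short addition to the header comment saying that the list holds regular expressions, not literal strings, would keep future entries from repeating the mistake.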