feat(core): template validation after synthesis #23951

Merged (112 commits), Mar 27, 2023
Conversation

@otaviomacedo (Contributor) commented Feb 1, 2023

Integrate policy as code tools into CDK synthesis via a plugin mechanism. Immediately after synthesis, the framework invokes all the registered plugins, collects the results and, if there are any violations, shows a report to the user.

Application developers register plugins to a `Stage`:

```ts
const app = new App({
  validationPlugins: [
    new SomePolicyAgentPlugin(),
    new AnotherPolicyAgentPlugin(),
  ],
});
```

Plugin authors must implement the `IPolicyValidationPlugin` interface. Hypothetical example of a CloudFormation Guard plugin:

```ts
export class CfnGuardValidator implements IPolicyValidationPlugin {
  public readonly name = 'cfn-guard-validator';
  constructor() {}

  validate(context: IPolicyValidationContext): PolicyValidationPluginReport {
    // execute the cfn-guard cli and get the JSON response from the tool
    const cliResultJson = executeCfnGuardCli();

    // parse the results into the violations format that the framework expects
    // (one entry per rule that failed)
    const violations = parseGuardResults(cliResultJson);

    // construct the report and return it to the framework
    // this is a vastly over simplified example that is only
    // meant to show the structure of the report that is returned
    return {
      success: violations.length === 0,
      violations: violations.map(v => ({
        ruleName: v.ruleName,
        recommendation: v.recommendation,
        fix: v.fix,
        violatingResources: [{
          resourceName: v.resourceName,
          locations: v.locations,
          templatePath: v.templatePath,
        }],
      })),
    };
  }
}
```

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>
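The plugin contract described above, worked through as an added example that is not code from this PR or from aws-cdk-lib: a self-contained TypeScript plugin that inspects synthesized CloudFormation templates in-process (no external CLI), applies two policy rules and returns the report shape shown in the description. The local interfaces stand in for `IPolicyValidationPlugin`, `IPolicyValidationContext` and `PolicyValidationPluginReport`; the `templatePaths` field on the context, the rule names, the slash-separated `locations` format and the sample template are all assumptions made for the example.

```typescript
// Added example (not code from the PR): an in-process policy plugin that returns the
// report shape shown in the PR description. The interfaces are local stand-ins for
// IPolicyValidationPlugin / IPolicyValidationContext / PolicyValidationPluginReport
// (field names taken from the page, `templatePaths` assumed) so it runs without aws-cdk-lib.
import * as fs from 'fs';

interface ValidationContext { readonly templatePaths: string[] }
interface ViolatingResource { readonly resourceName: string; readonly locations: string[]; readonly templatePath: string }
interface Violation {
  readonly ruleName: string; readonly recommendation: string; readonly fix: string;
  readonly violatingResources: ViolatingResource[];
}
interface ValidationReport { readonly success: boolean; readonly violations: Violation[] }
interface PolicyValidationPlugin { readonly name: string; validate(context: ValidationContext): ValidationReport }

// Loosely typed CloudFormation template; only Resources is inspected.
interface CfnTemplate { Resources?: { [logicalId: string]: { Type?: string; Properties?: any } } }
// One rule hit: which rule, which resource, where in the template (slash path, assumed format).
export interface Finding { ruleName: string; resourceName: string; location: string }

const RULES: { [ruleName: string]: { recommendation: string; fix: string } } = {
  'no-ssh-from-world': { recommendation: 'Do not allow TCP/22 (or all traffic) ingress from 0.0.0.0/0 or ::/0.',
    fix: 'Restrict CidrIp/CidrIpv6 to a bastion or VPN range, or use SSM Session Manager.' },
  'bucket-encryption-required': { recommendation: 'Every AWS::S3::Bucket must declare BucketEncryption.',
    fix: 'Add BucketEncryption with SSE-S3 (AES256) or SSE-KMS.' },
};

// True when an ingress rule opens port 22 (or every port) to the whole internet.
function sshFromWorld(rule: any): boolean {
  const world = rule.CidrIp === '0.0.0.0/0' || rule.CidrIpv6 === '::/0';
  const ssh = rule.IpProtocol === '-1' ||
    (rule.IpProtocol === 'tcp' && Number(rule.FromPort) <= 22 && 22 <= Number(rule.ToPort));
  return world && ssh;
}

// Pure check over one parsed template; findings come back in template order.
export function checkTemplate(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources || {};
  for (const name of Object.keys(resources)) {
    const res = resources[name];
    const props = res.Properties || {};
    const base = `Resources/${name}/Properties`;
    if (res.Type === 'AWS::EC2::SecurityGroup') {
      (props.SecurityGroupIngress || []).forEach((rule: any, i: number) => {
        if (sshFromWorld(rule)) {
          findings.push({ ruleName: 'no-ssh-from-world', resourceName: name, location: `${base}/SecurityGroupIngress/${i}` });
        }
      });
    } else if (res.Type === 'AWS::S3::Bucket' && props.BucketEncryption === undefined) {
      findings.push({ ruleName: 'bucket-encryption-required', resourceName: name, location: base });
    }
  }
  return findings;
}

export class InProcessGuardPlugin implements PolicyValidationPlugin {
  public readonly name = 'in-process-guard';
  // The loader is injectable so the demo and tests can run from memory instead of cdk.out.
  constructor(private readonly load: (p: string) => string = (p) => fs.readFileSync(p, 'utf8')) {}

  validate(context: ValidationContext): ValidationReport {
    const byRule: { [ruleName: string]: ViolatingResource[] } = {};
    for (const templatePath of context.templatePaths) {
      const template = JSON.parse(this.load(templatePath)) as CfnTemplate;
      for (const f of checkTemplate(template)) {
        const list = byRule[f.ruleName] || (byRule[f.ruleName] = []);
        // Several hits on one resource become one entry with several locations.
        let entry = list.filter((v) => v.resourceName === f.resourceName && v.templatePath === templatePath)[0];
        if (!entry) list.push(entry = { resourceName: f.resourceName, locations: [], templatePath });
        entry.locations.push(f.location);
      }
    }
    const violations = Object.keys(byRule).map((ruleName) => ({
      ruleName, recommendation: RULES[ruleName].recommendation, fix: RULES[ruleName].fix,
      violatingResources: byRule[ruleName],
    }));
    return { success: violations.length === 0, violations };
  }
}

// Constructed sample template (not from a real stack): a bad SG, a bad bucket, a good bucket.
export const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    WebSg: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupDescription: 'web tier', SecurityGroupIngress: [
      { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, CidrIp: '0.0.0.0/0' },
      { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, CidrIp: '0.0.0.0/0' },
    ] } },
    LogsBucket: { Type: 'AWS::S3::Bucket', Properties: {} },
    DataBucket: { Type: 'AWS::S3::Bucket', Properties: { BucketEncryption: {
      ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }] } } },
  },
};

// Runs the plugin as the framework would after synth, with the sample template held in memory.
export function runDemo(): ValidationReport {
  const files: { [p: string]: string } = { 'cdk.out/Demo.template.json': JSON.stringify(SAMPLE_TEMPLATE) };
  return new InProcessGuardPlugin((p) => files[p]).validate({ templatePaths: Object.keys(files) });
}
```

The report groups findings by rule and then by resource, which is what the `violatingResources` array in the PR's report shape implies: one rule entry carries every resource that broke it, and each resource carries every location where it did. Keeping `checkTemplate` pure and the file loader injectable means the policy logic can be unit tested without a `cdk synth` run.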

@github-actions github-actions bot added the p2 label Feb 1, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team February 1, 2023 11:17
@otaviomacedo otaviomacedo changed the title from "First draft" to "First draft fo the Checkov plugin" Feb 1, 2023
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Feb 1, 2023
@aws-cdk-automation (Collaborator) left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

@otaviomacedo otaviomacedo changed the title from "First draft fo the Checkov plugin" to "First draft of the Checkov plugin (proof of concept)" Feb 1, 2023
@otaviomacedo otaviomacedo changed the title from "First draft of the Checkov plugin (proof of concept)" to "Checkov and KICS plugins (proof of concept)" Feb 7, 2023
otaviomacedo and others added 8 commits March 27, 2023 12:09
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@iliapolo iliapolo added the pr/do-not-merge This PR should not be merged at this time. label Mar 27, 2023
@corymhall corymhall removed the pr/do-not-merge This PR should not be merged at this time. label Mar 27, 2023
@aws-cdk-automation (Collaborator) commented:

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 4746872
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@mergify (Contributor) mergify bot commented Mar 27, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 20aeb0f into main Mar 27, 2023
@mergify mergify bot deleted the otaviom/checkov-poc branch March 27, 2023 20:55
corymhall added a commit that referenced this pull request Mar 28, 2023
homakk pushed a commit to homakk/aws-cdk that referenced this pull request Mar 28, 2023
Labels
contribution/core This is a PR that came from AWS. p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes

6 participants