diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index d3d011bb0..df5328694 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v2
 - name: Build
 run: cargo build --release --verbose
 - name: Run tests
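Review bot: Rolling `actions/checkout` back from v3 to v2 on the `+` line is a dependency downgrade and the hunk gives no reason for it; if the goal is consistency with the `actions/checkout@v2` step that appears as context in the next hunk, the safer direction is to lift that step to v3 rather than lose the fixes shipped since v2, and older v2 releases may also run on a Node.js runtime that GitHub has deprecated on hosted runners. Whichever major is kept, the step references a mutable tag, so a moved tag changes what the job executes; pinning to a full commit SHA with the tag in a trailing comment, `- uses: actions/checkout@<full-commit-sha>  # v3`, keeps the build reproducible. The job this step belongs to starts before the hunk.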
@@ -29,118 +29,3 @@ jobs: - uses: actions/checkout@v2 - name: Shellcheck run: shellcheck install-guard.sh - - test-lambda: - - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - - steps: - - name: Check out code - uses: actions/checkout@v3 - - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-region: ${{ secrets.LAMBDA_CREATION_AWS_REGION }} - role-to-assume: ${{ secrets.LAMBDA_CREATION_ROLE_NAME }} - role-session-name: LambdaTestGitHubAction - - - - name: Generate identifiers - id: generate-identifiers - run: | - LAMBDA_FUNCTION_PREFIX=GhCfnGrd - git_hash=$(git rev-parse --short "$GITHUB_SHA") - - if [[ $GITHUB_REF == *"/heads/"* ]]; then - git_branch_or_pr=${GITHUB_REF#refs/heads/} - else - git_branch_or_pr="PR$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')" - fi - - commit_hash=${git_branch_or_pr}_${git_hash} - - LAMBDA_FUNCTION_NAME=${LAMBDA_FUNCTION_PREFIX}_${commit_hash} - ROLE_NAME="${LAMBDA_FUNCTION_NAME}Role" - - echo "LAMBDA_FUNCTION_NAME=${LAMBDA_FUNCTION_NAME}" >> $GITHUB_OUTPUT - echo "ROLE_NAME=${ROLE_NAME}" >> $GITHUB_OUTPUT - - - - name: Deploy cfn-guard-lambda - env: - AWS_ACCOUNT_ID: ${{ secrets.LAMBDA_CREATION_AWS_ACCOUNT_ID }} - AWS_REGION: ${{ secrets.LAMBDA_CREATION_AWS_REGION }} - LAMBDA_FUNCTION_NAME: ${{ steps.generate-identifiers.outputs.LAMBDA_FUNCTION_NAME }} - ROLE_NAME: ${{ steps.generate-identifiers.outputs.ROLE_NAME }} - run: | - rustup target add x86_64-unknown-linux-musl - cd guard-lambda - cargo build --release --target x86_64-unknown-linux-musl --verbose - cp ./../target/x86_64-unknown-linux-musl/release/cfn-guard-lambda ./bootstrap && zip lambda.zip bootstrap && rm bootstrap - - aws iam create-role \ - --role-name $ROLE_NAME \ - --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}' - - aws iam attach-role-policy --role-name 
$ROLE_NAME \ - --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - - sleep 10 - - aws lambda create-function \ - --function-name $LAMBDA_FUNCTION_NAME \ - --handler guard.handler \ - --zip-file fileb://./lambda.zip \ - --runtime provided \ - --role "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME}" \ - --environment Variables={RUST_BACKTRACE=1} \ - --tracing-config Mode=Active \ - --region $AWS_REGION - - - - name: Invoke Lambda and test output - env: - LAMBDA_FUNCTION_NAME: ${{ steps.generate-identifiers.outputs.LAMBDA_FUNCTION_NAME }} - run: | - aws lambda invoke \ - --function-name $LAMBDA_FUNCTION_NAME \ - --payload '{"data":"{\"Resources\":{\"NewVolume\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":500,\"Encrypted\":true,\"AvailabilityZone\":\"us-west-2b\"}},\"NewVolume2\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":50,\"Encrypted\":true,\"AvailabilityZone\":\"us-west-2c\"}}}}","rules":["let ec2_volumes = Resources.*[ Type == /EC2::Volume/ ]\nrule EC2_ENCRYPTION_BY_DEFAULT when %ec2_volumes !empty {\n %ec2_volumes.Properties.Encrypted == true \n <<\n Violation: All EBS Volumes should be encryped \n Fix: Set Encrypted property to true\n >>\n}"],"verbose":false}' \ - --cli-binary-format raw-in-base64-out \ - output.json - - echo '{"message":[{"data_from":"lambda-payload","rules_from":"lambda-rule","not_compliant":{},"not_applicable":[],"compliant":["EC2_ENCRYPTION_BY_DEFAULT"]}]}' > expected-output.json - - difference=`diff expected-output.json output.json -w | wc -c` - - if [ "$difference" != 0 ] - then - echo "Lambda output does not match the expected one" - echo "--------------------------------" - echo "Actual output:" - cat output.json - echo "--------------------------------" - echo "Expected output:" - cat expected-output.json - echo "--------------------------------" - echo "diff:" - echo "$difference" - exit 1 - fi - - - - name: Clean up resources - if: success() || failure() - env: - 
LAMBDA_FUNCTION_NAME: ${{ steps.generate-identifiers.outputs.LAMBDA_FUNCTION_NAME }}
- ROLE_NAME: ${{ steps.generate-identifiers.outputs.ROLE_NAME }}
- run: |
- aws lambda delete-function --function-name $LAMBDA_FUNCTION_NAME
- aws iam detach-role-policy \
- --role-name $ROLE_NAME \
- --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- aws iam delete-role --role-name $ROLE_NAME
diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml
index bc352d641..667fbaf4d 100644
--- a/.github/workflows/publish_docker.yml
+++ b/.github/workflows/publish_docker.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1
 with:
- aws-region: ${{ secrets.PUBLISHER_AWS_REGION }}
+ aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ secrets.PUBLISHER_ROLE_NAME }}
 role-session-name: PublishToElasticContainerRegistry
diff --git a/Cargo.lock b/Cargo.lock
index 22c82ee25..fd6eeb4b7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -111,7 +111,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 [[package]]
 name = "cfn-guard"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
 "Inflector",
 "clap",
@@ -140,7 +140,7 @@ dependencies = [
 [[package]]
 name = "cfn-guard-ffi"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
 "cfn-guard",
 "ffi-support",
@@ -148,7 +148,7 @@ dependencies = [
 [[package]]
 name = "cfn-guard-lambda"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
 "cfn-guard",
 "lambda_runtime",
diff --git a/README.md b/README.md
index 59aece411..6f78e8934 100644
--- a/README.md
+++ b/README.md
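Review bot: `secrets.AWS_REGION` on the `+` line of the publish_docker.yml hunk must actually be defined for this repository, otherwise the expression expands to an empty string and `aws-region`, a required input of configure-aws-credentials, is passed blank while `role-to-assume` on the next context line still reads the old `PUBLISHER_*` naming, which suggests the two were renamed independently; please confirm the secret exists before merging. A region is not sensitive, and keeping it in a secret causes it to be masked in job logs, which hides a wrong-region mistake when the publish fails; a configuration variable, `aws-region: ${{ vars.AWS_REGION }}`, or a plain literal would be clearer. The job containing this step begins before the hunk.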
@@ -12,7 +12,7 @@ Guard 2.0 release is a complete re-write of the earlier 1.0 version to make the
 2. **Detective Governance and Compliance:** validate conformity of Configuration Management Database (CMDB) resources such as AWS Config-based configuration items (CIs). For example, developers can use Guard policies against AWS Config CIs to continuously monitor state of deployed AWS and non-AWS resources, detect violations from policies, and trigger remediation.
 3. **Deployment Safety:** validate CloudFormation ChangeSets to ensure changes are safe before deployment. For example, renaming an Amazon DynamoDB Table will cause a replacement of the Table. With Guard 2.0, you can prevent such changes in your CI/CD pipelines.
-> **NOTE**: If you are using Guard 1.0, we highly recommend adopting Guard 2.0 because Guard 2.0 is a major release that introduces multiple features to simplify your current policy-as-code experience. Guard 2.1.2 is backward incompatible with your Guard 1.0 rules and can result in breaking changes. To migrate from Guard 1.0 to Guard 2.0, 1) use migrate command to transition your existing 1.0 rules to 2.0 rules and 2) read all new Guard 2.0 features.
+> **NOTE**: If you are using Guard 1.0, we highly recommend adopting Guard 2.0 because Guard 2.0 is a major release that introduces multiple features to simplify your current policy-as-code experience. Guard 2.0 and higher versions are backward incompatible with your Guard 1.0 rules and can result in breaking changes. To migrate from Guard 1.0 to Guard 2.0, 1) use migrate command to transition your existing 1.0 rules to 2.0 rules and 2) read all new Guard 2.0 features.
 >
 > You can find code related to Guard 2.0 on the main branch of the repo and code related to Guard 1.0 on [Guard1.0 branch](https://github.com/aws-cloudformation/cloudformation-guard/tree/Guard1.0) of the repo.
@@ -216,11 +216,11 @@ Check `help` to see if it is working. ```bash $ cfn-guard help -cfn-guard 2.1.2 +cfn-guard 2.1.3 Guard is a general-purpose tool that provides a simple declarative syntax to define - policy-as-code as rules to validate against any structed hierarchical data (like JSON/YAML). - Rules are composed of clauses expressed using Conjuctive Normal Form + policy-as-code as rules to validate against any structured hierarchical data (like JSON/YAML). + Rules are composed of clauses expressed using Conjunctive Normal Form (fancy way of saying it is a logical AND of OR clauses). Guard has deep integration with CloudFormation templates for evaluation but is a general tool that equally works for any JSON- and YAML- data. @@ -241,12 +241,12 @@ SUBCOMMANDS: test Built in unit testing capability to validate a Guard rules file against unit tests specified in YAML format to determine each individual rule's success or failure testing. - validate Evaluates rules against the data files to determine success or failure. - You can point rules flag to a rules directory and point data flag to a data directory. - When pointed to a directory it will read all rules in the directory file and evaluate + validate Evaluates rules against the data files to determine success or failure. + You can point rules flag to a rules directory and point data flag to a data directory. + When pointed to a directory it will read all rules in the directory file and evaluate them against the data files found in the directory. The command can also point to a single file and it would work as well. - Note - When pointing the command to a directory, the directory may not contain a mix of + Note - When pointing the command to a directory, the directory may not contain a mix of rules and data files. The directory being pointed to must contain only data files, or rules files. ``` diff --git a/guard-ffi/Cargo.toml b/guard-ffi/Cargo.toml index f5e59b1d0..9d58ea765 100644 --- a/guard-ffi/Cargo.toml 
+++ b/guard-ffi/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cfn-guard-ffi"
-version = "2.1.2"
+version = "2.1.3"
 edition = "2018"
 authors = ["Diwakar Chakravarthy", "John Tompkins", "Omkar Hegde", "Priya Padmanaban", "aws-cloudformation-developers ", "Tyler Southwick"]
 description = "AWS CloudFormation Guard is an open-source general-purpose policy-as-code evaluation tool. It provides developers with a simple-to-use, yet powerful and expressive domain-specific language (DSL) to define policies and enables developers to validate JSON- or YAML- formatted structured data with those policies."
@@ -14,6 +14,6 @@ keywords = ["policy-as-code", "guard", "cfn-guard", "security", "compliance"]
 crate-type = ["rlib", "dylib"]
 [dependencies]
-cfn-guard = { version = "2.1.2", path = "../guard" }
+cfn-guard = { version = "2.1.3", path = "../guard" }
 ffi-support = "0.4.4"
diff --git a/guard-lambda/Cargo.toml b/guard-lambda/Cargo.toml
index 3a5de97fb..970646ddb 100644
--- a/guard-lambda/Cargo.toml
+++ b/guard-lambda/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cfn-guard-lambda"
-version = "2.1.2"
+version = "2.1.3"
 authors = ["Diwakar Chakravarthy", "John Tompkins", "Omkar Hegde", "Priya Padmanaban", "Bryan Ayala", "Kexiang Wang", "Akshay Rane", "Josh Fried", "aws-cloudformation-developers "]
 description = "Lambda version of cfn-guard. Checks JSON- or YAML- formatted structured data for policy compliance using a simple, policy-as-code, declarative syntax"
@@ -17,4 +17,4 @@ serde_derive = "1.0.92"
 simple_logger = "4.0.0"
 log = "0.4.6"
 tokio = "1.8.4"
-cfn-guard = { version = "2.1.2", path = "../guard" }
\ No newline at end of file
+cfn-guard = { version = "2.1.3", path = "../guard" }
\ No newline at end of file
diff --git a/guard/Cargo.toml b/guard/Cargo.toml
index 2ffdcae97..99bb1fa1d 100644
--- a/guard/Cargo.toml
+++ b/guard/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cfn-guard"
-version = "2.1.2"
+version = "2.1.3"
 edition = "2018"
 authors = ["Diwakar Chakravarthy", "John Tompkins", "Omkar Hegde", "Priya Padmanaban", "Bryan Ayala", "Kexiang Wang", "Akshay Rane", "Tyler Southwick", "Josh Fried", "aws-cloudformation-developers "]