DRAFT: Add support for CfnGuard rules

.gitignore

@@ -126,5 +126,6 @@ CLOUD_TRAIL_ENCRYPTION_ENABLED/
 API_GW_NOT_EDGE_OPTIMISED/
 
 manageTest/
+myguardrule/
 
 football/

README.md

@@ -118,7 +118,7 @@ rdk init --generate-lambda-layer --custom-layer-name <LAYER_NAME>
 ## Create Rules
 
 In your working directory, use the `create` command to start creating a
-new custom rule. You must specify the runtime for the lambda function
+new custom rule. You must specify the runtime for the lambda function (or CfnGuard rule)
 that will back the Rule, and you can also specify a resource type (or
 comma-separated list of types) that the Rule will evaluate or a maximum
 frequency for a periodic rule. This will add a new directory for the
@@ -144,6 +144,10 @@ maximum-frequency, but not both. We have found that rules that try to be
 both event-triggered as well as periodic wind up being very complicated
 and so we do not recommend it as a best practice.
 
+As of RDK v0.18.0, you can also specify a runtime of `guard-2.x.x` to generate the files for deploying a CfnGuard Custom Policy Config rule.
+
+CfnGuard rules are only event-triggered; they **cannot** be run periodically.
+
 ### Edit Rules Locally
 
 Once you have created the rule, edit the python file in your rule

pyproject.toml

@@ -7,7 +7,8 @@
 #    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 [tool.poetry]
 name = "rdk"
-version = "0.17.14"
+version = "0.18.0"
+
 description = "Rule Development Kit CLI for AWS Config"
 authors = [
     "AWS RDK Maintainers <[email protected]>",

rdk/__init__.py

@@ -6,4 +6,5 @@
 #
 #    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 
-MY_VERSION = "0.17.14"
+MY_VERSION = "0.18.0"
+

rdk/template/configCfnGuardRule.yaml

@@ -0,0 +1,73 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: AWS CloudFormation template to create custom AWS Config Custom Policy rules (CfnGuard Rules).
+Parameters:
+  RuleName:
+    Description: Name of the Rule
+    Type: String
+    MinLength: "1"
+    MaxLength: "128"
+  Description:
+    Description: Description of the Rule
+    Type: String
+    MinLength: "1"
+    MaxLength: "255"
+  PolicyText:
+    Description: The policy definition, written as a CfnGuard rule
+    Type: String
+    MinLength: "1"
+  SourceEvents:
+    Description: Event Type
+    Type: CommaDelimitedList
+  DebugLogging:
+    Description: Whether to enable Debug Logging
+    Type: String
+    Default: "false"
+    AllowedValues:
+      - "true"
+      - "false"
+  EvaluationMode:
+    Description: The evaluation mode to use, either DETECTIVE, PROACTIVE, or BOTH.
+    Type: String
+    Default: DETECTIVE
+    AllowedValues:
+      - DETECTIVE
+      - PROACTIVE
+      - BOTH
+Conditions:
+  UseBothEvaluationModes:
+    Fn::Equals:
+      - Ref: EvaluationMode
+      - "BOTH"
+Resources:
+  rdkConfigRule:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName:
+        Ref: RuleName
+      Description:
+        Ref: Description
+      Scope:
+        ComplianceResourceTypes:
+          Ref: SourceEvents # TODO - Confirm this expands to a list
+      EvaluationModes:
+        Fn::If:
+          - UseBothEvaluationModes
+          - 
+            - Mode: DETECTIVE
+            - Mode: PROACTIVE
+          - 
+            - Mode:
+                Ref: EvaluationMode
+      Source:
+        Owner: CUSTOM_POLICY
+        CustomPolicyDetails:
+          EnableDebugLogDelivery:
+            Ref: DebugLogging
+          PolicyRuntime: "guard-2.x.x"
+          PolicyText:
+            Ref: PolicyText
+        SourceDetails:
+        - EventSource: aws.config
+          MessageType: ConfigurationItemChangeNotification
+        - EventSource: aws.config
+          MessageType: OversizedConfigurationItemChangeNotification

rdk/template/configCfnGuardRuleOrganization.yaml

@@ -0,0 +1,56 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: AWS CloudFormation template to create custom AWS Config Custom Policy rules (CfnGuard Rules).
+Parameters:
+  RuleName:
+    Description: Name of the Rule
+    Type: String
+    MinLength: "1"
+    MaxLength: "128"
+  Description:
+    Description: Description of the Rule
+    Type: String
+    MinLength: "1"
+    MaxLength: "255"
+  PolicyText:
+    Description: The policy definition, written as a CfnGuard rule
+    Type: String
+    MinLength: "1"
+  SourceEvents:
+    Description: Event Type
+    Type: CommaDelimitedList
+  ExcludedAccounts:
+    Description: A comma-separated list of account IDs to exclude from the rule
+    Type: CommaDelimitedList
+    Default: ""
+Conditions:
+  ExcludedAccountsPresent:
+    Fn::Not:
+      - Fn::Equals:
+          - Fn::Join:
+              - ","
+              - Ref: ExcludedAccounts
+          - ""
+Resources:
+  rdkConfigRule:
+    Type: AWS::Config::OrganizationConfigRule
+    Properties:
+      OrganizationConfigRuleName:
+        Ref: RuleName
+      ExcludedAccounts:
+        Fn::If:
+          - ExcludedAccountsPresent
+          - Ref: ExcludedAccounts
+          - Ref: AWS::NoValue
+      OrganizationCustomPolicyRuleMetadata:
+        Description:
+          Ref: Description
+        PolicyText:
+          Ref: PolicyText
+        ResourceTypesScope:
+          Ref: SourceEvents # TODO - Confirm this expands to a list
+        OrganizationConfigRuleTriggerTypes:
+        - ConfigurationItemChangeNotification 
+        - OversizedConfigurationItemChangeNotification 
+        Runtime: "guard-2.x.x"
+        # DebugLogDeliveryAccounts:
+          # - TODO

rdk/template/runtime/guard-2.x.x/rule_code.guard

@@ -0,0 +1,16 @@
+# # This is an example rule -- for full documentation, see https://docs.aws.amazon.com/cfn-guard/latest/ug/query-and-filtering.html
+
+# # Set resources variable
+#  let resources = Resources.*[ Type == 'AWS::S3::Bucket' ]
+
+# # Check S3 Bucket has required tags
+# rule check_tags when %resources !empty {
+#     %resources.Properties.Tags exists
+#     #For each resource in resources
+#     %resources {
+#         #Check a tag has a key of "billingcode"
+#         some Properties.Tags[*].key == "billingcode" 
+#         #Check a tag has a key of "env" and value of "dev"
+#         some Properties.Tags[*] { Key == "env" Value == "dev"}
+#     }
+# }