Schema Guard Rail
Project description
CloudFormation - Resource Schema Guard Rail
Notes
This is not a stable version (Beta); it is still under development.
Overview
AWS CloudFormation Resource Schema Guard Rail is an open-source tool that uses the CloudFormation Guard policy-as-code evaluation engine to assess resource schema compliance. It validates JSON resource schemas against the AWS CloudFormation modeling best practices.
Contribute
See CONTRIBUTING for more information.
Rule Development
Read Guard Rail: Rule Development for more information on how to write resource schema rules.
How to use it?
The Schema Guard Rail package has a built-in library of rules that CloudFormation considers best practices for resource modelers to follow. It supports two types of evaluation: Basic Linting and Breaking Change.
Basic Linter (Stateless)
The linter works only with the current version of a resource schema and runs CloudFormation-authored rules that highlight problematic schema constructs. A provider developer can run multiple independent schemas at once and attach custom rule sets.
To start using Basic Linting, run the following command:
$ guard-rail --schema file://path-to-schema-1 --schema file://path-to-schema-2 --rule file://path-to-custom-ruleset1 --rule file://path-to-custom-ruleset2
Read-Only Resource Checks
For read-only resources, you can use the --is-read-only flag to run only the essential checks:
$ guard-rail --schema file://path-to-schema --is-read-only
When --is-read-only is specified, only the following checks are performed:
- ARN001: arn related property MUST have pattern specified
- ARN002: arn related property MUST have pattern specified
- COM001: ensure_properties_do_not_support_multitype
- PID001: primaryIdentifier MUST exist
- PID002: primaryIdentifier MUST contain values
- PR005: primaryIdentifier MUST have properties defined in the schema
- PR007: readOnlyProperties MUST have properties defined in the schema
- PER003: Resource MUST implement read handler
- PER004: Resource MUST NOT specify wildcard permissions for read handler
- PER010: Resource MUST implement list handler
- PER011: Resource MUST NOT specify wildcard permissions for list handler
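To make the read-only rule set concrete, here is an added Python illustration (my own sketch, not the guard-rail project's rule engine or its Guard rules) that applies my reading of each one-line rule description to a CloudFormation resource schema loaded as a dict. ARN001 and ARN002 share one description above, so a single ARN check stands in for both; the `Example::Service::Widget` sample schema and its defects are constructed.

```python
# Added illustration of the read-only checks; each check is one reading of the rule text.

def _name(pointer):
    # Resource schemas reference properties as JSON pointers such as "/properties/Id"
    return pointer.split("/")[-1]


def _handler_issues(schema, handler, missing_id, wildcard_id):
    spec = schema.get("handlers", {}).get(handler)
    if spec is None:
        return [missing_id]                       # PER003 / PER010: handler must exist
    if any(p.endswith("*") for p in spec.get("permissions", [])):
        return [wildcard_id]                      # PER004 / PER011: no wildcard IAM actions
    return []


def read_only_checks(schema):
    """Return IDs of the read-only rules a resource schema dict violates, in check order."""
    issues, props = [], schema.get("properties", {})
    for name, spec in props.items():
        if "arn" in name.lower() and "pattern" not in spec:
            issues.append("ARN001")               # ARN-like property needs a pattern
        if isinstance(spec.get("type"), list):
            issues.append("COM001")               # property must not allow multiple types
    pid = schema.get("primaryIdentifier")
    if pid is None:
        issues.append("PID001")
    elif not pid:
        issues.append("PID002")
    elif any(_name(p) not in props for p in pid):
        issues.append("PR005")                    # identifier must be a defined property
    if any(_name(p) not in props for p in schema.get("readOnlyProperties", [])):
        issues.append("PR007")                    # read-only entries must be defined too
    issues += _handler_issues(schema, "read", "PER003", "PER004")
    issues += _handler_issues(schema, "list", "PER010", "PER011")
    return issues


# Constructed sample schema (not a real AWS type) with deliberate defects.
SAMPLE_SCHEMA = {
    "typeName": "Example::Service::Widget",
    "properties": {
        "Id": {"type": "string"},
        "WidgetArn": {"type": "string"},              # ARN001: no pattern
        "Tags": {"type": ["array", "object"]},        # COM001: multi-type
    },
    "primaryIdentifier": ["/properties/Id"],
    "readOnlyProperties": ["/properties/CreatedAt"],  # PR007: property not defined
    "handlers": {"read": {"permissions": ["example:Describe*"]}},  # PER004; no list handler -> PER010
}
```

Running `read_only_checks(SAMPLE_SCHEMA)` returns the five violated rule IDs; a schema with an empty `primaryIdentifier` list trips PID002 rather than PID001.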
Breaking Change (Stateful)
Along with basic linting, Guard Rail supports breaking-change evaluation. The provider developer must provide two JSON objects, the previous and current versions of the same resource schema. CloudFormation-authored rules are run against both versions to evaluate whether the current version of the schema is compliant.
To start using Breaking Change evaluation, run the following command:
$ guard-rail --schema file://path-to-schema-1 --schema file://path-to-schema-2 --rule ... --stateful
Additionally, you can specify the format argument, which produces a nicely formatted output.
IDE Experience
Guard Rail provides IDE extensions for real-time validation of CloudFormation resource schema files directly in your development environment. Get instant feedback with inline diagnostics, error highlighting, and validation status as you write your schemas.
Supported IDEs
IntelliJ IDEA Plugin
Real-time validation for IntelliJ IDEA with automatic validation on file open, edit, and save. Features include inline diagnostics, status bar widget, and integration with IntelliJ's Problems tool window.
View IntelliJ Extension Documentation →
VS Code Extension
Real-time validation for Visual Studio Code with smart debouncing and inline diagnostics. Features include automatic validation, status bar integration, and manual validation commands.
View VS Code Extension Documentation →
Both extensions require the Guard Rail CLI tool to be installed (pip install resource-schema-guard-rail).
How to install it locally?
Use the following commands:
Clone github repo
$ git clone git@github.com:aws-cloudformation/resource-schema-guard-rail.git
Create Virtual Environment & Activate
python3 -m venv env
source env/bin/activate
Install Package Locally from the root
pip install -e . -r requirements.txt
pre-commit install
Run CI Locally
# run all hooks on all files, mirrors what the CI runs
pre-commit run --all-files
License
This project is licensed under the Apache-2.0 License.
Community
Join us on Discord! Connect & interact with CloudFormation developers & experts, find channels to discuss and get help for our CLI, cfn-lint, CloudFormation registry, StackSets, Guard and more:
File details
Details for the file resource_schema_guard_rail-0.0.22.tar.gz.
File metadata
- Download URL: resource_schema_guard_rail-0.0.22.tar.gz
- Upload date:
- Size: 24.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9cabf10fe9a5dc7d8ccb151f78ef62a72e72ddf4a4b38f976de130eaac22368d |
| MD5 | 9b7f3a57a35469288baef213fc7ae85c |
| BLAKE2b-256 | 09459bec52147401045d4993e5d96dd40599dfb1de7bb0f23f23b46ce24a5735 |
File details
Details for the file resource_schema_guard_rail-0.0.22-py3-none-any.whl.
File metadata
- Download URL: resource_schema_guard_rail-0.0.22-py3-none-any.whl
- Upload date:
- Size: 31.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4b53916fb12b7a0060e11f7db8cc37546d84315888200fccd85c9aebdde1cd70 |
| MD5 | 9175ca1e1f4b7a263e770638256d67d4 |
| BLAKE2b-256 | 00f248cd66424d0798ca450d3d109361897d19fc3e19fd0e3ec8eebdf5ea8358 |