/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
import { CfnResource, Stack } from 'aws-cdk-lib';
/**
 * The compliance level of a resource in relation to a rule.
 *
 * Each member carries a fixed string value; NOTE(review): those strings are
 * presumably surfaced to users (annotations/reports) elsewhere in the package,
 * so treat renaming a value as a breaking change — confirm before touching.
 */
export enum NagRuleCompliance {
  /** The resource satisfies the rule. */
  COMPLIANT = 'Compliant',
  /** The resource violates the rule. */
  NON_COMPLIANT = 'Non-Compliant',
  /** The rule does not apply to this resource. */
  NOT_APPLICABLE = 'N/A',
}
/** A single finding reported by a rule (a plain string; presumably a message or sub-identifier). */
export type NagRuleFinding = string;
/** Every finding a rule reported for one resource. */
export type NagRuleFindings = NagRuleFinding[];
/**
 * The result of a rule check. Can either be `NagRuleCompliance`
 * or an array of individual findings.
 *
 * NOTE(review): how an empty findings array is interpreted (compliant vs.
 * non-compliant) is decided by the consumer of this type, not here — verify
 * against the rule-evaluation code before relying on either reading.
 */
export type NagRuleResult = NagRuleCompliance | NagRuleFindings;
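/**
 * Helper class with methods for rule creation.
 *
 * Both helpers resolve CDK tokens in the scope of the stack that owns `node`,
 * so that a rule compares against the value CloudFormation will actually see
 * rather than against an unresolved token object.
 */
export class NagRules {
  /**
   * Use in cases where a primitive value must be known to pass a rule.
   * https://developer.mozilla.org/en-US/docs/Glossary/Primitive
   *
   * This is the fail-closed path for rules: when the value cannot be reduced
   * to a primitive (it is still an intrinsic such as `Ref`/`Fn::GetAtt`, an
   * object, an array or a function) the helper throws instead of letting the
   * rule silently compare an object and pass or fail by accident.
   * `undefined` and `null` are primitives and are returned as-is, so an unset
   * property reaches the caller, which decides what an absent value means.
   *
   * @param node The CfnResource to check.
   * @param parameter The value to attempt to resolve.
   * @returns The resolved value if it is a primitive data type.
   * @throws Error if the value resolves to a non-primitive, with the resolved
   *   value serialised into the message to aid debugging.
   */
  static resolveIfPrimitive(node: CfnResource, parameter: any): any {
    const resolvedValue = Stack.of(node).resolve(parameter);
    // `Object(v) === v` holds exactly for objects (incl. arrays) and functions;
    // every primitive is boxed into a fresh wrapper and so fails the identity test.
    if (resolvedValue === Object(resolvedValue)) {
      throw new Error(
        `The parameter resolved to a non-primitive value "${JSON.stringify(
          resolvedValue
        )}", therefore the rule could not be validated.`
      );
    }
    return resolvedValue;
  }

  /**
   * Use in cases where a token resolves to an intrinsic function and the
   * referenced resource must be known to pass a rule.
   *
   * Only two intrinsic shapes are recognised: `{ Ref: <id> }` and
   * `{ 'Fn::GetAtt': [<id>, ...] }` (array form). Anything else — a plain
   * primitive, another intrinsic such as `Fn::Sub`/`Fn::ImportValue`, or a
   * nested object — is handed back exactly as resolved, so callers that expect
   * a logical ID must still be prepared to receive a non-string.
   * NOTE(review): a `Ref` target may also be a CloudFormation Parameter or a
   * pseudo parameter rather than a resource in this stack; rules that look the
   * returned ID up among stack resources should handle a miss explicitly.
   *
   * @param node The CfnResource to check.
   * @param parameter The value to attempt to resolve.
   * @returns The logical resource ID if the value resolves to a recognised
   *   intrinsic function, otherwise the resolved value itself.
   */
  static resolveResourceFromInstrinsic(node: CfnResource, parameter: any): any {
    const resolvedValue = Stack.of(node).resolve(parameter);
    // `Ref` wins over `Fn::GetAtt`; `!= null` also rejects an explicit null target.
    const ref = resolvedValue?.Ref;
    if (ref != null) {
      return ref;
    }
    // `Fn::GetAtt` resolves to `[logicalId, attributeName]`; the first element
    // is the referenced resource.
    const getAtt = resolvedValue?.['Fn::GetAtt'];
    if (Array.isArray(getAtt) && getAtt.length > 0) {
      return getAtt[0];
    }
    return resolvedValue;
  }
}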