[Enhancement] Introduce Parameter Inputs for checking the CF scripts

[konkerama]

Is your feature request related to a problem? Please describe.
In its current form, cfn-guard checks the Cloudformation script without any input.

Example, Lets say I have a Cloudformation script similar to the following (simplified version)

Parameters:
  RDSEncryption:
    Type: String

Resources:
  RDSPostgressDB:
    Type: AWS::RDS::DBInstance
    Properties: 
      StorageEncrypted: !Ref RDSEncryption

I want to create an RDS Database and I have a CF parameter input for encryption (true/false). Currently there is no way in cfn-guard to verify that the RDS will be created using encryption. I can only verify that the StorageEncrypted will have the value "RDSEncryption" (please correct me if I'm wrong)

Describe the solution you'd like
I would prefer an option to provide a json document with the CF parameter inputs and be able to check the Cloudformation script after all those values have been implemented.
The example I gave above would look like:

rules:

AWS::RDS::DBInstance StorageEncrypted == true

input.json:

[
  {
    "ParameterKey": "RDSEncryption",
    "ParameterValue": "true"
  }
]

cfn-guard:

cargo run -- -t rds.yaml -r rules -i input.json

cfn-guard will change the RDSEncryption Rerefence with the input true and will be able to check against that

[nathanataws]

This is a very reasonable use-case. We're kicking this kind of thing around already. Let's use this issue to track the work.

[rajddas]

Guys is there any ETA on this feature release?

[nathanataws]

No ETA yet but still a high priority.

[PatMyron]

raises larger questions of CloudFormation template syntax: dynamic references, intrinsic functions, psuedoparameters, parameters, mappings, conditions, transforms, etc.: #480

[konkerama]

@PatMyron indeed supporting all these "dynamic" features of Cloudformation will be necessary for a tool like this. From my point of view, the Input Parameter support has the highest priority of those features and its the bare minimum functionality we require to include it as a compliance mechanism in our CICD Pipelines

[rajddas]

Also it would be great if we allow the parameter json files needed for CodePipeline Cloudformation Action. Like this :

{
    "Parameters" : {
        "Owner": "ABC",
        "CostCenter": "1234567890"
    }
}

[rajddas]

Any update on this feature request?

[n1t1nv3rma]

Any update on this? Basically we would like CFN-guard to resolve the "Ref" from "Parameters" and allow us to validate the input value. W/o this feature, I don't see major uptake on this. Thanks

[shreyasmm]

we use taskcat in CI/CD Pipelines for testing Cloudformation templates, we have written a lot of taskcat files for templates with different test cases like eg enable/disable encryption, encryption with kms/user manged keys.
it would be good if we reuse/provide those taskcat files as input to cfn-guard, thanks
https://github.com/aws-quickstart/taskcat

[el-veee]

I also see this feature as essential, both for testing new templates and running validation checks on pre-existing templates.

Parameters are essential in all but the simplest of cloudformation templates, and therefore cloudformation-guard MUST support it to be usable on a large scale.

Perhaps CLI args can be passed in for each parameter, and cfn guard creates a new template with the previously-parameterized values now hardcoded into the template. CFN guard then runs checks on that template?

Where parameters support have default values, CFN guard will default to those values unless overridden? This would reduce the need to specify many parameter values for each test

[sriram9707]

is there any update on this please. Eagerly waiting for utilizing it.