Description
(Going to be updating this issue as I come up with a bit of a design)
Part of the original contents of the PR #257 included functionality to define regex patterns for naming conventions. This was born out of an approach that I am using at work for this type of compliance check in the templates we produce. Although what we do has the downside that we have a common test file copied (and getting out of sync) between repositories.
@shadycuz suggested in this comment that a more flexible approach could be taken to include more compliance functionality by providing a hook system that could be imported like a plugin. This would allow for checking other resource type specific things consistently like ensuring S3 buckets always had encryption etc.
This branches into the kind of functionality that I have used CloudFormation Guard for in projects, but with the ability to use the python language instead of the custom DSL for guard (and that cloud-radar has better parameter support than cfn-guard at this point in time).
Requirements wise we need:
- the ability to set multiple hooks per resource type
- the ability to set hooks that apply to all resources
These types of hooks should be able to be run against a template pre-render:
- properties
- mappings
These should be able to be run post-render:
- resources
- outputs
Use cases:
- thing for checking resources start with r, outputs o etc (there is a link somewhere to a best practice guide that mentions this)
- all templates must contain these x parameters (e.g. lifecycle, environment)
- testing names meet a pattern
- testing that resources that support tags have given tags
For checking a resource, need:
- resource name
- resource data
Need some way via metadata to mark a rule as excluded
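As an added illustration of the hook design sketched above (example code, not cloud-radar's own), here is a minimal post-render registry with one hook that applies to all resources, one scoped to a resource type, and a rule exclusion read from resource `Metadata`. The registry, the hook function names and the `Cloud-Radar` metadata key are assumptions made for the example.

```python
# Added example sketching the hook design from the issue; not cloud-radar's own code.
# Assumed: a rendered template is a plain dict; the Metadata key used for exclusions is made up.
import re
from collections import defaultdict

HOOKS = defaultdict(list)    # resource type -> [hook]; "*" holds hooks that apply to all resources
EXCLUDE_KEY = "Cloud-Radar"  # assumed Metadata key whose "exclude" list names rules to skip


def hook(resource_type="*"):
    """Register a post-render resource hook. A hook returns an error string, or None if compliant."""
    def wrap(fn):
        HOOKS[resource_type].append(fn)
        return fn
    return wrap


@hook()  # applies to every resource
def names_start_with_r(name, resource):
    if not re.match(r"^r[A-Z]", name):
        return f"{name}: resource logical IDs should start with 'r'"


@hook("AWS::S3::Bucket")
def bucket_is_encrypted(name, resource):
    if "BucketEncryption" not in resource.get("Properties", {}):
        return f"{name}: S3 buckets must set BucketEncryption"


def check_resources(template):
    """Run the matching hooks over each rendered resource, honouring per-resource exclusions."""
    errors = []
    for name, resource in template.get("Resources", {}).items():
        excluded = set(resource.get("Metadata", {}).get(EXCLUDE_KEY, {}).get("exclude", []))
        for fn in HOOKS.get("*", []) + HOOKS.get(resource.get("Type"), []):
            if fn.__name__ in excluded:
                continue  # rule explicitly excluded for this resource via Metadata
            err = fn(name, resource)
            if err:
                errors.append(err)
    return errors


# Constructed sample template: a compliant bucket, an unencrypted bucket with the rule excluded,
# and a queue whose logical ID breaks the naming convention.
SAMPLE = {"Resources": {
    "rLogs": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {}}},
    "rLegacy": {"Type": "AWS::S3::Bucket", "Properties": {},
                "Metadata": {EXCLUDE_KEY: {"exclude": ["bucket_is_encrypted"]}}},
    "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
}}

if __name__ == "__main__":
    print("\n".join(check_resources(SAMPLE)) or "no findings")
```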