Ruleset migration from aws-quickstart

Author: davmayd

.coveragerc

@@ -0,0 +1,4 @@
+[run]
+branch = True
+include =
+  *cfn_mp_ql_rules*

.gitignore

@@ -0,0 +1,9 @@
+__pycache__/
+/venv/
+.DS_Store
+*.pyc
+.idea
+*.egg-info/
+.coverage
+.python-version
+.vscode

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "assets/git-secrets"]
+	path = assets/git-secrets
+	url = https://github.com/awslabs/git-secrets.git

.pre-commit-config.yaml

@@ -0,0 +1,100 @@
+exclude: ^(.travis.yml|.pre-commit-config.yaml)$
+fail_fast: true
+repos:
+#- repo: https://github.com/pre-commit/mirrors-isort
+#  rev: v4.3.21
+#  hooks:
+#  - id: isort
+#    # language_version: python3.6
+- repo: https://github.com/psf/black
+  rev: 22.1.0
+  hooks:
+  - id: black
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.1.0
+  hooks:
+  - id: check-case-conflict
+  - id: end-of-file-fixer
+  - id: mixed-line-ending
+    args:
+    - --fix=lf
+  - id: trailing-whitespace
+  - id: check-json
+  - id: pretty-format-json
+    args:
+    - --autofix
+    - --indent
+    - '2'
+    - --no-sort-keys
+- repo: https://github.com/PyCQA/flake8
+  rev: 4.0.1
+  hooks:
+  - id: flake8
+    additional_dependencies:
+    - flake8-bugbear>=19.3.0
+    - flake8-builtins>=1.4.1
+    - flake8-commas>=2.0.0
+    - flake8-comprehensions>=2.1.0
+    - flake8-debugger>=3.1.0
+    - flake8-pep3101>=1.2.1
+    - flake8-print>=3.1.0
+    # language_version: python3.6
+#  - id: pretty-format-json
+#    args:
+#    - --autofix
+#    - --indent=4
+#    - --no-sort-keys
+#  - id: check-merge-conflict
+#- repo: https://github.com/pre-commit/pygrep-hooks
+#  rev: v1.4.4
+#  hooks:
+#  - id: python-check-blanket-noqa
+#  - id: python-check-mock-methods
+#  - id: python-no-log-warn
+- repo: https://github.com/PyCQA/bandit
+  rev: 1.7.2
+  hooks:
+  - id: bandit
+    files: "^taskcat/"
+    args: ["--skip", "B322"]
+#- repo: https://github.com/pre-commit/mirrors-mypy
+#  rev: v0.761
+#  hooks:
+#  - id: mypy
+#    files: "^taskcat/"
+- repo: local
+  hooks:
+#  - id: update-schema
+#    name: update-schema
+#    description: generate schema from dataclasses
+#    entry: python generate_schema.py
+#    language: system
+#    pass_filenames: false
+#    always_run: true
+#  - id: git-secrets-register-aws
+#    name: git-secrets-register-aws
+#    description: Register AWS patterns with git-secrets
+#    entry: git-secrets --register-aws
+#    language: system
+#    always_run: true
+#    pass_filenames: false
+#  - id: git-secrets
+#    name: git-secrets
+#    description: Run git-secrets
+#    entry: git-secrets --scan
+#    language: system
+#    always_run: true
+#  - id: pylint-local
+#    name: pylint-local
+#    description: Run pylint in the local virtualenv
+#    entry: pylint "setup.py" "taskcat/" "bin/"
+#    language: system
+#    pass_filenames: false
+#    always_run: true
+  - id: pytest-local
+    name: pytest-local
+    description: Run pytest in the local virtualenv
+    entry: pytest "./test/"
+    language: system
+    pass_filenames: false
+    always_run: true

.pre-commit-hooks.yaml

@@ -0,0 +1,22 @@
+-   id: qs-cfn-lint
+    name: AWS Quick Start Linter
+    entry: cfn-lint
+    language: python
+    files: \.(json|yaml|yml)$
+-   id: qs-cfn-lint-wrapped
+    name: AWS Quick Start Linter
+    entry: wrapped-cfn-lint
+    language: python
+    files: \.(json|yaml|yml)$
+-   id: files-are-cfn
+    name: Validates files are CFN
+    entry: files-are-cfn
+    language: python
+    types_or: [json, yaml]
+-   id: files-are-not-cfn
+    name: Validates files are not CFN
+    entry: files-are-cfn
+    language: python
+    types_or: [json, yaml]
+    args:
+      - '-i'

CODEOWNERS

@@ -0,0 +1 @@
+* @aws-ia/aws-ia

README.md

@@ -1,2 +1,113 @@
-# cfn-mp-ql-rules
-Custom cfn-lint ruleset
+# AWS Quick Start cfn-lint rules
+
+This repo provides CloudFormation linting rules specific to [AWS Quick Start](https://aws.amazon.com/quickstart/)
+guidelines, for more information see the [Contributors Guide](https://aws-ia.github.io).
+
+## Installation and Usage
+
+```bash
+cd ~/
+git clone https://github.com/aws-ia/cfn-mp-ql-rules.git
+cd cfn-mp-ql-rules
+pip install -e .
+```
+
+To add the rules when running on the command line use the `-a` flag to add the additional rules:
+
+```bash
+cfn-lint my-cfn-template.yaml -a ~/cfn-mp-ql-rules/cfn_mp_ql_rules/
+```
+
+To use in your IDE install the relevant
+[cfn-lint plugin](https://github.com/aws-cloudformation/cfn-python-lint#editor-plugins) and add the rules to your
+cfn-lint config file (`~/.cfnlintrc`) as follows:
+
+```yaml
+append_rules:
+- ~/cfn-mp-ql-rules/cfn_mp_ql_rules/
+```
+
+## Vim Specfic Instructions (using vundle and syntastic)
+
+![image](https://user-images.githubusercontent.com/5912128/55508631-22366880-560f-11e9-867f-baa516712f63.png)
+
+### Install the plugins
+
+**Add to `syntastic` and `vim-cfn` your `~/.vimrc`:**
+
+__Add to vundle plugin section:__
+
+```vim
+"---------------------------=== CloudFormation  ===------------------------------
+Plugin 'scrooloose/syntastic'        " Syntax checking plugin for Vim
+Plugin 'speshak/vim-cfn'             "CloudFormation syntax checking/highlighting
+```
+
+#### Install plugins
+
+```bash
+vim +PluginInstall +qall
+```
+
+### Set statusline and triggers
+
+**Append to the bottom of your `~/.vimrc`**
+
+```vim
+"cfn-lint
+set statusline+=%#warningmsg#
+set statusline+=%{SyntasticStatuslineFlag()}
+set statusline+=%*
+
+let g:syntastic_always_populate_loc_list = 1
+let g:syntastic_auto_loc_list = 1
+let g:syntastic_check_on_open = 1
+let g:syntastic_check_on_wq = 0
+let g:syntastic_cloudformation_checkers = ['cfn_lint']
+```
+
+### Set FileTypes for vim-cfn
+
+**Add to `~/.vim/bundle/vim-cfn/ftdetect/cloudformation.vim`**
+
+```vim
+autocmd BufNewFile,BufRead *.template setfiletype yaml.cloudformation
+autocmd BufNewFile,BufRead *.template.yaml setfiletype yaml.cloudformation
+```
+
+### Update syntastic plugin
+
+Add the following to ~/.vim/after/plugin/syntastic.vim:
+
+```vim
+let g:syntastic_cloudformation_checkers = ['cfn_lint']
+```
+
+## Troubleshooting
+
+### Custom dictionary
+
+If you receive spelling error warnings [9006] for words that are spelled correctly, such as the example below, AWS service names, or words that should be excluded from all future linting, please add these words to `./cfn-mp-ql-rules/data/custom_dict.txt`.
+
+```text
+line 93 [9006] Parameter QSS3BucketName contains spelling error(s):
+{'customizing'}
+```
+
+For spelling exclusions for a specific CloudFormation template, such as partner brand names, please add these words to a `LintSpellExclude` list to the `Metadata` section.
+
+```yaml
+Metadata:
+  LintSpellExclude:
+    - PartnerName
+```
+
+### Sentence case
+
+If you receive sentence case warnings [9006] for words that should be capitalized, such as partner product names, please add a `SentenceCaseExclude` list to the `Metadata` section.
+
+```yaml
+Metadata:
+  SentenceCaseExclude:
+    - Pro
+```

archive/IAMManagedPolicyOnlyGroup.bak

@@ -0,0 +1,30 @@
+# """
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+# """
+# from cfnlint.rules import CloudFormationLintRule
+# from cfnlint.rules import RuleMatch
+
+
+# class IAMManagedPolicyOnlyGroup(CloudFormationLintRule):
+#     id = 'EIAMManagedPolicyOnlyGroup' # New Rule ID
+#     shortdesc = 'No direct user on IAM Managed policy' # A short description about the rule
+#     description = 'IAM managed policy should not apply directly to users. Should be on group' # (Longer) description about the rule
+#     source_url = 'https://github.com/aws-ia/cfn-mp-ql-rules/tree/main' # A url to the source of the rule, e.g. documentation, AWS Blog posts etc
+#     tags = ["iam"] 
+
+#     def match(self, cfn):
+        
+#         """Check if user is mentioned in IAM policy"""
+
+#         resources = cfn.get_resources(['AWS::IAM::ManagedPolicy'])
+#         matches = []
+#         for resource_name, resource in resources.items():
+#             path = ['Resources', resource_name, 'Properties']
+#             properties = resource.get('Properties')
+#             if properties:
+#                 if (len(properties.get('Users')) >= 1):
+#                     path = ['Resources', resource_name, 'Properties', 'Users']
+#                     message = 'Do not assign Managed IAM policies directly to Users'
+#                     matches.append(RuleMatch(path, message.format(resource_name)))
+#         return matches

archive/IAMPolicyResourceWildcardPassRole.bak

@@ -0,0 +1,41 @@
+# """
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+# """
+# from cfnlint.rules import CloudFormationLintRule
+# from cfnlint.rules import RuleMatch
+
+
+# class IAMPolicyResourceWildcardPassRole(CloudFormationLintRule):
+#     id = 'EIAMPolicyResourceWildardPassRole' # New Rule ID
+#     shortdesc = 'No * resource with PassRole Action on IAM Policy' # A short description about the rule
+#     description = 'IAM Policy should not allow * resource with PassRole action on its permissions policy' # (Longer) description about the rule
+#     source_url = 'https://github.com/aws-ia/cfn-mp-ql-rules/tree/main' # A url to the source of the rule, e.g. documentation, AWS Blog posts etc
+#     tags = ["iam"] 
+
+#     def match(self, cfn):
+        
+#         """Check if IAM policy contains * Resource and PassRole Action"""
+
+#         resources = cfn.get_resources(['AWS::IAM::Policy'])
+#         matches = []
+#         for resource_name, resource in resources.items():
+#             path = ['Resources', resource_name, 'Properties']
+#             properties = resource.get('Properties', {})
+#             if properties:
+#                 actions = properties.get('PolicyDocument', {}).get('Statement',[])[0].get('Action', [])
+#                 resources_wild = properties.get('PolicyDocument', {}).get('Statement', [])[0].get('Resource', [])
+#                 is_wildcard = false
+#                 if '*' in resources_wild:
+#                     is_wildcard = true
+#                 if ((actions == 'iam:PassRole') and is_wildcard):
+#                     path = ['Resources', resource_name, 'Properties', 'PolicyDocument', 'Statement', 'Action']
+#                     message = 'Do not use a resource wildcard (*) with the PassRole Action'
+#                     matches.append(RuleMatch(path, message.format(resource_name)))
+#                 else:
+#                     for action in actions:
+#                         if ((action == 'iam:PassRole') and is_wildcard):
+#                             path = ['Resources', resource_name, 'Properties', 'PolicyDocument', 'Statement', 'Action']
+#                             message = 'Do not use a resource wildcard (*) with the PassRole Action'
+#                             matches.append(RuleMatch(path, message.format(resource_name)))
+#         return matches

archive/IAMRoleResourceWildcardPassRole.bak

@@ -0,0 +1,40 @@
+# """
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+# """
+# from cfnlint.rules import CloudFormationLintRule
+# from cfnlint.rules import RuleMatch
+
+# class IAMRoleResourceWildcardPassRole(CloudFormationLintRule):
+#     id = 'EIAMRoleResourceWildardPassRole' # New Rule ID
+#     shortdesc = 'No * resource with PassRole Action on IAM role' # A short description about the rule
+#     description = 'IAM role should not allow * resource with PassRole action on its permissions policy' # (Longer) description about the rule
+#     source_url = 'https://github.com/aws-ia/cfn-mp-ql-rules/tree/main' # A url to the source of the rule, e.g. documentation, AWS Blog posts etc
+#     tags = ["iam"] 
+
+#     def match(self, cfn):
+        
+#         """Check if IAM role contains * Resource and PassRole Action"""
+
+#         resources = cfn.get_resources(['AWS::IAM::Role'])
+#         matches = []
+#         for resource_name, resource in resources.items():
+#             path = ['Resources', resource_name, 'Properties']
+#             properties = resource.get('Properties')
+#             if properties:
+#                 actions = properties.get('Policies')[0].get('PolicyDocument').get('Statement')[0].get('Action')
+#                 resources_wild = properties.get('Policies')[0].get('PolicyDocument').get('Statement')[0].get('Resource')
+#                 is_wildcard = ''
+#                 if '*' in resources_wild:
+#                     is_wildcard = '*'
+#                 if ((actions == 'iam:PassRole') and (is_wildcard == '*')):
+#                     path = ['Resources', resource_name, 'Properties', 'Policies', 'PolicyDocument', 'Statement', 'Action']
+#                     message = 'Do not use a resource wildcard (*) with the PassRole Action'
+#                     matches.append(RuleMatch(path, message.format(resource_name)))
+#                 else:
+#                     for action in actions:
+#                         if ((action == 'iam:PassRole') and (is_wildcard == '*')):
+#                             path = ['Resources', resource_name, 'Properties', 'Policies', 'PolicyName', 'Statement', 'Action']
+#                             message = 'Do not use a resource wildcard (*) with the PassRole Action'
+#                             matches.append(RuleMatch(path, message.format(resource_name)))
+#         return matches