aws-cloudformation/cloudformation-guard 2.1.1

v2.1.1

on GitHub

AWS CloudFormation Guard 2.1.1 is a patch release that includes new features, resolves bugs, and addresses feedback from the open source community.

New Features

1. Docker image for Guard now available in ECR public gallery

Bug fixes

1. Security fix for denial of service attack
2. Improved parsing logic and graceful exits in case of parsing failures
3. Upgraded Lambda to use new evaluation engine

Issues addressed

1. #210 - [BUG] main thread panic
2. #160 - cfn-guard test should fail when test file isn't found
3. #228 - [BUG] Parsing error when comments used at EOF
4. #224 - [BUG] DoS using Crafted Yaml file
5. #266 - [BUG] empty Function Broken on Boolean Keys
6. #252 - [BUG] Message Formatting

Other changes

• #239 - Updated FFI exports to support Rust-supported types by @tylersouthwick
• #238 - Fixed return Result return types by @tylersouthwick
• #282 - Improved parsing for inner regular expressions by @joshfried-aws
• #287 - Added non-zero exit code for parsing failures by @tylersouthwick
• #278 - Better handling of EOF in Guard rules by @joshfried-aws
• #275 - Handling slashes in Resource names by @joshfried-aws
• #276 - Added error for alias event to prevent panic by @joshfried-aws
• #271 - Decouple from yaml-rust and unblock crates.io (http://crates.io/) release by @joshfried-aws
• #270 - Bump up serde-yaml by @joshfried-aws
• #269 - Added empty check for boolean values by @akshayrane
• #284 - Added is_bool support by @tylersouthwick
• #254 - Fixed formatting for Guard evaluation report by @wkexiang
• #262, #255 - Update Lambda to use new evaluation engine by @GriffinMB & @akshayrane
• #264 - Fix for IN operator with literal LHS by @dchakrav-github
• #243, #246, #263, #247 - Dependabot version bumps
• #292 - Added GitHub action to automatically push a docker image on every commit by @akshayrane

Full change log: 2.1.0...2.1.1

Details

Guard Docker Image launched on ECR public gallery

Prerequisites

1. Install docker. Follow this guide.
2. Have a directory ready on the host you are downloading the docker image to that contains data templates and Guard rules you are planning to use, we may mount this directory and use the files as input to cfn-guard. We'll refer this directory to be called guard-files in the rest of this guide

Usage Guide

To use the binary, we should pull the latest docker image, we may do so using the following command:

docker pull public.ecr.aws/aws-cloudformation/cloudformation-guard:latest

Now go ahead and run the docker image, using the files from directory we have our templates and rules file in, using:

docker run \
  --mount src=/path/to/guard-files,target=/container/guard-files,type=bind \
  -it public.ecr.aws/aws-cloudformation/cloudformation-guard:latest \
  ./cfn-guard validate -d /container/guard-files/template.yml -r /container/guard-files/rule.guard

We should see the evaluation result emitted out on the console.

Tagging convention

• We use the tag latest for the most recent docker image that gets published in sync with main branch of the cloudformation-guard GitHub repository.
• We use the convention <branch_name>.<github_shorthand_commit_hash> for tags of historical docker images

New contributors

• @joshfried-aws made their first contribution in #270
• @GriffinMB made their first contribution in #255, pushed as part of #262
• @tylersouthwick made their first contribution in #284
• @wkexiang made their first contribution in #254