How is it possible to make a custom rule work for the DeletionPolicy attribute in cfn-lint?

0

cfn-lint 0.86.4

I have a CloudFormation template.json, and I want to add a custom rule for the "DeletionPolicy" attribute requiring a specific value, "Retain", for a specific resource type, e.g. EC2 or Route53.

  "Resources": {
    "EC2Instance": {
      "DeletionPolicy": "Delete",
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": "m4.16xlarge",
        "ImageId": "ami-019a123123123",
        "KeyName": { "Ref": "KeyName" },
        "SecurityGroups": [
          { "Ref": "InstanceSecurityGroup" }
        ]
      }
    }
  }

and I have .cfnlintrc and custom_rules.txt files in the root

templates:
  - myapp/template.json
ignore_templates:
  - codebuild.yaml
include_checks:
  - I
  - E3012 # = type-checking

custom_rules.txt file, one rule per line:

AWS::EC2::Instance InstanceType NOT_EQUALS "m4.16xlarge" WARN "This is an expensive instance type, use t2.micro instead"
AWS::EC2::Instance DeletionPolicy NOT_EQUALS "Delete" ERROR "You should set DeletionPolicy to Retain"

I am aware of the custom rule format: <Resource Type> <Property[*]> <Operator> <Value> [Error Level] [Custom Error Message], and I know that "DeletionPolicy" is not a property on the Properties object of a resource. How is it possible to make the DeletionPolicy custom rule work? When I run cfn-lint I only get a warning about the instance type and nothing about the DeletionPolicy value:

W9001 This is an expensive instance type, use t2.micro instead

Instead I should get:

W9001 This is an expensive instance type, use t2.micro instead
E12345 You should set DeletionPolicy to Retain

  • Can you try it this way? <Resource Type> * EQUALS "Delete" ERROR "You should set DeletionPolicy to Retain"

Yusuf
asked a month ago, 120 views
1 Answer
0

I don't think this is possible with the one line custom rule format, as it expects to operate on the Properties of the Resource. You could accomplish this using custom rules written in Python and using the -a / --append-rules CLI flag. For example, creating the directory rules and placing a file like DeletionPolicyRetain.py with the contents:

from cfnlint.rules import CloudFormationLintRule, RuleMatch


class DeletionPolicyRetain(CloudFormationLintRule):
    """Errors if EC2 Instance DeletionPolicy is not Retain"""
    id = 'E9001'
    shortdesc = 'Errors if EC2 Instance DeletionPolicy is not Retain'
    description = 'Errors if EC2 Instance DeletionPolicy is not Retain'
    source_url = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html'
    tags = ['resources', 'deletionpolicy']

    def match(self, cfn):
        matches = []

        # An empty type filter returns every resource in the template
        resources = cfn.get_resources([])
        for resourceName, resource in resources.items():
            # .get() so a resource with no DeletionPolicy at all is flagged
            # instead of raising a KeyError
            if resource['Type'] == 'AWS::EC2::Instance' and resource.get('DeletionPolicy') != 'Retain':
                matches.append(RuleMatch(['Resources', resourceName], 'Found EC2 instance missing DeletionPolicy of Retain'))

        return matches

and running the linting command with:

cfn-lint -a rules

AWS
Mike_A
answered 4 hours ago
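The same approach carried a step further, as an added example that is neither the question's nor the answer's code: the check lives in a plain function so it can be unit-tested without a cfn-lint install, handles a missing DeletionPolicy and intrinsic-function values, and covers more than one resource type. The resource type list, the rule id E9001 and the sample resources are assumptions.

```python
# Added example (not the question's or answer's code): the check as a plain function
# so it can be unit-tested without cfn-lint; the class wraps it for `cfn-lint -a`.
try:
    from cfnlint.rules import CloudFormationLintRule, RuleMatch
except ImportError:  # lets the check logic run where cfn-lint is not installed
    CloudFormationLintRule = object
    RuleMatch = None

# Resource types that must survive stack deletion (assumption; edit to taste)
RETAIN_TYPES = {"AWS::EC2::Instance", "AWS::Route53::HostedZone"}

def find_violations(resources, retain_types=RETAIN_TYPES):
    """Return (path, message) pairs for resources in retain_types whose DeletionPolicy
    is missing (Delete for most types) or is a string other than "Retain". Intrinsic
    functions (dict values) cannot be evaluated statically and are skipped."""
    violations = []
    for name, resource in resources.items():
        if resource.get("Type") not in retain_types:
            continue
        policy = resource.get("DeletionPolicy")  # .get(): absent attribute is not a KeyError
        if policy is None:
            violations.append((["Resources", name],
                               f"{name} has no DeletionPolicy; set it to Retain"))
        elif isinstance(policy, str) and policy != "Retain":
            violations.append((["Resources", name, "DeletionPolicy"],
                               f"{name} has DeletionPolicy {policy!r}; expected 'Retain'"))
    return violations

class DeletionPolicyRetain(CloudFormationLintRule):
    """cfn-lint wrapper; save under rules/ and run: cfn-lint -a rules template.json"""
    id = "E9001"  # cfn-lint reserves the 9xxx range for custom rules
    shortdesc = "Resources that must survive stack deletion need DeletionPolicy Retain"
    description = shortdesc
    source_url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html"
    tags = ["resources", "deletionpolicy"]

    def match(self, cfn):
        return [RuleMatch(path, msg) for path, msg in find_violations(cfn.get_resources())]

# Constructed sample: misspelled policy, missing policy, correct policy, uncovered type.
SAMPLE_RESOURCES = {
    "Web": {"Type": "AWS::EC2::Instance", "DeletionPolicy": "Detele"},
    "Zone": {"Type": "AWS::Route53::HostedZone"},
    "Db": {"Type": "AWS::EC2::Instance", "DeletionPolicy": "Retain"},
    "Logs": {"Type": "AWS::Logs::LogGroup", "DeletionPolicy": "Delete"},
}

if __name__ == "__main__":
    for path, msg in find_violations(SAMPLE_RESOURCES):
        print("/".join(path), "-", msg)
```

Running it on the constructed sample reports Web (wrong value) and Zone (no attribute) and stays silent on Db and Logs.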
