cfn-model 0.4.28 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df1ac14db4c825a752953a999fca09e56eaaa3e7141146bea1892cfe0c1f350c
-  data.tar.gz: 010c17ccd4d19b1999768d8b41b71dd98f6cca02713cf3065ac6cf208ee4d4f2
+  metadata.gz: 9aef1495499472493a59d8d4a674eb275bad575fccf3b7eaa6d91db4308d3914
+  data.tar.gz: cd9340c44f684f0e6eeedbbd7f7e2a84826b79bede5f09c5930f3b7bdca2f3f3
 SHA512:
-  metadata.gz: 2530d80cc408f921c69ec5757c6b4c73a064a1d6e7c980cce9dd3a0441bdd501e82685ceff915c756ea7a4cd4fd52f712ddb7cd63a190686abc9b8613b63de05
-  data.tar.gz: 8f053b02001d51fb7f4130e6b77d0e9cc7d3c36f35d8e3b9c3d55b6d9cc610a9ab02cdb8604c4385556819aa4e7581f2bf23cd912b910220b0f7c7bfd13d8dd6
+  metadata.gz: 33b02918cbb23f06c2c74b05bf7897f17d78896b74bfcdf80fd8be619cb69d7385a161809ddbb7a8ad632e4f5af618e2508712b7615ae6ec72980180823a2338
+  data.tar.gz: 3cfb410027085088f737643e4197ad7e1238ebff994bfac19b62738ff53d0a609583cfe1919c4ec89ff1c9e968276fc5727c0bf07f90ab3a17ce4d898da79001

data/lib/cfn-model/model/cfn_model.rb

@@ -3,7 +3,7 @@
 require_relative 'references'
 
 class CfnModel
-  attr_reader :resources, :parameters, :line_numbers, :conditions, :globals
+  attr_reader :resources, :parameters, :line_numbers, :conditions, :globals, :mappings
 
   ##
   # if you really want it, here it is - the raw Hash from YAML.load.  you'll have to mess with structural nits of
@@ -16,6 +16,7 @@ class CfnModel
     @resources = {}
     @conditions = {}
     @globals = {}
+    @mappings = {}
     @raw_model = nil
     @line_numbers = {}
   end
@@ -38,6 +39,9 @@ class CfnModel
     @resources.each do |k, v|
       new_cfn_model.resources[k] = v
     end
+    @mappings.each do |k, v|
+      new_cfn_model.mappings[k] = v
+    end
     new_cfn_model.raw_model = @raw_model.dup unless @raw_model.nil?
     new_cfn_model
   end

data/lib/cfn-model/model/references.rb

@@ -9,25 +9,58 @@ require 'cfn-model/parser/parser_error'
 # references yet... in the meantime pile things up here and hope a pattern becomes
 # clear
 module References
+  def self.unsupported_passthru?(value)
+    value.has_key?('Fn::GetAtt') || value.has_key?('Fn::ImportValue') || value.has_key?('Fn::Transform') || value.has_key?('Fn::Cidr')
+  end
+
   def self.resolve_value(cfn_model, value)
     if value.is_a? Hash
       if value.has_key?('Ref')
-        ref_id = value['Ref']
-        if ref_id.is_a? String
-          if cfn_model.parameters.has_key?(ref_id)
-            return value if cfn_model.parameters[ref_id].synthesized_value.nil?
-            return cfn_model.parameters[ref_id].synthesized_value
-          else
-            return value
-          end
-        else
-          return value
-        end
+        resolve_reference(cfn_model, value)
+      elsif value.has_key?('Fn::FindInMap')
+        resolve_map(cfn_model, value)
+      elsif value.has_key?('Fn::If')
+        resolve_if(cfn_model, value)
+      elsif value.has_key?('Fn::Sub')
+        resolve_sub(cfn_model, value)
+      elsif value.has_key?('Fn::GetAZs')
+        resolve_getazs(cfn_model, value)
+      elsif value.has_key?('Fn::Split')
+        resolve_split(cfn_model, value)
+      elsif value.has_key?('Fn::Join')
+        resolve_join(cfn_model, value)
+      elsif value.has_key?('Fn::Base64')
+        resolve_base64(cfn_model, value)
+      elsif value.has_key?('Fn::Select')
+        resolve_select(cfn_model, value)
+      elsif unsupported_passthru?(value)
+        value
+      else # another mapping
+        value.map do |k,v|
+          [k, resolve_value(cfn_model, v)]
+        end.to_h
+      end
+    elsif value.is_a? Array
+      value.map { |item| resolve_value(cfn_model, item) }
+    else
+      value
+    end
+  end
+
+  ##
+  # For a !Ref to another resource.... just returns the !REf
+  # For a !Ref to a Parameter, then try to synthesize the value
+  def self.resolve_reference(cfn_model, value)
+    ref_id = value['Ref']
+    if ref_id.is_a? String
+      if cfn_model.parameters.has_key?(ref_id)
+        return value if cfn_model.parameters[ref_id].synthesized_value.nil?
+        return cfn_model.parameters[ref_id].synthesized_value
       else
         return value
       end
     else
-      return value
+      value
     end
   end
 
@@ -57,8 +90,146 @@ module References
     resolve_resource_id group_id, 'GroupId'
   end
 
+  ##
+  # Try to compute the FindInMap against a real Mapping
+  #
+  # If anything doesn't match up - either a syntax error,
+  # a missing Mapping, or some other kind Cfn evaluation
+  # we don't understand, just return the call to FindInMap
+  def self.resolve_map(cfn_model, find_in_map)
+    map_name = find_in_map['Fn::FindInMap'][0]
+    top_level_key = find_in_map['Fn::FindInMap'][1]
+    second_level_key = find_in_map['Fn::FindInMap'][2]
+
+    map = cfn_model.mappings[map_name]
+
+    return find_in_map if map.nil?
+
+    top_level_resolved = resolve_value(cfn_model, top_level_key)
+
+    return find_in_map if !map.has_key?(top_level_resolved)
+
+    top_level = map[top_level_resolved]
+    second_level = top_level[resolve_value(cfn_model, second_level_key)]
+
+    return find_in_map if second_level.nil?
+
+    second_level
+  end
+
   private
 
+  def self.resolve_sub(cfn_model, expression)
+    if expression['Fn::Sub'].is_a? String
+      resolve_shorthand_sub(cfn_model, expression)
+    elsif expression['Fn::Sub'].is_a? Array
+      resolve_longform_sub(cfn_model, expression)
+    else
+      expression
+    end
+  end
+
+  def self.resolve_select(cfn_model, reference)
+    index = reference['Fn::Select'][0]
+    collection = References.resolve_value(cfn_model, reference['Fn::Select'][1])
+    if collection.is_a? Array
+      collection[index]
+    else
+      reference
+    end
+  end
+
+  def self.resolve_base64(cfn_model, reference)
+    References.resolve_value(cfn_model, reference['Fn::Base64'])
+  end
+
+  def self.resolve_join(cfn_model, reference)
+    delimiter = reference['Fn::Join'][0]
+    items = References.resolve_value(cfn_model, reference['Fn::Join'][1])
+    return reference unless items.is_a?(Array)
+    items.join(delimiter)
+  end
+
+  def self.resolve_split(cfn_model, reference)
+    delimiter = reference['Fn::Split'][0]
+    target_string = References.resolve_value(cfn_model, reference['Fn::Split'][1])
+    return reference unless target_string.is_a?(String)
+    target_string.split(delimiter)
+  end
+
+  def self.resolve_getazs(cfn_model, reference)
+    number_azs = References.resolve_value(cfn_model, { 'Ref' => 'AWS::NumberAZs' })
+    region = reference['Fn::GetAZs']
+    if region == '' || region == { 'Ref' => 'AWS::Region' }
+      region = References.resolve_value(cfn_model, { 'Ref' => 'AWS::Region' })
+    end
+    (('a'.ord)..('a'.ord+number_azs)).map do |az_number|
+      "#{region}#{az_number.chr}"
+    end
+  end
+
+  def self.strip_cfn_interpolation(reference)
+    reference[2..-2]
+  end
+
+  def self.references_in_sub(string_value)
+    # ignore ${!foo} as cfn interprets that as the literal ${foo}
+    references = string_value.scan /\${[^!].*?}/
+    references.map { |reference| strip_cfn_interpolation(reference) }
+  end
+
+  def self.resolvable_reference?(cfn_model, reference)
+    resolved_value = References.resolve_value(cfn_model, {'Ref'=>reference})
+    resolved_value != {'Ref'=>reference}
+  end
+
+  def self.resolve_shorthand_sub(cfn_model, expression)
+    string_value = expression['Fn::Sub']
+    subbed_string_value = string_value
+    has_unresolved_references = false
+    references_in_sub(string_value).each do |reference|
+      if resolvable_reference?(cfn_model, reference)
+        subbed_string_value = subbed_string_value.gsub(
+          "${#{reference}}",
+          References.resolve_value(cfn_model, {'Ref'=>reference})
+        )
+      end
+    end
+    subbed_string_value
+  end
+
+  def self.resolve_longform_sub(cfn_model, expression)
+    array_value = expression['Fn::Sub']
+    subbed_string_value = array_value[0]
+    substitution_mapping = array_value[1]
+    references_in_sub(subbed_string_value).each do |reference|
+      if substitution_mapping.has_key? reference
+        if References.resolve_value(cfn_model, substitution_mapping[reference]).is_a?(String)
+          subbed_string_value = subbed_string_value.gsub(
+            "${#{reference}}",
+            References.resolve_value(cfn_model, substitution_mapping[reference])
+          )
+        end
+      elsif resolvable_reference?(cfn_model, reference)
+        subbed_string_value = subbed_string_value.gsub(
+          "${#{reference}}",
+          References.resolve_value(cfn_model, {'Ref'=>reference})
+        )
+      end
+    end
+    subbed_string_value
+  end
+
+  def self.resolve_if(cfn_model, expression)
+    if_expression = expression['Fn::If']
+    condition_name = if_expression[0]
+    if cfn_model.conditions[condition_name]
+      resolve_value(cfn_model, if_expression[1])
+    else
+      resolve_value(cfn_model, if_expression[2])
+    end
+  end
+
   def self.logical_resource_id_from_get_att(attribute_spec, attr_to_retrieve=nil)
     if attribute_spec.is_a? Array
       if !attr_to_retrieve || attribute_spec[1] == attr_to_retrieve

data/lib/cfn-model/parser/cfn_parser.rb

@@ -44,6 +44,9 @@ class CfnParser
 
     apply_parameter_values(cfn_model, parameter_values_json)
 
+    # pass 2: tie together separate resources only where necessary to make life easier for rule logic
+    post_process_resource_model_elements cfn_model
+
     cfn_model
   end
 
@@ -76,6 +79,8 @@ class CfnParser
 
     process_conditions cfn_hash, cfn_model, condition_values_json
 
+    process_mappings cfn_hash, cfn_model
+
     # pass 1: wire properties into ModelElement objects
     if with_line_numbers
       transform_hash_into_model_elements_with_numbers cfn_hash, cfn_model
@@ -85,14 +90,21 @@ class CfnParser
     transform_hash_into_parameters cfn_hash, cfn_model
     transform_hash_into_globals cfn_hash, cfn_model
 
-    # pass 2: tie together separate resources only where necessary to make life easier for rule logic
-    post_process_resource_model_elements cfn_model
+
 
     cfn_model
   end
 
   private
 
+  def process_mappings(cfn_hash, cfn_model)
+    if cfn_hash.key?('Mappings')
+      cfn_hash['Mappings'].each do |mapping_key, mapping_value|
+        cfn_model.mappings[mapping_key] = mapping_value
+      end
+    end
+  end
+
   def process_conditions(cfn_hash, cfn_model, condition_values_json)
     if cfn_hash.key?('Conditions')
       if condition_values_json.nil?

data/lib/cfn-model/parser/iam_group_parser.rb

@@ -2,6 +2,7 @@
 
 require 'cfn-model/model/iam_role'
 require 'cfn-model/model/policy'
+require 'cfn-model/model/references'
 require_relative 'policy_document_parser'
 
 class IamGroupParser
@@ -12,8 +13,8 @@ class IamGroupParser
       next unless policy.has_key? 'PolicyName'
 
       new_policy = Policy.new
-      new_policy.policy_name = policy['PolicyName']
-      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy.policy_name = References.resolve_value(cfn_model, policy['PolicyName'])
+      new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, policy['PolicyDocument'])
       new_policy
     end.reject { |policy| policy.nil? }
     iam_group

data/lib/cfn-model/parser/iam_role_parser.rb

@@ -2,20 +2,21 @@
 
 require 'cfn-model/model/iam_role'
 require 'cfn-model/model/policy'
+require 'cfn-model/model/references'
 require_relative 'policy_document_parser'
 
 class IamRoleParser
   def parse(cfn_model:, resource:)
     iam_role = resource
 
-    iam_role.assume_role_policy_document = PolicyDocumentParser.new.parse(iam_role.assumeRolePolicyDocument)
+    iam_role.assume_role_policy_document = PolicyDocumentParser.new.parse(cfn_model, iam_role.assumeRolePolicyDocument)
 
     iam_role.policy_objects = iam_role.policies.map do |policy|
       next unless policy.has_key? 'PolicyName'
 
       new_policy = Policy.new
-      new_policy.policy_name = policy['PolicyName']
-      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy.policy_name = References.resolve_value(cfn_model, policy['PolicyName'])
+      new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, policy['PolicyDocument'])
       new_policy
     end.reject { |policy| policy.nil? }
 

data/lib/cfn-model/parser/iam_user_parser.rb

@@ -2,6 +2,7 @@
 
 require 'cfn-model/model/policy_document'
 require 'cfn-model/model/policy'
+require 'cfn-model/model/references'
 require_relative 'policy_document_parser'
 
 class IamUserParser
@@ -12,8 +13,8 @@ class IamUserParser
       next unless policy.has_key? 'PolicyName'
 
       new_policy = Policy.new
-      new_policy.policy_name = policy['PolicyName']
-      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy.policy_name = References.resolve_value(cfn_model, policy['PolicyName'])
+      new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, policy['PolicyDocument'])
       new_policy
     end.reject { |policy| policy.nil? }
 
@@ -22,8 +23,8 @@ class IamUserParser
     user_to_group_additions = cfn_model.resources_by_type 'AWS::IAM::UserToGroupAddition'
     user_to_group_additions.each do |user_to_group_addition|
 
-      if user_to_group_addition_has_username(user_to_group_addition.users,iam_user)
-        iam_user.group_names << user_to_group_addition.groupName
+      if user_to_group_addition_has_username(user_to_group_addition.users, iam_user)
+        iam_user.group_names << References.resolve_value(cfn_model, user_to_group_addition.groupName)
 
         # we need to figure out the story on resolving Refs i think for this to be real
       end

data/lib/cfn-model/parser/kms_key_parser.rb

@@ -9,7 +9,7 @@ class KmsKeyParser
     kms_key = resource
 
     new_policy = Policy.new
-    new_policy.policy_document = PolicyDocumentParser.new.parse(kms_key.keyPolicy)
+    new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, kms_key.keyPolicy)
     kms_key.key_policy = new_policy
 
     kms_key

data/lib/cfn-model/parser/parameter_substitution.rb

@@ -33,6 +33,33 @@ class ParameterSubstitution
     end
   end
 
+  def apply_pseudo_parameter_values(cfn_model, parameter_values)
+    # leave out 'AWS::NoValue'? not sure - we explicitly check it in some places...
+    # might make sense to substitute here?
+    pseudo_function_defaults = {
+      'AWS::URLSuffix' => 'amazonaws.com',
+      'AWS::Partition' => 'aws',
+      'AWS::NotificationARNs' => '',
+      'AWS::AccountId' => '111111111111',
+      'AWS::Region' => 'us-east-1',
+      'AWS::StackId' => 'arn:aws:cloudformation:us-east-1:111111111111:stack/stackname/51af3dc0-da77-11e4-872e-1234567db123',
+      'AWS::StackName' => 'stackname',
+      'AWS::NumberAZs' => 2
+    }
+    pseudo_function_defaults.each do |function_name, default_value|
+      parameter = Parameter.new
+      parameter.id = function_name
+      parameter.type = 'String'
+      cfn_model.parameters[function_name] = parameter
+
+      if parameter_values[PARAMETERS].has_key?(function_name)
+        parameter.synthesized_value = parameter_values[PARAMETERS][function_name]
+      else
+        parameter.synthesized_value = default_value
+      end
+    end
+  end
+
   def apply_parameter_values_impl(cfn_model, parameter_values)
     parameter_values[PARAMETERS].each do |parameter_name, parameter_value|
       if cfn_model.parameters.has_key?(parameter_name)
@@ -50,6 +77,7 @@ class ParameterSubstitution
         parameter.synthesized_value = parameter.default.to_s
       end
     end
+    apply_pseudo_parameter_values(cfn_model, parameter_values)
   end
 
   def is_aws_format?(parameter_values)

data/lib/cfn-model/parser/policy_document_parser.rb

@@ -1,16 +1,18 @@
 # frozen_string_literal: true
 
 require 'cfn-model/model/iam_policy'
+require 'cfn-model/model/references'
+
 require 'cfn-model/model/policy_document'
 
 class PolicyDocumentParser
-  def parse(raw_policy_document)
+  def parse(cfn_model, raw_policy_document)
     policy_document = PolicyDocument.new
 
-    policy_document.version = raw_policy_document['Version']
+    policy_document.version = References.resolve_value(cfn_model, raw_policy_document['Version'])
 
     policy_document.statements = streamline_array(raw_policy_document['Statement']) do |statement|
-      parse_statement statement
+      parse_statement cfn_model, statement
     end
 
     policy_document
@@ -18,17 +20,17 @@ class PolicyDocumentParser
 
   private
 
-  def parse_statement(raw_statement)
+  def parse_statement(cfn_model, raw_statement)
     statement = Statement.new
-    statement.effect = raw_statement['Effect']
-    statement.sid = raw_statement['Sid']
-    statement.condition = raw_statement['Condition']
-    statement.actions = streamline_array(raw_statement['Action'])
-    statement.not_actions = streamline_array(raw_statement['NotAction'])
-    statement.resources = streamline_array(raw_statement['Resource'])
-    statement.not_resources = streamline_array(raw_statement['NotResource'])
-    statement.principal = raw_statement['Principal']
-    statement.not_principal = raw_statement['NotPrincipal']
+    statement.effect = References.resolve_value(cfn_model, raw_statement['Effect'])
+    statement.sid = References.resolve_value(cfn_model, raw_statement['Sid'])
+    statement.condition = References.resolve_value(cfn_model, raw_statement['Condition'])
+    statement.actions = References.resolve_value(cfn_model, streamline_array(raw_statement['Action']))
+    statement.not_actions = References.resolve_value(cfn_model, streamline_array(raw_statement['NotAction']))
+    statement.resources = References.resolve_value(cfn_model, streamline_array(raw_statement['Resource']))
+    statement.not_resources = References.resolve_value(cfn_model, streamline_array(raw_statement['NotResource']))
+    statement.principal = References.resolve_value(cfn_model, raw_statement['Principal'])
+    statement.not_principal = References.resolve_value(cfn_model, raw_statement['NotPrincipal'])
     statement
   end
 

data/lib/cfn-model/parser/security_group_parser.rb

@@ -38,7 +38,7 @@ class SecurityGroupParser
       ingress_object = AWS::EC2::SecurityGroupIngress.new cfn_model
       ingress.each do |k, v|
         silently_fail do
-          ingress_object.send("#{initialLower(k)}=", v)
+          ingress_object.send("#{initialLower(k)}=", References.resolve_value(cfn_model, v))
           mapped_at_least_one_attribute = true
         end
       end
@@ -59,7 +59,7 @@ class SecurityGroupParser
       egress.each do |k, v|
         next if k.match /::/
         silently_fail do
-          egress_object.send("#{initialLower(k)}=", v)
+          egress_object.send("#{initialLower(k)}=", References.resolve_value(cfn_model, v))
           mapped_at_least_one_attribute = true
         end
 

data/lib/cfn-model/parser/with_policy_document_parser.rb

@@ -6,7 +6,7 @@ require_relative 'policy_document_parser'
 
 class WithPolicyDocumentParser
   def parse(cfn_model:, resource:)
-    resource.policy_document = PolicyDocumentParser.new.parse(resource.policyDocument)
+    resource.policy_document = PolicyDocumentParser.new.parse(cfn_model, resource.policyDocument)
     resource
   end
 end

data/lib/cfn-model/transforms/serverless.rb

@@ -112,8 +112,14 @@ class CfnModel
                                                           resource_name,
                                                           with_line_numbers)
 
-        cfn_hash['Resources'][resource_name] = lambda_function lambda_fn_params
-
+        cfn_hash['Resources'][resource_name] = lambda_function(
+          handler: lambda_fn_params[:handler],
+          code_bucket: lambda_fn_params[:code_bucket],
+          code_key: lambda_fn_params[:code_key],
+          role: lambda_fn_params[:role],
+          runtime: lambda_fn_params[:runtime],
+          with_line_numbers: lambda_fn_params[:with_line_numbers]
+        )
         unless serverless_function['Properties']['Role']
           cfn_hash['Resources'][resource_name + 'Role'] = function_role(serverless_function,
                                                                         resource_name,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-model
 version: !ruby/object:Gem::Version
-  version: 0.4.28
+  version: 0.5.1
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-08 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -165,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.3
 signing_key: 
 specification_version: 4
 summary: cfn-model