cfn-model 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: df7b00fc32259e430e24108cd53e3f9d6a314415
+  data.tar.gz: fdfe0f37dc53623ffda3fad4cd32b9aaa466b3fa
+SHA512:
+  metadata.gz: 98060606e4d5a092a4b6619093f770b09b7bdf714a15dd93481f0c3df6b10ba6907afcfe26db0940cdb5a7cf9666b72acf828aa61a40f6e6c1cb6c68286d2f3f
+  data.tar.gz: 4e30e1684419ff1cab3d400dfcf5eb57591c9a6518ae7fea8fd6362788280c5d4bcbca9344eca566f8b4441bed5da4e8433c3ca910cbb652c3cf469eb992bff3

data/bin/cfn_parse

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+require 'cfn-model'
+
+puts '======'
+puts ARGV[0]
+puts '======'
+cfn_model = CfnParser.new.parse IO.read(ARGV[0])
+puts cfn_model

data/lib/cfn-model/model/bucket_policy.rb

@@ -0,0 +1,13 @@
+require_relative 'model_element'
+
+class AWS::S3::BucketPolicy  < ModelElement
+  # mapped from document
+  attr_accessor :bucket, :policyDocument
+
+  # PolicyDocument - objectified policyDocument
+  attr_accessor :policy_document
+
+  def initialize
+    @resource_type = 'AWS::S3::BucketPolicy'
+  end
+end

data/lib/cfn-model/model/cfn_model.rb

@@ -0,0 +1,64 @@
+require_relative 'references'
+
+class CfnModel
+  attr_reader :resources
+
+  ##
+  # if you really want it, here it is - the raw Hash from YAML.load.  you'll have to mess with structural nits of
+  # CloudFormation and deal with variations between yaml/json refs and all that
+  #
+  attr_accessor :raw_model
+
+  def initialize
+    @resources = {}
+    @raw_model = nil
+  end
+
+  def security_groups
+    resources_by_type 'AWS::EC2::SecurityGroup'
+  end
+
+  def iam_users
+    resources_by_type 'AWS::IAM::User'
+  end
+
+  def standalone_ingress
+    security_group_ingresses = resources_by_type 'AWS::EC2::SecurityGroupIngress'
+    security_group_ingresses.select do |security_group_ingress|
+      References.is_security_group_id_external(security_group_ingress.groupId)
+    end
+  end
+
+  def standalone_egress
+    security_group_egresses = resources_by_type 'AWS::EC2::SecurityGroupEgress'
+    security_group_egresses.select do |security_group_egress|
+      References.is_security_group_id_external(security_group_egress.groupId)
+    end
+  end
+
+  def resources_by_type(resource_type)
+    @resources.values.select { |resource| resource.resource_type == resource_type }
+  end
+
+  def find_security_group_by_group_id(security_group_reference)
+    security_group_id = References.resolve_security_group_id(security_group_reference)
+    if security_group_id.nil?
+      # leave it alone since external ref or something we don't grok
+      security_group_reference
+    else
+      matched_security_group = security_groups.find do |security_group|
+        security_group.logical_resource_id == security_group_id
+      end
+      if matched_security_group.nil?
+        # leave it alone since external ref or something we don't grok
+        security_group_reference
+      else
+        matched_security_group
+      end
+    end
+  end
+
+  def to_s
+    @resources.to_s
+  end
+end

data/lib/cfn-model/model/ec2_instance.rb

@@ -0,0 +1,15 @@
+require_relative 'model_element'
+
+class AWS::EC2::Instance  < ModelElement
+  attr_accessor :securityGroupIds, :networkInterfaces
+
+  # SecurityGroup objects based upon securityGroupIds
+  attr_accessor :security_groups
+
+  def initialize
+    @securityGroupIds = []
+    @networkInterfaces = []
+    @security_groups = []
+    @resource_type = 'AWS::EC2::Instance'
+  end
+end

data/lib/cfn-model/model/ec2_network_interface.rb

@@ -0,0 +1,18 @@
+require_relative 'model_element'
+
+class AWS::EC2::NetworkInterface  < ModelElement
+  attr_accessor :groupSet, :ipv6Addresses, :privateIpAddresses, :tags
+  attr_accessor :description, :ipv6AddressCount, :privateIpAddress, :secondaryPrivateIpAddressCount, :sourceDestCheck, :subnetId
+
+  # SecurityGroup objects based upon groupSet
+  attr_accessor :security_groups
+
+  def initialize
+    @groupSet = []
+    @ipv6Addresses = []
+    @privateIpAddresses = []
+    @tags = []
+    @security_groups = []
+    @resource_type = 'AWS::EC2::NetworkInterface'
+  end
+end

data/lib/cfn-model/model/iam_group.rb

@@ -0,0 +1,15 @@
+require_relative 'model_element'
+
+class AWS::IAM::Group  < ModelElement
+  attr_accessor :groupName, :managedPolicyArns, :path, :policies
+
+  # synthesized version of policies
+  attr_accessor :policy_objects
+
+  def initialize
+    @managedPolicyArns = []
+    @policies = []
+    @policy_objects = []
+    @resource_type = 'AWS::IAM::Group'
+  end
+end

data/lib/cfn-model/model/iam_managed_policy.rb

@@ -0,0 +1,14 @@
+require_relative 'model_element'
+
+class AWS::IAM::ManagedPolicy < ModelElement
+  attr_accessor :description, :managedPolicyName, :policyDocument, :groups, :roles, :users, :path
+
+  attr_accessor :policy_document
+
+  def initialize
+    @groups = []
+    @roles = []
+    @users = []
+    @resource_type = 'AWS::IAM::ManagedPolicy'
+  end
+end

data/lib/cfn-model/model/iam_policy.rb

@@ -0,0 +1,14 @@
+require_relative 'model_element'
+
+class AWS::IAM::Policy < ModelElement
+  attr_accessor :policyName, :policyDocument, :groups, :roles, :users
+
+  attr_accessor :policy_document
+
+  def initialize
+    @groups = []
+    @roles = []
+    @users = []
+    @resource_type = 'AWS::IAM::Policy'
+  end
+end

data/lib/cfn-model/model/iam_role.rb

@@ -0,0 +1,14 @@
+require_relative 'model_element'
+
+class AWS::IAM::Role < ModelElement
+  attr_accessor :roleName, :assumeRolePolicyDocument, :policies, :path, :managedPolicyArns
+
+  attr_accessor :policy_objects, :assume_role_policy_document
+
+  def initialize
+    @policies = []
+    @managedPolicyArns = []
+    @policy_objects = []
+    @resource_type = 'AWS::IAM::Role'
+  end
+end

data/lib/cfn-model/model/iam_user.rb

@@ -0,0 +1,16 @@
+require_relative 'model_element'
+
+class AWS::IAM::User  < ModelElement
+  attr_accessor :groups, :loginProfile, :path, :policies, :userName
+
+  # synthesized version of policies
+  attr_accessor :policy_objects, :group_names
+
+  def initialize
+    @groups = []
+    @policies = []
+    @policy_objects = []
+    @group_names = []
+    @resource_type = 'AWS::IAM::User'
+  end
+end

data/lib/cfn-model/model/iam_user_to_group_addition.rb

@@ -0,0 +1,10 @@
+require_relative 'model_element'
+
+class AWS::IAM::UserToGroupAddition  < ModelElement
+  attr_accessor :groupName, :users
+
+  def initialize
+    @users = []
+    @resource_type = 'AWS::IAM::UserToGroupAddition'
+  end
+end

data/lib/cfn-model/model/load_balancer.rb

@@ -0,0 +1,37 @@
+require_relative 'model_element'
+
+class AWS::ElasticLoadBalancing::LoadBalancer < ModelElement
+  attr_accessor :securityGroups, :subnets, :tags, :scheme, :loadBalancerName, :crossZone, :availabilityZones, :connectionDrainingPolicy
+  attr_accessor :connectionSettings, :accessLoggingPolicy, :instances, :appCookieStickinessPolicy, :lBCookieStickinessPolicy, :healthCheck, :policies, :listeners
+
+  attr_accessor :security_groups
+
+  def initialize
+    @securityGroups = []
+    @security_groups = []
+    @subnets = []
+    @tags = []
+    @availabilityZones = []
+    @instances = []
+    @appCookieStickinessPolicy = []
+    @lBCookieStickinessPolicy = []
+    @policies = []
+    @listeners = []
+    @resource_type = 'AWS::ElasticLoadBalancing::LoadBalancer'
+  end
+end
+
+class AWS::ElasticLoadBalancingV2::LoadBalancer < ModelElement
+  attr_accessor :securityGroups, :loadBalancerAttributes, :subnets, :tags, :scheme, :name, :ipAddressType
+
+  attr_accessor :security_groups
+
+  def initialize
+    @securityGroups = []
+    @security_groups = []
+    @loadBalancerAttributes = []
+    @subnets = []
+    @tags = []
+    @resource_type = 'AWS::ElasticLoadBalancingV2::LoadBalancer'
+  end
+end

data/lib/cfn-model/model/model_element.rb

@@ -0,0 +1,101 @@
+
+module AWS
+  module CloudFormation
+
+  end
+
+  module EC2
+
+  end
+
+  module ElasticLoadBalancing
+
+  end
+
+  module ElasticLoadBalancingV2
+
+  end
+
+  module IAM
+
+  end
+
+  module S3
+
+  end
+
+  module SNS
+
+  end
+
+  module SQS
+
+  end
+
+  module Lambda
+
+  end
+
+  module CloudFront
+
+  end
+end
+
+module Custom
+
+end
+
+class ModelElement
+  attr_accessor :logical_resource_id, :resource_type
+
+  def to_s
+    <<END
+{
+#{emit_instance_vars}
+}
+END
+  end
+
+  def ==(another_model_element)
+    found_unequal_instance_var = false
+    instance_variables_without_at_sign.each do |instance_variable|
+      if instance_variable != :logical_resource_id
+        if self.send(instance_variable) != another_model_element.send(instance_variable)
+          found_unequal_instance_var = true
+        end
+      end
+    end
+    !found_unequal_instance_var
+  end
+
+  private
+
+  ##
+  # Treat any missing method as an instance variable get/set
+  #
+  # This will allow arbitrary elements in Resource/Properties definitions
+  # to map to instance variables without having to anticipate them in a schema
+  def method_missing(method_name, *args)
+    if method_name =~ /^(\w+)=$/
+      instance_variable_set "@#{$1}", args[0]
+    else
+      instance_variable_get "@#{method_name}"
+    end
+  end
+
+  def instance_variables_without_at_sign
+    self.instance_variables.map { |instance_variable| strip(instance_variable) }
+  end
+
+  def strip(sym)
+    sym.to_s.gsub(/@/, '').to_sym
+  end
+
+  def emit_instance_vars
+    instance_vars_str = ''
+    self.instance_variables.each do |instance_variable|
+      instance_vars_str += "  #{instance_variable}=#{instance_variable_get(instance_variable)}\n"
+    end
+    instance_vars_str
+  end
+end

data/lib/cfn-model/model/policy.rb

@@ -0,0 +1,10 @@
+require_relative 'model_element'
+
+class Policy
+  attr_accessor :policy_name, :policy_document
+
+  def ==(another_policy)
+    policy_name == another_policy.policy_name &&
+      policy_document == another_policy.policy_document
+  end
+end

data/lib/cfn-model/model/policy_document.rb

@@ -0,0 +1,52 @@
+require_relative 'statement'
+
+class PolicyDocument
+  attr_accessor :version, :statements
+
+  def initialize
+    @statements = []
+  end
+
+  def wildcard_allowed_resources
+    @statements.select { |statement| !statement.wildcard_resources.empty? && statement.effect == 'Allow' }
+  end
+
+  def wildcard_allowed_actions
+    @statements.select { |statement| !statement.wildcard_actions.empty? && statement.effect == 'Allow' }
+  end
+
+  def wildcard_allowed_principals
+    @statements.select { |statement| statement.wildcard_principal? && statement.effect == 'Allow' }
+  end
+
+  ##
+  # Select any Statement objects that Allow in conjunction with a NotAction
+  #
+  def allows_not_action
+    @statements.select { |statement| !statement.not_actions.empty? && statement.effect == 'Allow' }
+  end
+
+  def allows_not_resource
+    @statements.select { |statement| !statement.not_resources.empty? && statement.effect == 'Allow' }
+  end
+
+  def allows_not_principal
+    @statements.select { |statement| !statement.not_principal.nil? && statement.effect == 'Allow' }
+  end
+
+  def ==(another_doc)
+    @version == another_doc.version && @statements == another_doc.statements
+  end
+
+  def to_s
+    <<END
+{
+  version=#{@version}
+  statements=#{@statements}
+}
+END
+  end
+end
+
+
+

data/lib/cfn-model/model/principal.rb

@@ -0,0 +1,34 @@
+class Principal
+  def self.wildcard?(principal)
+    if principal.is_a? String
+      return has_asterisk principal
+    elsif principal.is_a? Hash
+      # if new principal types arrive, let's not tie ourselves down - the * is still likely the thing to look for
+      # unless %w(AWS FederatedUser CanonicalUser Service).include?(principal.keys.first)
+      #   raise "whacky principal key: #{principal}"
+      # end
+
+      has_wildcard = false
+      principal.values.each do |principal_value|
+        if principal_value.is_a? String
+          has_wildcard ||= has_asterisk principal_value
+        elsif principal_value.is_a? Array
+          wildcard_principal = principal_value.find { |principal_iter| principal_iter =~ /\*/ }
+          has_wildcard ||= !wildcard_principal.nil?
+        end
+      end
+      has_wildcard
+    elsif principal.nil?
+      false
+    else
+      # array? not legal?
+      raise "whacky principal not string or hash: #{principal}"
+    end
+  end
+
+  private
+
+  def self.has_asterisk(string)
+    !(string =~ /\*/).nil?
+  end
+end

data/lib/cfn-model/model/queue_policy.rb

@@ -0,0 +1,13 @@
+require_relative 'model_element'
+
+class AWS::SQS::QueuePolicy  < ModelElement
+  attr_accessor :queues, :policyDocument
+
+  # PolicyDocument - objectified policyDocument
+  attr_accessor :policy_document
+
+  def initialize
+    @queues = []
+    @resource_type = 'AWS::SQS::QueuePolicy'
+  end
+end

data/lib/cfn-model/model/references.rb

@@ -0,0 +1,52 @@
+
+##
+# this is a placeholder for anything related to resolving references
+#
+# not sure if we are going to be able to have a useful generic set of code for
+# references yet... in the meantime pile things up here and hope a pattern becomes
+# clear
+module References
+  def self.is_security_group_id_external(group_id)
+    resolve_security_group_id(group_id).nil?
+  end
+
+  ##
+  # Return nil if
+  def self.resolve_security_group_id(group_id)
+    return nil if group_id.is_a? String
+
+    # an imported value can only yield a literal to an external sg vs. referencing something local
+    if !group_id['Ref'].nil?
+      group_id['Ref']
+    elsif !group_id['Fn::GetAtt'].nil?
+      logical_resource_id_from_get_att group_id['Fn::GetAtt']
+    else # !group_id['Fn::ImportValue'].nil?
+      # anything else will be string manipulation functions
+      # which again leads us back to a string which must be an external security group known out of band
+      # so don't/can't link it up to a security group
+      return nil
+    end
+  end
+
+  private
+
+  def self.logical_resource_id_from_get_att(attribute_spec)
+    if attribute_spec.is_a? Array
+      if attribute_spec[1] == 'GroupId'
+        return attribute_spec.first
+      else
+        # this could be a reference to a nested stack output so treat it as external
+        # and presume the ingress is freestanding.
+        return nil
+      end
+    elsif attribute_spec.is_a? String
+      if attribute_spec.split('.')[1] == 'GroupId'
+        return attribute_spec.split('.').first
+      else
+        # this could be a reference to a nested stack output so treat it as external
+        # and presume the ingress is freestanding.
+        return nil
+      end
+    end
+  end
+end

data/lib/cfn-model/model/security_group.rb

@@ -0,0 +1,18 @@
+require_relative 'model_element'
+
+class AWS::EC2::SecurityGroup < ModelElement
+  attr_accessor :groupDescription, :vpcId
+  attr_accessor :tags
+  attr_accessor :securityGroupIngress, :securityGroupEgress
+
+  attr_accessor :ingresses, :egresses
+
+  def initialize
+    @securityGroupIngress = []
+    @securityGroupEgress = []
+    @ingresses = []
+    @egresses = []
+    @tags = []
+    @resource_type = 'AWS::EC2::SecurityGroup'
+  end
+end

data/lib/cfn-model/model/security_group_egress.rb

@@ -0,0 +1,29 @@
+require_relative 'model_element'
+
+# this could have been inline or freestanding
+# in latter case there would be a logical resource id
+# but i think we don't ever care?
+class AWS::EC2::SecurityGroupEgress < ModelElement
+  # You must specify a destination security group (destinationPrefixListId or destinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
+  attr_accessor :cidrIp,
+                :cidrIpv6,
+                :destinationPrefixListId,
+                :destinationSecurityGroupId
+
+  # required
+  attr_accessor :groupId,
+                :fromPort,
+                :toPort,
+                :ipProtocol
+
+  def initialize
+    @resource_type = 'AWS::EC2::SecurityGroupEgress'
+  end
+
+  # def valid?
+  #   has_no_destination = @cidrIp.nil? && @cidrIpv6.nil? && @destinationPrefixListId.nil? && @destinationSecurityGroupId.nil?
+  #   if has_no_destination
+  #     raise "SG egress #{@logical_resource_id} has no destination specified"
+  #   end
+  # end
+end

data/lib/cfn-model/model/security_group_ingress.rb

@@ -0,0 +1,38 @@
+require_relative 'model_element'
+
+# this could have been inline or freestanding
+# in latter case there would be a logical resource id
+# but i think we don't ever care?
+class AWS::EC2::SecurityGroupIngress < ModelElement
+  # You must specify a source security group (SourceSecurityGroupName or SourceSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
+  attr_accessor :cidrIp,
+                :cidrIpv6,
+                :sourceSecurityGroupName,
+                :sourceSecurityGroupId
+
+  # Required: Conditional. You must specify the GroupName property or the GroupId property.
+  # For security groups that are in a VPC, you must use the GroupId property. For example, EC2-VPC accounts must use the GroupId property.
+  # this will be nil for inline ingress rules
+  attr_accessor :groupId,
+                :groupName
+
+  # required
+  attr_accessor :fromPort,
+                :toPort,
+                :ipProtocol
+
+  # Required: Conditional. If you specify SourceSecurityGroupName and that security group is owned by a different
+  # account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional.
+  attr_accessor :sourceSecurityGroupOwnerId
+
+  def initialize
+    @resource_type = 'AWS::EC2::SecurityGroupIngress'
+  end
+
+  # def valid?
+  #   has_no_source = @cidrIp.nil? && @cidrIpv6.nil? && @sourceSecurityGroupName.nil? && @sourceSecurityGroupId.nil?
+  #   if has_no_source
+  #     raise "SG ingress #{@logical_resource_id} has no source specified"
+  #   end
+  # end
+end

data/lib/cfn-model/model/statement.rb

@@ -0,0 +1,38 @@
+require_relative 'principal'
+
+class Statement
+  attr_accessor :sid, :effect, :condition
+  attr_accessor :actions, :not_actions
+  attr_accessor :resources, :not_resources
+  attr_accessor :principal, :not_principal
+
+  def initialize
+    @actions = []
+    @not_actions = []
+    @resources = []
+    @not_resources = []
+  end
+
+  def wildcard_actions
+    @actions.select { |action| action.to_s =~ /\*/ }
+  end
+
+  def wildcard_principal?
+    Principal.wildcard? @principal
+  end
+
+  def wildcard_resources
+    @resources.select { |action| action.to_s =~ /\*/ }
+  end
+
+  def ==(another_statement)
+    @effect == another_statement.effect &&
+      @actions == another_statement.actions &&
+      @not_actions == another_statement.not_actions &&
+      @resources == another_statement.resources &&
+      @not_resources == another_statement.not_resources &&
+      @principal == another_statement.principal &&
+      @not_principal == another_statement.not_principal &&
+      @condition == another_statement.condition
+  end
+end

data/lib/cfn-model/model/topic_policy.rb

@@ -0,0 +1,13 @@
+require_relative 'model_element'
+
+class AWS::SNS::TopicPolicy < ModelElement
+  attr_accessor :topics, :policyDocument
+
+  # PolicyDocument - objectified policyDocument
+  attr_accessor :policy_document
+
+  def initialize
+    @topics = []
+    @resource_type = 'AWS::SNS::TopicPolicy'
+  end
+end