@intentius/chant-lexicon-aws 0.0.6 → 0.0.9

package/src/lint/post-synth/waw015.test.ts

@@ -0,0 +1,147 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { Declarable } from "@intentius/chant/declarable";
+import { CHILD_PROJECT_MARKER, type ChildProjectInstance } from "@intentius/chant/child-project";
+import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
+import { waw015 } from "./waw015";
+
+function makeChildProject(
+  projectPath: string,
+  childEntities?: Map<string, Declarable>,
+): ChildProjectInstance {
+  return {
+    [CHILD_PROJECT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "AWS::CloudFormation::Stack",
+    kind: "resource",
+    projectPath,
+    logicalName: "Child",
+    outputs: {},
+    options: {},
+    ...(childEntities && {
+      buildResult: {
+        outputs: new Map(),
+        entities: childEntities,
+        warnings: [],
+        errors: [],
+        sourceFileCount: 1,
+      },
+    }),
+  };
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WAW015: Circular Project References", () => {
+  test("check metadata", () => {
+    expect(waw015.id).toBe("WAW015");
+    expect(waw015.description).toContain("Circular");
+  });
+
+  test("detects simple two-node cycle (A → B → A)", () => {
+    // A's child entities include a child project pointing to B's path
+    // B's child entities include a child project pointing to A's path
+    const bInA = makeChildProject("/tmp/B");
+    const aInB = makeChildProject("/tmp/A");
+
+    const childA = makeChildProject("/tmp/A", new Map<string, Declarable>([
+      ["B", bInA],
+    ]));
+    const childB = makeChildProject("/tmp/B", new Map<string, Declarable>([
+      ["A", aInB],
+    ]));
+
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW015");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("Circular");
+    expect(diags[0].message).toContain("A");
+    expect(diags[0].message).toContain("B");
+  });
+
+  test("detects three-node cycle (A → B → C → A)", () => {
+    const childA = makeChildProject("/tmp/A", new Map<string, Declarable>([
+      ["B", makeChildProject("/tmp/B")],
+    ]));
+    const childB = makeChildProject("/tmp/B", new Map<string, Declarable>([
+      ["C", makeChildProject("/tmp/C")],
+    ]));
+    const childC = makeChildProject("/tmp/C", new Map<string, Declarable>([
+      ["A", makeChildProject("/tmp/A")],
+    ]));
+
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+      ["C", childC],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("A");
+    expect(diags[0].message).toContain("B");
+    expect(diags[0].message).toContain("C");
+  });
+
+  test("no diagnostic for acyclic graph (A → B, no back-edge)", () => {
+    const childA = makeChildProject("/tmp/A", new Map<string, Declarable>([
+      ["B", makeChildProject("/tmp/B")],
+    ]));
+    const childB = makeChildProject("/tmp/B", new Map<string, Declarable>());
+
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic with fewer than 2 stacks", () => {
+    const childA = makeChildProject("/tmp/A", new Map());
+    const entities = new Map<string, Declarable>([["A", childA]]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic with no child projects", () => {
+    const ctx = makeCtx(new Map());
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles child without buildResult (not yet built)", () => {
+    // No buildResult means no edges — no cycle possible
+    const childA = makeChildProject("/tmp/A");
+    const childB = makeChildProject("/tmp/B");
+    // These have no buildResult, so deps map will be empty
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw016.test.ts

@@ -0,0 +1,141 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw016, checkDeprecatedProperties } from "./waw016";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+/** Synthetic deprecated-property map — no disk dependency. */
+function fakeDeprecated(): Map<string, Set<string>> {
+  return new Map([
+    ["AWS::S3::Bucket", new Set(["AccessControl", "ObjectLockConfiguration"])],
+    ["AWS::Lambda::Function", new Set(["Code"])],
+  ]);
+}
+
+describe("WAW016: Deprecated Property Usage", () => {
+  test("check metadata", () => {
+    expect(waw016.id).toBe("WAW016");
+    expect(waw016.description).toContain("Deprecated");
+  });
+
+  test("emits warning for deprecated property", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            AccessControl: "LogDeliveryWrite",
+            BucketName: "my-bucket",
+          },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW016");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("AccessControl");
+    expect(diags[0].message).toContain("MyBucket");
+    expect(diags[0].message).toContain("deprecated");
+    expect(diags[0].entity).toBe("MyBucket");
+    expect(diags[0].lexicon).toBe("aws");
+  });
+
+  test("emits one warning per deprecated property", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            AccessControl: "Private",
+            ObjectLockConfiguration: {},
+          },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(2);
+    const props = diags.map((d) => d.message);
+    expect(props.some((m) => m.includes("AccessControl"))).toBe(true);
+    expect(props.some((m) => m.includes("ObjectLockConfiguration"))).toBe(true);
+  });
+
+  test("no diagnostic for non-deprecated properties", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            BucketName: "clean-bucket",
+            VersioningConfiguration: { Status: "Enabled" },
+          },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for resource type not in map", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyRole: {
+          Type: "AWS::IAM::Role",
+          Properties: { RoleName: "test" },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic on empty template", () => {
+    const ctx = makeCtx({ Resources: {} });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles resource with no Properties", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket" },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("returns empty when deprecated map is empty", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { AccessControl: "Private" },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, new Map());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags deprecated properties across multiple resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        Bucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { AccessControl: "Private" },
+        },
+        Func: {
+          Type: "AWS::Lambda::Function",
+          Properties: { Code: {} },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(2);
+    expect(diags[0].entity).toBe("Bucket");
+    expect(diags[1].entity).toBe("Func");
+  });
+});

package/src/lint/post-synth/waw016.ts

@@ -0,0 +1,86 @@
+/**
+ * WAW016: Deprecated Property Usage
+ *
+ * Flags properties marked as deprecated in the CloudFormation Registry.
+ * Sources: explicit `deprecatedProperties` array + description text mining.
+ */
+
+import { readFileSync } from "fs";
+import { join } from "path";
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+interface LexiconEntry {
+  kind: string;
+  resourceType: string;
+  deprecatedProperties?: string[];
+  [key: string]: unknown;
+}
+
+/**
+ * Load deprecated properties per resource type from the lexicon JSON.
+ */
+function loadDeprecatedProperties(): Map<string, Set<string>> {
+  const map = new Map<string, Set<string>>();
+  try {
+    const pkgDir = join(__dirname, "..", "..", "..");
+    const lexiconPath = join(pkgDir, "src", "generated", "lexicon-aws.json");
+    const content = readFileSync(lexiconPath, "utf-8");
+    const data = JSON.parse(content) as Record<string, LexiconEntry>;
+
+    for (const [_name, entry] of Object.entries(data)) {
+      if (entry.kind === "resource" && entry.resourceType && entry.deprecatedProperties && entry.deprecatedProperties.length > 0) {
+        map.set(entry.resourceType, new Set(entry.deprecatedProperties));
+      }
+    }
+  } catch {
+    // Lexicon not available — skip
+  }
+  return map;
+}
+
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkDeprecatedProperties(
+  ctx: PostSynthContext,
+  deprecated: Map<string, Set<string>>,
+): PostSynthDiagnostic[] {
+  if (deprecated.size === 0) return [];
+
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      const deprProps = deprecated.get(resource.Type);
+      if (!deprProps) continue;
+
+      const props = resource.Properties ?? {};
+      for (const propName of Object.keys(props)) {
+        if (deprProps.has(propName)) {
+          diagnostics.push({
+            checkId: "WAW016",
+            severity: "warning",
+            message: `Resource "${logicalId}" (${resource.Type}) uses deprecated property "${propName}" — consider alternatives`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw016: PostSynthCheck = {
+  id: "WAW016",
+  description: "Deprecated property usage — flags properties marked as deprecated in the CloudFormation Registry",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkDeprecatedProperties(ctx, loadDeprecatedProperties());
+  },
+};

package/src/lint/post-synth/waw017.test.ts

@@ -0,0 +1,130 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw017, checkMissingTags } from "./waw017";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+/** Synthetic taggable set — no disk dependency. */
+const taggable = new Set(["AWS::S3::Bucket", "AWS::Lambda::Function"]);
+
+describe("WAW017: Missing Tags on Taggable Resource", () => {
+  test("check metadata", () => {
+    expect(waw017.id).toBe("WAW017");
+    expect(waw017.description).toContain("tags");
+  });
+
+  test("emits warning for taggable resource without Tags", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "my-bucket" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW017");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("tagging");
+    expect(diags[0].message).toContain("MyBucket");
+    expect(diags[0].entity).toBe("MyBucket");
+    expect(diags[0].lexicon).toBe("aws");
+  });
+
+  test("no diagnostic when Tags are present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            BucketName: "my-bucket",
+            Tags: [{ Key: "Env", Value: "prod" }],
+          },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-taggable resource type", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCustom: {
+          Type: "Custom::MyResource",
+          Properties: { Foo: "bar" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic on empty template", () => {
+    const ctx = makeCtx({ Resources: {} });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles resource with no Properties (still flags missing Tags)", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket" },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("MyBucket");
+  });
+
+  test("returns empty when taggable set is empty", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, new Set());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags multiple taggable resources missing Tags", () => {
+    const ctx = makeCtx({
+      Resources: {
+        Bucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "b" },
+        },
+        Func: {
+          Type: "AWS::Lambda::Function",
+          Properties: { FunctionName: "f" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(2);
+  });
+
+  test("only flags resources without Tags, not those with", () => {
+    const ctx = makeCtx({
+      Resources: {
+        Tagged: {
+          Type: "AWS::S3::Bucket",
+          Properties: { Tags: [{ Key: "k", Value: "v" }] },
+        },
+        Untagged: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "b" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("Untagged");
+  });
+});

package/src/lint/post-synth/waw017.ts

@@ -0,0 +1,53 @@
+/**
+ * WAW017: Missing Tags on Taggable Resource
+ *
+ * Flags taggable resources that have no Tags property set.
+ * Encourages adding tags for cost allocation and compliance.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+import { loadTaggableResources } from "../../taggable";
+
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkMissingTags(
+  ctx: PostSynthContext,
+  taggable: Set<string>,
+): PostSynthDiagnostic[] {
+  if (taggable.size === 0) return [];
+
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!taggable.has(resource.Type)) continue;
+
+      const props = resource.Properties ?? {};
+      if (!("Tags" in props)) {
+        diagnostics.push({
+          checkId: "WAW017",
+          severity: "warning",
+          message: `Resource "${logicalId}" (${resource.Type}) supports tagging but has no Tags — consider adding tags for cost allocation and compliance`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw017: PostSynthCheck = {
+  id: "WAW017",
+  description: "Missing tags on taggable resource — suggests adding tags for cost allocation and compliance",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkMissingTags(ctx, loadTaggableResources());
+  },
+};

package/src/lint/post-synth/waw018.test.ts

@@ -0,0 +1,109 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw018, checkS3PublicAccess } from "./waw018";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW018: S3 Public Access Not Blocked", () => {
+  test("check metadata", () => {
+    expect(waw018.id).toBe("WAW018");
+    expect(waw018.description).toContain("public access");
+  });
+
+  test("flags bucket missing PublicAccessBlockConfiguration", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW018");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].entity).toBe("MyBucket");
+  });
+
+  test("flags bucket with a flag set to false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            PublicAccessBlockConfiguration: {
+              BlockPublicAcls: true,
+              BlockPublicPolicy: false,
+              IgnorePublicAcls: true,
+              RestrictPublicBuckets: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("BlockPublicPolicy");
+  });
+
+  test("no diagnostic when all flags are true", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            PublicAccessBlockConfiguration: {
+              BlockPublicAcls: true,
+              BlockPublicPolicy: true,
+              IgnorePublicAcls: true,
+              RestrictPublicBuckets: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-S3 resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: { FunctionName: "test" },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("skips intrinsic value in PublicAccessBlockConfiguration", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            PublicAccessBlockConfiguration: { Ref: "PublicAccessParam" },
+          },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles missing Properties", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket" },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});