@intentius/chant-lexicon-aws 0.0.8 → 0.0.10

package/src/lint/post-synth/waw013.test.ts

@@ -0,0 +1,120 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { Declarable } from "@intentius/chant/declarable";
+import { CHILD_PROJECT_MARKER, type ChildProjectInstance } from "@intentius/chant/child-project";
+import { STACK_OUTPUT_MARKER, type StackOutput } from "@intentius/chant/stack-output";
+import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
+import { waw013 } from "./waw013";
+
+function makeStackOutput(): StackOutput {
+  return {
+    [STACK_OUTPUT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "chant:output",
+    kind: "output",
+    sourceRef: {} as any,
+  };
+}
+
+function makeChildProject(opts: {
+  projectPath?: string;
+  childEntities?: Map<string, Declarable>;
+}): ChildProjectInstance {
+  return {
+    [CHILD_PROJECT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "AWS::CloudFormation::Stack",
+    kind: "resource",
+    projectPath: opts.projectPath ?? "/tmp/child",
+    logicalName: "Child",
+    outputs: {},
+    options: {},
+    buildResult: {
+      outputs: new Map(),
+      entities: opts.childEntities ?? new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WAW013: Child project has no stackOutput() exports", () => {
+  test("check metadata", () => {
+    expect(waw013.id).toBe("WAW013");
+    expect(waw013.description).toContain("stackOutput");
+  });
+
+  test("flags child project with no outputs", () => {
+    const child = makeChildProject({ childEntities: new Map() });
+    const ctx = makeCtx(new Map([["Network", child]]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW013");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("Network");
+    expect(diags[0].message).toContain("no stackOutput()");
+    expect(diags[0].entity).toBe("Network");
+  });
+
+  test("no diagnostic when child has stackOutput", () => {
+    const childEntities = new Map<string, Declarable>([
+      ["subnetId", makeStackOutput()],
+    ]);
+    const child = makeChildProject({ childEntities });
+    const ctx = makeCtx(new Map([["Network", child]]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic when no child projects", () => {
+    const ctx = makeCtx(new Map());
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("only flags children without outputs, not those with", () => {
+    const goodChild = makeChildProject({
+      projectPath: "/tmp/good",
+      childEntities: new Map([["out", makeStackOutput()]]),
+    });
+    const badChild = makeChildProject({
+      projectPath: "/tmp/bad",
+      childEntities: new Map(),
+    });
+    const ctx = makeCtx(new Map<string, Declarable>([
+      ["Good", goodChild],
+      ["Bad", badChild],
+    ]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("Bad");
+  });
+
+  test("skips non-child-project entities", () => {
+    const plainEntity: Declarable = {
+      [DECLARABLE_MARKER]: true,
+      lexicon: "aws",
+      entityType: "AWS::S3::Bucket",
+    };
+    const ctx = makeCtx(new Map([["MyBucket", plainEntity]]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw014.test.ts

@@ -0,0 +1,121 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { Declarable } from "@intentius/chant/declarable";
+import { CHILD_PROJECT_MARKER, type ChildProjectInstance } from "@intentius/chant/child-project";
+import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
+import { waw014 } from "./waw014";
+
+function makeChildProject(projectPath = "/tmp/child"): ChildProjectInstance {
+  return {
+    [CHILD_PROJECT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "AWS::CloudFormation::Stack",
+    kind: "resource",
+    projectPath,
+    logicalName: "Child",
+    outputs: {},
+    options: {},
+  };
+}
+
+function makeCtx(
+  entities: Map<string, Declarable>,
+  templateJson: string,
+): PostSynthContext {
+  const outputs = new Map<string, string>([["aws", templateJson]]);
+  return {
+    outputs,
+    entities,
+    buildResult: {
+      outputs,
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WAW014: Unreferenced Nested Stack Outputs", () => {
+  test("check metadata", () => {
+    expect(waw014.id).toBe("WAW014");
+    expect(waw014.description).toContain("outputs");
+  });
+
+  test("flags child whose outputs are never referenced in parent template", () => {
+    const entities = new Map<string, Declarable>([
+      ["Network", makeChildProject()],
+    ]);
+    // Parent template doesn't reference Network via Fn::GetAtt
+    const template = JSON.stringify({
+      Resources: {
+        Network: {
+          Type: "AWS::CloudFormation::Stack",
+          Properties: { TemplateURL: "network.json" },
+        },
+      },
+    });
+    const ctx = makeCtx(entities, template);
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW014");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("Network");
+    expect(diags[0].message).toContain("never referenced");
+    expect(diags[0].entity).toBe("Network");
+  });
+
+  test("no diagnostic when child outputs are referenced via Fn::GetAtt", () => {
+    const entities = new Map<string, Declarable>([
+      ["Network", makeChildProject()],
+    ]);
+    const template = JSON.stringify({
+      Resources: {
+        Network: {
+          Type: "AWS::CloudFormation::Stack",
+          Properties: { TemplateURL: "network.json" },
+        },
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            VpcConfig: {
+              SubnetIds: [{ "Fn::GetAtt": ["Network", "Outputs.SubnetId"] }],
+            },
+          },
+        },
+      },
+    });
+    const ctx = makeCtx(entities, template);
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic when no child projects", () => {
+    const ctx = makeCtx(new Map(), JSON.stringify({ Resources: {} }));
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags only unreferenced children, not referenced ones", () => {
+    const entities = new Map<string, Declarable>([
+      ["Network", makeChildProject("/tmp/net")],
+      ["Database", makeChildProject("/tmp/db")],
+    ]);
+    // Only Network is referenced
+    const template = JSON.stringify({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            SubnetId: { "Fn::GetAtt": ["Network", "Outputs.SubnetId"] },
+          },
+        },
+      },
+    });
+    const ctx = makeCtx(entities, template);
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("Database");
+  });
+});

package/src/lint/post-synth/waw015.test.ts

@@ -0,0 +1,147 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { Declarable } from "@intentius/chant/declarable";
+import { CHILD_PROJECT_MARKER, type ChildProjectInstance } from "@intentius/chant/child-project";
+import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
+import { waw015 } from "./waw015";
+
+function makeChildProject(
+  projectPath: string,
+  childEntities?: Map<string, Declarable>,
+): ChildProjectInstance {
+  return {
+    [CHILD_PROJECT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "AWS::CloudFormation::Stack",
+    kind: "resource",
+    projectPath,
+    logicalName: "Child",
+    outputs: {},
+    options: {},
+    ...(childEntities && {
+      buildResult: {
+        outputs: new Map(),
+        entities: childEntities,
+        warnings: [],
+        errors: [],
+        sourceFileCount: 1,
+      },
+    }),
+  };
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WAW015: Circular Project References", () => {
+  test("check metadata", () => {
+    expect(waw015.id).toBe("WAW015");
+    expect(waw015.description).toContain("Circular");
+  });
+
+  test("detects simple two-node cycle (A → B → A)", () => {
+    // A's child entities include a child project pointing to B's path
+    // B's child entities include a child project pointing to A's path
+    const bInA = makeChildProject("/tmp/B");
+    const aInB = makeChildProject("/tmp/A");
+
+    const childA = makeChildProject("/tmp/A", new Map<string, Declarable>([
+      ["B", bInA],
+    ]));
+    const childB = makeChildProject("/tmp/B", new Map<string, Declarable>([
+      ["A", aInB],
+    ]));
+
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW015");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("Circular");
+    expect(diags[0].message).toContain("A");
+    expect(diags[0].message).toContain("B");
+  });
+
+  test("detects three-node cycle (A → B → C → A)", () => {
+    const childA = makeChildProject("/tmp/A", new Map<string, Declarable>([
+      ["B", makeChildProject("/tmp/B")],
+    ]));
+    const childB = makeChildProject("/tmp/B", new Map<string, Declarable>([
+      ["C", makeChildProject("/tmp/C")],
+    ]));
+    const childC = makeChildProject("/tmp/C", new Map<string, Declarable>([
+      ["A", makeChildProject("/tmp/A")],
+    ]));
+
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+      ["C", childC],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("A");
+    expect(diags[0].message).toContain("B");
+    expect(diags[0].message).toContain("C");
+  });
+
+  test("no diagnostic for acyclic graph (A → B, no back-edge)", () => {
+    const childA = makeChildProject("/tmp/A", new Map<string, Declarable>([
+      ["B", makeChildProject("/tmp/B")],
+    ]));
+    const childB = makeChildProject("/tmp/B", new Map<string, Declarable>());
+
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic with fewer than 2 stacks", () => {
+    const childA = makeChildProject("/tmp/A", new Map());
+    const entities = new Map<string, Declarable>([["A", childA]]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic with no child projects", () => {
+    const ctx = makeCtx(new Map());
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles child without buildResult (not yet built)", () => {
+    // No buildResult means no edges — no cycle possible
+    const childA = makeChildProject("/tmp/A");
+    const childB = makeChildProject("/tmp/B");
+    // These have no buildResult, so deps map will be empty
+    const entities = new Map<string, Declarable>([
+      ["A", childA],
+      ["B", childB],
+    ]);
+    const ctx = makeCtx(entities);
+    const diags = waw015.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw016.test.ts

@@ -0,0 +1,141 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw016, checkDeprecatedProperties } from "./waw016";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+/** Synthetic deprecated-property map — no disk dependency. */
+function fakeDeprecated(): Map<string, Set<string>> {
+  return new Map([
+    ["AWS::S3::Bucket", new Set(["AccessControl", "ObjectLockConfiguration"])],
+    ["AWS::Lambda::Function", new Set(["Code"])],
+  ]);
+}
+
+describe("WAW016: Deprecated Property Usage", () => {
+  test("check metadata", () => {
+    expect(waw016.id).toBe("WAW016");
+    expect(waw016.description).toContain("Deprecated");
+  });
+
+  test("emits warning for deprecated property", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            AccessControl: "LogDeliveryWrite",
+            BucketName: "my-bucket",
+          },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW016");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("AccessControl");
+    expect(diags[0].message).toContain("MyBucket");
+    expect(diags[0].message).toContain("deprecated");
+    expect(diags[0].entity).toBe("MyBucket");
+    expect(diags[0].lexicon).toBe("aws");
+  });
+
+  test("emits one warning per deprecated property", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            AccessControl: "Private",
+            ObjectLockConfiguration: {},
+          },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(2);
+    const props = diags.map((d) => d.message);
+    expect(props.some((m) => m.includes("AccessControl"))).toBe(true);
+    expect(props.some((m) => m.includes("ObjectLockConfiguration"))).toBe(true);
+  });
+
+  test("no diagnostic for non-deprecated properties", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            BucketName: "clean-bucket",
+            VersioningConfiguration: { Status: "Enabled" },
+          },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for resource type not in map", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyRole: {
+          Type: "AWS::IAM::Role",
+          Properties: { RoleName: "test" },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic on empty template", () => {
+    const ctx = makeCtx({ Resources: {} });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles resource with no Properties", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket" },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("returns empty when deprecated map is empty", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { AccessControl: "Private" },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, new Map());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags deprecated properties across multiple resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        Bucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { AccessControl: "Private" },
+        },
+        Func: {
+          Type: "AWS::Lambda::Function",
+          Properties: { Code: {} },
+        },
+      },
+    });
+    const diags = checkDeprecatedProperties(ctx, fakeDeprecated());
+    expect(diags).toHaveLength(2);
+    expect(diags[0].entity).toBe("Bucket");
+    expect(diags[1].entity).toBe("Func");
+  });
+});

package/src/lint/post-synth/waw016.ts

@@ -0,0 +1,86 @@
+/**
+ * WAW016: Deprecated Property Usage
+ *
+ * Flags properties marked as deprecated in the CloudFormation Registry.
+ * Sources: explicit `deprecatedProperties` array + description text mining.
+ */
+
+import { readFileSync } from "fs";
+import { join } from "path";
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+interface LexiconEntry {
+  kind: string;
+  resourceType: string;
+  deprecatedProperties?: string[];
+  [key: string]: unknown;
+}
+
+/**
+ * Load deprecated properties per resource type from the lexicon JSON.
+ */
+function loadDeprecatedProperties(): Map<string, Set<string>> {
+  const map = new Map<string, Set<string>>();
+  try {
+    const pkgDir = join(__dirname, "..", "..", "..");
+    const lexiconPath = join(pkgDir, "src", "generated", "lexicon-aws.json");
+    const content = readFileSync(lexiconPath, "utf-8");
+    const data = JSON.parse(content) as Record<string, LexiconEntry>;
+
+    for (const [_name, entry] of Object.entries(data)) {
+      if (entry.kind === "resource" && entry.resourceType && entry.deprecatedProperties && entry.deprecatedProperties.length > 0) {
+        map.set(entry.resourceType, new Set(entry.deprecatedProperties));
+      }
+    }
+  } catch {
+    // Lexicon not available — skip
+  }
+  return map;
+}
+
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkDeprecatedProperties(
+  ctx: PostSynthContext,
+  deprecated: Map<string, Set<string>>,
+): PostSynthDiagnostic[] {
+  if (deprecated.size === 0) return [];
+
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      const deprProps = deprecated.get(resource.Type);
+      if (!deprProps) continue;
+
+      const props = resource.Properties ?? {};
+      for (const propName of Object.keys(props)) {
+        if (deprProps.has(propName)) {
+          diagnostics.push({
+            checkId: "WAW016",
+            severity: "warning",
+            message: `Resource "${logicalId}" (${resource.Type}) uses deprecated property "${propName}" — consider alternatives`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw016: PostSynthCheck = {
+  id: "WAW016",
+  description: "Deprecated property usage — flags properties marked as deprecated in the CloudFormation Registry",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkDeprecatedProperties(ctx, loadDeprecatedProperties());
+  },
+};