@intentius/chant-lexicon-aws 0.0.8 → 0.0.9

package/src/lint/post-synth/waw017.test.ts

@@ -0,0 +1,130 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw017, checkMissingTags } from "./waw017";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+/** Synthetic taggable set — no disk dependency. */
+const taggable = new Set(["AWS::S3::Bucket", "AWS::Lambda::Function"]);
+
+describe("WAW017: Missing Tags on Taggable Resource", () => {
+  test("check metadata", () => {
+    expect(waw017.id).toBe("WAW017");
+    expect(waw017.description).toContain("tags");
+  });
+
+  test("emits warning for taggable resource without Tags", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "my-bucket" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW017");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("tagging");
+    expect(diags[0].message).toContain("MyBucket");
+    expect(diags[0].entity).toBe("MyBucket");
+    expect(diags[0].lexicon).toBe("aws");
+  });
+
+  test("no diagnostic when Tags are present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            BucketName: "my-bucket",
+            Tags: [{ Key: "Env", Value: "prod" }],
+          },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-taggable resource type", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCustom: {
+          Type: "Custom::MyResource",
+          Properties: { Foo: "bar" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic on empty template", () => {
+    const ctx = makeCtx({ Resources: {} });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles resource with no Properties (still flags missing Tags)", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket" },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("MyBucket");
+  });
+
+  test("returns empty when taggable set is empty", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, new Set());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags multiple taggable resources missing Tags", () => {
+    const ctx = makeCtx({
+      Resources: {
+        Bucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "b" },
+        },
+        Func: {
+          Type: "AWS::Lambda::Function",
+          Properties: { FunctionName: "f" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(2);
+  });
+
+  test("only flags resources without Tags, not those with", () => {
+    const ctx = makeCtx({
+      Resources: {
+        Tagged: {
+          Type: "AWS::S3::Bucket",
+          Properties: { Tags: [{ Key: "k", Value: "v" }] },
+        },
+        Untagged: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "b" },
+        },
+      },
+    });
+    const diags = checkMissingTags(ctx, taggable);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("Untagged");
+  });
+});

package/src/lint/post-synth/waw017.ts

@@ -0,0 +1,53 @@
+/**
+ * WAW017: Missing Tags on Taggable Resource
+ *
+ * Flags taggable resources that have no Tags property set.
+ * Encourages adding tags for cost allocation and compliance.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+import { loadTaggableResources } from "../../taggable";
+
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkMissingTags(
+  ctx: PostSynthContext,
+  taggable: Set<string>,
+): PostSynthDiagnostic[] {
+  if (taggable.size === 0) return [];
+
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!taggable.has(resource.Type)) continue;
+
+      const props = resource.Properties ?? {};
+      if (!("Tags" in props)) {
+        diagnostics.push({
+          checkId: "WAW017",
+          severity: "warning",
+          message: `Resource "${logicalId}" (${resource.Type}) supports tagging but has no Tags — consider adding tags for cost allocation and compliance`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw017: PostSynthCheck = {
+  id: "WAW017",
+  description: "Missing tags on taggable resource — suggests adding tags for cost allocation and compliance",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkMissingTags(ctx, loadTaggableResources());
+  },
+};

package/src/lint/post-synth/waw018.test.ts

@@ -0,0 +1,109 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw018, checkS3PublicAccess } from "./waw018";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW018: S3 Public Access Not Blocked", () => {
+  test("check metadata", () => {
+    expect(waw018.id).toBe("WAW018");
+    expect(waw018.description).toContain("public access");
+  });
+
+  test("flags bucket missing PublicAccessBlockConfiguration", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW018");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].entity).toBe("MyBucket");
+  });
+
+  test("flags bucket with a flag set to false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            PublicAccessBlockConfiguration: {
+              BlockPublicAcls: true,
+              BlockPublicPolicy: false,
+              IgnorePublicAcls: true,
+              RestrictPublicBuckets: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("BlockPublicPolicy");
+  });
+
+  test("no diagnostic when all flags are true", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            PublicAccessBlockConfiguration: {
+              BlockPublicAcls: true,
+              BlockPublicPolicy: true,
+              IgnorePublicAcls: true,
+              RestrictPublicBuckets: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-S3 resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: { FunctionName: "test" },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("skips intrinsic value in PublicAccessBlockConfiguration", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            PublicAccessBlockConfiguration: { Ref: "PublicAccessParam" },
+          },
+        },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles missing Properties", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket" },
+      },
+    });
+    const diags = checkS3PublicAccess(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw018.ts

@@ -0,0 +1,71 @@
+/**
+ * WAW018: S3 Public Access Not Blocked
+ *
+ * Flags S3 buckets missing PublicAccessBlockConfiguration or with any flag set to false.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+const REQUIRED_FLAGS = [
+  "BlockPublicAcls",
+  "BlockPublicPolicy",
+  "IgnorePublicAcls",
+  "RestrictPublicBuckets",
+] as const;
+
+export function checkS3PublicAccess(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::S3::Bucket") continue;
+
+      const props = resource.Properties ?? {};
+      const pab = props.PublicAccessBlockConfiguration;
+
+      if (!pab) {
+        diagnostics.push({
+          checkId: "WAW018",
+          severity: "error",
+          message: `S3 bucket "${logicalId}" is missing PublicAccessBlockConfiguration — all public access should be blocked`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+        continue;
+      }
+
+      if (isIntrinsic(pab)) continue;
+
+      if (typeof pab === "object" && pab !== null) {
+        const config = pab as Record<string, unknown>;
+        for (const flag of REQUIRED_FLAGS) {
+          const value = config[flag];
+          if (value === false) {
+            diagnostics.push({
+              checkId: "WAW018",
+              severity: "error",
+              message: `S3 bucket "${logicalId}" has ${flag} set to false — all public access should be blocked`,
+              entity: logicalId,
+              lexicon: "aws",
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw018: PostSynthCheck = {
+  id: "WAW018",
+  description: "S3 bucket missing public access block — all public access should be blocked",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkS3PublicAccess(ctx);
+  },
+};

package/src/lint/post-synth/waw019.test.ts

@@ -0,0 +1,138 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw019, checkUnrestrictedIngress } from "./waw019";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW019: Security Group Unrestricted Ingress", () => {
+  test("check metadata", () => {
+    expect(waw019.id).toBe("WAW019");
+    expect(waw019.description).toContain("ingress");
+  });
+
+  test("flags SG with 0.0.0.0/0 on port 22", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW019");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("flags SG with ::/0 on port 3389", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 3389, ToPort: 3389, CidrIpv6: "::/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("flags wide port range containing sensitive port", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 0, ToPort: 65535, CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("no diagnostic for restricted CIDR", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "10.0.0.0/8" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-sensitive port with open CIDR", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("checks standalone SecurityGroupIngress resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyIngress: {
+          Type: "AWS::EC2::SecurityGroupIngress",
+          Properties: {
+            GroupId: { Ref: "MySG" },
+            IpProtocol: "tcp",
+            FromPort: 5432,
+            ToPort: 5432,
+            CidrIp: "0.0.0.0/0",
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("MyIngress");
+  });
+
+  test("handles missing port range (all ports)", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "-1", CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw019.ts

@@ -0,0 +1,82 @@
+/**
+ * WAW019: Security Group Unrestricted Ingress
+ *
+ * Flags security groups with 0.0.0.0/0 or ::/0 ingress on sensitive ports
+ * (SSH 22, RDP 3389, MySQL 3306, PostgreSQL 5432).
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, getSecurityGroupIngress, portRangeContainsSensitive, isIntrinsic } from "./cf-refs";
+
+const SENSITIVE_PORTS = [22, 3389, 3306, 5432];
+const OPEN_CIDRS = new Set(["0.0.0.0/0", "::/0"]);
+
+function checkIngressRule(
+  rule: Record<string, unknown>,
+  logicalId: string,
+  diagnostics: PostSynthDiagnostic[],
+): void {
+  const cidrIp = rule.CidrIp;
+  const cidrIpv6 = rule.CidrIpv6;
+
+  const hasOpenCidr =
+    (typeof cidrIp === "string" && OPEN_CIDRS.has(cidrIp)) ||
+    (typeof cidrIpv6 === "string" && OPEN_CIDRS.has(cidrIpv6));
+
+  if (!hasOpenCidr) return;
+
+  if (portRangeContainsSensitive(rule.FromPort, rule.ToPort, SENSITIVE_PORTS)) {
+    const cidr = typeof cidrIp === "string" && OPEN_CIDRS.has(cidrIp) ? cidrIp : cidrIpv6;
+    const fromPort = rule.FromPort;
+    const toPort = rule.ToPort;
+    const portDesc = fromPort !== undefined && toPort !== undefined
+      ? ` on ports ${fromPort}-${toPort}`
+      : " on all ports";
+
+    diagnostics.push({
+      checkId: "WAW019",
+      severity: "error",
+      message: `Security group "${logicalId}" allows unrestricted ingress from ${cidr}${portDesc} — restrict to specific CIDR ranges`,
+      entity: logicalId,
+      lexicon: "aws",
+    });
+  }
+}
+
+export function checkUnrestrictedIngress(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      // Check inline SecurityGroupIngress on EC2::SecurityGroup
+      if (resource.Type === "AWS::EC2::SecurityGroup") {
+        const rules = getSecurityGroupIngress(resource);
+        for (const rule of rules) {
+          checkIngressRule(rule, logicalId, diagnostics);
+        }
+      }
+
+      // Check standalone SecurityGroupIngress resources
+      if (resource.Type === "AWS::EC2::SecurityGroupIngress") {
+        const props = resource.Properties ?? {};
+        if (!isIntrinsic(props)) {
+          checkIngressRule(props as Record<string, unknown>, logicalId, diagnostics);
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw019: PostSynthCheck = {
+  id: "WAW019",
+  description: "Security group allows unrestricted ingress on sensitive ports (SSH, RDP, database)",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkUnrestrictedIngress(ctx);
+  },
+};